vcl/source/filter/itiff/itiff.cxx | 45 ++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 23 deletions(-)
New commits:
commit 63ae3bd49834b9961f43b5a082ec809878acb891
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sat Oct 28 20:10:24 2023 +0100
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Sun Oct 29 10:16:00 2023 +0100
ofz#63518 don't allow short read with PHOTOMETRIC_YCBCR format
which the old parser didn't support
Change-Id: I63e426f57e893b13dd800f4af1ed4b50751dbb2b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158600
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/vcl/source/filter/itiff/itiff.cxx
b/vcl/source/filter/itiff/itiff.cxx
index 39bc51a00860..acd9e6d8e1ae 100644
--- a/vcl/source/filter/itiff/itiff.cxx
+++ b/vcl/source/filter/itiff/itiff.cxx
@@ -171,6 +171,14 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic&
rGraphic)
}
}
+ uint16_t PhotometricInterpretation(0);
+ uint16_t Compression(COMPRESSION_NONE);
+ if (bOk)
+ {
+ TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &PhotometricInterpretation);
+ TIFFGetField(tif, TIFFTAG_COMPRESSION, &Compression);
+ }
+
if (bOk && bFuzzing)
{
const uint64_t MAX_PIXEL_SIZE = 120000000;
@@ -194,26 +202,18 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic&
rGraphic)
SAL_WARN_IF(!bOk, "filter.tiff", "skipping slow bizarre
ratio tile of " << tw << " x " << th << " for image of " << w << " x " << h);
}
- uint16_t PhotometricInterpretation;
- if (TIFFGetField(tif, TIFFTAG_PHOTOMETRIC,
&PhotometricInterpretation) == 1)
+ if (PhotometricInterpretation == PHOTOMETRIC_LOGL)
{
- if (PhotometricInterpretation == PHOTOMETRIC_LOGL)
- {
- uint32_t nLogLBufferRequired;
- bOk &= !o3tl::checked_multiply(tw, th,
nLogLBufferRequired) && nLogLBufferRequired < MAX_PIXEL_SIZE;
- SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized
tiff tile " << tw << " x " << th);
- }
+ uint32_t nLogLBufferRequired;
+ bOk &= !o3tl::checked_multiply(tw, th,
nLogLBufferRequired) && nLogLBufferRequired < MAX_PIXEL_SIZE;
+ SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized tiff
tile " << tw << " x " << th);
}
- uint16_t Compression;
- if (TIFFGetField(tif, TIFFTAG_COMPRESSION, &Compression) == 1)
+ if (Compression == COMPRESSION_CCITTFAX4)
{
- if (Compression == COMPRESSION_CCITTFAX4)
- {
- uint32_t DspRuns;
- bOk &= !o3tl::checked_multiply(tw,
static_cast<uint32_t>(4), DspRuns) && DspRuns < MAX_PIXEL_SIZE;
- SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized
tiff tile width: " << tw);
- }
+ uint32_t DspRuns;
+ bOk &= !o3tl::checked_multiply(tw,
static_cast<uint32_t>(4), DspRuns) && DspRuns < MAX_PIXEL_SIZE;
+ SAL_WARN_IF(!bOk, "filter.tiff", "skipping oversized tiff
tile width: " << tw);
}
}
}
@@ -223,14 +223,13 @@ bool ImportTiffGraphicImport(SvStream& rTIFF, Graphic&
rGraphic)
std::vector<uint32_t> raster(nPixelsRequired);
- uint16_t compression(COMPRESSION_NONE);
- const bool bNewCodec = TIFFGetField(tif, TIFFTAG_COMPRESSION,
&compression) == 1 &&
- compression >= COMPRESSION_ZSTD; // >= 50000 at
time of writing
+ const bool bNewCodec = Compression >= COMPRESSION_ZSTD; // >= 50000 at
time of writing
// For tdf#149417 we generally allow one short read for fidelity with
the old
- // parser that this replaced. But don't allow that for new format
variations
- // that the old parser didn't handle so we don't take libtiff into
uncharted
- // territory.
- aContext.bAllowOneShortRead = !bNewCodec;
+ // parser that this replaced. But don't allow that for:
+ // a) new compression variations that the old parser didn't handle
+ // b) complicated pixel layout variations that the old parser didn't
handle
+ // so we don't take libtiff into uncharted territory.
+ aContext.bAllowOneShortRead = !bNewCodec && PhotometricInterpretation
!= PHOTOMETRIC_YCBCR;
if (TIFFReadRGBAImageOriented(tif, w, h, raster.data(),
ORIENTATION_TOPLEFT, 1))
{
