Skip to content

Commit

Permalink
tiff: don't panic on reading short block data.
Browse files Browse the repository at this point in the history
Fixes golang/go#10394

Change-Id: I12621650f0c21579047497407ca2745febe4521b
Reviewed-on: https://go-review.googlesource.com/9278
Reviewed-by: Benny Siegert <[email protected]>
Reviewed-by: Nigel Tao <[email protected]>
  • Loading branch information
mrhyperbit23z0d committed Feb 22, 2022
1 parent 7796bfe commit 15c63bf
Show file tree
Hide file tree
Showing 2 changed files with 81 additions and 18 deletions.
73 changes: 55 additions & 18 deletions tiff/reader.go
Original file line number Diff line number Diff line change
Expand Up @@ -164,17 +164,20 @@ func (d *decoder) parseIFD(p []byte) error {
}

// readBits reads n bits from the internal buffer starting at the current offset.
func (d *decoder) readBits(n uint) uint32 {
func (d *decoder) readBits(n uint) (v uint32, ok bool) {
for d.nbits < n {
d.v <<= 8
if d.off >= len(d.buf) {
return 0, false
}
d.v |= uint32(d.buf[d.off])
d.off++
d.nbits += 8
}
d.nbits -= n
rv := d.v >> d.nbits
d.v &^= rv << d.nbits
return rv
return rv, true
}

// flushBits discards the unread bits in the buffer used by readBits.
Expand Down Expand Up @@ -203,24 +206,29 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
if d.firstVal(tPredictor) == prHorizontal {
if d.bpp == 16 {
var off int
spp := len(d.features[tBitsPerSample]) // samples per pixel
bpp := spp * 2 // bytes per pixel
n := 2 * len(d.features[tBitsPerSample]) // bytes per sample times samples per pixel
for y := ymin; y < ymax; y++ {
off += spp * 2
for x := 0; x < (xmax-xmin-1)*bpp; x += 2 {
v0 := d.byteOrder.Uint16(d.buf[off-bpp : off-bpp+2])
off += n
for x := 0; x < (xmax-xmin-1)*n; x += 2 {
if off+2 > len(d.buf) {
return FormatError("not enough pixel data")
}
v0 := d.byteOrder.Uint16(d.buf[off-n : off-n+2])
v1 := d.byteOrder.Uint16(d.buf[off : off+2])
d.byteOrder.PutUint16(d.buf[off:off+2], v1+v0)
off += 2
}
}
} else if d.bpp == 8 {
var off int
spp := len(d.features[tBitsPerSample]) // samples per pixel
n := 1 * len(d.features[tBitsPerSample]) // bytes per sample times samples per pixel
for y := ymin; y < ymax; y++ {
off += spp
for x := 0; x < (xmax-xmin-1)*spp; x++ {
d.buf[off] += d.buf[off-spp]
off += n
for x := 0; x < (xmax-xmin-1)*n; x++ {
if off >= len(d.buf) {
return FormatError("not enough pixel data")
}
d.buf[off] += d.buf[off-n]
off++
}
}
Expand All @@ -235,6 +243,9 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
img := dst.(*image.Gray16)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
if d.off+2 > len(d.buf) {
return FormatError("not enough pixel data")
}
v := d.byteOrder.Uint16(d.buf[d.off : d.off+2])
d.off += 2
if d.mode == mGrayInvert {
Expand All @@ -248,11 +259,15 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
max := uint32((1 << d.bpp) - 1)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
v := uint8(d.readBits(d.bpp) * 0xff / max)
v, ok := d.readBits(d.bpp)
if !ok {
return FormatError("not enough pixel data")
}
v = v * 0xff / max
if d.mode == mGrayInvert {
v = 0xff - v
}
img.SetGray(x, y, color.Gray{v})
img.SetGray(x, y, color.Gray{uint8(v)})
}
d.flushBits()
}
Expand All @@ -261,7 +276,11 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
img := dst.(*image.Paletted)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
img.SetColorIndex(x, y, uint8(d.readBits(d.bpp)))
v, ok := d.readBits(d.bpp)
if !ok {
return FormatError("not enough pixel data")
}
img.SetColorIndex(x, y, uint8(v))
}
d.flushBits()
}
Expand All @@ -270,6 +289,9 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
img := dst.(*image.RGBA64)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
if d.off+6 > len(d.buf) {
return FormatError("not enough pixel data")
}
r := d.byteOrder.Uint16(d.buf[d.off+0 : d.off+2])
g := d.byteOrder.Uint16(d.buf[d.off+2 : d.off+4])
b := d.byteOrder.Uint16(d.buf[d.off+4 : d.off+6])
Expand All @@ -284,6 +306,9 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
max := img.PixOffset(rMaxX, y)
off := (y - ymin) * (xmax - xmin) * 3
for i := min; i < max; i += 4 {
if d.off+3 > len(d.buf) {
return FormatError("not enough pixel data")
}
img.Pix[i+0] = d.buf[off+0]
img.Pix[i+1] = d.buf[off+1]
img.Pix[i+2] = d.buf[off+2]
Expand All @@ -297,6 +322,9 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
img := dst.(*image.NRGBA64)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
if d.off+8 > len(d.buf) {
return FormatError("not enough pixel data")
}
r := d.byteOrder.Uint16(d.buf[d.off+0 : d.off+2])
g := d.byteOrder.Uint16(d.buf[d.off+2 : d.off+4])
b := d.byteOrder.Uint16(d.buf[d.off+4 : d.off+6])
Expand All @@ -310,15 +338,21 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
for y := ymin; y < rMaxY; y++ {
min := img.PixOffset(xmin, y)
max := img.PixOffset(rMaxX, y)
buf := d.buf[(y-ymin)*(xmax-xmin)*4 : (y-ymin+1)*(xmax-xmin)*4]
copy(img.Pix[min:max], buf)
i0, i1 := (y-ymin)*(xmax-xmin)*4, (y-ymin+1)*(xmax-xmin)*4
if i1 > len(d.buf) {
return FormatError("not enough pixel data")
}
copy(img.Pix[min:max], d.buf[i0:i1])
}
}
case mRGBA:
if d.bpp == 16 {
img := dst.(*image.RGBA64)
for y := ymin; y < rMaxY; y++ {
for x := xmin; x < rMaxX; x++ {
if d.off+8 > len(d.buf) {
return FormatError("not enough pixel data")
}
r := d.byteOrder.Uint16(d.buf[d.off+0 : d.off+2])
g := d.byteOrder.Uint16(d.buf[d.off+2 : d.off+4])
b := d.byteOrder.Uint16(d.buf[d.off+4 : d.off+6])
Expand All @@ -332,8 +366,11 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
for y := ymin; y < rMaxY; y++ {
min := img.PixOffset(xmin, y)
max := img.PixOffset(rMaxX, y)
buf := d.buf[(y-ymin)*(xmax-xmin)*4 : (y-ymin+1)*(xmax-xmin)*4]
copy(img.Pix[min:max], buf)
i0, i1 := (y-ymin)*(xmax-xmin)*4, (y-ymin+1)*(xmax-xmin)*4
if i1 > len(d.buf) {
return FormatError("not enough pixel data")
}
copy(img.Pix[min:max], d.buf[i0:i1])
}
}
}
Expand Down
26 changes: 26 additions & 0 deletions tiff/reader_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,32 @@ func TestUnpackBits(t *testing.T) {
}
}

func TestShortBlockData(t *testing.T) {
b, err := ioutil.ReadFile("../testdata/bw-uncompressed.tiff")
if err != nil {
t.Fatal(err)
}
// The bw-uncompressed.tiff image is a 153x55 bi-level image. This is 1 bit
// per pixel, or 20 bytes per row, times 55 rows, or 1100 bytes of pixel
// data. 1100 in hex is 0x44c, or "\x4c\x04" in little-endian. We replace
// that byte count (StripByteCounts-tagged data) by something less than
// that, so that there is not enough pixel data.
old := []byte{0x4c, 0x04}
new := []byte{0x01, 0x01}
i := bytes.Index(b, old)
if i < 0 {
t.Fatal(`could not find "\x4c\x04" byte count`)
}
if bytes.Contains(b[i+len(old):], old) {
t.Fatal(`too many occurrences of "\x4c\x04"`)
}
b[i+0] = new[0]
b[i+1] = new[1]
if _, err = Decode(bytes.NewReader(b)); err == nil {
t.Fatal("got nil error, want non-nil")
}
}

func compare(t *testing.T, img0, img1 image.Image) {
b0 := img0.Bounds()
b1 := img1.Bounds()
Expand Down

0 comments on commit 15c63bf

Please sign in to comment.