2007.08.13 10:40 "[Tiff] bug in 3.8.2", by John
Hi,
I've found a bug in libtiff 3.8.2 with files over 2GB, if anyone cares. Will there be another 3.x release? In case there is one planned, it's in TIFFFetchData(), in tif_dirread.c, around line 986.
This has:
if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
    || (tsize_t)dir->tdir_offset + cc < cc
    || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
        goto bad;
The third sanity check will break for memory-mapped files over 2GB, since casting tif_size to tsize_t (which is int32) will produce a negative number. The first and second tests will break for directories which occur after the 2GB watershed, since again tdir_offset will become negative.
I changed these tests to be:
if (dir->tdir_offset + (toff_t)cc < dir->tdir_offset)
        goto bad;
if (dir->tdir_offset + (toff_t)cc < (toff_t)cc)
        goto bad;
if (dir->tdir_offset + (toff_t)cc > tif->tif_size)
        goto bad;
since toff_t is a uint32. With this change I can successfully read and write 3GB multipage TIFF files.
tiff-4.0-alpha seems to work OK.
John
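The two bounds checks from the post side by side, as an added C example that is not part of John's message or of libtiff: the typedefs are assumed to match 3.8.2 (tsize_t is int32, toff_t is uint32), and the offsets, sizes and counts are constructed to show where the signed version rejects a valid read and where both versions still catch a wrapping offset.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed to match libtiff 3.8.2: */
typedef int32_t  tsize_t;  /* signed 32-bit byte count */
typedef uint32_t toff_t;   /* unsigned 32-bit file offset / file size */

/* The 3.8.2 check as quoted in the post. Returns 1 where it would "goto bad".
 * Inputs are chosen so the signed additions below never overflow (which would
 * be undefined behaviour); the failures come from the casts going negative. */
static int check_signed(toff_t tdir_offset, tsize_t cc, toff_t tif_size)
{
    return (tsize_t)tdir_offset + cc < (tsize_t)tdir_offset
        || (tsize_t)tdir_offset + cc < cc
        || (tsize_t)tdir_offset + cc > (tsize_t)tif_size;
}

/* The post's replacement: all arithmetic in unsigned toff_t, so a wrapped sum
 * is detected by comparing against either operand, and a size above 2GB
 * stays positive. */
static int check_unsigned(toff_t tdir_offset, tsize_t cc, toff_t tif_size)
{
    if (tdir_offset + (toff_t)cc < tdir_offset) return 1;
    if (tdir_offset + (toff_t)cc < (toff_t)cc) return 1;
    if (tdir_offset + (toff_t)cc > tif_size)    return 1;
    return 0;
}

int main(void)
{
    const toff_t three_gb = 0xC0000000u;  /* constructed 3GB file size */

    /* Directory after the 2GB watershed: offset casts to a negative tsize_t. */
    printf("2.5GB offset, signed:   bad=%d\n", check_signed(0xA0000000u, 4096, three_gb));
    printf("2.5GB offset, unsigned: bad=%d\n", check_unsigned(0xA0000000u, 4096, three_gb));

    /* Small offset in a >2GB mapped file: only the size cast goes negative. */
    printf("small offset, signed:   bad=%d\n", check_signed(1000, 4096, three_gb));
    printf("small offset, unsigned: bad=%d\n", check_unsigned(1000, 4096, three_gb));

    /* Offset near UINT32_MAX: the sum wraps and both versions must reject it. */
    printf("wrapping offset, unsigned: bad=%d\n", check_unsigned(0xFFFFFFF0u, 0x100, three_gb));
    return 0;
}
```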