2018.04.23 16:00 "[Tiff] libTiff Bug", by SM

2018.04.23 16:29 "Re: [Tiff] libTiff Bug", by SM

Hi Bob,

Unfortunately the file cannot be shared. I tried debugging the code and I could debug only up to a point, and after that the code was too complex for me to understand.

The crash happens at row 39424 and col 0 of the image.

The tile is successfully read at coordinate (39424,0). After reading the tile, there is a post-processing stage where the tile has to be rearranged in the RGB format in contiguous fashion. Since the image is chunky, the R, G and B components have to be arranged in contiguous fashion instead of separate.

The libTiff code that does this post-processing is the following:

    /*
     * 8-bit packed samples, no Map => RGB
     */
    DECLAREContigPutFunc(putRGBcontig8bittile)
    {
        int samplesperpixel = img->samplesperpixel;

        (void) x; (void) y;
        fromskew *= samplesperpixel;
        for( ; h > 0; --h) {
            UNROLL8(w, NOP,
                *cp++ = PACK(pp[0], pp[1], pp[2]);
                pp += samplesperpixel);
            cp += toskew;
            pp += fromskew;
        }
    }

Expanding the macro DECLAREContigPutFunc in the above transforms the code to the following format:

    static void putRGBcontig8bittile(TIFFRGBAImage* img,
                                     uint32* cp,
                                     uint32 x,
                                     uint32 y,
                                     uint32 w,
                                     uint32 h,
                                     int32 fromskew,
                                     int32 toskew,
                                     unsigned char* pp)   /* byte pointer into the source tile */
    {
        int samplesperpixel = img->samplesperpixel;

        (void) x; (void) y;
        fromskew *= samplesperpixel;
        for( ; h > 0; --h) {
            /* one packed 32-bit output pixel per input pixel */
            UNROLL8(w, NOP,
                *cp++ = PACK(pp[0], pp[1], pp[2]);
                pp += samplesperpixel);
            cp += toskew;
            pp += fromskew;
        }
    }

Expanding UNROLL8 and PACK transforms the code to another different format. But at this point the code is too obfuscated for me to understand and debug the cause of the crash.

This file crashes only when read in RGBA mode. In the regular mode, there is no issue.

Thanks,
SM

On Mon, Apr 23, 2018 at 12:17 PM, Even Rouault <even.rouault@spatialys.com> wrote:

> > uint32 npixels=width*height;
>
> If it is large enough, it might be possible that the above multiplication
> overflows uint32, and thus the below memory allocation is not large enough
>
> > uint32* raster=(uint32 *) _TIFFmalloc(npixels *sizeof(uint32));
>
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com
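
The uint32 overflow raised in the quoted reply, shown next to a checked size computation. This is an added example, not code from the thread or from libtiff. The names npixels_unchecked, raster_size and alloc_raster are hypothetical, malloc stands in for _TIFFmalloc, and the dimensions are constructed, not taken from the reporter's file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Pattern from the thread: the product is computed in 32 bits and wraps. */
static uint32_t npixels_unchecked(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked size: 0 on success with the byte count in *bytes, -1 if the
 * raster is empty or its byte size does not fit in size_t. */
static int raster_size(uint32_t width, uint32_t height, size_t *bytes)
{
    /* (2^32-1)^2 < 2^64, so the 64-bit product itself cannot wrap. */
    uint64_t npixels = (uint64_t)width * (uint64_t)height;

    if (npixels == 0 || npixels > SIZE_MAX / sizeof(uint32_t))
        return -1;
    *bytes = (size_t)npixels * sizeof(uint32_t);
    return 0;
}

/* Allocate a width*height raster of 32-bit pixels, or NULL on failure. */
static uint32_t *alloc_raster(uint32_t width, uint32_t height)
{
    size_t bytes;

    if (raster_size(width, height, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed dimensions, not taken from the reporter's file. */
    const uint32_t dims[][2] = { {1024, 768}, {70000, 70000}, {65536, 65536} };

    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        size_t bytes = 0;
        int rc = raster_size(dims[i][0], dims[i][1], &bytes);
        printf("%ux%u: 32-bit npixels=%u, checked rc=%d bytes=%zu\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)npixels_unchecked(dims[i][0], dims[i][1]), rc, bytes);
    }
    free(alloc_raster(1024, 768));
    return 0;
}
```

With a 32-bit product, 65536x65536 wraps to 0 pixels and 70000x70000 to far fewer pixels than the image holds, so the buffer is undersized before any pixel is written.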