16-bit Grayscale TIFF Load Failures Due to Buffer Underflow and Endianness (Patch #2601)
Description
The TiffDecoder class incorrectly uses the LibTiff function TIFFGetField(). When trying to load a 16-bit grayscale TIFF image on Solaris 10 (SPARC), two methods of the TiffDecoder class that use LibTiff's TIFFGetField() function are implemented inappropriately. The data variable that is to be filled in with the TIFFGetField() function must point to an appropriately sized storage buffer. The implementations of TiffDecoder::readHeader() and TiffDecoder::readData() incorrectly use a pointer to an int in all places. This is not correct usage of LibTiff.
Different TIFF field values have various storage requirements, some being uint16 and others being uint32. For example, the image width and height fields are uint32 values, whereas the bits-per-sample is a uint16. By using a normal int for all values retrieved, differing behavior is possible depending on the target environment's big-endian vs. little-endian status. If you pass a pointer to a 32-bit int into TIFFGetField() for the bits-per-sample value, only 16 bits of actual data will be copied to the target memory location. Depending on the endianness, it could be the most-significant or least-significant bytes of the target that get filled. If you're trying to read a 16-bit grayscale (bpp=0x0010) image on the wrong target, then your BPP value will actually be 0x00100000, which will not be recognized by OpenCV as a valid BPP setting, and the file will be loaded incorrectly.
To correct this issue, appropriate variable types must be used depending on the required sizeof() for whichever TIFF field is being retrieved.
The repaired defect is isolated to two methods of TiffDecoder, and is implemented in the file attached to this Patch Issue (e.g., "modules/highgui/src/grfmt_tiff.cpp").
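The width mismatch described above, as an added example that is not OpenCV's or LibTiff's code: it models the two-byte store a uint16 field getter performs into caller storage, for both byte orders, so it runs without LibTiff on any host. All names (host_order, store_u16, load_uint, bpp_via_int, bpp_via_u16) are hypothetical, and the non-zero fill byte goes one step beyond the report to show that a little-endian host is only correct when the int happened to start at zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte order of the simulated host (hypothetical helper type, not LibTiff's). */
typedef enum { HOST_LITTLE, HOST_BIG } host_order;

/* Models a getter filling a uint16 field: exactly two bytes are written at
   the caller's address, in host byte order. */
static void store_u16(unsigned char *dst, uint16_t v, host_order o)
{
    dst[0] = (unsigned char)(o == HOST_BIG ? v >> 8 : v & 0xff);
    dst[1] = (unsigned char)(o == HOST_BIG ? v & 0xff : v >> 8);
}

/* Reads n bytes (n <= 4) back as an unsigned integer in host byte order. */
static uint32_t load_uint(const unsigned char *src, size_t n, host_order o)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | src[o == HOST_BIG ? i : n - 1 - i];
    return v;
}

/* Buggy pattern: the caller's storage is a 4-byte int whose bytes hold `fill`. */
uint32_t bpp_via_int(uint16_t tag_value, host_order o, unsigned char fill)
{
    unsigned char storage[4];
    memset(storage, fill, sizeof storage);
    store_u16(storage, tag_value, o);   /* only 2 of the 4 bytes change */
    return load_uint(storage, sizeof storage, o);
}

/* Fixed pattern: the storage is exactly as wide as the field. */
uint32_t bpp_via_u16(uint16_t tag_value, host_order o)
{
    unsigned char storage[2] = {0, 0};
    store_u16(storage, tag_value, o);
    return load_uint(storage, sizeof storage, o);
}

int main(void)
{
    printf("int, big-endian:         0x%08x\n", (unsigned)bpp_via_int(16, HOST_BIG, 0));
    printf("int, little, stale 0xAA: 0x%08x\n", (unsigned)bpp_via_int(16, HOST_LITTLE, 0xAA));
    printf("uint16, big-endian:      0x%08x\n", (unsigned)bpp_via_u16(16, HOST_BIG));
    return 0;
}
```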
History
Updated by Anna Kogan over 12 years ago
Hello Jeff,
Thank you for reporting the issue! If you could fix the issue on your side, a patch or pull request there: http://opencv.org/opencv-pull-requests-test-results.html would be highly appreciated!
- Target version changed from 2.4.4 to 3.0
- Priority changed from Blocker to Normal
Updated by Jeff Reeder over 12 years ago
I did implement the bug-fix. It was implemented in the file attached to my first message.
Updated by Anna Kogan over 12 years ago
Hello Jeff,
Thank you! Could you please make a pull request for the fix?
Updated by Stuart Cunningham about 11 years ago
I've also encountered this exact bug. I've incorporated Jeff Reeder's fix and added a test for this issue in a pull request: https://github.com/Itseez/opencv/pull/2283
Since this is a bug in 2.4 which actually affects the loading of any TIFF files on a big endian host, it might be worth changing the target version to 2.4.9.
Updated by Dmitry Retinskiy about 11 years ago
- HW Platform set to Other
- Operating System set to Other
- Pull request set to https://github.com/Itseez/opencv/pull/2283
- Affected version set to branch 'master' (3.0-dev)
Updated by Stuart Cunningham about 11 years ago
On the advice of Kirill Kornyakov, who commented on pull request 2283 which was against master, I have closed that pull request and opened pull request https://github.com/Itseez/opencv/pull/2323 which is against 2.4. I've also set this issue's target version to 2.4.9.
- Target version changed from 3.0 to 2.4.9
Updated by Kirill Kornyakov about 11 years ago
- Status changed from Open to Done
- Pull request changed from https://github.com/Itseez/opencv/pull/2283 to https://github.com/Itseez/opencv/pull/2323