TIFF: guard against corrupt files with buffer overflows

src/tiff.imageio/tiffinput.cpp

@@ -294,10 +294,7 @@ class TIFFInput final : public ImageInput {
             // the file. Punt.
         }
         if (ok && s && *s) {
-            result = string_view(s, count);
-            // Strip off sometimes-errant extra null characters
-            while (result.size() && result.back() == '\0')
-                result.remove_suffix(1);
+            result = Strutil::safe_string_view(s, count);
         }
         return ok;
     }

testsuite/runtest.py

@@ -215,7 +215,8 @@ def oiio_app (app):
 # the file "out.txt".  If 'safematch' is nonzero, it will exclude printing
 # of fields that tend to change from run to run or release to release.
 def info_command (file, extraargs="", safematch=False, hash=True,
-                  verbose=True, info_program="oiiotool") :
+                  verbose=True, silent=False, concat=True, failureok=False,
+                  info_program="oiiotool") :
     args = ""
     if info_program == "oiiotool" :
         args += " --info"
@@ -225,8 +226,15 @@ def info_command (file, extraargs="", safematch=False, hash=True,
         args += " --no-metamatch \"DateTime|Software|OriginatingProgram|ImageHistory\""
     if hash :
         args += " --hash"
-    return (oiio_app(info_program) + args + " " + extraargs
-            + " " + make_relpath(file,tmpdir) + redirect + ";\n")
+    cmd = (oiio_app(info_program) + args + " " + extraargs
+            + " " + make_relpath(file,tmpdir))
+    if not silent :
+        cmd += redirect
+    if failureok :
+        cmd += " || true "
+    if concat:
+        cmd += " ;\n"
+    return cmd
 
 
 # Construct a command that will compare two images, appending output to

testsuite/tiff-misc/ref/out-libtiff403.txt

@@ -0,0 +1,21 @@
+Reading src/separate.tif
+src/separate.tif     :  128 x  128, 3 channel, uint8 tiff
+    SHA-1: 486088DECAE711C444FDCAB009C378F7783AD9C5
+    channel list: R, G, B
+    compression: "zip"
+    DateTime: "2020:10:25 15:32:04"
+    Orientation: 1 (normal)
+    planarconfig: "separate"
+    Software: "OpenImageIO 2.3.0dev : oiiotool --pattern fill:topleft=0,0,0:topright=1,0,0:bottomleft=0,1,0:bottomright=1,1,1 128x128 3 --planarconfig separate -scanline -attrib tiff:rowsperstrip 17 -d uint8 -o separate.tif"
+    oiio:BitsPerSample: 8
+    tiff:Compression: 8
+    tiff:PhotometricInterpretation: 2
+    tiff:PlanarConfiguration: 2
+    tiff:RowsPerStrip: 7
+Comparing "src/separate.tif" and "separate.tif"
+PASS
+oiiotool ERROR: read : "src/corrupt1.tif": Could not open file: IO error during reading of "StripOffsets"
+Full command line was:
+> oiiotool -colorconfig ../common/OpenColorIO/nuke-default/config.ocio --oiioattrib try_all_readers 0 --info -v src/corrupt1.tif
+Comparing "check1.tif" and "ref/check1.tif"
+PASS

testsuite/tiff-misc/ref/out.txt

@@ -14,5 +14,8 @@ src/separate.tif     :  128 x  128, 3 channel, uint8 tiff
     tiff:RowsPerStrip: 7
 Comparing "src/separate.tif" and "separate.tif"
 PASS
+oiiotool ERROR: read : No support for data format of "src/corrupt1.tif"
+Full command line was:
+> oiiotool -colorconfig ../common/OpenColorIO/nuke-default/config.ocio --oiioattrib try_all_readers 0 --info -v src/corrupt1.tif
 Comparing "check1.tif" and "ref/check1.tif"
 PASS

testsuite/tiff-misc/run.py

@@ -2,14 +2,19 @@
 
 # Miscellaneous TIFF-related tests
 
-outputs = [ ]
+# save the error output
+redirect = " >> out.txt 2>&1 "
 
 # Regression test -- we once had a bug where 'separate' planarconfig
 # tiled float files would have data corrupted by a buffer overwrite.
 command += oiiotool("--pattern checker 128x128 4 --tile 64 64 --planarconfig separate -d float -o check1.tif")
-outputs += [ "check1.tif" ]
 
 # Test bug we had until OIIO 2.3 when reading planarconfig=separate files
 # (fixed by #2757) that was not detected by the uncompressed file. So copy
 # to force compression in order to properly test:
 command += rw_command ("src", "separate.tif")
+
+# Test bug we had until OIIO 2.4 for this corrupt file
+command += oiiotool ("--oiioattrib try_all_readers 0 --info -v src/corrupt1.tif", failureok = True)
+
+outputs = [ "check1.tif", "out.txt" ]