Failure to decode some fax3 images
Summary
Some valid fax3-compressed images fail to decode, and report a "Fax3Decode1D: Buffer overflow" error.
This was reported on the mailing list last year, subject "group3 encoding/decoding", but doesn't seem to have been addressed.
Version
GitLab master branch as of Jan 12, 2023
Steps to reproduce
From a Unix shell:
$ printf 'P4\n32 2\n\xaa\xaa\xaa\xaa\x55\x55\x55\x55' > 1.pbm
$ ppm2tiff -c g3:1d 1a.tif < 1.pbm
$ tiffcp -c none 1a.tif 1b.tif
Fax3Decode1D: Buffer overflow at line 0 of strip 0.
1a.tif: Error, can't read strip 0.
Additional information
Libtiff incorrectly calculates the maximum number of "runs" that a row might need. A row might have to start with a zero-length run, and libtiff apparently counts zero-length runs as runs, so the maximum number that could be needed is one more than the image width in pixels. But in some cases, libtiff only allows for exactly the width in pixels.
The bug occurs if all the following are true:
- The image uses fax3 compression in the default 1-d mode.
- The image width is a multiple of 32 pixels.
- There is a row consisting entirely of alternating black and white pixels.
- The first pixel in that row is the foreground color (black if photometric=min-is-white, white if min-is-black).
I don't know if there are any issues with fax3-2d or fax4-compressed images. There might be, but the situation is different.
Suggested patch to libtiff/tif_fax3.c, around line 540:
- dsp->nruns = TIFFroundup_32(rowpixels, 32);
+ dsp->nruns = TIFFroundup_32(rowpixels+1, 32);