Hi folks,

I noticed a problem with vil when reading a TIFF image. I compiled VXL from the source code checked out 2 days ago using cvs. The compiler is MSVC 2005 SP1. It is using the TIFF library included in v3p/TIFF.  Here are the details of how the problem occurs:

The stack got corrupted in Visual Studio after Line 132 of vil_tiff_header.cxx:
  read_short_tag(tif_,TIFFTAG_EXTRASAMPLES, extra_samples);

So I used the debugger to follow into the function call. Here is the function read_short_tag:
static void read_short_tag(TIFF* tif, ttag_t tag, ushort_tag& utag, vxl_uint_16 deflt =0)
{
  utag.valid = TIFFGetField(tif, tag, &(utag.val))>0;
  if (!utag.valid)
    utag.val = deflt;
}

Pay special attention to the number of arguments used in the function call to TIFFGetField, which takes a variable number of arguments after the first two arguments. In this case, the only variable argument presented is "&(utag.val)".

Here is the definition of TIFFGetField (defined in tif_dir.c):
int
TIFFGetField(TIFF* tif, ttag_t tag, ...)
{
    int status;
    va_list ap;

    va_start(ap, tag);
    status = TIFFVGetField(tif, tag, ap);
    va_end(ap);
    return (status);
}


Later on, it reaches line 745 of tif_dir.c:
    case TIFFTAG_EXTRASAMPLES:
            *va_arg(ap, uint16*) = td->td_extrasamples;
            *va_arg(ap, uint16**) = td->td_sampleinfo;
            break;


Notice in the snippet right above, it assigns values to TWO arguments while the function call only supplies ONE!! I believe this is how the stack came to be corrupted.

Trying to follow the logic of these functions, I came up with the following fix:
yang@quadvision ~/vxl/vxlsrc/core/vil/file_formats
$ cvs diff -l -u
cvs diff: Diffing .
Index: vil_tiff_header.cxx
===================================================================
RCS file: /cvsroot/vxl/vxl/core/vil/file_formats/vil_tiff_header.cxx,v
retrieving revision 1.25
diff -u -r1.25 vil_tiff_header.cxx
--- vil_tiff_header.cxx 13 Aug 2008 20:06:47 -0000      1.25
+++ vil_tiff_header.cxx 2 Dec 2008 22:17:46 -0000
@@ -33,7 +33,8 @@

 static void read_short_tag(TIFF* tif, ttag_t tag, ushort_tag& utag, vxl_uint_16 deflt =0)
 {
-  utag.valid = TIFFGetField(tif, tag, &(utag.val))>0;
+  vxl_uint_16 * dummy;
+  utag.valid = TIFFGetField(tif, tag, &(utag.val), &dummy)>0;
   if (!utag.valid)
     utag.val = deflt;
 }
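Review bot: the added `&dummy` argument does make the call type-correct for TIFFTAG_EXTRASAMPLES (the callee writes a `uint16*` count and then a `uint16**` array pointer, and `&dummy` is a `vxl_uint_16**`), but the change lands in a helper that every single-value short tag also goes through. Passing a trailing argument the callee never reads is harmless under C varargs, so the other tags keep working, yet the helper's name and signature now hide the fact that EXTRASAMPLES is a two-value tag (libtiff's TIFFGetField documentation lists it with two outputs: the count and the types array). Consider leaving read_short_tag as it was and giving the single call site at line 132 its own two-output call, along the lines of

  vxl_uint_16 n_extra = 0; vxl_uint_16* extra_types = 0;
  extra_samples.valid = TIFFGetField(tif_, TIFFTAG_EXTRASAMPLES, &n_extra, &extra_types) > 0;

so the count goes into extra_samples.val and the types array is visible (or explicitly discarded) where the caller can see it. If the helper route is kept, initialise `dummy` to 0 and add a comment explaining why the second pointer is there, otherwise the next reader will remove it as unused.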

However, as I have no experience with TIFF internal structure, I am not sure if it is the correct fix.  Therefore, I would like to ask the community for comments on this fix.

Thanks!
Gary Yang
DualAlign LLC
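To illustrate the contract the post describes, here is an added, self-contained C example (not VXL or libtiff code): a constructed stand-in for the tif_dir.c switch that consumes two va_args for EXTRASAMPLES and one for an ordinary short tag, with readers that pass exactly the destinations each tag writes. The tag numbers, struct and sample directory are constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for libtiff tag ids and the directory struct (not libtiff's own). */
enum { TAG_BITSPERSAMPLE = 258, TAG_EXTRASAMPLES = 338 };

typedef struct {
    uint16_t bits_per_sample;
    uint16_t extra_samples;   /* number of extra samples */
    uint16_t *sample_info;    /* array of extra_samples type codes */
} tiff_dir_t;

/* Mirrors the shape of the tif_dir.c switch: EXTRASAMPLES consumes TWO va_args,
 * so a caller that passes only one destination leaves the callee writing through
 * whatever happens to sit where the second pointer should be. */
static int mock_get_field(const tiff_dir_t *td, int tag, ...)
{
    va_list ap;
    int status = 1;
    va_start(ap, tag);
    switch (tag) {
    case TAG_BITSPERSAMPLE:
        *va_arg(ap, uint16_t *) = td->bits_per_sample;
        break;
    case TAG_EXTRASAMPLES:
        *va_arg(ap, uint16_t *) = td->extra_samples;
        *va_arg(ap, uint16_t **) = td->sample_info;
        break;
    default:
        status = 0;  /* unknown tag: nothing written */
    }
    va_end(ap);
    return status;
}

/* Single-value short tag: one destination, with a default on failure (like read_short_tag). */
int read_short_field(const tiff_dir_t *td, int tag, uint16_t deflt)
{
    uint16_t val = 0;
    return mock_get_field(td, tag, &val) > 0 ? val : deflt;
}

/* Two-value tag: both destinations supplied; returns the type of extra sample i, or -1. */
int extra_sample_type(const tiff_dir_t *td, unsigned i)
{
    uint16_t count = 0;
    uint16_t *types = NULL;
    if (mock_get_field(td, TAG_EXTRASAMPLES, &count, &types) <= 0 || i >= count)
        return -1;
    return types[i];
}

/* Constructed sample directories: one with a single extra channel (type 1), one with none. */
static uint16_t sample_info_data[1] = { 1 };
const tiff_dir_t sample_dir = { 8, 1, sample_info_data };
const tiff_dir_t no_extra_dir = { 16, 0, NULL };
```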