Fix format string mismatches where the format specifier doesn't match
the argument type:
- Change %d to %u for unsigned int/uint32_t arguments
- Change %u to %d for signed int arguments
- Add casts where needed for printf family functions
- Use PRIu64/PRIi64 for uint64_t/int64_t arguments
Fix -Wformat-nonliteral warnings
Add TIFF_ATTRIBUTE((__format__(__printf__, N, 0))) to functions that
accept format strings as parameters (va_list style). The 0 indicates
no variadic arguments to check since the format is validated at the
call site.
* Split extra-warnings into extra-warnings and broken-warnings
* extra-warnings initially only uses -pedantic -Wextra
* Warnings will be moved from broken-warnings to extra-warnings
once the CI builds have proved them safe to use
This fixes a potential heap write buffer overflow when reading a
corrupted file, with multiple IFDs, and when iterating over those IFDs,
and when the file was opened in 'O' mode.
Fixes https://issues.oss-fuzz.com/issues/470691578
Add two new CMake options to help maintain C++ compatibility:
1. cxx-compat-warnings: Enables -Wc++-compat flag (GCC/Clang) which
warns about using C++ keywords as identifiers and some enum/int
conversions. This is limited and won't catch all issues.
2. cxx-compat-mode: Compiles C source files as C++17 using -x c++
(GCC/Clang) or /TP (MSVC). This catches all C++ incompatibilities
as compile errors, including:
- implicit void* to typed pointer conversions
- register storage class (removed in C++17)
- goto/switch jumping over variable initialization
- enum arithmetic and implicit conversions
Usage:
cmake -Dcxx-compat-warnings=ON .. # Light checking
cmake -Dcxx-compat-mode=ON .. # Full C++ compilation
- tif_compress.c: Cast const away for strcpy to initialized const char* field
- tif_jpeg.c: Add unsigned short* cast for malloc result
- tif_ojpeg.c: Add JSAMPARRAY and JSAMPIMAGE casts for jpeg functions
- tif_print.c: Change sep variable from char* to const char*
- mkspans.c: Convert K&R style functions to ANSI C, add return type to main
Additional C++ compatibility fixes for implicit void* to typed pointer
conversions that are not allowed in C++. These files had function calls
where void* (tdata_t) was passed to functions expecting typed pointers
like uint8_t* or unsigned char*.
C++ is stricter about type conversions than C:
1. void* to typed pointer: In C++ you cannot implicitly convert void*
to a typed pointer. Add explicit casts for custom tag value pointers
passed to TIFFWriteDirectoryTag* functions.
2. Integer to enum: C++ requires explicit casts when assigning integer
types to enum types. Add casts for:
- TIFFDataWidth() calls where tdir_type (uint16_t) is passed
- TIFFDataType assignments from uint16_t entry_type
Files modified:
- tif_dirwrite.c: Cast td_customValues[m].value to appropriate types
for each TIFF type (char*, uint8_t*, int8_t*, uint16_t*, etc.)
and cast entry_type to TIFFDataType where needed
- tif_dirread.c: Cast tdir_type to TIFFDataType for TIFFDataWidth calls
