bug#8336: off-by-one count in tiff_load

bug#8336: off-by-one count in tiff_load

[Paul Eggert]

src/image.c's tiff_load function counts the number of images in the
TIFF file incorrectly.  It always reports one more image than is
actually present.

This bug was found by static analysis, using gcc -Wstrict-overflow
(GCC 4.5.2, x86-64).

I plan to fix it with the following patch.

* image.c (tiff_load): Fix off-by-one image count.
=== modified file 'src/image.c'
--- src/image.c	2011-03-13 08:04:44 +0000
+++ src/image.c	2011-03-24 04:31:06 +0000
@@ -6754,7 +6754,7 @@
   TIFF *tiff;
   int width, height, x, y, count;
   uint32 *buf;
-  int rc, rc2;
+  int rc;
   XImagePtr ximg;
   tiff_memory_source memsrc;
   Lisp_Object image;
@@ -6842,8 +6842,8 @@
   rc = fn_TIFFReadRGBAImage (tiff, width, height, buf, 0);

   /* Count the number of images in the file.  */
-  for (count = 1, rc2 = 1; rc2; count++)
-    rc2 = fn_TIFFSetDirectory (tiff, count);
+  for (count = 1; fn_TIFFSetDirectory (tiff, count); count++)
+    continue;

   if (count > 1)
     img->data.lisp_val = Fcons (Qcount,

bug#8336: fix merged to trunk

[Paul Eggert]

I committed a fix to the trunk for this,
as part of a recent merge (bzr 103776).

For Bug#8344, the merge uses size_t rather
than EMACS_INT for argument counts as I proposed earlier,
since the argument counts are always nonnegative
and are limited just by sizes that can be counted
at the C level.