cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,574 Commits 1 Branch 0 Tags 11 MiB
rho-fork
Commit Graph

704 Commits

Author SHA1 Message Date
Even Rouault
3c47638aaa Merge branch 'issue-133' into 'master' 
tiff2pdf: avoid divide by 0

Closes #133

See merge request libtiff/libtiff!126
 2020-03-24 12:39:18 +00:00
Thomas Bernard
bd49c5810f
tiff2pdf: normalizePoint() macro to normalize the white point 2020-03-24 11:34:36 +01:00
Thomas Bernard
37121e1574
tiffdump: avoid unaligned memory access 
fixes #143
fixes #144
 2020-03-24 00:18:32 +01:00
Even Rouault
6c63f17749 Merge branch 'out-of-memory' into 'master' 
tiffcp/tiff2pdf/tiff2ps: enforce maximum malloc size

Closes #153, #84, #116 et #115

See merge request libtiff/libtiff!130
 2020-03-23 18:11:02 +00:00
Thomas Bernard
b738aaa834
tiffset: check memory allocation 
fixes #157 / http://bugzilla.maptools.org/show_bug.cgi?id=2850
 2020-03-23 17:17:17 +01:00
Thomas Bernard
dff30c4d5d
tiff2ps: enforce memory allocation limit 
fixes #153 / http://bugzilla.maptools.org/show_bug.cgi?id=2845
 2020-03-21 15:50:38 +01:00
Thomas Bernard
791046b3c6
tiff2pdf: enforce maximum data size 
fixes #116 / http://bugzilla.maptools.org/show_bug.cgi?id=2756
fixes #84 / http://bugzilla.maptools.org/show_bug.cgi?id=2683
 2020-03-21 15:30:43 +01:00
Thomas Bernard
035c1961d6
tiffcp.c: _TIFFmalloc() => limitMalloc() 2020-03-21 13:20:17 +01:00
Thomas Bernard
0a58e22b17
tiffcp: enforce maximum malloc size 
default is 256MB. use -m option to change

fixes #115 / http://bugzilla.maptools.org/show_bug.cgi?id=2755
 2020-03-21 13:20:12 +01:00
Thomas Bernard
f704878200
tiff2pdf: "" causes the relevant argument not to be written 
fixes #44
 2020-03-21 01:05:41 +01:00
Thomas Bernard
dbc90f9374
tiff2pdf: avoid divide by 0 
fixes #133 http://bugzilla.maptools.org/show_bug.cgi?id=2796
 2020-03-18 01:37:54 +01:00
Thomas Bernard
54ce8c5220
TIFFTAG_PREDICTOR is not supported for WebP 
fixes #158
https://gitlab.com/libtiff/libtiff/-/issues/158

this bug was introduced by 9eacd59fec
merge request !32
 2020-03-08 20:33:34 +01:00
Thomas Bernard
622492cb31
ppm2tiff: remove unused argument warning 2020-03-07 10:56:31 +01:00
Ludolf Holzheid
5582d0bfad
ppm2tiff: support any bps value from 1 to 16 
fix #55
http://bugzilla.maptools.org/show_bug.cgi?id=2505

Patch originally submited by Ludolf Holzheid <ludolf.holzheid@gmx.de>
 2020-03-07 10:56:31 +01:00
Even Rouault
06d6e36187 Merge branch 'division-by-zero' into 'master' 
tools/tiffcp.c: fix potential division by zero

See merge request libtiff/libtiff!83
 2020-02-26 21:37:54 +00:00
Even Rouault
2a4d9b4fab Merge branch 'bug2839' into 'master' 
raw2tiff: avoid divide by 0

Closes #151

See merge request libtiff/libtiff!103
 2020-02-26 21:22:26 +00:00
Even Rouault
2832b9829f Merge branch 'bug2669' into 'master' 
tiff2pdf: palette bound check in t2p_sample_realize_palette()

Closes #82

See merge request libtiff/libtiff!104
 2020-02-26 21:21:09 +00:00
Even Rouault
e9a124f52f Merge branch 'int-shift' into 'master' 
tiffcrop: fix asan runtime error caused by integer promotion

See merge request libtiff/libtiff!105
 2020-02-26 21:20:10 +00:00
Thomas Bernard
bdcf1add10
raw2tiff: avoid divide by 0 
fixes #151 / http://bugzilla.maptools.org/show_bug.cgi?id=2839

first memcmp() lines before computing corellation
and always avoid divide by 0 anyway
 2020-02-16 19:20:37 +01:00
Thomas Bernard
4f168b7368
tiffcrop: fix asan runtime error caused by integer promotion 
tiffcrop.c:4027:20: runtime error: left shift of 190 by 24 places cannot be represented in type 'int'

C treats (byte << 24) as an int expression.
casting explicitely to unsigned type uint32 avoids the problem.

the same issue has been fixed elsewhere with a242136916

I detected the bug with the test file of #86
 2020-02-08 13:43:35 +01:00
Thomas Bernard
3107393354
tiff2pdf: palette bound check in t2p_sample_realize_palette() 
fixes #82
 2020-02-08 13:27:51 +01:00
Thomas Bernard
ebf0864306
tiff2ps: fix heap buffer read overflow in PSDataColorContig() 
fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855

in 05029fb7f1 I missed that 1 extra byte is read
in this loop.
 2020-02-08 12:10:56 +01:00
Bob Friesenhahn
58b16f47a8 Add nmake build support for manually configuring the 'port' files to be 
built based on MSVC features.
Include tif_config.h in tools/tiffset.c.
 2020-01-25 14:11:05 -06:00
Maarten Bent
a55183aada Create tag for v4.1.0 
-----BEGIN PGP SIGNATURE-----
 
 iHQEABEIAB0WIQTr39shsCDuj9FRqI3jAQR94RmJdQUCXb81vgAKCRDjAQR94RmJ
 dbHRAPjy7sZSwOMOGJXpE+/1q0OCWB7iWWQqy7TPb9+8HdtlAQCJXl0nJ423/DJ4
 JKmIRQXuXZ4SP33SCuh34O0VR/HX1g==
 =3q0Z
 -----END PGP SIGNATURE-----

Merge tag 'v4.1.0' into wx

Create tag for v4.1.0

# gpg verification failed.
 2020-01-16 21:43:13 +01:00
Bug Checkers
47656ccb3f adds missing checks on TIFFGetField in tiffcrop tool (fixes #170) 2019-11-04 21:14:38 +00:00
Mansour Ahmadi
f2f1289601 adds a missing TIFFClose in rgb2ycbcr tool 2019-11-04 14:48:13 -05:00
Bob Friesenhahn
f18e1a2db5 Fix Cmake HAVE_GETOPT for systems which declare getopt in stdio.h. 
Fix utility baked-in getopt prototype which appears when HAVE_GETOPT is not defined.
 2019-11-03 11:21:26 -06:00
Even Rouault
b04da30e11
tiff2ps: fix use of wrong data type that caused issues (/Height being written as 0) on 64-bit big endian platforms 2019-08-18 10:52:45 +02:00
Nikola Forró
e897442344 tools/tiffcp.c: fix potential division by zero 
Signed-off-by: Nikola Forró <nforro@redhat.com>
 2019-06-12 12:23:33 +02:00
Even Rouault
b9b93f661e Merge branch 'bug2799' into 'master' 
fix fax2tiff

See merge request libtiff/libtiff!55
 2019-05-08 08:36:34 +00:00
Even Rouault
3c0becb4aa Merge branch 'bug_2844' into 'master' 
tiff2ps.c: PSDataColorContig(): avoid heap buffer overrun

See merge request libtiff/libtiff!69
 2019-04-25 09:39:01 +00:00
Thomas Bernard
ea2e933b17
tiff2pdf.c: don't call t2p_tile_collapse_left() when buffer size is wrong 
see http://bugzilla.maptools.org/show_bug.cgi?id=2785
 2019-02-28 13:44:49 +01:00
Thomas Bernard
b7d479cf8b
tiff2pdf.c: check colormap pointers 
Avoid access to non initialized pointers
http://bugzilla.maptools.org/show_bug.cgi?id=2826
 2019-02-28 13:05:19 +01:00
Thomas Bernard
05029fb7f1
PSDataColorContig(): avoid heap buffer overrun 
fixes http://bugzilla.maptools.org/show_bug.cgi?id=2844
each iteration of the loop read nc bytes
 2019-02-24 00:50:12 +01:00
Thomas Bernard
a242136916
tiff2ps.c: fix warning caused by integer promotion 
uint8 value is promoted to int in (value << 24) so -fsanitize
yield runtime errors :
tiff2ps.c:2969:33: runtime error: left shift of 246 by 24 places cannot be represented in type 'int'
 2019-02-22 16:23:33 +01:00
Even Rouault
27124e9148 Merge branch 'issue_2833' into 'master' 
tiffcp.c: check that (Tile Width)*(Samples/Pixel) do no overflow

See merge request libtiff/libtiff!60
 2019-02-19 14:39:26 +00:00
Thomas Bernard
9cfa5c4691 tiffcrop.c: fix invertImage() for bps 2 and 4 
too much bytes were processed, causing a heap buffer overrun
    http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
    for (col = 0; col < width; col += 8 / bps)

Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.

But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
 2019-02-11 23:08:25 +01:00
Thomas Bernard
7cc76e9bc4 tiffcp.c: use INT_MAX 2019-02-11 21:42:03 +01:00
Thomas Bernard
2b0d0e6997 check that (Tile Width)*(Samples/Pixel) do no overflow 
fixes bug 2833
 2019-02-11 10:05:33 +01:00
Even Rouault
ae0bed1fe5 Merge branch 'master' into 'master' 
Fix for simple memory leak that was assigned CVE-2019-6128.

See merge request libtiff/libtiff!50
 2019-02-02 14:46:05 +00:00
Even Rouault
933784a10a Merge branch 'bug2835' into 'master' 
tiff2ps: fix heap-buffer-overflow

See merge request libtiff/libtiff!53
 2019-02-02 14:32:58 +00:00
Yuri Aksenov
88b410f800
fix fax2tiff 
see http://bugzilla.maptools.org/show_bug.cgi?id=2799
fixes d9bc8472e7
 2019-02-02 15:14:54 +01:00
Thomas Bernard
309bfd7f61
tiff2ps: fix heap-buffer-overflow 
http://bugzilla.maptools.org/show_bug.cgi?id=2834

usually the test (i < byte_count) is OK because the byte_count is divisible by samplesperpixel.
But if that is not the case, (i + ncomps) < byte_count should be used, or
maybe (i + samplesperpixel) <= byte_count
 2019-01-29 10:47:14 +01:00
Thomas Bernard
5c222ec96c
tiffcrop: shut up clang warnings 
make the out filename building a bit more simple
and remove the use of strcat()
 2019-01-28 16:10:28 +01:00
Scott Gayou
0c74a9f49b Fix for simple memory leak that was assigned CVE-2019-6128. 
pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
 2019-01-23 15:09:59 -05:00
Bob Friesenhahn
a0e273fdca Fix tiff2ps error regarding "Inconsistent value of es" by allowing es to be zero. 
Problem was reported to the tiff mailing list by Julian H. Stacey on January 5, 2019.
 2019-01-05 13:56:09 -06:00
Even Rouault
ae0325a1ab Merge branch 'resource-leaks' into 'master' 
Fix two resource leaks

See merge request libtiff/libtiff!43
 2018-12-07 20:58:13 +00:00
Bob Friesenhahn
d6f7cf744c tiffcrop.c: Avoid new clang warning about tools/tiffcrop.c "size argument in 'strncat' call appears to be size of the source". 2018-12-01 09:16:10 -06:00
Maarten Bent
c70cb3d7b4 Rerun autogen.sh 2018-11-17 13:42:17 +01:00
Maarten Bent
0725740623 Create tag for v4.0.10 
-----BEGIN PGP SIGNATURE-----
 
 iHUEABEIAB0WIQTr39shsCDuj9FRqI3jAQR94RmJdQUCW+b+SgAKCRDjAQR94RmJ
 dVERAQCGCSozFaK8M9k0MEgvsWcg1lMr/5VfAmUCfiLIDL7OygEAz0ZoTuYxpAxt
 gz2+JmWNlJIlseQZemczpJh5lToiXuM=
 =bMQi
 -----END PGP SIGNATURE-----

Merge tag 'v4.0.10' into wx
 2018-11-17 13:24:09 +01:00
Bob Friesenhahn
2480971bba tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime. 2018-11-03 13:27:20 -05:00
Bob Friesenhahn
ed624dfe48 tiffcrop.c: Eliminate compiler warning about snprintf output truncation when formatting filenum. 2018-11-03 10:00:11 -05:00
Bob Friesenhahn
34b5be5a2e Eliminate compiler warnings about duplicate definitions of streq/strneq macros. 2018-11-03 09:35:19 -05:00
Nikola Forró
2f694198f1 Fix two resource leaks 
Signed-off-by: Nikola Forró <nforro@redhat.com>
 2018-10-31 11:50:48 +01:00
Even Rouault
99b10edde9
tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 2018-10-30 18:50:27 +01:00
Even Rouault
1a926533b8 Merge branch 'tif_webp' into 'master' 
webp support

See merge request libtiff/libtiff!32
 2018-10-05 19:41:16 +00:00
Norman Barker
9eacd59fec webp in tiff 2018-10-05 11:21:17 -05:00
Young_X
97c95667f6 fix out-of-bound read on some tiled images. 2018-09-08 15:07:53 +08:00
Young_X
6da1fb3f64 avoid potential int32 overflows in multiply_ms() 2018-09-08 14:46:27 +08:00
Young_X
f1b94e8a3b only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 2018-09-08 14:36:12 +08:00
Roger Leigh
43586d4105 tiffset: Add support for LONG8, SLONG8 and IFD8 field types 2018-03-23 22:11:17 +00:00
Stefan Weil
642b8f998e Fix some typos 
Most of them were found by codespell.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
 2018-02-24 21:47:52 +01:00
Even Rouault
442fa64e41 Merge branch 'zstd' 2018-02-14 15:41:04 +01:00
Nathan Baker
473851d211 Fix for bug 2772 
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.

This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
 2018-02-12 09:43:34 -05:00
Nathan Baker
e9fa4baf1d Fix all compiler warnings for default build 2018-02-04 23:54:17 +00:00
Vadim Zeitlin
aa65abe076 Merge remote-tracking branch 'upstream/master' into wx 
Regenerate the files produced by autotools removed upstream as our build
system relies on having them.
 2018-01-28 17:20:14 +01:00
Even Rouault
c4d31e9b06 Merge branch 'patch-1' into 'master' 
Update CMakeLists.txt for build fix on Windows

See merge request libtiff/libtiff!14
 2018-01-27 11:22:09 +00:00
Even Rouault
fb0489937c Merge branch 'patch-2' into 'master' 
Update tiffgt.c for build fix on Windows

See merge request libtiff/libtiff!13
 2018-01-27 11:20:46 +00:00
Nathan Baker
9171da596c Add workaround to pal2rgb buffer overflow. 2018-01-25 21:28:15 +00:00
Andrea
a6195d0ad4 Update tiffgt.c for build fix on Windows 2018-01-24 01:25:13 +00:00
Andrea
e7b87e5d3e Update CMakeLists.txt for build fix on Windows 2018-01-24 01:19:44 +00:00
Even Rouault
62b9df5d2a Add ZSTD compression codec 
From https://github.com/facebook/zstd
"Zstandard, or zstd as short version, is a fast lossless compression
algorithm, targeting real-time compression scenarios at zlib-level
and better compression ratios. It's backed by a very fast entropy stage,
provided by Huff0 and FSE library."

We require libzstd >= 1.0.0 so as to be able to use streaming compression
and decompression methods.

The default compression level we have selected is 9 (range goes from 1 to 22),
which experimentally offers equivalent or better compression ratio than
the default deflate/ZIP level of 6, and much faster compression.

For example on a 6600x4400 16bit image, tiffcp -c zip runs in 10.7 seconds,
while tiffcp -c zstd runs in 5.3 seconds. Decompression time for zip is
840 ms, and for zstd 650 ms. File size is 42735936 for zip, and
42586822 for zstd. Similar findings on other images.

On a 25894x16701 16bit image,

                Compression time     Decompression time     File size

ZSTD                 35 s                   3.2 s          399 700 498
ZIP/Deflate       1m 20 s                   4.9 s          419 622 336
 2017-12-21 13:32:02 +01:00
Brian May
d4f213636b tiff2pdf: Fix apparent incorrect type for transfer table 
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
 2017-12-11 07:35:41 +11:00
Brian May
3dd8f6a357 tiff2pdf: Fix CVE-2017-9935 
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.

We than read the transfer function for every page.  Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.

For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.

When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.

There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.

It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.

This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
 2017-12-11 07:35:18 +11:00
Even Rouault
9c243a11a3 Merge branch 'remove_autogenerated_files' into 'master' 
Remove autogenerated files

See merge request libtiff/libtiff!5
 2017-12-02 22:10:48 +00:00
Bob Friesenhahn
79bb4d034f 'tif_config.h' or 'tiffio.h' must be included before any system header. 2017-12-02 14:45:03 -06:00
Even Rouault
c56eda4b7e Remove remaining .cvsignore files 2017-12-01 15:55:10 +01:00
Even Rouault
2440a113ea Remove autoconf/automake generated files, and add them to .gitignore 2017-12-01 15:54:48 +01:00
Even Rouault
8603db6cfa Regenerate autoconf files 2017-11-30 18:10:01 +01:00
Even Rouault
f0a54a4fa0 Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
Bob Friesenhahn
25f9ffa565 * tools/tiff2bw.c (main): Free memory allocated in the tiff2bw 
program.  This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
 2017-11-01 13:41:58 +00:00
Bob Friesenhahn
61d4eb3a01 tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison. 2017-10-29 18:50:41 +00:00
Bob Friesenhahn
1cb6c46b9d fax2tiff: Pass the FAX_Client_Data struct as client data 2017-10-29 18:28:43 +00:00
Even Rouault
76a2b9d619 * tools/tiffset.c: fix setting a single value for the ExtraSamples tag 
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
 2017-10-01 17:38:12 +00:00
Even Rouault
979751c407 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" 
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
 2017-07-15 11:13:46 +00:00
Even Rouault
222083301a * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) 2017-07-11 09:10:28 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
 2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. 
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
 2017-04-27 19:50:01 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD 
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
 2017-04-27 15:46:22 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
 2017-01-14 13:12:33 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and 
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
 2017-01-11 19:25:44 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace 
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
 2017-01-11 12:51:59 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in 
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
 2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in 
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
 2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger 
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
 2016-12-20 17:13:26 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode 
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
 2016-12-18 10:37:59 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW 
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
 2016-12-17 19:45:28 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. 
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
 2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based 
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
 2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
 2016-12-03 15:44:15 +00:00