writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
the distribution. The libtiff tools rgb2ycbcr and thumbnail are
only built in the build tree for testing. Old files are put in
new 'archive' subdirectory of the source repository, but not in
distribution archives. These changes are made in order to lessen
the maintenance burden.
Roger Leigh (via tiff mailing list on 2015-09-01) to fix issue
with BSD make and to make use of cmake in 'distcheck' target
conditional on if cmake is available.
libtiff mailing list on Mon, 22 Jun 2015 21:21:01 +0100. Several
corrections to ensure that the autotools build still works were
added by me. I have not yet tested the build using 'cmake' or
MSVC with 'nmake'.
definitions that configure produces, including for WIN64. Still
needs to be tested.
'lld' is not assured by the run-time DLLs and so GCC warns.
Add TIFF_SIZE_T and TIFF_SIZE_FORMAT to provide a type definition
and printf format specifier to deal with printing values of
'size_t' type. In particular, this was necessary for WIN64.
Added a configure test for if the system headers provide 'optarg'
(normal case) and block out the many explicit 'extern' statements
in the utilities. This was found to be necessary under Windows
when getopt is in a DLL and the symbols are already imported with
dllimport via standard header files.
An Ubuntu user noticed that tiffgt was not appropriately calling glFlush(),
which was causing tiffgt to open blank windows in some cases. I'm not sure
what the cases are, but my system happened to be one that saw blank windows,
and the one-line fix the user provided was sufficient to solve it in my case.
1. libtiffcrop-fix.patch fixes a small problem in tiffcrop, it seems it
was incorrectly using TIFFSetField instead of CopyField.
And in libtiff-correct-fax-scaling.patch we have some other changes:
2. I had to remove a check in main() that didn't allow maxPageWidth to
be bigger than pageWidth.
3. [ Omitted due to question on universality ]
4. the pagewidth variable was being set as the maxpagewidth instead,
which made all the calculations bad. This made sense when the check in
point 2 was in place, but not anymore. I've modified it so that
pagewidth is set with the specified pagewidth when maxpagewidth is
bigger.
5. The remaining lines of the patch - in exportMaskedImage() -
basically fix the scaling.
http://bugzilla.maptools.org/show_bug.cgi?id=2078#c9
The problem is that TIFF library attempts to write TIFF header as soon as the
tiff2pdf utility initializes the library. Fortunately, the library contains an
I/O abstraction feature, so there are no hardcoded writes to a file descriptor
anywhere. In particular, it appears that the utility's output suppression
feature can be used to suppress the initial write of the header.
There are a lot of code like this:
buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
written += t2pWriteFile(output, (tdata_t) buffer, buflen );
in tiff2pdf. This is seriously broken: when formatted string is larger than
buffer, snprintf return value is >= sizeof(buffer) [current standard] or -1
[legacy]. And in case of other errors, snprintf returns -1.
Both would result in reading unallocated memory and possible SIGSEGV (DoS).
I doubt it can be really exploitable (to begin with, in most cases buffer was
large enough and sprintf->snprintf change was pure paranoia, IMO), but /if/ you
decided previous code was not safe and snprintf is necessary, /then/ you MUST
check its return value.
value as argument".
(checksignature): Fix Coverity 1024894 "Ignoring number of bytes
read".
(readextension): Fix Coverity 1024893 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024890 "Ignoring number of bytes
read".
(readraster): Fix Coverity 1024891 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024892 "Ignoring number of bytes
read".
value from library".
(guessSize): Fix Coverity 1024888 "Unchecked return value from
library".
(guessSize): Fix Coverity 1214162 "Ignoring number of bytes read".
(guessSize): Fix Coverity 1024889 "Unchecked return value from
library".
as argument".
(main): Fix Coverity 1024678 "Unchecked return value from
library".
(main): Fix Coverity 1024679 "Unchecked return value from
library".
(main): Fix Coverity 1214160 "Ignoring number of bytes read".
