Commit Graph

546 Commits

Author SHA1 Message Date
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path.
Fixes Coverity 1394415.
2016-11-18 14:58:46 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
2016-11-12 20:06:05 +00:00
Bob Friesenhahn
b6779d1454 tmsize_t is a signed type so change casting to cast to unsigned type before compare 2016-11-12 19:57:16 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
signed/unsigned comparison warning.
2016-11-12 18:35:11 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 19:33:06 +00:00
Even Rouault
124d8fc810 * tools/fax2tiff.c: fix segfault when specifying -r without
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
2016-10-25 22:22:45 +00:00
Even Rouault
0c05834d05 * tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
2016-10-25 20:04:21 +00:00
Even Rouault
0d521dfab0 * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
2016-10-14 19:13:20 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
2016-10-09 11:03:36 +00:00
Even Rouault
6f13bf391a * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
2016-10-08 15:54:56 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:14:42 +00:00
Even Rouault
5707841070 * tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:04:31 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
2016-09-23 22:12:18 +00:00
Even Rouault
cbdc8d8ae9 * tools/tiffcrop.c: fix C99'ism. 2016-08-16 08:54:01 +00:00
Even Rouault
ac16d2213c * tools/tiff2bw.c: fix weight computation that could result of color
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
2016-08-15 22:01:31 +00:00
Even Rouault
f18e33b3a5 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
2016-08-15 21:26:56 +00:00
Even Rouault
5dd73c2b77 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
2016-08-15 21:05:40 +00:00
Even Rouault
01bac25a5a * tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
2016-08-15 20:06:40 +00:00
Even Rouault
e54eac223b (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) 2016-07-11 21:38:31 +00:00
Even Rouault
a1277756ad * tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
2016-07-11 21:26:03 +00:00
Even Rouault
a0faaf8910 Fix build failure due to previous commit 2016-07-10 16:56:18 +00:00
Even Rouault
292c431e5d * tools/tiffdump.c: fix a few misaligned 64-bit reads warned
by -fsanitize
2016-07-10 15:34:06 +00:00
Bob Friesenhahn
30366c9f22 * tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
the distribution.  The libtiff tools rgb2ycbcr and thumbnail are
only built in the build tree for testing.  Old files are put in
new 'archive' subdirectory of the source repository, but not in
distribution archives.  These changes are made in order to lessen
the maintenance burden.
2016-06-05 19:53:59 +00:00
Bob Friesenhahn
c7ff695d1b * html/bugs.html: Replace Andrey Kiselev with Bob Friesenhahn for
purposes of security issue reporting.
2016-04-08 02:34:00 +00:00
Even Rouault
87f02eaced * libtiff/*.c: fix clang -Wshorten-64-to-32 warnings 2015-11-18 20:35:07 +00:00
Bob Friesenhahn
d1fabc4db1 * tools/tiffgt.c: Silence glut API deprecation warnings on MacOS
X.  Patch by Roger Leigh.
2015-09-06 20:42:20 +00:00
Bob Friesenhahn
7bc7b77e78 * tools/tiff2pdf.c: Fix compiler warning about unused function
when JPEG is not available.

* tools/fax2ps.c (main): Detect failure to write to temporary
file.
2015-09-06 18:24:27 +00:00
Bob Friesenhahn
a9afad2a9f * Makefile.am (distcheck-hook), configure.ac: Applied patches by
Roger Leigh (via tiff mailing list on 2015-09-01) to fix issue
with BSD make and to make use of cmake in 'distcheck' target
conditional on if cmake is available.
2015-09-01 19:23:16 +00:00
Bob Friesenhahn
1fea0da266 All the CMakeLists.txt files were missing from the distribution tarball. 2015-08-30 21:26:45 +00:00
Bob Friesenhahn
d9bc8472e7 fax2tiff eliminate warning about cast to thandle_t. 2015-08-23 15:40:45 +00:00
Bob Friesenhahn
c65c70205c Fix Cmake build issues caused by Windows large file updates. 2015-08-21 01:59:33 +00:00
Bob Friesenhahn
8ba4a1c894 Support large files under Windows using tif_unix.c and libtiff tools. 2015-08-19 02:31:04 +00:00
Bob Friesenhahn
5b90af247e * CMakeLists.txt: Add CMake patchset by Roger Leigh as posted to
libtiff mailing list on Mon, 22 Jun 2015 21:21:01 +0100. Several
corrections to ensure that the autotools build still works were
added by me.  I have not yet tested the build using 'cmake' or
MSVC with 'nmake'.
2015-06-25 02:27:58 +00:00
Bob Friesenhahn
d21d2b3057 * libtiff/tif_config.vc.h: Make adjustments to match the new
definitions that configure produces, including for WIN64.  Still
needs to be tested.

'lld' is not assured by the run-time DLLs and so GCC warns.
Add TIFF_SIZE_T and TIFF_SIZE_FORMAT to provide a type definition
and printf format specifier to deal with printing values of
'size_t' type.  In particular, this was necessary for WIN64.
Added a configure test for if the system headers provide 'optarg'
(normal case) and block out the many explicit 'extern' statements
in the utilities.  This was found to be necessary under Windows
when getopt is in a DLL and the symbols are already imported with
dllimport via standard header files.
2015-06-21 01:09:09 +00:00
Lee Howard
76939f073f From Jay Berkenbilt on Bug 2401.
An Ubuntu user noticed that tiffgt was not appropriately calling glFlush(),
which was causing tiffgt to open blank windows in some cases.  I'm not sure
what the cases are, but my system happened to be one that saw blank windows,
and the one-line fix the user provided was sufficient to solve it in my case.
2015-06-14 21:44:17 +00:00
Lee Howard
106157e7d7 change ColorTransform from "0" to "1" following Bugzilla Bug #2150. 2015-06-14 20:54:32 +00:00
Lee Howard
b8335269b6 From Eduardo Robles Elvira:
1. libtiffcrop-fix.patch fixes a small problem in tiffcrop, it seems it
was incorrectly using TIFFSetField instead of CopyField.

And in libtiff-correct-fax-scaling.patch we have some other changes:

2. I had to remove a check in main() that didn't allow maxPageWidth to
be bigger than pageWidth.

3. [ Omitted due to question on universality ]

4. the pagewidth variable was being set as the maxpagewidth instead,
which made all the calculations bad. This made sense when the check in
point 2 was in place, but not anymore. I've modified it so that
pagewidth is set with the specified pagewidth when maxpagewidth is
bigger.

5. The remaining lines of the patch  - in exportMaskedImage() -
basically fix the scaling.
2015-06-13 05:49:18 +00:00
Lee Howard
b6346f6672 From Antti S. Lankila on:
http://bugzilla.maptools.org/show_bug.cgi?id=2078#c9

The problem is that TIFF library attempts to write TIFF header as soon as the
tiff2pdf utility initializes the library. Fortunately, the library contains an
I/O abstraction feature, so there are no hardcoded writes to a file descriptor
anywhere. In particular, it appears that the utility's output suppression
feature can be used to suppress the initial write of the header.
2015-06-13 05:32:13 +00:00
Lee Howard
a3f0d4471b From Yuriy M. Kaminskiy:
There are a lot of code like this:

	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
	written += t2pWriteFile(output, (tdata_t) buffer, buflen );

in tiff2pdf. This is seriously broken: when formatted string is larger than
buffer, snprintf return value is >= sizeof(buffer) [current standard] or -1
[legacy]. And in case of other errors, snprintf returns -1.
Both would result in reading unallocated memory and possible SIGSEGV (DoS).

I doubt it can be really exploitable (to begin with, in most cases buffer was
large enough and sprintf->snprintf change was pure paranoia, IMO), but /if/ you
decided previous code was not safe and snprintf is necessary, /then/ you MUST
check its return value.
2015-06-13 05:14:57 +00:00
Bob Friesenhahn
478e51124b * tools/gif2tiff.c (readgifimage): Fix Coverity 1024222 "Untrusted
value as argument".
(checksignature): Fix Coverity 1024894 "Ignoring number of bytes
read".
(readextension): Fix Coverity 1024893 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024890 "Ignoring number of bytes
read".
(readraster): Fix Coverity 1024891 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024892 "Ignoring number of bytes
read".
2015-05-30 20:15:59 +00:00
Bob Friesenhahn
5d43ae368e * tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 1024181
"Structurally dead code".
2015-05-30 17:07:53 +00:00
Bob Friesenhahn
e18809068d * tools/raw2tiff.c (main): Fix Coverity 1024887 "Unchecked return
value from library".
(guessSize): Fix Coverity 1024888 "Unchecked return value from
library".
(guessSize): Fix Coverity 1214162 "Ignoring number of bytes read".
(guessSize): Fix Coverity 1024889 "Unchecked return value from
library".
2015-05-30 16:13:29 +00:00
Bob Friesenhahn
cf204cbace * tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 298621
"Resource leak".
(t2p_readwrite_pdf_image): Fix Coverity 1024181 "Structurally dead
code".
(t2p_write_pdf): Fix Coverity 1227690 "Unused value".
2015-05-30 15:33:54 +00:00
Bob Friesenhahn
b22be0db67 * tools/bmp2tiff.c (main): Fix Coverity 1024225 "Untrusted value
as argument".
(main): Fix Coverity 1024678 "Unchecked return value from
library".
(main): Fix Coverity 1024679 "Unchecked return value from
library".
(main): Fix Coverity 1214160 "Ignoring number of bytes read".
2015-05-29 02:37:56 +00:00
Bob Friesenhahn
8942af3dfe * tools/tiffcp.c: Fix Coverity 1024306, 1024307, 1024308, 1024309
"Resource leak".
2015-05-28 13:17:35 +00:00
Bob Friesenhahn
defff15535 * tools/tiffsplit.c (cpTiles): Fix Coverity 1024304 "Resource
leak".
(cpStrips): Fix Coverity 1024305 "Resource leak".
2015-05-28 13:10:26 +00:00
Bob Friesenhahn
547c3ecfcf (main): Quiet Coverity 1024223 "Untrusted value as argument". 2015-05-28 04:07:30 +00:00