Commit Graph

1164 Commits

Author SHA1 Message Date
Bob Friesenhahn
ca5b774b0c * libtiff/tif_getimage.c: Fix some benign warnings which appear in
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value.  Results might not be an expected value.".  Problem was
reported on November 16, 2016 on the tiff mailing list.
2016-11-18 02:47:45 +00:00
Even Rouault
6d055b4f99 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
2016-11-16 15:14:15 +00:00
Even Rouault
5936de5bae Assign CVE-2016-9297 number 2016-11-14 19:08:24 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
2016-11-12 20:06:05 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
signed/unsigned comparison warning.
2016-11-12 18:35:11 +00:00
Bob Friesenhahn
35b7f035a7 * html/v4.0.7.html: Add a file to document the pending 4.0.7
release.
2016-11-12 18:30:47 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
1a64e2ccd1 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273) 2016-11-11 21:09:07 +00:00
Even Rouault
56f3e29d18 * libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted()
when requesting Predictor tag and that the zip/lzw codec is not
configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
2016-11-11 20:45:53 +00:00
Even Rouault
9bddab5035 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
2016-11-11 20:22:01 +00:00
Even Rouault
1120426ba0 * libtiff/tif_dirread.c: reject images with OJPEG compression that
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
2016-11-11 20:01:55 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 19:33:06 +00:00
Even Rouault
a7abf0ba90 * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
2016-11-09 23:00:49 +00:00
Even Rouault
3f5f68e91b * libtiff/tif_predic.c: fix memory leaks in error code paths added in
previous commit (fix for MSVR 35105)
2016-11-04 09:19:13 +00:00
Even Rouault
a41c294c3f * libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
by Axel Souchet	& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
2016-10-31 17:24:26 +00:00
Even Rouault
124d8fc810 * tools/fax2tiff.c: fix segfault when specifying -r without
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
2016-10-25 22:22:45 +00:00
Even Rouault
c1a5a07a3a Fixing last ChangeLog entry 2016-10-25 21:38:35 +00:00
Even Rouault
739dcd28a0 * libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case	in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
2016-10-25 21:35:15 +00:00
Even Rouault
0c05834d05 * tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
2016-10-25 20:04:21 +00:00
Even Rouault
0d521dfab0 * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
2016-10-14 19:13:20 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
2016-10-09 11:03:36 +00:00
Even Rouault
6f13bf391a * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
2016-10-08 15:54:56 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:14:42 +00:00
Even Rouault
5707841070 * tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:04:31 +00:00
Bob Friesenhahn
d4dd6ccc1e * html: Change as many remotesensing.org broken links to a working
URL as possible.
2016-09-25 20:05:44 +00:00
Bob Friesenhahn
65d7db09a5 * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.

* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3).  Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."

places where it isn't done currently, but it seems this patch is enough.
2016-09-24 23:11:55 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
2016-09-23 22:12:18 +00:00
Bob Friesenhahn
645af692f6 * html/man/index.html: Comment out links to documentation for
abandoned utilities.
2016-09-20 13:35:17 +00:00
Even Rouault
b7ec5fe89c * libtiff/tif_lzma.c: typo fix in comment 2016-09-17 09:18:58 +00:00
Even Rouault
4fd5fe674a * libtiff/*.c: fix warnings raised by clang 3.9 -Wcomma 2016-09-04 21:32:55 +00:00
Even Rouault
e85c35f54e * libtiff/tif_dirwrite.c, libtiff/tif_color.c: fix warnings raised
by GCC 5 / clang -Wfloat-conversion
2016-09-03 20:15:35 +00:00
Even Rouault
3318c65cbb * libtiff/tif_dirwrite.c: fix warnings raised by GCC 5 -Wfloat-conversion 2016-09-02 22:42:00 +00:00
Even Rouault
cbdc8d8ae9 * tools/tiffcrop.c: fix C99'ism. 2016-08-16 08:54:01 +00:00
Even Rouault
ac16d2213c * tools/tiff2bw.c: fix weight computation that could result of color
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
2016-08-15 22:01:31 +00:00
Even Rouault
f18e33b3a5 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
2016-08-15 21:26:56 +00:00
Even Rouault
5dd73c2b77 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
2016-08-15 21:05:40 +00:00
Even Rouault
a71b62bcff * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
simpler check. (bugzilla #2544)


invalid tests that rejected valid files. (bugzilla #2545)
2016-08-15 20:49:48 +00:00
Even Rouault
01bac25a5a * tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
2016-08-15 20:06:40 +00:00
Even Rouault
e54eac223b (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) 2016-07-11 21:38:31 +00:00
Even Rouault
a1277756ad * tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
2016-07-11 21:26:03 +00:00
Even Rouault
febda236ac * libtiff/tif_read.c: Fix out-of-bounds read on
memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)
2016-07-10 18:00:20 +00:00
Even Rouault
292c431e5d * tools/tiffdump.c: fix a few misaligned 64-bit reads warned
by -fsanitize
2016-07-10 15:34:06 +00:00
Even Rouault
234b8543a8 Fix typo in CVE number for CVE-2016-5875 2016-07-10 10:15:07 +00:00
Even Rouault
b46aa51809 * libtiff/tif_read.c: make TIFFReadEncodedStrip() and
TIFFReadEncodedTile() directly use user provided buffer when
no compression (and other conditions) to save a memcpy().

* libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() directly use user provided buffer when
no compression to save a memcpy().
2016-07-03 16:02:17 +00:00
Even Rouault
33c391eff4 * libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

(CVE-2016-587)
2016-07-01 11:06:04 +00:00
Even Rouault
bf5b698868 * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
2016-06-28 15:12:19 +00:00
Bob Friesenhahn
c0eb1847f4 * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64
to libtiff.def
2016-06-15 13:28:11 +00:00
Bob Friesenhahn
30366c9f22 * tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
the distribution.  The libtiff tools rgb2ycbcr and thumbnail are
only built in the build tree for testing.  Old files are put in
new 'archive' subdirectory of the source repository, but not in
distribution archives.  These changes are made in order to lessen
the maintenance burden.
2016-06-05 19:53:59 +00:00
Bob Friesenhahn
01c8ca66b3 * libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the
HAVE_SNPRINTF definition.'
2016-05-10 13:04:48 +00:00