Commit Graph

470 Commits

Author SHA1 Message Date
Even Rouault
2dae28a91b * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data interpreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
2014-12-21 16:28:37 +00:00
Even Rouault
89bef1935b Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-21 15:15:31 +00:00
Bob Friesenhahn
570fd679f6 * tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-10 02:53:30 +00:00
Even Rouault
3f2b81f2c2 tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run found with Valgrind and Address Sanitizer on test suite 2014-12-07 22:33:06 +00:00
Bob Friesenhahn
02567e23b9 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL.  The tiff2pdf code was expecting that the other two channels
were duplicate pointers in the case where there is only one
channel.  Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-07 19:32:25 +00:00
Bob Friesenhahn
3c92b0efc1 * tools/tiffdump.c: Fix double-free bug. 2014-12-06 15:58:40 +00:00
Even Rouault
abea4b2b04 * libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 16:47:21 +00:00
Even Rouault
d1be5cb7ad * automake: updated to 1.14.1
* libtool: updated to 2.4.3
* HOWTO-RELEASE: small update about autotools building order
2014-11-20 14:28:16 +00:00
Olivier Paquet
e4f269ed3f * tools/tiff2pdf.c: Preserve input file directory order when pages
are tagged with the same page number.
2014-10-20 17:52:05 +00:00
Bob Friesenhahn
f6fc518396 * tools/tiff2rgba.c (]): Fixed tiff2rgba usage message in that zip
was wrongly described.  Fix suggested by Miguel Medalha.
2014-06-08 03:37:01 +00:00
Lee Howard
e289d76bce Resolves a couple of buffer overflow issues pointed out by Pedro Ribeiro (pedrib@gmail.com). 2013-09-20 16:09:01 +00:00
Lee Howard
7b8ee1facf From: David Ryskalczyk <d235j.1@gmail.com>
Date: Thu, 18 Jul 2013 14:36:47 -0400

Here's a patch to correct an issue with creating G4-compressed PDFs.

The issue is caused by == being used to compare bitfields when only
one bit is intended to be compared. Some of the tiffs I have had both
T2P_CS_ICCBASED and T2P_CS_BILEVEL set; therefore, the current code
will fail, producing certain pages that are inverted.

The patch follows, and is also attached.

--David
2013-09-20 15:35:37 +00:00
Frank Warmerdam
163627448a fix possible OOB write in gif2tiff.c 2013-08-14 13:59:16 +00:00
Frank Warmerdam
44650c28f1 make more resistant to corrupt/hostile input files (#2450, CVE-2013-4231) 2013-08-14 05:18:53 +00:00
Frank Warmerdam
67d92d90f8 ensure return after memory allocation failure (#2449, CVS-2013-4232) 2013-08-14 05:11:36 +00:00
Frank Warmerdam
4e7465a311 initialize TIFFGetField() fetched values in tiffinfo.c 2013-07-10 00:44:22 +00:00
Tom Lane
96ceea8c8a Rewrite t2p_process_jpeg_strip(), to fix CVE-2013-1960. 2013-05-02 14:54:08 +00:00
Tom Lane
b6d66f9f30 Replace sprintf with snprintf, to fix CVE-2013-1961. 2013-05-02 14:44:29 +00:00
Tom Lane
feb6bd9f1d Sync tool usage printouts and man pages with reality. 2013-03-06 03:35:09 +00:00
Bob Friesenhahn
c204ef2a2f * tools/tiff2ps.c: Fix bug in auto rotate option code. Once a
rotation angle was set by the auto rotate check, it was retained
for all pages that followed instead of being retested for each
page.  Patch by Richard Nolde.
2013-01-26 02:24:05 +00:00
Tom Lane
800527edd2 Improve previous patch for CVE-2012-4564. 2012-12-10 18:19:11 +00:00
Bob Friesenhahn
74295b7487 * tools/tiffset.c: tiffset now supports a -u option to unset a
tag.  Patch by Zach Baker. See
http://bugzilla.maptools.org/show_bug.cgi?id=2419
2012-12-04 03:02:37 +00:00
Bob Friesenhahn
281ba91d09 * automake: Update Automake to 1.12.5 release. 2012-11-18 18:08:31 +00:00
Frank Warmerdam
37671b36b9 fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff 2012-11-02 05:13:24 +00:00
Bob Friesenhahn
f458c10308 * Makefile.am: Update to Automake 1.12.4 2012-09-20 13:50:27 +00:00
Bob Friesenhahn
ec5ce9c2b3 * Makefile.in: Update to Automake 1.12.3 2012-08-19 17:00:46 +00:00
Bob Friesenhahn
7d38024b8d * libtiff{tiff.h, tif_print.c, tif_dirinfo.c, tif_dirread.c}: Add
some TIFF/FX support in libtiff.  Add the tag definitions to
tiff.h.  Add the related TIFF field definitions to tif_dirinfo.c,
and also fixes an error in a comment.  Adds the photometric values
to tif_print.c, and fixes a bug.  These changes are by Steve
Underwood.

* libtiff/tif_write.c: Fix bug rewriting image tiles in a
2012-08-19 16:56:32 +00:00
Tom Lane
84595b4fd7 Add accessor functions for the opaque type TIFFField. 2012-07-29 15:45:29 +00:00
Tom Lane
73dec72e8a Fix a couple more tiff2pdf bugs. 2012-07-19 15:43:41 +00:00
Tom Lane
7e000dd360 In tiff2pdf.c, fail when TIFFSetDirectory() fails. 2012-07-18 15:07:55 +00:00
Frank Warmerdam
ee51ab00b3 ignore various windows intermediate files 2012-06-16 17:05:37 +00:00
Frank Warmerdam
0055471655 avoid some clang warnings 2012-06-15 21:51:54 +00:00
Tom Lane
f5077ed7ed Fix CVE-2012-2113 2012-06-15 21:44:31 +00:00
Frank Warmerdam
b246f148ff nicer way to avoid reading data for non-image directories 2012-06-06 06:05:29 +00:00
Frank Warmerdam
b3dadc7ff3 avoid reading imagery with -D in EXIF directories 2012-06-01 23:22:53 +00:00
Frank Warmerdam
920688aac5 avoid uninitialized variable for degenerate files 2012-05-24 03:50:31 +00:00
Bob Friesenhahn
d766e7c5a0 * Update automake used to 1.11.3. 2012-02-18 21:58:02 +00:00
Bob Friesenhahn
d338f7fe22 * configure.ac: Add libtiff private dependency on -llzma for
pkg-config.  Patch by Mark Brand.
Updated Automake to 1.11.2.
2011-12-22 17:03:48 +00:00
Bob Friesenhahn
cae87ed58a * tools/tiffsplit.c (tiffcp): TIFFGetField count field should be
uint32 type for TIFFTAG_JPEGTABLES.  Patch by Christophe
Deroulers.
2011-10-22 17:03:00 +00:00
Bob Friesenhahn
c51502913d * libtiff/tif_dirread.c (TIFFFetchStripThing): Free "data" also
upon failure to allocate "resizeddata".
* tools/tiff2ps.c (PSDataBW): Zero buffer *after* checking for
allocation failure, not before.
2011-05-31 17:10:18 +00:00
Bob Friesenhahn
d73e9e8b19 * tools/rgb2ycbcr.c (cvtRaster): unchecked malloc 2011-05-31 17:03:16 +00:00
Bob Friesenhahn
bd77483087 * libtiff/tif_jpeg.c, tools/tiff2pdf.c, tools/tiff2ps.c: mark
NULL-deref and possible overflow
2011-05-31 17:00:03 +00:00
Bob Friesenhahn
e66a15f97e * tools/tiff2pdf.c: remove decl+set of set-but-not-used local, "written" 2011-05-31 16:57:10 +00:00
Bob Friesenhahn
959042fdcf Fix spelling typo in tiff2ps. 2011-04-09 16:53:08 +00:00
Bob Friesenhahn
c546a4ccf8 * configure.ac: Should use AC_CANONICAL_HOST since host specifies
the run-time target whereas target is used to specify the final
output target if the package is a build tool (like a compiler),
which libtiff is not.  Resolves libtiff bug 2307 "Use
AC_CANONICAL_HOST macro".
2011-04-09 15:43:03 +00:00
Bob Friesenhahn
519b727004 * configure.ac: Support configuring TIFF_INT64_FORMAT and
TIFF_UINT64_FORMAT appropriately for MinGW32.

* tools/tiffdump.c (ReadDirectory): MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.

* libtiff/{tif_dumpmode.c,tif_luv.c,tif_lzw.c,tif_print.c,
tif_read.c,tif_strip.c,tif_thunder.c}: MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.

* tools/tiff2pdf.c (t2p_write_pdf_string): Fix printf syntax not
understood by WIN32 CRT.
2011-04-02 20:54:08 +00:00
Bob Friesenhahn
b69a1998be * libtiff/tif_ojpeg.c: Fixes to compile with MinGW32 GCC.
* tools/fax2ps.c (main): Use tmpfile() rather than mkstemp() since
it is much more portable.  Tmpfile is included in ISO/IEC
9899:1990 and the WIN32 CRT.
2011-04-02 19:30:20 +00:00
Frank Warmerdam
a9a1d1c65f Add -d and -sd switches to tiffset to allow operation on a particular
directory instead of just the first (jef)
2011-03-26 12:07:20 +00:00
Frank Warmerdam
91479f4d42 avoid leaks if TIFFRGBAImageBegin() fails (#2295) 2011-02-23 21:46:09 +00:00
Andrey Kiselev
d499ffbfcd Added support for specifying the compression level parameter (preset) for
Deflate and LZMA encoders, e.g. "-c lzma:p1" or "-c zip:p9".
2010-12-23 13:38:47 +00:00