Commit Graph

113 Commits

Author SHA1 Message Date
Thomas Bernard
ea2e933b17
tiff2pdf.c: don't call t2p_tile_collapse_left() when buffer size is wrong
see http://bugzilla.maptools.org/show_bug.cgi?id=2785
2019-02-28 13:44:49 +01:00
Thomas Bernard
b7d479cf8b
tiff2pdf.c: check colormap pointers
Avoid access to non initialized pointers
http://bugzilla.maptools.org/show_bug.cgi?id=2826
2019-02-28 13:05:19 +01:00
Even Rouault
ae0325a1ab Merge branch 'resource-leaks' into 'master'
Fix two resource leaks

See merge request libtiff/libtiff!43
2018-12-07 20:58:13 +00:00
Bob Friesenhahn
2480971bba tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime. 2018-11-03 13:27:20 -05:00
Nikola Forró
2f694198f1 Fix two resource leaks
Signed-off-by: Nikola Forró <nforro@redhat.com>
2018-10-31 11:50:48 +01:00
Nathan Baker
473851d211 Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.

This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
2018-02-12 09:43:34 -05:00
Nathan Baker
e9fa4baf1d Fix all compiler warnings for default build 2018-02-04 23:54:17 +00:00
Brian May
d4f213636b tiff2pdf: Fix apparent incorrect type for transfer table
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
2017-12-11 07:35:41 +11:00
Brian May
3dd8f6a357 tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.

We than read the transfer function for every page.  Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.

For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.

When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.

There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.

It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.

This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
2017-12-11 07:35:18 +11:00
Even Rouault
f0a54a4fa0 Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
Bob Friesenhahn
61d4eb3a01 tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison. 2017-10-29 18:50:41 +00:00
Even Rouault
979751c407 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
2017-07-15 11:13:46 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
2016-10-09 11:03:36 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:14:42 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
2016-09-23 22:12:18 +00:00
Bob Friesenhahn
7bc7b77e78 * tools/tiff2pdf.c: Fix compiler warning about unused function
when JPEG is not available.

* tools/fax2ps.c (main): Detect failure to write to temporary
file.
2015-09-06 18:24:27 +00:00
Bob Friesenhahn
8ba4a1c894 Support large files under Windows using tif_unix.c and libtiff tools. 2015-08-19 02:31:04 +00:00
Bob Friesenhahn
d21d2b3057 * libtiff/tif_config.vc.h: Make adjustments to match the new
definitions that configure produces, including for WIN64.  Still
needs to be tested.

'lld' is not assured by the run-time DLLs and so GCC warns.
Add TIFF_SIZE_T and TIFF_SIZE_FORMAT to provide a type definition
and printf format specifier to deal with printing values of
'size_t' type.  In particular, this was necessary for WIN64.
Added a configure test for if the system headers provide 'optarg'
(normal case) and block out the many explicit 'extern' statements
in the utilities.  This was found to be necessary under Windows
when getopt is in a DLL and the symbols are already imported with
dllimport via standard header files.
2015-06-21 01:09:09 +00:00
Lee Howard
106157e7d7 change ColorTransform from "0" to "1" following Bugzilla Bug #2150. 2015-06-14 20:54:32 +00:00
Lee Howard
b6346f6672 From Antti S. Lankila on:
http://bugzilla.maptools.org/show_bug.cgi?id=2078#c9

The problem is that TIFF library attempts to write TIFF header as soon as the
tiff2pdf utility initializes the library. Fortunately, the library contains an
I/O abstraction feature, so there are no hardcoded writes to a file descriptor
anywhere. In particular, it appears that the utility's output suppression
feature can be used to suppress the initial write of the header.
2015-06-13 05:32:13 +00:00
Lee Howard
a3f0d4471b From Yuriy M. Kaminskiy:
There are a lot of code like this:

	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
	written += t2pWriteFile(output, (tdata_t) buffer, buflen );

in tiff2pdf. This is seriously broken: when formatted string is larger than
buffer, snprintf return value is >= sizeof(buffer) [current standard] or -1
[legacy]. And in case of other errors, snprintf returns -1.
Both would result in reading unallocated memory and possible SIGSEGV (DoS).

I doubt it can be really exploitable (to begin with, in most cases buffer was
large enough and sprintf->snprintf change was pure paranoia, IMO), but /if/ you
decided previous code was not safe and snprintf is necessary, /then/ you MUST
check its return value.
2015-06-13 05:14:57 +00:00
Bob Friesenhahn
5d43ae368e * tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 1024181
"Structurally dead code".
2015-05-30 17:07:53 +00:00
Bob Friesenhahn
cf204cbace * tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 298621
"Resource leak".
(t2p_readwrite_pdf_image): Fix Coverity 1024181 "Structurally dead
code".
(t2p_write_pdf): Fix Coverity 1227690 "Unused value".
2015-05-30 15:33:54 +00:00
Even Rouault
45922132cf * tools/tiff2pdf.c: Fix two crashes (oCERT-2014-013) 2015-01-22 09:58:49 +00:00
Olivier Paquet
79676ae61c * tools/tiff2pdf.c: Fixed unsigned integer addition overflow detection. 2015-01-05 19:03:11 +00:00
Even Rouault
34d71374cc * tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images.
http://bugzilla.maptools.org/show_bug.cgi?id=2445
2014-12-24 16:32:28 +00:00
Even Rouault
a42442d21f * tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed image.
Derived from patch by Petr Gajdos,
http://bugzilla.maptools.org/show_bug.cgi?id=2443
2014-12-24 15:38:11 +00:00
Even Rouault
29f531aeec * tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
2014-12-21 17:36:36 +00:00
Even Rouault
89bef1935b Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-21 15:15:31 +00:00
Bob Friesenhahn
570fd679f6 * tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-10 02:53:30 +00:00
Bob Friesenhahn
02567e23b9 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL.  The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel.  Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-07 19:32:25 +00:00
Even Rouault
abea4b2b04 * libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 16:47:21 +00:00
Olivier Paquet
e4f269ed3f * tools/tiff2pdf.c: Preserve input file directory order when pages
are tagged with the same page number.
2014-10-20 17:52:05 +00:00
Lee Howard
7b8ee1facf From: David Ryskalczyk <d235j.1@gmail.com>
Date: Thu, 18 Jul 2013 14:36:47 -0400

Here's a patch to correct an issue with creating G4-compressed PDFs.

The issue is caused by == being used to compare bitfields when only
one bit is intended to be compared. Some of the tiffs I have had both
T2P_CS_ICCBASED and T2P_CS_BILEVEL set; therefore, the current code
will fail, producing certain pages that are inverted.

The patch follows, and is also attached.

--David
2013-09-20 15:35:37 +00:00
Frank Warmerdam
67d92d90f8 ensure return after memory allocation failure (#2449, CVS-2013-4232) 2013-08-14 05:11:36 +00:00
Tom Lane
96ceea8c8a Rewrite t2p_process_jpeg_strip(), to fix CVE-2013-1960. 2013-05-02 14:54:08 +00:00
Tom Lane
b6d66f9f30 Replace sprintf with snprintf, to fix CVE-2013-1961. 2013-05-02 14:44:29 +00:00
Tom Lane
73dec72e8a Fix a couple more tiff2pdf bugs. 2012-07-19 15:43:41 +00:00
Tom Lane
7e000dd360 In tiff2pdf.c, fail when TIFFSetDirectory() fails. 2012-07-18 15:07:55 +00:00
Frank Warmerdam
0055471655 avoid some clang warnings 2012-06-15 21:51:54 +00:00
Tom Lane
f5077ed7ed Fix CVE-2012-2113 2012-06-15 21:44:31 +00:00
Bob Friesenhahn
bd77483087 * libtiff/tif_jpeg.c, tools/tiff2pdf.c, tools/tiff2ps.c: mark
NULL-deref and possible overflow
2011-05-31 17:00:03 +00:00
Bob Friesenhahn
e66a15f97e * tools/tiff2pdf.c: remove decl+set of set-but-not-used local, "written" 2011-05-31 16:57:10 +00:00