Even Rouault
1d658302f8
* libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do
...
the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols
of its internal libtiff copy.
2017-06-08 16:39:50 +00:00
Even Rouault
6281927e03
* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
...
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580 ) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
2017-06-01 12:44:04 +00:00
Even Rouault
ed38dcc52c
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
...
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
2017-05-29 11:29:06 +00:00
Even Rouault
4d3c3eec0c
Fix date in changelog entry
2017-05-29 10:14:26 +00:00
Even Rouault
2b3a489164
* libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
...
int32 overflow in TIFFYCbCrtoRGB().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
Credit to OSS Fuzz
2017-05-29 10:12:54 +00:00
Bob Friesenhahn
84e1f1b66d
libtiff 4.0.8 released
2017-05-21 19:10:50 +00:00
Bob Friesenhahn
c714d5b5a7
html/v4.0.8.html: Add description of changes targeting the 4.0.8 release.
2017-05-21 17:47:46 +00:00
Even Rouault
1a690c0e10
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
...
refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
2017-05-20 11:29:02 +00:00
Even Rouault
3d5081d29b
* libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero
...
to avoid division by zero.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
2017-05-18 06:44:35 +00:00
Even Rouault
cbe0307490
* libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to
...
float.
Credit to Google Autofuzz project
2017-05-17 21:54:04 +00:00
Even Rouault
bda5be3a14
* libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
...
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
2017-05-17 13:48:34 +00:00
Even Rouault
f277dbaff0
* libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
...
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
2017-05-17 09:53:06 +00:00
Even Rouault
3f72698b8a
* libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
...
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
2017-05-17 09:38:58 +00:00
Even Rouault
352c653057
* libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
...
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-14 10:17:27 +00:00
Even Rouault
8d4e459102
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00
Even Rouault
99e8fb373e
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
...
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0
* libtiff/tif_color.c: avoid potential int32 overflow in
...
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
...
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545 .
Credit to OSS-Fuzz
2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16
* libtiff/tif_read.c: TIFFFillStripPartial():
...
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
...
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
2017-05-12 20:16:37 +00:00
Even Rouault
80ee713d88
Rename variable added in previous commit to avoid symbol clash
2017-05-10 19:54:54 +00:00
Even Rouault
c9a6cfc51a
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
...
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 19:38:49 +00:00
Even Rouault
328189565b
* libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
...
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
...
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb
* tools/tiff2bw.c: close TIFF handle in error code path.
...
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370
* litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
...
Patch by Alan Coopersmith + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09
* libtiff/tif_ojpeg.c: fix potential memory leak in
...
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39
* libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
...
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a
* libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
...
-Wimplicit-fallthrough warnings.
2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4
* libtiff/tif_pixarlog.c: fix memory leak in error code path of
...
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335
* libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
...
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
2017-02-18 18:46:00 +00:00
Even Rouault
62473b596b
* libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
...
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when te tag is present (especially on cloud hosted files).
2017-01-31 13:02:27 +00:00
Even Rouault
55e5962794
* tools/raw2tiff.c: avoid integer division by zero.
...
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
...
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
...
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9
* libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
...
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
2017-01-11 20:33:35 +00:00
Even Rouault
480167a350
* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
...
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5
Fix commit message
2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170
* libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
...
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
2017-01-11 19:02:49 +00:00
Even Rouault
537cd1da18
Initialize variable to fix MSVC warning (caused by previous commit)
2017-01-11 17:48:11 +00:00
Even Rouault
a48c640a01
* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
...
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5
* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
...
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
2017-01-11 16:33:34 +00:00
Even Rouault
153418c943
* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
...
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc
* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
...
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104
* libtiff/tif_dirread.c: avoid division by floating point 0 in
...
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
...
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c
* libtiff/tif_jpeg.c: avoid integer division by zero in
...
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05
* libtiff/tif_jpeg.c: increase libjpeg max memory usable to
...
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc
* tools/tiff2pdf.c: avoid potential heap-based overflow in
...
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c
* tools/tiff2pdf.c: avoid potential invalid memory read in
...
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00