Even Rouault
55e5962794
* tools/raw2tiff.c: avoid integer division by zero.
...
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
...
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
...
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9
* libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
...
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
2017-01-11 20:33:35 +00:00
Even Rouault
480167a350
* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
...
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5
Fix commit message
2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170
* libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
...
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
2017-01-11 19:02:49 +00:00
Even Rouault
537cd1da18
Initialize variable to fix MSVC warning (caused by previous commit)
2017-01-11 17:48:11 +00:00
Even Rouault
a48c640a01
* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
...
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5
* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
...
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
2017-01-11 16:33:34 +00:00
Even Rouault
153418c943
* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
...
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc
* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
...
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104
* libtiff/tif_dirread.c: avoid division by floating point 0 in
...
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
...
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c
* libtiff/tif_jpeg.c: avoid integer division by zero in
...
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05
* libtiff/tif_jpeg.c: increase libjpeg max memory usable to
...
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc
* tools/tiff2pdf.c: avoid potential heap-based overflow in
...
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c
* tools/tiff2pdf.c: avoid potential invalid memory read in
...
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4
* tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
...
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
7d919c7849
* libtiff/tif_getimage.c: fix potential memory leaks in error code
...
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
2016-12-18 22:28:42 +00:00
Even Rouault
732f8e0b46
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
...
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
f9f8686c7d
* libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
...
and TIFFReadRGBATileExt() variants of the functions without ext, with
an extra argument to control the stop_on_error behaviour.
2016-12-17 22:33:11 +00:00
Even Rouault
0a85b00c8b
* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
...
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634 .
2016-12-17 19:45:28 +00:00
Lee Howard
709f14f258
HylaFAX not Halyfax
2016-12-14 18:36:27 +00:00
Even Rouault
6e3867b3e6
Fix spelling in ChangeLog
2016-12-13 18:27:47 +00:00
Even Rouault
27d6152ddd
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
...
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
2016-12-13 18:15:48 +00:00
Even Rouault
a3196dff73
* html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html
...
from installed pages since the corresponding utilities are no longer
installed. Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-04 17:56:18 +00:00
Even Rouault
ef0803fc75
* libtiff/tif_write.c: fix misleading indentation as warned by GCC.
2016-12-03 21:57:44 +00:00
Even Rouault
2766c8583d
* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
...
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
...
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
...
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
2016-12-03 15:44:15 +00:00
Even Rouault
f703a4c7b3
* man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man
...
pages since the corresponding utilities are no longer installed.
Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-03 15:39:49 +00:00
Even Rouault
1f7151900c
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
...
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
Reported by Agostino Sarubbo.
2016-12-03 15:30:31 +00:00
Even Rouault
5b52559d39
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
...
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca
* tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
...
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
2016-12-03 14:18:48 +00:00
Even Rouault
4dc0503820
Fix typo on reporter name
2016-12-03 13:30:45 +00:00
Even Rouault
5c47f33899
* tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
...
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8
* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
...
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b
* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
...
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
2016-12-03 11:35:56 +00:00
Even Rouault
45ba019d0f
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
...
OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
2016-12-03 11:15:18 +00:00
Even Rouault
9e9a0bbfb2
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
...
instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
the total size of data is not sufficient to fill the whole image, and thus
results in reading outside of the StripByCounts/StripOffsets arrays when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608 .
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.
2016-12-03 11:02:15 +00:00
Even Rouault
cec2d959be
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
...
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
2016-12-02 23:05:51 +00:00
Even Rouault
78dab0996f
* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
...
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
2016-12-02 22:13:32 +00:00
Even Rouault
30703a1677
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
...
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
2016-12-02 21:56:56 +00:00
Even Rouault
523e4e33e8
Add CVE number
2016-11-22 10:58:57 +00:00
Even Rouault
58788e4ea1
* libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned
...
vs signed formatting (cppcheck invalidPrintfArgType_uint warnings)
2016-11-20 22:31:21 +00:00
Even Rouault
cdc3c9b7e1
Commit changes that should have gone with previous commit
2016-11-20 22:29:47 +00:00
Even Rouault
a9cf335a77
* libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to
...
fix cppcheck clarifyCalculation warnings
2016-11-20 22:20:46 +00:00
Bob Friesenhahn
5ba49e2beb
* tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
...
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O. Patch was provided via
email on November 20, 2016.
2016-11-20 18:04:52 +00:00
Bob Friesenhahn
884f973652
* libtiff 4.0.7 released.
...
* configure.ac: Update for 4.0.7 release.
2016-11-19 17:47:39 +00:00