Commit Graph

1295 Commits

Author SHA1 Message Date
Bob Friesenhahn
020bd2fd3b * configure.ac: libtiff 4.0.9 released. 2017-11-18 20:00:43 +00:00
Bob Friesenhahn
737c52ae13 * html/v4.0.9.html: Add HTML file to document changes in libtiff
v4.0.9.
2017-11-18 19:38:06 +00:00
Even Rouault
5426f499e8 * libtiff/tif_aux.c, tif_getimage.c, tif_read.c: typo fixes in
comments.
2017-11-17 20:20:59 +00:00
Bob Friesenhahn
45065882ae * test/Makefile.am: Add some tests for tiff2bw. 2017-11-02 13:51:22 +00:00
Bob Friesenhahn
25f9ffa565 * tools/tiff2bw.c (main): Free memory allocated in the tiff2bw
program.  This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
2017-11-01 13:41:58 +00:00
Bob Friesenhahn
61d4eb3a01 tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison. 2017-10-29 18:50:41 +00:00
Bob Friesenhahn
1cb6c46b9d fax2tiff: Pass the FAX_Client_Data struct as client data 2017-10-29 18:28:43 +00:00
Even Rouault
f258b80230 * libtiff/tif_getimage.c: avoid floating point division by zero in
initCIELabConversion()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733
Credit to OSS Fuzz
2017-10-23 11:34:26 +00:00
Even Rouault
5bf07456da * libtiff/tif_jpeg.c: add compatibility with libjpeg-turbo 1.5.2 that
honours max_memory_to_use > 0.
Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162
2017-10-17 19:04:47 +00:00
Even Rouault
7c1a32bb9f * nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use
/MDd runtime in debug mode.
2017-10-10 14:39:43 +00:00
Even Rouault
76a2b9d619 * tools/tiffset.c: fix setting a single value for the ExtraSamples tag
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
2017-10-01 17:38:12 +00:00
Even Rouault
28bf544f33 * libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735
2017-09-29 11:18:50 +00:00
Even Rouault
dfbdd88c5a dummy commit to check CVS is working 2017-09-22 13:55:49 +00:00
Even Rouault
46c51095d6 * libtiff/tif_dirread.c: add NULL check to avoid likely false positive
null-pointer dereference warning by CLang Static Analyzer.
2017-09-09 21:44:42 +00:00
Even Rouault
c4a2f72e9d * libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK()
function that checks if the offset is not bigger than INT64_MAX, so as
to avoid a -1 error return code of TIFFSeekFile() to match a required
seek to UINT64_MAX/-1.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
Adapted from proposal by Nicolas Ruff.
2017-09-07 14:02:52 +00:00
Even Rouault
860943a370 * libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed
file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since this is non compliant.


* test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
to fix "make distcheck". Patch by Roger Leigh
2017-08-29 07:30:07 +00:00
Even Rouault
fe7f0e43ee * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337


SubIFD tag by runtime check (in TIFFWriteDirectorySec())
2017-08-23 13:33:42 +00:00
Even Rouault
4958e19fae * libtiff/tif_dirwrite.c: replace assertion related to not finding the
SubIFD tag by runtime check.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
Reported by team OWL337
2017-08-23 13:21:41 +00:00
Even Rouault
8ad1c70dc1 * libtiff/tif_luv.c: further reduce memory requirements for temporary
buffer when RowsPerStrip >= image_length in LogLuvInitState() and
LogL16InitState().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
Credit to OSS Fuzz
2017-07-24 12:47:30 +00:00
Even Rouault
06155116f6 * libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped
pixel number is not a multiple of the horizontal subsampling, and
also in some other cases. Impact putcontig8bitYCbCr44tile,
putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
by Agostino Sarubbo)
and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
to OSS Fuzz)
2017-07-24 10:34:14 +00:00
Even Rouault
ec4d8e0895 * libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate():
properly break from loops on error when stoponerr is set, instead
of going on iterating on row based loop.
2017-07-24 09:52:23 +00:00
Even Rouault
c3980af085 * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
Credit to OSS-Fuzz
2017-07-18 19:45:11 +00:00
Even Rouault
d99c422dbf * libtiff/tif_read.c: add protection against excessive memory
allocation attempts in TIFFReadDirEntryArray() on short files.
Effective for mmap'ed case. And non-mmap'ed case, but restricted
to 64bit builds.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
2017-07-15 13:23:09 +00:00
Even Rouault
02271af177 * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
2017-07-15 13:19:56 +00:00
Even Rouault
5b7f711586 * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile().
Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
in the isMapped() case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.
2017-07-15 12:33:25 +00:00
Even Rouault
979751c407 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
2017-07-15 11:13:46 +00:00
Even Rouault
2ac7bddb78 * libtiff/tif_dir.c: avoid potential null pointer dereference in
_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
2017-07-11 21:38:04 +00:00
Even Rouault
c8665b503c * libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)
2017-07-11 10:54:29 +00:00
Even Rouault
abc862b594 * test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files
to test old-style LZW decompression
* test/common.sh, Makefile.am, CMakeList.txt: updated with above
2017-07-11 09:20:31 +00:00
Even Rouault
222083301a * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) 2017-07-11 09:10:28 +00:00
Even Rouault
311af0ba08 * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW
compressed files.
2017-07-11 08:55:07 +00:00
Even Rouault
d69a373ecf * libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
2017-07-10 10:40:27 +00:00
Even Rouault
c2be1447d9 * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer()
and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
TIFFReadTile() that allocates the decoded buffer only after a first
successful TIFFFillTile(). This avoids excessive memory allocation
on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
Credit to OSS Fuzz.
2017-07-04 13:27:45 +00:00
Even Rouault
733109e510 * libtiff/tif_error.c, tif_warning.c: correctly use va_list when both
an old-style and new-style warning/error handlers are installed.
Patch by Paavo Helde (sent on the mailing list)
2017-07-04 12:54:42 +00:00
Even Rouault
8eff533db2 * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously ?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz
2017-07-02 14:13:39 +00:00
Even Rouault
0f83a86b7b * man: update documentation regarding SubIFD tag and
TIFFSetSubDirectory() data type.
Patch by Eric Piel
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671
2017-06-30 17:40:02 +00:00
Even Rouault
3cb621f5cf * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
functions associated with LONG8/SLONG8 data type, replace assertion that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337
2017-06-30 17:29:44 +00:00
Even Rouault
5ba0b3116f * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
function, variant of TIFFReadEncodedStrip() that allocates the
decoded buffer only after a first successful TIFFFillStrip(). This avoids
excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
Credit to OSS Fuzz
2017-06-30 13:11:18 +00:00
Even Rouault
12bb476389 * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFileStrip() on 2017-05-10)
2017-06-30 11:29:22 +00:00
Even Rouault
385edd37e9 * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
libtiff/tif_read.c: make TIFFReadScanline() works in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.
2017-06-29 07:37:12 +00:00
Even Rouault
976774deac * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
double value can fit in a float before casting. Patch by Nicolas RUFF
2017-06-27 13:44:44 +00:00
Even Rouault
ede7b68218 * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337

* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
2017-06-26 15:19:59 +00:00
Even Rouault
a85d5f09dd * libjpeg/tif_jpeg.c: error out at decoding time if anticipated libjpeg
memory allocation is above 100 MB. libjpeg in case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleavedin a single one, needs to allocate memory (or
backing store) for the whole strip/tile.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
This limitation may be overriden by setting the
LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
2017-06-24 15:33:28 +00:00
Even Rouault
b1ee48b775 * libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive
CPU consumption on progressive JPEGs with a huge number of scans.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG
was added.
2017-06-24 13:03:25 +00:00
Even Rouault
df51988637 * libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to
disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
* libtiff/tif_predict.c: decorate legitimate functions where unsigned int
overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
* libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
and BYTECOUNTLOOKSBAD when file is too short.
* libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
* libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
potentially be a bug with huge rows.
* libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
2017-06-18 10:31:50 +00:00
Even Rouault
7057734d98 * libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items
read in StripOffsets/StripByteCounts tags to the number of strips to avoid
excessive memory allocation.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215
Credit to OSS Fuzz
2017-06-12 19:13:49 +00:00
Even Rouault
56d802d409 Reference GDAL ticket 2017-06-12 10:48:25 +00:00
Even Rouault
1cdea8b9e9 * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in
ChopUpSingleUncompressedStrip() regarding update of newly single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition bytecount==0 used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this cause
later incorrect setting for the value of StripByCounts/StripOffsets.
2017-06-12 10:45:35 +00:00
Even Rouault
ea6228c185 * .appveyor.yml, .travis.yml, build/travis-ci: apply patches
0001-ci-Travis-script-improvements.patch and
0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
(sent to mailing list)
2017-06-09 22:07:08 +00:00
Even Rouault
f2a3b02040 * .travis.yml, build/travis-ci: new files from
0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
Roger Leigh (sent to mailing list on 2017-06-08)
This patch adds support for the Travis-CI service.

* .appveyor.yml: new file from
0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
list on 2017-06-08)
This patch adds a .appveyor.yml file to the top-level.  This allows
one to opt in to having a branch built on Windows with Cygwin,
MinGW and MSVC automatically when a branch is pushed to GitHub,
GitLab, BitBucket or any other supported git hosting service.

* CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
Leigh (sent to mailing list on 2017-06-08)
This patch makes the CMake build system support running the tests
with MinGW or Cygwin.
2017-06-08 20:46:10 +00:00