Commit Graph

981 Commits

Author SHA1 Message Date
Even Rouault
5b79c1f364 * libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
2014-12-29 12:09:11 +00:00
Even Rouault
5b06ac3f28 * libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing
extented tags installed by user code through the extender mechaninm before
calling the extender callback (GDAL #5054)
2014-12-27 15:20:42 +00:00
Bob Friesenhahn
fdfa1a026f * tools/tiffcrop.c: Fix warnings about variables set but not used. 2014-12-26 16:32:31 +00:00
Bob Friesenhahn
a7ced11ff1 * contrib/iptcutil/iptcutil.c: Fix warnings about variables set
but not used.
2014-12-26 16:10:08 +00:00
Bob Friesenhahn
3b48ce4c7b * tools/tiffgt.c: Fix warnings about unused parameters. 2014-12-26 16:06:41 +00:00
Bob Friesenhahn
e501767856 * libtiff/tif_stream.cxx: Fix warnings about unused parameters. 2014-12-26 16:01:04 +00:00
Even Rouault
5ecaadc951 * libtiff/tif_getimage.c, libtiff/tif_ojpeg.c, libtiff/tif_zip.c: fix
various typos found by Debian lintian tool (GDAL #5756)
2014-12-25 18:29:11 +00:00
Even Rouault
65577375d4 * libtiff/tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
http://bugzilla.maptools.org/show_bug.cgi?id=2235
2014-12-24 16:57:18 +00:00
Even Rouault
34d71374cc * tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images.
http://bugzilla.maptools.org/show_bug.cgi?id=2445
2014-12-24 16:32:28 +00:00
Even Rouault
a42442d21f * tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed image.
Derived from patch by Petr Gajdos,
http://bugzilla.maptools.org/show_bug.cgi?id=2443
2014-12-24 15:38:11 +00:00
Even Rouault
59e876aeeb * libtiff/tif_dirread.c: In EstimateStripByteCounts(), check return code
of _TIFFFillStriles(). This solves crashing bug on corrupted
images generated by afl.
2014-12-23 11:06:54 +00:00
Even Rouault
ed7dd273d5 * libtiff/tif_read.c: fix several invalid comparisons of a uint64 value with
<= 0 by casting it to int64 first. This solves crashing bug on corrupted
images generated by afl.
2014-12-23 10:15:35 +00:00
Bob Friesenhahn
53c7c58dd7 * tools/tiffdump.c: Guard against arithmetic overflow when
calculating allocation buffer sizes.
2014-12-22 02:52:38 +00:00
Even Rouault
5db18217c3 * tools/tiff2bw.c: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
2014-12-21 20:58:29 +00:00
Even Rouault
aaf52fa411 * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
copying. The right fix would be to properly copy it, but not worth the burden
for those esoteric utilities.
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
2014-12-21 20:04:31 +00:00
Even Rouault
47647443c1 * tools/thumbnail.c: fix out-of-buffer write
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
2014-12-21 19:53:59 +00:00
Even Rouault
1246f97138 * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
2014-12-21 18:52:42 +00:00
Even Rouault
7d3b9da6cb * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
2014-12-21 18:07:48 +00:00
Even Rouault
29f531aeec * tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
2014-12-21 17:36:36 +00:00
Even Rouault
2dae28a91b * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
2014-12-21 16:28:37 +00:00
Even Rouault
89bef1935b Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-21 15:15:31 +00:00
Even Rouault
59d4cb0b11 libtiff/tif_jpeg.c: Fix regression introduced on 2010-05-07 that caused all tiles/strips to include quantization tables even when the jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add explicit removal of Huffman tables when jpegtablesmode has the JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the first tile/strip (only useful in update scenarios. create-only was fine) 2014-12-15 15:40:06 +00:00
Bob Friesenhahn
570fd679f6 * tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-10 02:53:30 +00:00
Even Rouault
3f2b81f2c2 tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run found with Valgrind and Address Sanitizer on test suite 2014-12-07 22:33:06 +00:00
Bob Friesenhahn
02567e23b9 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL.  The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel.  Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-07 19:32:25 +00:00
Bob Friesenhahn
3c92b0efc1 * tools/tiffdump.c: Fix double-free bug. 2014-12-06 15:58:40 +00:00
Even Rouault
8f38bc8e2d * libtiff/tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
2014-11-27 17:22:10 +00:00
Even Rouault
abea4b2b04 * libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 16:47:21 +00:00
Even Rouault
7af4d827dd * libtiff/tif_jpeg.c: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL (bug #2471)
2014-11-20 14:34:51 +00:00
Even Rouault
d1be5cb7ad * automake: updated to 1.14.1
* libtool: updated to 2.4.3
* HOWTO-RELEASE: small update about autotools building order
2014-11-20 14:28:16 +00:00
Olivier Paquet
e4f269ed3f * tools/tiff2pdf.c: Preserve input file directory order when pages
are tagged with the same page number.
2014-10-20 17:52:05 +00:00
Bob Friesenhahn
9885124f1e * libtiff/tif_dirread.c (TIFFReadDirEntryOutputErr): Incorrect
count for tag should be a warning rather than an error since
errors terminate processing.
2014-08-31 20:32:53 +00:00
Bob Friesenhahn
f6fc518396 * tools/tiff2rgba.c (]): Fixed tiff2rgba usage message in that zip
was wrongly described.  Fix suggested by Miguel Medalha.
2014-06-08 03:37:01 +00:00
Bob Friesenhahn
3d49c58cf8 Clarify that patch was by Steve Underwood but forwarded to me by Lee Howard 2014-05-07 13:31:11 +00:00
Bob Friesenhahn
f9f939b5e6 * libtiff/tif_dirinfo.c (TIFFField) : Fix data type for
TIFFTAG_GLOBALPARAMETERSIFD tag.  Patch by Lee Howard.
2014-05-07 01:54:29 +00:00
Frank Warmerdam
de103a76f8 fix last fix to TIFFNumberOfDirectories() 2013-11-30 20:24:36 +00:00
Frank Warmerdam
e2f7c06cc5 Error out on directory counting overflow. 2013-10-21 18:23:48 +00:00
Bob Friesenhahn
f4203fa738 * libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to
be defective, then set it to zero before returning error in order
to terminate processing of truncated TIFF.  Issue found and fix
suggested by Richard Nolde.

* tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244)
* tools/tiff2pdf.c: terminate after failure of allocating
* tools/tiffinfo.c: Default various values fetched with
2013-09-13 02:34:50 +00:00
Frank Warmerdam
163627448a fix possible OOB write in gif2tiff.c 2013-08-14 13:59:16 +00:00
Frank Warmerdam
44650c28f1 make more resistent to corrupt/hostile input files (#2450, CVE-2013-4231) 2013-08-14 05:18:53 +00:00
Frank Warmerdam
67d92d90f8 ensure return after memory allocation failure (#2449, CVS-2013-4232) 2013-08-14 05:11:36 +00:00
Frank Warmerdam
4e7465a311 initialize TIFFGetField() fetched values in tiffinfo.c 2013-07-10 00:44:22 +00:00
Tom Lane
96ceea8c8a Rewrite t2p_process_jpeg_strip(), to fix CVE-2013-1960. 2013-05-02 14:54:08 +00:00
Tom Lane
b6d66f9f30 Replace sprintf with snprintf, to fix CVE-2013-1961. 2013-05-02 14:44:29 +00:00
Bob Friesenhahn
e90c73e611 * configure.ac: Applied patch by Brad Smith to improve pkg-config
static linking by adding -lm to Libs.private when needed.
2013-03-29 16:50:11 +00:00
Tom Lane
feb6bd9f1d Sync tool usage printouts and man pages with reality. 2013-03-06 03:35:09 +00:00
Bob Friesenhahn
c9aee05b27 Strip extraneous trailing white-space from ChangeLog 2013-01-26 02:35:44 +00:00
Bob Friesenhahn
c204ef2a2f * tools/tiff2ps.c:Fix bug in auto rotate option code. Once a
rotation angle was set by the auto rotate check, it was retained
for all pages that followed instead of being retested for each
page.  Patch by Richard Nolde.
2013-01-26 02:24:05 +00:00
Frank Warmerdam
859bdf7523 avoid type cast warnings 2013-01-18 21:57:12 +00:00
Frank Warmerdam
f6bca3f994 avoid warnings on MSVC (bug 2427) 2013-01-18 21:37:13 +00:00