Commit Graph

573 Commits

Author SHA1 Message Date
Bob Friesenhahn
61d4eb3a01 tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison. 2017-10-29 18:50:41 +00:00
Bob Friesenhahn
1cb6c46b9d fax2tiff: Pass the FAX_Client_Data struct as client data 2017-10-29 18:28:43 +00:00
Even Rouault
76a2b9d619 * tools/tiffset.c: fix setting a single value for the ExtraSamples tag
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
2017-10-01 17:38:12 +00:00
Even Rouault
979751c407 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
2017-07-15 11:13:46 +00:00
Even Rouault
222083301a * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) 2017-07-11 09:10:28 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
2016-12-17 19:45:28 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
2016-12-03 15:44:15 +00:00
Even Rouault
5b52559d39 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
2016-12-03 14:18:48 +00:00
Even Rouault
5c47f33899 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8 * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
2016-12-03 11:35:56 +00:00
Even Rouault
78dab0996f * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
2016-12-02 22:13:32 +00:00
Bob Friesenhahn
5ba49e2beb * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O.  Patch was provided via
email on November 20, 2016.
2016-11-20 18:04:52 +00:00
Bob Friesenhahn
07e63bcdf8 * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
_TIFFmalloc() argument which resulted in Coverity report.  Added
more mutiplication overflow checks.
2016-11-19 15:42:46 +00:00
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path.
Fixes Coverity 1394415.
2016-11-18 14:58:46 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
2016-11-12 20:06:05 +00:00
Bob Friesenhahn
b6779d1454 tmsize_t is a signed type so change casting to cast to unsigned type before compare 2016-11-12 19:57:16 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
signed/unsigned comparison warning.
2016-11-12 18:35:11 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 19:33:06 +00:00
Even Rouault
124d8fc810 * tools/fax2tiff.c: fix segfault when specifying -r without
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
2016-10-25 22:22:45 +00:00
Even Rouault
0c05834d05 * tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
2016-10-25 20:04:21 +00:00
Even Rouault
0d521dfab0 * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
2016-10-14 19:13:20 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
2016-10-09 11:03:36 +00:00
Even Rouault
6f13bf391a * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
2016-10-08 15:54:56 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:14:42 +00:00
Even Rouault
5707841070 * tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:04:31 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
2016-09-23 22:12:18 +00:00
Even Rouault
cbdc8d8ae9 * tools/tiffcrop.c: fix C99'ism. 2016-08-16 08:54:01 +00:00
Even Rouault
ac16d2213c * tools/tiff2bw.c: fix weight computation that could result of color
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
2016-08-15 22:01:31 +00:00
Even Rouault
f18e33b3a5 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
2016-08-15 21:26:56 +00:00
Even Rouault
5dd73c2b77 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
2016-08-15 21:05:40 +00:00
Even Rouault
01bac25a5a * tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
2016-08-15 20:06:40 +00:00
Even Rouault
e54eac223b (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) 2016-07-11 21:38:31 +00:00
Even Rouault
a1277756ad * tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
2016-07-11 21:26:03 +00:00