Even Rouault
7475a28508
tif_ojpeg.c: avoid use of uninitialized memory on edge/broken file. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16844
2019-09-02 16:21:02 +02:00
Even Rouault
4b2a343001
tiff_read_rgba_fuzzer.cc: add a -DSTANDALONE mode for easier reproduction of oss-fuzz reports
2019-09-02 15:33:46 +02:00
Even Rouault
760ecced1e
tif_dirread.c: allocChoppedUpStripArrays(). avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16846
2019-09-01 15:57:17 +02:00
Even Rouault
c22f319eb4
tif_ojpeg.c: avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16793
2019-08-27 10:58:21 +02:00
Even Rouault
9034afb440
TIFFReadDirEntryData(): rewrite to avoid unsigned integer overflow (not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16792
2019-08-27 00:02:29 +02:00
Even Rouault
244dfb46af
TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16784
2019-08-26 18:57:29 +02:00
Even Rouault
1a4efdd151
JPEG: avoid use of unintialized memory on corrupted files
...
Follow-up of cf3ce6fab8
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16602
Credit to OSS Fuzz
2019-08-25 14:54:26 +02:00
Even Rouault
804f40f3bf
_TIFFPartialReadStripArray(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685
2019-08-24 00:37:17 +02:00
Even Rouault
7db298e3a8
OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile dimensions close to UINT32_MAX. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16683
2019-08-23 23:03:15 +02:00
Even Rouault
67f7561e70
TIFFFillStrip(): avoid harmless unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16653
2019-08-23 14:54:26 +02:00
Even Rouault
ea271d7434
EstimateStripByteCounts(): avoid unsigned integer overflow. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16643&
2019-08-23 13:03:44 +02:00
Even Rouault
5f6349d3f8
tif_ojpeg: avoid unsigned integer overflow (probably not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16635
2019-08-23 12:38:46 +02:00
Even Rouault
c9edebfdb0
tif_thunder: avoid unsigned integer overflow (not a bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16632
2019-08-23 12:28:25 +02:00
Even Rouault
f277541bd8
_TIFFMultiply32() / _TIFFMultiply64(): avoid relying on unsigned integer overflow (not a bug)
2019-08-22 13:02:07 +02:00
Even Rouault
c8f268ef1b
EstimateStripByteCounts(): avoid unsigned integer overflow
2019-08-22 10:19:44 +02:00
Even Rouault
761d50e34d
EstimateStripByteCounts(): avoid unsigned integer overflow
2019-08-21 17:59:15 +02:00
Even Rouault
324aa65c0d
EstimateStripByteCounts(): avoid harmless unsigned integer overflow
2019-08-20 18:09:46 +02:00
Even Rouault
dd50fedc2f
_TIFFPartialReadStripArray(): avoid triggering unsigned integer overflow with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)
2019-08-20 15:29:06 +02:00
Even Rouault
b04da30e11
tiff2ps: fix use of wrong data type that caused issues (/Height being written as 0) on 64-bit big endian platforms
2019-08-18 10:52:45 +02:00
Even Rouault
1a11c9df6e
setByteArray(): fix previous commit
2019-08-16 19:59:18 +02:00
Even Rouault
1302ffb350
setByteArray(): avoid potential signed integer overflow. Pointed by Hendra Gunadi. No actual problem known (which does not mean there wouldn't be any. Particularly on 32bit builds)
2019-08-16 19:47:42 +02:00
Even Rouault
4bb584a35f
RGBA interface: fix integer overflow potentially causing write heap buffer overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443 . Credit to OSS Fuzz
2019-08-15 15:05:28 +02:00
Even Rouault
2218055ca6
Merge branch 'fix_integer_overflow' into 'master'
...
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
See merge request libtiff/libtiff!90
2019-08-14 09:47:58 +00:00
Even Rouault
1b5e3b6a23
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
...
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which lead to
this fix was trigged from tif_fax3.c
There were also unsafe (implementation defied), and broken in practice on 64bit
builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
2019-08-13 10:40:08 +02:00
Even Rouault
12768a24b1
TIFFClientOpen(): fix memory leak if one of the required callbacks is not provided. Fixed Coverity GDAL CID 1404110
2019-08-12 22:51:09 +02:00
Even Rouault
ea69462ea2
OJPEGReadBufferFill(): avoid very long processing time on corrupted files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16400 . master only
2019-08-12 17:55:56 +02:00
Even Rouault
187e596861
oss-fuzz/tiff_read_rgba_fuzzer.cc: fix wrong env variable value in previous commit
2019-08-11 00:36:31 +02:00
Even Rouault
2c7e74245a
oss-fuzz/tiff_read_rgba_fuzzer.cc: avoid issue with libjpeg-turbo and MSAN
2019-08-11 00:24:41 +02:00
Even Rouault
43908ce15e
OJPEG: fix integer division by zero on corrupted subsampling factors. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15824 . Credit to OSS Fuzz
2019-08-10 19:36:09 +02:00
Even Rouault
75c1cf5e91
Merge branch 'ossfuzz_i386'
2019-08-10 18:45:16 +02:00
Even Rouault
76f1531f5f
contrib/oss-fuzz/build.sh: fix for i386 build of jbigkit, and use $LIB_FUZZING_ENGINE
2019-08-10 18:40:50 +02:00
Even Rouault
a7fa3410d9
Merge branch 'patch-1' into 'master'
...
fix two tiny typos
See merge request libtiff/libtiff!89
2019-08-10 16:00:00 +00:00
Reto Kromer
3fd6bb95dc
fix two tiny typos
2019-08-10 15:54:23 +00:00
Even Rouault
66ff50ec79
Merge branch 'patch-1' into 'master'
...
fix a typo in man page
See merge request libtiff/libtiff!88
2019-08-09 17:26:44 +00:00
Reto Kromer
2d4bb5bdc2
fix typo
2019-08-09 17:20:26 +00:00
Even Rouault
c9cb49177b
Merge branch 'TIFFTAGID_Zero_reading_IGNORE' into 'master'
...
Suppressed Reading of Tiff tags with ID = 0 (like GPSVERSIONID) corrected.
See merge request libtiff/libtiff!77
2019-08-04 13:23:07 +00:00
Su Laus
6f5c9477dd
Reading of Tiff tags with ID = 0 (like GPSVERSIONID) corrected.
...
IGNORE placeholder in tif_dirread.c is now replaced by a field dir_ignore in the TIFFDirEntry structure
Currently, in tif_dirread.c a special IGNORE value for the tif tags is defined
in order to flag status preventing already processed tags from further processing.
This irrational behaviour prevents reading of custom tags with id code 0 - like tag GPSVERSIONID from EXIF 2.31 definition.
An additional field 'tdir_ignore' is now added to the TIFFDirEntry structure and code is changed
to allow tags with id code 0 to be read correctly.
This change was already proposed as pending improvement in tif_dirread.c around line 32.
Reference is also made to:
- Discussion in https://gitlab.com/libtiff/libtiff/merge_requests/39
- http://bugzilla.maptools.org/show_bug.cgi?id=2540
Comments and indention adapted.
Preparation to rebase onto master
2019-08-04 13:23:07 +00:00
Even Rouault
d8e707a953
Merge branch 'cmake_amd64' into 'master'
...
CMakeLists.txt: properly set value of HOST_FILLORDER to LSB2MSB for Windows CMake builds
See merge request libtiff/libtiff!87
2019-07-16 09:54:55 +00:00
Even Rouault
5e7e9b597f
CMakeLists.txt: properly set value of HOST_FILLORDER to LSB2MSB for Windows CMake builds
...
As can be seen in https://ci.appveyor.com/project/rleigh-codelibre/libtiff-didfs/builds/25846668/job/ory5w098j8wcij9x
log, the HOST_FILLORDER is not properly set:
[00:02:58] -- CMAKE_HOST_SYSTEM_PROCESSOR set to AMD64
[00:02:58] -- HOST_FILLORDER set to FILLORDER_MSB2LSB
Ther reason is that we match the "amd64.*" lowercase string whereas
CMAKE_HOST_SYSTEM_PROCESSOR is set to AMD64 uppercase.
2019-07-15 12:19:27 +02:00
Even Rouault
a21714f028
TIFFWriteCheck(): call TIFFForceStrileArrayWriting() when needed (should have gone with eaeca6274a
) (master only)
2019-07-09 13:56:18 +02:00
Even Rouault
6662e2b388
Merge branch 'fix_chromium_925269' into 'master'
...
OJPEG: avoid use of unintialized memory on corrupted files
See merge request libtiff/libtiff!86
2019-07-09 11:47:43 +00:00
Even Rouault
cf3ce6fab8
OJPEG: avoid use of unintialized memory on corrupted files
...
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=925269
Patch from Lei Zhang with little adaptations.
2019-07-05 18:51:46 +02:00
Even Rouault
ab3204b167
Merge branch 'fix-division-by-zero' into 'master'
...
Return infinite distance when denominator is zero.
See merge request libtiff/libtiff!85
2019-06-29 16:54:50 +00:00
Dirk Lemstra
b381187db6
Return infinite distance when denominator is zero.
2019-06-29 18:44:38 +02:00
Even Rouault
424972255f
Merge branch 'typetests' into 'master'
...
Add test to check that libtiff types have the correct size
See merge request libtiff/libtiff!57
2019-06-29 09:41:17 +00:00
Nikola Forró
e897442344
tools/tiffcp.c: fix potential division by zero
...
Signed-off-by: Nikola Forró <nforro@redhat.com>
2019-06-12 12:23:33 +02:00
Thomas Bernard
4d26884a15
make TIFF_SSIZE_T the same bitwidth as TIFF_SIZE_T
...
it was previously the same bitwidth as unsigned char *
Pointers can be larger than size_t.
2019-05-31 20:10:51 +02:00
Thomas Bernard
69ce2652ef
Add test to check that libtiff types have the correct size
...
in configure/CMakeList.txt :
- TIFF_INT8_T/TIFF_UINT8_T is signed/unsigned char
sizeof(char)==1 in C standard
- TIFF_INT16_T/TIFF_UINT16_T is signed/unsigned short
sizeof(short)>=2 in C standard
- TIFF_INT32_T/TIFF_UINT32_T is defined so its sizeof() is 4
- TIFF_INT64_T/TIFF_UINT64_T is defined so its sizeof() is 8
- TIFF_SIZE_T is defined so it has same sizeof() than size_t
- TIFF_SSIZE_T is defined so it has same sizeof() than unsigned char *
2019-05-31 20:10:51 +02:00
Even Rouault
91480d3d3c
Merge branch 'defer_strile_writing' into 'master'
...
Add TIFFDeferStrileArrayWriting() and TIFFForceStrileArrayWriting()
See merge request libtiff/libtiff!82
2019-05-29 20:11:57 +00:00
Even Rouault
9cf3a97bea
Merge branch 'TIFFReadFromUserBuffer' into 'master'
...
Add TIFFReadFromUserBuffer()
See merge request libtiff/libtiff!81
2019-05-29 20:11:43 +00:00