Commit Graph

3137 Commits

Author SHA1 Message Date
Even Rouault
bda5be3a14 * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
2017-05-17 13:48:34 +00:00
Even Rouault
f277dbaff0 * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
2017-05-17 09:53:06 +00:00
Even Rouault
3f72698b8a * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
2017-05-17 09:38:58 +00:00
Even Rouault
352c653057 * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-14 10:17:27 +00:00
Even Rouault
8d4e459102 * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00
Even Rouault
99e8fb373e * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0 * libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577 * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16 * libtiff/tif_read.c: TIFFFillStripPartial():
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831 * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
2017-05-12 20:16:37 +00:00
Even Rouault
80ee713d88 Rename variable added in previous commit to avoid symbol clash 2017-05-10 19:54:54 +00:00
Even Rouault
c9a6cfc51a * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 19:38:49 +00:00
Even Rouault
328189565b * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260 * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09 * libtiff/tif_ojpeg.c: fix potential memory leak in
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
-Wimplicit-fallthrough warnings.
2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4 * libtiff/tif_pixarlog.c: fix memory leak in error code path of
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335 * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
2017-02-18 18:46:00 +00:00
Even Rouault
62473b596b * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when te tag is present (especially on cloud hosted files).
2017-01-31 13:02:27 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984 * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9 * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
2017-01-11 20:33:35 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5 Fix commit message 2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170 * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
2017-01-11 19:02:49 +00:00
Even Rouault
537cd1da18 Initialize variable to fix MSVC warning (caused by previous commit) 2017-01-11 17:48:11 +00:00
Even Rouault
a48c640a01 * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5 * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
2017-01-11 16:33:34 +00:00
Even Rouault
153418c943 * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104 * libtiff/tif_dirread.c: avoid division by floating point 0 in
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c * libtiff/tif_jpeg.c: avoid integer division by zero in
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05 * libtiff/tif_jpeg.c: increase libjpeg max memory usable to
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
7d919c7849 * libtiff/tif_getimage.c: fix potential memory leaks in error code
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
2016-12-18 22:28:42 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
f9f8686c7d * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
and TIFFReadRGBATileExt() variants of the functions without ext, with
an extra argument to control the stop_on_error behaviour.
2016-12-17 22:33:11 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
2016-12-17 19:45:28 +00:00
Lee Howard
709f14f258 HylaFAX not Halyfax 2016-12-14 18:36:27 +00:00
Even Rouault
6e3867b3e6 Fix spelling in ChangeLog 2016-12-13 18:27:47 +00:00
Even Rouault
27d6152ddd * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
2016-12-13 18:15:48 +00:00
Even Rouault
a3196dff73 * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html
from installed pages since the corresponding utilities are no longer
installed. Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-04 17:56:18 +00:00
Even Rouault
ef0803fc75 * libtiff/tif_write.c: fix misleading indentation as warned by GCC. 2016-12-03 21:57:44 +00:00