cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,057 Commits 1 Branch 0 Tags 11 MiB
781bdb7263
Commit Graph

588 Commits

Author SHA1 Message Date
Nathan Baker
e9fa4baf1d Fix all compiler warnings for default build 2018-02-04 23:54:17 +00:00
Even Rouault
c4d31e9b06 Merge branch 'patch-1' into 'master' 
Update CMakeLists.txt for build fix on Windows

See merge request libtiff/libtiff!14
 2018-01-27 11:22:09 +00:00
Even Rouault
fb0489937c Merge branch 'patch-2' into 'master' 
Update tiffgt.c for build fix on Windows

See merge request libtiff/libtiff!13
 2018-01-27 11:20:46 +00:00
Nathan Baker
9171da596c Add workaround to pal2rgb buffer overflow. 2018-01-25 21:28:15 +00:00
Andrea
a6195d0ad4 Update tiffgt.c for build fix on Windows 2018-01-24 01:25:13 +00:00
Andrea
e7b87e5d3e Update CMakeLists.txt for build fix on Windows 2018-01-24 01:19:44 +00:00
Brian May
d4f213636b tiff2pdf: Fix apparent incorrect type for transfer table 
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
 2017-12-11 07:35:41 +11:00
Brian May
3dd8f6a357 tiff2pdf: Fix CVE-2017-9935 
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.

We than read the transfer function for every page.  Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.

For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.

When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.

There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.

It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.

This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
 2017-12-11 07:35:18 +11:00
Even Rouault
9c243a11a3 Merge branch 'remove_autogenerated_files' into 'master' 
Remove autogenerated files

See merge request libtiff/libtiff!5
 2017-12-02 22:10:48 +00:00
Bob Friesenhahn
79bb4d034f 'tif_config.h' or 'tiffio.h' must be included before any system header. 2017-12-02 14:45:03 -06:00
Even Rouault
c56eda4b7e Remove remaining .cvsignore files 2017-12-01 15:55:10 +01:00
Even Rouault
2440a113ea Remove autoconf/automake generated files, and add them to .gitignore 2017-12-01 15:54:48 +01:00
Even Rouault
8603db6cfa Regenerate autoconf files 2017-11-30 18:10:01 +01:00
Even Rouault
f0a54a4fa0 Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
Bob Friesenhahn
25f9ffa565 * tools/tiff2bw.c (main): Free memory allocated in the tiff2bw 
program.  This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
 2017-11-01 13:41:58 +00:00
Bob Friesenhahn
61d4eb3a01 tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison. 2017-10-29 18:50:41 +00:00
Bob Friesenhahn
1cb6c46b9d fax2tiff: Pass the FAX_Client_Data struct as client data 2017-10-29 18:28:43 +00:00
Even Rouault
76a2b9d619 * tools/tiffset.c: fix setting a single value for the ExtraSamples tag 
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
 2017-10-01 17:38:12 +00:00
Even Rouault
979751c407 * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" 
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
 2017-07-15 11:13:46 +00:00
Even Rouault
222083301a * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) 2017-07-11 09:10:28 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
 2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. 
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
 2017-04-27 19:50:01 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD 
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
 2017-04-27 15:46:22 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
 2017-01-14 13:12:33 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and 
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
 2017-01-11 19:25:44 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace 
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
 2017-01-11 12:51:59 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in 
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
 2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in 
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
 2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger 
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
 2016-12-20 17:13:26 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode 
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
 2016-12-18 10:37:59 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW 
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
 2016-12-17 19:45:28 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. 
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
 2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based 
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
 2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
 2016-12-03 15:44:15 +00:00
Even Rouault
5b52559d39 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
 2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has 
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
 2016-12-03 14:18:48 +00:00
Even Rouault
5c47f33899 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. 
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
 2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8 * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in 
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
 2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so 
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
 2016-12-03 11:35:56 +00:00
Even Rouault
78dab0996f * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
 2016-12-02 22:13:32 +00:00
Bob Friesenhahn
5ba49e2beb * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix 
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O.  Patch was provided via
email on November 20, 2016.
 2016-11-20 18:04:52 +00:00
Bob Friesenhahn
07e63bcdf8 * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to 
_TIFFmalloc() argument which resulted in Coverity report.  Added
more mutiplication overflow checks.
 2016-11-19 15:42:46 +00:00
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path. 
Fixes Coverity 1394415.
 2016-11-18 14:58:46 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned 
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
 2016-11-12 20:06:05 +00:00
Bob Friesenhahn
b6779d1454 tmsize_t is a signed type so change casting to cast to unsigned type before compare 2016-11-12 19:57:16 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix 
signed/unsigned comparison warning.
 2016-11-12 18:35:11 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping 
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
 2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds 
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
 2016-11-11 21:15:25 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in 
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
 2016-11-11 19:33:06 +00:00