instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
the total size of data is not sufficient to fill the whole image, and thus
results in reading outside of the StripByCounts/StripOffsets arrays when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value. Results might not be an expected value.". Problem was
reported on November 16, 2016 on the tiff mailing list.
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
places where it isn't done currently, but it seems this patch is enough.
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
