Commit Graph

2966 Commits

Author SHA1 Message Date
Even Rouault
8eff533db2 * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously ?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz
2017-07-02 14:13:39 +00:00
Even Rouault
0f83a86b7b * man: update documentation regarding SubIFD tag and
TIFFSetSubDirectory() data type.
Patch by Eric Piel
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671
2017-06-30 17:40:02 +00:00
Even Rouault
170f9a6019 Fix module names in error message 2017-06-30 17:31:45 +00:00
Even Rouault
3cb621f5cf * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
functions associated with LONG8/SLONG8 data type, replace assertion that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337
2017-06-30 17:29:44 +00:00
Even Rouault
5ba0b3116f * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
function, variant of TIFFReadEncodedStrip() that allocates the
decoded buffer only after a first successful TIFFFillStrip(). This avoids
excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
Credit to OSS Fuzz
2017-06-30 13:11:18 +00:00
Even Rouault
12bb476389 * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFileStrip() on 2017-05-10)
2017-06-30 11:29:22 +00:00
Even Rouault
385edd37e9 * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
libtiff/tif_read.c: make TIFFReadScanline() works in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.
2017-06-29 07:37:12 +00:00
Even Rouault
976774deac * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
double value can fit in a float before casting. Patch by Nicolas RUFF
2017-06-27 13:44:44 +00:00
Even Rouault
ede7b68218 * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337

* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
2017-06-26 15:19:59 +00:00
Even Rouault
a85d5f09dd * libjpeg/tif_jpeg.c: error out at decoding time if anticipated libjpeg
memory allocation is above 100 MB. libjpeg in case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleavedin a single one, needs to allocate memory (or
backing store) for the whole strip/tile.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
This limitation may be overriden by setting the
LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
2017-06-24 15:33:28 +00:00
Even Rouault
b1ee48b775 * libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive
CPU consumption on progressive JPEGs with a huge number of scans.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG
was added.
2017-06-24 13:03:25 +00:00
Even Rouault
df51988637 * libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to
disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
* libtiff/tif_predict.c: decorate legitimate functions where unsigned int
overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
* libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
and BYTECOUNTLOOKSBAD when file is too short.
* libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
* libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
potentially be a bug with huge rows.
* libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
2017-06-18 10:31:50 +00:00
Even Rouault
7057734d98 * libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items
read in StripOffsets/StripByteCounts tags to the number of strips to avoid
excessive memory allocation.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215
Credit to OSS Fuzz
2017-06-12 19:13:49 +00:00
Even Rouault
56d802d409 Reference GDAL ticket 2017-06-12 10:48:25 +00:00
Even Rouault
1cdea8b9e9 * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in
ChopUpSingleUncompressedStrip() regarding update of newly single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition bytecount==0 used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this cause
later incorrect setting for the value of StripByCounts/StripOffsets.
2017-06-12 10:45:35 +00:00
Even Rouault
ea6228c185 * .appveyor.yml, .travis.yml, build/travis-ci: apply patches
0001-ci-Travis-script-improvements.patch and
0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
(sent to mailing list)
2017-06-09 22:07:08 +00:00
Even Rouault
fb19084f4d Re-add build/travis-ci with execution bit 2017-06-09 11:04:33 +00:00
Even Rouault
ff179125e2 remove build/travis-ci to re-add it with +x bit 2017-06-09 11:03:51 +00:00
Even Rouault
f2a3b02040 * .travis.yml, build/travis-ci: new files from
0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
Roger Leigh (sent to mailing list on 2017-06-08)
This patch adds support for the Travis-CI service.

* .appveyor.yml: new file from
0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
list on 2017-06-08)
This patch adds a .appveyor.yml file to the top-level.  This allows
one to opt in to having a branch built on Windows with Cygwin,
MinGW and MSVC automatically when a branch is pushed to GitHub,
GitLab, BitBucket or any other supported git hosting service.

* CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
Leigh (sent to mailing list on 2017-06-08)
This patch makes the CMake build system support running the tests
with MinGW or Cygwin.
2017-06-08 20:46:10 +00:00
Even Rouault
1d658302f8 * libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do
the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols
of its internal libtiff copy.
2017-06-08 16:39:50 +00:00
Even Rouault
6281927e03 * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
2017-06-01 12:44:04 +00:00
Even Rouault
ed38dcc52c * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
2017-05-29 11:29:06 +00:00
Even Rouault
4d3c3eec0c Fix date in changelog entry 2017-05-29 10:14:26 +00:00
Even Rouault
2b3a489164 * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
int32 overflow in TIFFYCbCrtoRGB().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
Credit to OSS Fuzz
2017-05-29 10:12:54 +00:00
Bob Friesenhahn
84e1f1b66d libtiff 4.0.8 released 2017-05-21 19:10:50 +00:00
Bob Friesenhahn
c714d5b5a7 html/v4.0.8.html: Add description of changes targeting the 4.0.8 release. 2017-05-21 17:47:46 +00:00
Even Rouault
1a690c0e10 * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
2017-05-20 11:29:02 +00:00
Even Rouault
3d5081d29b * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero
to avoid division by zero.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
2017-05-18 06:44:35 +00:00
Even Rouault
cbe0307490 * libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to
float.
Credit to Google Autofuzz project
2017-05-17 21:54:04 +00:00
Even Rouault
bda5be3a14 * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
2017-05-17 13:48:34 +00:00
Even Rouault
f277dbaff0 * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
2017-05-17 09:53:06 +00:00
Even Rouault
3f72698b8a * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
2017-05-17 09:38:58 +00:00
Even Rouault
352c653057 * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-14 10:17:27 +00:00
Even Rouault
8d4e459102 * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00
Even Rouault
99e8fb373e * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0 * libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577 * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16 * libtiff/tif_read.c: TIFFFillStripPartial():
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831 * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
2017-05-12 20:16:37 +00:00
Even Rouault
80ee713d88 Rename variable added in previous commit to avoid symbol clash 2017-05-10 19:54:54 +00:00
Even Rouault
c9a6cfc51a * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 19:38:49 +00:00
Even Rouault
328189565b * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260 * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09 * libtiff/tif_ojpeg.c: fix potential memory leak in
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
-Wimplicit-fallthrough warnings.
2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4 * libtiff/tif_pixarlog.c: fix memory leak in error code path of
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335 * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
2017-02-18 18:46:00 +00:00