cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,914 Commits 1 Branch 0 Tags 11 MiB
ab7f27a984
Commit Graph

564 Commits

Author SHA1 Message Date
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and 
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
 2017-01-11 19:25:44 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace 
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
 2017-01-11 12:51:59 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in 
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
 2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in 
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
 2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger 
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
 2016-12-20 17:13:26 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode 
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
 2016-12-18 10:37:59 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW 
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
 2016-12-17 19:45:28 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. 
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
 2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based 
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
 2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
 2016-12-03 15:44:15 +00:00
Even Rouault
5b52559d39 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is 
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
 2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has 
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
 2016-12-03 14:18:48 +00:00
Even Rouault
5c47f33899 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. 
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
 2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8 * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in 
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
 2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so 
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
 2016-12-03 11:35:56 +00:00
Even Rouault
78dab0996f * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that 
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
 2016-12-02 22:13:32 +00:00
Bob Friesenhahn
5ba49e2beb * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix 
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O.  Patch was provided via
email on November 20, 2016.
 2016-11-20 18:04:52 +00:00
Bob Friesenhahn
07e63bcdf8 * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to 
_TIFFmalloc() argument which resulted in Coverity report.  Added
more mutiplication overflow checks.
 2016-11-19 15:42:46 +00:00
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path. 
Fixes Coverity 1394415.
 2016-11-18 14:58:46 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned 
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
 2016-11-12 20:06:05 +00:00
Bob Friesenhahn
b6779d1454 tmsize_t is a signed type so change casting to cast to unsigned type before compare 2016-11-12 19:57:16 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix 
signed/unsigned comparison warning.
 2016-11-12 18:35:11 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping 
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
 2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds 
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
 2016-11-11 21:15:25 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in 
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
 2016-11-11 19:33:06 +00:00
Even Rouault
124d8fc810 * tools/fax2tiff.c: fix segfault when specifying -r without 
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
 2016-10-25 22:22:45 +00:00
Even Rouault
0c05834d05 * tools/tiffinfo.c: fix out-of-bound read on some tiled images. 
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
 2016-10-25 20:04:21 +00:00
Even Rouault
0d521dfab0 * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in 
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
 2016-10-14 19:13:20 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG 
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
 2016-10-09 11:03:36 +00:00
Even Rouault
6f13bf391a * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd 
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
 2016-10-08 15:54:56 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in 
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
 2016-10-08 15:14:42 +00:00
Even Rouault
5707841070 * tools/tiffcp.c: fix read of undefined variable in case of missing 
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
 2016-10-08 15:04:31 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities 
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
 2016-09-23 22:12:18 +00:00
Even Rouault
cbdc8d8ae9 * tools/tiffcrop.c: fix C99'ism. 2016-08-16 08:54:01 +00:00
Even Rouault
ac16d2213c * tools/tiff2bw.c: fix weight computation that could result of color 
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
 2016-08-15 22:01:31 +00:00
Even Rouault
f18e33b3a5 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to 
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
 2016-08-15 21:26:56 +00:00
Even Rouault
5dd73c2b77 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). 
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
 2016-08-15 21:05:40 +00:00
Even Rouault
01bac25a5a * tools/tiff2rgba.c: Fix integer overflow in size of allocated 
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
 2016-08-15 20:06:40 +00:00
Even Rouault
e54eac223b (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) 2016-07-11 21:38:31 +00:00
Even Rouault
a1277756ad * tools/tiffcrop.c: Avoid access outside of stack allocated array 
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
 2016-07-11 21:26:03 +00:00
Even Rouault
a0faaf8910 Fix build failure due to previous commit 2016-07-10 16:56:18 +00:00
Even Rouault
292c431e5d * tools/tiffdump.c: fix a few misaligned 64-bit reads warned 
by -fsanitize
 2016-07-10 15:34:06 +00:00
Bob Friesenhahn
30366c9f22 * tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff, 
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
the distribution.  The libtiff tools rgb2ycbcr and thumbnail are
only built in the build tree for testing.  Old files are put in
new 'archive' subdirectory of the source repository, but not in
distribution archives.  These changes are made in order to lessen
the maintenance burden.
 2016-06-05 19:53:59 +00:00
Bob Friesenhahn
c7ff695d1b * html/bugs.html: Replace Andrey Kiselev with Bob Friesenhahn for 
purposes of security issue reporting.
 2016-04-08 02:34:00 +00:00
Even Rouault
87f02eaced * libtiff/*.c: fix clang -Wshorten-64-to-32 warnings 2015-11-18 20:35:07 +00:00
Bob Friesenhahn
d1fabc4db1 * tools/tiffgt.c: Silence glut API deprecation warnings on MacOS 
X.  Patch by Roger Leigh.
 2015-09-06 20:42:20 +00:00
Bob Friesenhahn
7bc7b77e78 * tools/tiff2pdf.c: Fix compiler warning about unused function 
when JPEG is not available.

* tools/fax2ps.c (main): Detect failure to write to temporary
file.
 2015-09-06 18:24:27 +00:00
Bob Friesenhahn
a9afad2a9f * Makefile.am (distcheck-hook), configure.ac: Applied patches by 
Roger Leigh (via tiff mailing list on 2015-09-01) to fix issue
with BSD make and to make use of cmake in 'distcheck' target
conditional on if cmake is available.
 2015-09-01 19:23:16 +00:00
Bob Friesenhahn
1fea0da266 All the CMakeLists.txt files were missing from the distribution tarball. 2015-08-30 21:26:45 +00:00