Even Rouault
cbe0307490
* libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to
...
float.
Credit to Google Autofuzz project
2017-05-17 21:54:04 +00:00
Even Rouault
bda5be3a14
* libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
...
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
2017-05-17 13:48:34 +00:00
Even Rouault
f277dbaff0
* libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
...
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
2017-05-17 09:53:06 +00:00
Even Rouault
3f72698b8a
* libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
...
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
2017-05-17 09:38:58 +00:00
Even Rouault
352c653057
* libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
...
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-14 10:17:27 +00:00
Even Rouault
8d4e459102
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
...
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00
Even Rouault
99e8fb373e
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
...
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0
* libtiff/tif_color.c: avoid potential int32 overflow in
...
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
...
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545 .
Credit to OSS-Fuzz
2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16
* libtiff/tif_read.c: TIFFFillStripPartial():
...
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
...
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
2017-05-12 20:16:37 +00:00
Even Rouault
80ee713d88
Rename variable added in previous commit to avoid symbol clash
2017-05-10 19:54:54 +00:00
Even Rouault
c9a6cfc51a
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
...
avoid excessive memory allocation in case of shorten files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 19:38:49 +00:00
Even Rouault
328189565b
* libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
...
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
...
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb
* tools/tiff2bw.c: close TIFF handle in error code path.
...
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370
* litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
...
Patch by Alan Coopersmith + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09
* libtiff/tif_ojpeg.c: fix potential memory leak in
...
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39
* libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
...
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a
* libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
...
-Wimplicit-fallthrough warnings.
2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4
* libtiff/tif_pixarlog.c: fix memory leak in error code path of
...
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335
* libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
...
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
2017-02-18 18:46:00 +00:00
Even Rouault
62473b596b
* libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
...
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when te tag is present (especially on cloud hosted files).
2017-01-31 13:02:27 +00:00
Even Rouault
55e5962794
* tools/raw2tiff.c: avoid integer division by zero.
...
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
...
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
...
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9
* libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
...
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
2017-01-11 20:33:35 +00:00
Even Rouault
480167a350
* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
...
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5
Fix commit message
2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170
* libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
...
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
2017-01-11 19:02:49 +00:00
Even Rouault
537cd1da18
Initialize variable to fix MSVC warning (caused by previous commit)
2017-01-11 17:48:11 +00:00
Even Rouault
a48c640a01
* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
...
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5
* libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
...
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
2017-01-11 16:33:34 +00:00
Even Rouault
153418c943
* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
...
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc
* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
...
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104
* libtiff/tif_dirread.c: avoid division by floating point 0 in
...
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
...
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c
* libtiff/tif_jpeg.c: avoid integer division by zero in
...
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05
* libtiff/tif_jpeg.c: increase libjpeg max memory usable to
...
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc
* tools/tiff2pdf.c: avoid potential heap-based overflow in
...
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c
* tools/tiff2pdf.c: avoid potential invalid memory read in
...
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4
* tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
...
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
7d919c7849
* libtiff/tif_getimage.c: fix potential memory leaks in error code
...
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
2016-12-18 22:28:42 +00:00
Even Rouault
732f8e0b46
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
...
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
f9f8686c7d
* libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
...
and TIFFReadRGBATileExt() variants of the functions without ext, with
an extra argument to control the stop_on_error behaviour.
2016-12-17 22:33:11 +00:00
Even Rouault
0a85b00c8b
* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
...
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634 .
2016-12-17 19:45:28 +00:00
Lee Howard
709f14f258
HylaFAX not Halyfax
2016-12-14 18:36:27 +00:00
Even Rouault
6e3867b3e6
Fix spelling in ChangeLog
2016-12-13 18:27:47 +00:00
Even Rouault
27d6152ddd
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
...
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
2016-12-13 18:15:48 +00:00
Even Rouault
a3196dff73
* html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html
...
from installed pages since the corresponding utilities are no longer
installed. Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-04 17:56:18 +00:00