Commit Graph

2938 Commits

Author SHA1 Message Date
Even Rouault
ef0803fc75 * libtiff/tif_write.c: fix misleading indentation as warned by GCC. 2016-12-03 21:57:44 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
2016-12-03 15:44:15 +00:00
Even Rouault
f703a4c7b3 * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man
pages since the corresponding utilities are no longer installed.
Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-03 15:39:49 +00:00
Even Rouault
1f7151900c * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599


Reported by Agostino Sarubbo.
2016-12-03 15:30:31 +00:00
Even Rouault
5b52559d39 * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is
missing.
Reported by Agostino sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
2016-12-03 14:18:48 +00:00
Even Rouault
4dc0503820 Fix typo on reporter name 2016-12-03 13:30:45 +00:00
Even Rouault
5c47f33899 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8 * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostina Sarubo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
2016-12-03 11:35:56 +00:00
Even Rouault
45ba019d0f * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
2016-12-03 11:15:18 +00:00
Even Rouault
9e9a0bbfb2 * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
the total size of data is not sufficient to fill the whole image, and thus
results in reading outside of the StripByCounts/StripOffsets arrays when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.

* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.
2016-12-03 11:02:15 +00:00
Even Rouault
cec2d959be * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
2016-12-02 23:05:51 +00:00
Even Rouault
78dab0996f * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
2016-12-02 22:13:32 +00:00
Even Rouault
30703a1677 * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
2016-12-02 21:56:56 +00:00
Even Rouault
523e4e33e8 Add CVE number 2016-11-22 10:58:57 +00:00
Even Rouault
58788e4ea1 * libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned
vs signed formatting (cppcheck invalidPrintfArgType_uint warnings)
2016-11-20 22:31:21 +00:00
Even Rouault
cdc3c9b7e1 Commit changes that should have gone with previous commit 2016-11-20 22:29:47 +00:00
Even Rouault
a9cf335a77 * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to
fix cppcheck clarifyCalculation warnings
2016-11-20 22:20:46 +00:00
Bob Friesenhahn
5ba49e2beb * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O.  Patch was provided via
email on November 20, 2016.
2016-11-20 18:04:52 +00:00
Bob Friesenhahn
884f973652 * libtiff 4.0.7 released.
* configure.ac: Update for 4.0.7 release.
2016-11-19 17:47:39 +00:00
Bob Friesenhahn
07e63bcdf8 * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
_TIFFmalloc() argument which resulted in Coverity report.  Added
more mutiplication overflow checks.
2016-11-19 15:42:46 +00:00
Even Rouault
1aa4ee54c8 Assign CVE numbers 2016-11-19 10:33:19 +00:00
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path.
Fixes Coverity 1394415.
2016-11-18 14:58:46 +00:00
Bob Friesenhahn
2c81e2ffa9 Cast away unused return value from snprintf() to possibly eliminate a compilation warning. 2016-11-18 02:52:13 +00:00
Bob Friesenhahn
ca5b774b0c * libtiff/tif_getimage.c: Fix some benign warnings which appear in
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value.  Results might not be an expected value.".  Problem was
reported on November 16, 2016 on the tiff mailing list.
2016-11-18 02:47:45 +00:00
Even Rouault
6d055b4f99 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
2016-11-16 15:14:15 +00:00
Even Rouault
5936de5bae Assign CVE-2016-9297 number 2016-11-14 19:08:24 +00:00
Bob Friesenhahn
6ff69f4673 Move mis-classified change note. 2016-11-12 21:43:44 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
2016-11-12 20:06:05 +00:00
Bob Friesenhahn
b6779d1454 tmsize_t is a signed type so change casting to cast to unsigned type before compare 2016-11-12 19:57:16 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
signed/unsigned comparison warning.
2016-11-12 18:35:11 +00:00
Bob Friesenhahn
35b7f035a7 * html/v4.0.7.html: Add a file to document the pending 4.0.7
release.
2016-11-12 18:30:47 +00:00
Even Rouault
17d6936499 Fix typo in comment 2016-11-12 16:48:28 +00:00
Even Rouault
34e2075125 Fix typo in comment 2016-11-11 21:28:24 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
1a64e2ccd1 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273) 2016-11-11 21:09:07 +00:00
Even Rouault
56f3e29d18 * libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted()
when requesting Predictor tag and that the zip/lzw codec is not
configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
2016-11-11 20:45:53 +00:00
Even Rouault
9bddab5035 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
2016-11-11 20:22:01 +00:00
Even Rouault
1120426ba0 * libtiff/tif_dirread.c: reject images with OJPEG compression that
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
2016-11-11 20:01:55 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 19:33:06 +00:00
Even Rouault
a7abf0ba90 * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
2016-11-09 23:00:49 +00:00
Even Rouault
3f5f68e91b * libtiff/tif_predic.c: fix memory leaks in error code paths added in
previous commit (fix for MSVR 35105)
2016-11-04 09:19:13 +00:00
Even Rouault
a41c294c3f * libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
by Axel Souchet	& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
2016-10-31 17:24:26 +00:00
Even Rouault
124d8fc810 * tools/fax2tiff.c: fix segfault when specifying -r without
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
2016-10-25 22:22:45 +00:00
Even Rouault
c1a5a07a3a Fixing last ChangeLog entry 2016-10-25 21:38:35 +00:00
Even Rouault
739dcd28a0 * libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case	in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
2016-10-25 21:35:15 +00:00