Commit Graph

2938 Commits

Author SHA1 Message Date
Even Rouault
0c05834d05 * tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
2016-10-25 20:04:21 +00:00
Even Rouault
0d521dfab0 * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
2016-10-14 19:13:20 +00:00
Even Rouault
0937638efd * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
2016-10-09 11:03:36 +00:00
Even Rouault
6f13bf391a * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
2016-10-08 15:54:56 +00:00
Even Rouault
7399a6f13b * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:14:42 +00:00
Even Rouault
5707841070 * tools/tiffcp.c: fix read of undefined variable in case of missing
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
2016-10-08 15:04:31 +00:00
Bob Friesenhahn
d4dd6ccc1e * html: Change as many remotesensing.org broken links to a working
URL as possible.
2016-09-25 20:05:44 +00:00
Bob Friesenhahn
65d7db09a5 * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.

* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3).  Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."

places where it isn't done currently, but it seems this patch is enough.
2016-09-24 23:11:55 +00:00
Even Rouault
edde1c583a * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
2016-09-23 22:12:18 +00:00
Bob Friesenhahn
645af692f6 * html/man/index.html: Comment out links to documentation for
abandoned utilities.
2016-09-20 13:35:17 +00:00
Even Rouault
b7ec5fe89c * libtiff/tif_lzma.c: typo fix in comment 2016-09-17 09:18:58 +00:00
Even Rouault
4fd5fe674a * libtiff/*.c: fix warnings raised by clang 3.9 -Wcomma 2016-09-04 21:32:55 +00:00
Even Rouault
e85c35f54e * libtiff/tif_dirwrite.c, libtiff/tif_color.c: fix warnings raised
by GCC 5 / clang -Wfloat-conversion
2016-09-03 20:15:35 +00:00
Even Rouault
3318c65cbb * libtiff/tif_dirwrite.c: fix warnings raised by GCC 5 -Wfloat-conversion 2016-09-02 22:42:00 +00:00
Even Rouault
cbdc8d8ae9 * tools/tiffcrop.c: fix C99'ism. 2016-08-16 08:54:01 +00:00
Even Rouault
ac16d2213c * tools/tiff2bw.c: fix weight computation that could result of color
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
2016-08-15 22:01:31 +00:00
Even Rouault
ee80566cd1 Fix signed vs unsigned comparison 2016-08-15 21:36:43 +00:00
Even Rouault
f18e33b3a5 * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
2016-08-15 21:26:56 +00:00
Even Rouault
5dd73c2b77 * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
2016-08-15 21:05:40 +00:00
Even Rouault
a71b62bcff * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
simpler check. (bugzilla #2544)


invalid tests that rejected valid files. (bugzilla #2545)
2016-08-15 20:49:48 +00:00
Even Rouault
01bac25a5a * tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.
2016-08-15 20:06:40 +00:00
Even Rouault
e54eac223b (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559) 2016-07-11 21:38:31 +00:00
Even Rouault
a1277756ad * tools/tiffcrop.c: Avoid access outside of stack allocated array
on a tiled separate TIFF with more than 8 samples per pixel.
Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
(CVE-2016-5321, bugzilla #2558)
2016-07-11 21:26:03 +00:00
Even Rouault
febda236ac * libtiff/tif_read.c: Fix out-of-bounds read on
memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)
2016-07-10 18:00:20 +00:00
Even Rouault
a0faaf8910 Fix build failure due to previous commit 2016-07-10 16:56:18 +00:00
Even Rouault
292c431e5d * tools/tiffdump.c: fix a few misaligned 64-bit reads warned
by -fsanitize
2016-07-10 15:34:06 +00:00
Even Rouault
234b8543a8 Fix typo in CVE number for CVE-2016-5875 2016-07-10 10:15:07 +00:00
Even Rouault
b46aa51809 * libtiff/tif_read.c: make TIFFReadEncodedStrip() and
TIFFReadEncodedTile() directly use user provided buffer when
no compression (and other conditions) to save a memcpy().

* libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() directly use user provided buffer when
no compression to save a memcpy().
2016-07-03 16:02:17 +00:00
Even Rouault
33c391eff4 * libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

(CVE-2016-587)
2016-07-01 11:06:04 +00:00
Even Rouault
f8b7c3de4d Fix warning about unsigned vs signed comparison 2016-06-28 15:37:33 +00:00
Even Rouault
bf5b698868 * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
2016-06-28 15:12:19 +00:00
Bob Friesenhahn
c0eb1847f4 * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64
to libtiff.def
2016-06-15 13:28:11 +00:00
Bob Friesenhahn
30366c9f22 * tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
the distribution.  The libtiff tools rgb2ycbcr and thumbnail are
only built in the build tree for testing.  Old files are put in
new 'archive' subdirectory of the source repository, but not in
distribution archives.  These changes are made in order to lessen
the maintenance burden.
2016-06-05 19:53:59 +00:00
Bob Friesenhahn
01c8ca66b3 * libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the
HAVE_SNPRINTF definition.'
2016-05-10 13:04:48 +00:00
Bob Friesenhahn
d7aa10673b * libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by Edward
Lam to define HAVE_SNPRINTF for Visual Studio 2015.
2016-05-10 01:01:09 +00:00
Even Rouault
958d9b5a8d * libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD,
fix regression, introduced on 2014-12-23, when reading a one-strip
file without a StripByteCounts tag. GDAL #6490
2016-04-27 11:38:00 +00:00
Bob Friesenhahn
c7ff695d1b * html/bugs.html: Replace Andrey Kiselev with Bob Friesenhahn for
purposes of security issue reporting.
2016-04-08 02:34:00 +00:00
Even Rouault
caf986e723 * libtiff/*: upstream typo fixes (mostly contributed by Kurt Schwehr)
coming from GDAL internal libtiff
2016-01-23 21:20:34 +00:00
Even Rouault
eb52becbb9 * libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure
a uint16 to reduce size of the binary.
2016-01-09 22:19:21 +00:00
Even Rouault
2794a67c27 * libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised
by GCC 6 -Wmisleading-indentation
2016-01-03 10:01:25 +00:00
Even Rouault
62382d0653 * libtiff/tif_pixarlog.c: avoid zlib error messages to pass a NULL
string to %s formatter, which is undefined behaviour in sprintf().
2015-12-27 20:14:11 +00:00
Even Rouault
7dfc35c299 Fix MSVC breakage in previous commit 2015-12-27 17:14:52 +00:00
Even Rouault
a1506aa413 * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)
2015-12-27 16:55:20 +00:00
Even Rouault
13963114dd * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522).
Fix potential out-of-bound reads in case of short input data.
2015-12-27 16:25:11 +00:00
Even Rouault
b7cc3e5902 * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
interface in case of unsupported values of SamplesPerPixel/ExtraSamples
for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
CVE-2015-8683 reported by zzf of Alibaba.
2015-12-26 17:32:03 +00:00
Even Rouault
212816f6e4 * libtiff/tif_dirread.c: workaround false positive warning of Clang Static
Analyzer about null pointer dereference in TIFFCheckDirOffset().
2015-12-20 23:18:51 +00:00
Even Rouault
a292bc2d27 * libtiff/tif_fax3.c: remove dead assignment in Fax3PutEOLgdal(). Found
by Clang Static Analyzer
2015-12-19 21:50:51 +00:00
Even Rouault
22ee4bcd8d offsets on a even offset (affects BigTIFF). This was a regression of the
changeset of 2015-10-19.
2015-12-18 14:08:11 +00:00
Even Rouault
56ae8c1ee3 * libtiff/tif_dirwrite.c: fix truncation to 32 bit of file offsets in
TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory
offsets on a even offset (affects BigTIFF)
2015-12-18 11:11:00 +00:00
Even Rouault
845ee2f85b * libtiff/tif_write.c: TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
should return -1 in case of failure of tif_encodestrip() as documented
* libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in case of
failure so that the above mentionned functions detect the error.
2015-12-12 18:04:26 +00:00