Commit Graph

2832 Commits

Author SHA1 Message Date
Even Rouault
1246f97138 * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
2014-12-21 18:52:42 +00:00
Even Rouault
7d3b9da6cb * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
2014-12-21 18:07:48 +00:00
Even Rouault
29f531aeec * tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
2014-12-21 17:36:36 +00:00
Even Rouault
2dae28a91b * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
2014-12-21 16:28:37 +00:00
Even Rouault
89bef1935b Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-21 15:15:31 +00:00
Even Rouault
59d4cb0b11 libtiff/tif_jpeg.c: Fix regression introduced on 2010-05-07 that caused all tiles/strips to include quantization tables even when the jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add explicit removal of Huffman tables when jpegtablesmode has the JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the first tile/strip (only useful in update scenarios. create-only was fine) 2014-12-15 15:40:06 +00:00
Bob Friesenhahn
570fd679f6 * tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-10 02:53:30 +00:00
Even Rouault
3f2b81f2c2 tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run found with Valgrind and Address Sanitizer on test suite 2014-12-07 22:33:06 +00:00
Bob Friesenhahn
02567e23b9 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL.  The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel.  Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-07 19:32:25 +00:00
Bob Friesenhahn
12f78c491f Update the valgrind memcheck recipe for the test suite. 2014-12-06 20:36:14 +00:00
Bob Friesenhahn
3c92b0efc1 * tools/tiffdump.c: Fix double-free bug. 2014-12-06 15:58:40 +00:00
Even Rouault
8f38bc8e2d * libtiff/tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
2014-11-27 17:22:10 +00:00
Even Rouault
abea4b2b04 * libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 16:47:21 +00:00
Even Rouault
7af4d827dd * libtiff/tif_jpeg.c: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL (bug #2471)
2014-11-20 14:34:51 +00:00
Even Rouault
d1be5cb7ad * automake: updated to 1.14.1
* libtool: updated to 2.4.3
* HOWTO-RELEASE: small update about autotools building order
2014-11-20 14:28:16 +00:00
Even Rouault
e6552f5de1 Add myself to COMMITTERS 2014-11-19 22:26:42 +00:00
Olivier Paquet
e4f269ed3f * tools/tiff2pdf.c: Preserve input file directory order when pages
are tagged with the same page number.
2014-10-20 17:52:05 +00:00
Bob Friesenhahn
9885124f1e * libtiff/tif_dirread.c (TIFFReadDirEntryOutputErr): Incorrect
count for tag should be a warning rather than an error since
errors terminate processing.
2014-08-31 20:32:53 +00:00
Bob Friesenhahn
f6fc518396 * tools/tiff2rgba.c (]): Fixed tiff2rgba usage message in that zip
was wrongly described.  Fix suggested by Miguel Medalha.
2014-06-08 03:37:01 +00:00
Bob Friesenhahn
3d49c58cf8 Clarify that patch was by Steve Underwood but forwarded to me by Lee Howard 2014-05-07 13:31:11 +00:00
Bob Friesenhahn
0056d44683 Consistently indent tiffFields. 2014-05-07 01:58:46 +00:00
Bob Friesenhahn
f9f939b5e6 * libtiff/tif_dirinfo.c (TIFFField) : Fix data type for
TIFFTAG_GLOBALPARAMETERSIFD tag.  Patch by Lee Howard.
2014-05-07 01:54:29 +00:00
Frank Warmerdam
3363eda09d Actually apply TIFF/EP tags I thought I had done earlier (bug #2457) 2014-04-02 17:23:06 +00:00
Bob Friesenhahn
65f22eacee Check return status from TIFFWriteScanline() correctly in test programs. 2013-12-17 14:41:57 +00:00
Frank Warmerdam
de103a76f8 fix last fix to TIFFNumberOfDirectories() 2013-11-30 20:24:36 +00:00
Frank Warmerdam
e2f7c06cc5 Error out on directory counting overflow. 2013-10-21 18:23:48 +00:00
Lee Howard
e289d76bce Resolves a couple of buffer overflow issues pointed out by Pedro Ribeiro (pedrib@gmail.com). 2013-09-20 16:09:01 +00:00
Lee Howard
7b8ee1facf From: David Ryskalczyk <d235j.1@gmail.com>
Date: Thu, 18 Jul 2013 14:36:47 -0400

Here's a patch to correct an issue with creating G4-compressed PDFs.

The issue is caused by == being used to compare bitfields when only
one bit is intended to be compared. Some of the tiffs I have had both
T2P_CS_ICCBASED and T2P_CS_BILEVEL set; therefore, the current code
will fail, producing certain pages that are inverted.

The patch follows, and is also attached.

--David
2013-09-20 15:35:37 +00:00
Bob Friesenhahn
f4203fa738 * libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to
be defective, then set it to zero before returning error in order
to terminate processing of truncated TIFF.  Issue found and fix
suggested by Richard Nolde.

* tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244)
* tools/tiff2pdf.c: terminate after failure of allocating
* tools/tiffinfo.c: Default various values fetched with
2013-09-13 02:34:50 +00:00
Frank Warmerdam
163627448a fix possible OOB write in gif2tiff.c 2013-08-14 13:59:16 +00:00
Frank Warmerdam
44650c28f1 make more resistent to corrupt/hostile input files (#2450, CVE-2013-4231) 2013-08-14 05:18:53 +00:00
Frank Warmerdam
67d92d90f8 ensure return after memory allocation failure (#2449, CVS-2013-4232) 2013-08-14 05:11:36 +00:00
Frank Warmerdam
4e7465a311 initialize TIFFGetField() fetched values in tiffinfo.c 2013-07-10 00:44:22 +00:00
Tom Lane
96ceea8c8a Rewrite t2p_process_jpeg_strip(), to fix CVE-2013-1960. 2013-05-02 14:54:08 +00:00
Tom Lane
b6d66f9f30 Replace sprintf with snprintf, to fix CVE-2013-1961. 2013-05-02 14:44:29 +00:00
Bob Friesenhahn
e90c73e611 * configure.ac: Applied patch by Brad Smith to improve pkg-config
static linking by adding -lm to Libs.private when needed.
2013-03-29 16:50:11 +00:00
Tom Lane
feb6bd9f1d Sync tool usage printouts and man pages with reality. 2013-03-06 03:35:09 +00:00
Bob Friesenhahn
c9aee05b27 Strip extraneous trailing white-space from ChangeLog 2013-01-26 02:35:44 +00:00
Bob Friesenhahn
c204ef2a2f * tools/tiff2ps.c:Fix bug in auto rotate option code. Once a
rotation angle was set by the auto rotate check, it was retained
for all pages that followed instead of being retested for each
page.  Patch by Richard Nolde.
2013-01-26 02:24:05 +00:00
Frank Warmerdam
859bdf7523 avoid type cast warnings 2013-01-18 21:57:12 +00:00
Frank Warmerdam
f6bca3f994 avoid warnings on MSVC (bug 2427) 2013-01-18 21:37:13 +00:00
Tom Lane
46618e9d97 Fix raw_decode test to pass with more versions of libjpeg 2012-12-20 18:08:07 +00:00
Tom Lane
f752daaaab Fix TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory. 2012-12-12 22:50:18 +00:00
Tom Lane
800527edd2 Improve previous patch for CVE-2012-4564. 2012-12-10 18:19:11 +00:00
Tom Lane
bff7f45716 Detect integer overflow in addition when computing buffer size. 2012-12-10 17:27:13 +00:00
Bob Friesenhahn
74295b7487 * tools/tiffset.c: tiffset now supports a -u option to unset a
tag.  Patch by Zach Baker. See
http://bugzilla.maptools.org/show_bug.cgi?id=2419
2012-12-04 03:02:37 +00:00
Bob Friesenhahn
281ba91d09 * automake: Update Automake to 1.12.5 release. 2012-11-18 18:08:31 +00:00
Bob Friesenhahn
b47e5f1a73 * libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero.  Assure that _TIFFmalloc does.
2012-11-18 17:51:52 +00:00
Frank Warmerdam
37671b36b9 fix zero size buffer exploit (CVE-2012-4564) in ppm2tiff 2012-11-02 05:13:24 +00:00
Frank Warmerdam
98fc7e047a avoid crash on null zip error messages 2012-10-18 17:34:59 +00:00