Commit Graph

634 Commits

Author SHA1 Message Date
Even Rouault
2a4d9b4fab Merge branch 'bug2839' into 'master'
raw2tiff: avoid divide by 0

Closes #151

See merge request libtiff/libtiff!103
2020-02-26 21:22:26 +00:00
Even Rouault
2832b9829f Merge branch 'bug2669' into 'master'
tiff2pdf: palette bound check in t2p_sample_realize_palette()

Closes #82

See merge request libtiff/libtiff!104
2020-02-26 21:21:09 +00:00
Even Rouault
e9a124f52f Merge branch 'int-shift' into 'master'
tiffcrop: fix asan runtime error caused by integer promotion

See merge request libtiff/libtiff!105
2020-02-26 21:20:10 +00:00
Thomas Bernard
bdcf1add10
raw2tiff: avoid divide by 0
fixes #151 / http://bugzilla.maptools.org/show_bug.cgi?id=2839

first memcmp() lines before computing corellation
and always avoid divide by 0 anyway
2020-02-16 19:20:37 +01:00
Thomas Bernard
4f168b7368
tiffcrop: fix asan runtime error caused by integer promotion
tiffcrop.c:4027:20: runtime error: left shift of 190 by 24 places cannot be represented in type 'int'

C treats (byte << 24) as an int expression.
casting explicitely to unsigned type uint32 avoids the problem.

the same issue has been fixed elsewhere with a242136916

I detected the bug with the test file of #86
2020-02-08 13:43:35 +01:00
Thomas Bernard
3107393354
tiff2pdf: palette bound check in t2p_sample_realize_palette()
fixes #82
2020-02-08 13:27:51 +01:00
Thomas Bernard
ebf0864306
tiff2ps: fix heap buffer read overflow in PSDataColorContig()
fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855

in 05029fb7f1 I missed that 1 extra byte is read
in this loop.
2020-02-08 12:10:56 +01:00
Bob Friesenhahn
58b16f47a8 Add nmake build support for manually configuring the 'port' files to be
built based on MSVC features.
Include tif_config.h in tools/tiffset.c.
2020-01-25 14:11:05 -06:00
Bug Checkers
47656ccb3f adds missing checks on TIFFGetField in tiffcrop tool (fixes #170) 2019-11-04 21:14:38 +00:00
Mansour Ahmadi
f2f1289601 adds a missing TIFFClose in rgb2ycbcr tool 2019-11-04 14:48:13 -05:00
Bob Friesenhahn
f18e1a2db5 Fix Cmake HAVE_GETOPT for systems which declare getopt in stdio.h.
Fix utility baked-in getopt prototype which appears when HAVE_GETOPT is not defined.
2019-11-03 11:21:26 -06:00
Even Rouault
b04da30e11
tiff2ps: fix use of wrong data type that caused issues (/Height being written as 0) on 64-bit big endian platforms 2019-08-18 10:52:45 +02:00
Even Rouault
b9b93f661e Merge branch 'bug2799' into 'master'
fix fax2tiff

See merge request libtiff/libtiff!55
2019-05-08 08:36:34 +00:00
Even Rouault
3c0becb4aa Merge branch 'bug_2844' into 'master'
tiff2ps.c: PSDataColorContig(): avoid heap buffer overrun

See merge request libtiff/libtiff!69
2019-04-25 09:39:01 +00:00
Thomas Bernard
ea2e933b17
tiff2pdf.c: don't call t2p_tile_collapse_left() when buffer size is wrong
see http://bugzilla.maptools.org/show_bug.cgi?id=2785
2019-02-28 13:44:49 +01:00
Thomas Bernard
b7d479cf8b
tiff2pdf.c: check colormap pointers
Avoid access to non initialized pointers
http://bugzilla.maptools.org/show_bug.cgi?id=2826
2019-02-28 13:05:19 +01:00
Thomas Bernard
05029fb7f1
PSDataColorContig(): avoid heap buffer overrun
fixes http://bugzilla.maptools.org/show_bug.cgi?id=2844
each iteration of the loop read nc bytes
2019-02-24 00:50:12 +01:00
Thomas Bernard
a242136916
tiff2ps.c: fix warning caused by integer promotion
uint8 value is promoted to int in (value << 24) so -fsanitize
yield runtime errors :
tiff2ps.c:2969:33: runtime error: left shift of 246 by 24 places cannot be represented in type 'int'
2019-02-22 16:23:33 +01:00
Even Rouault
27124e9148 Merge branch 'issue_2833' into 'master'
tiffcp.c: check that (Tile Width)*(Samples/Pixel) do no overflow

See merge request libtiff/libtiff!60
2019-02-19 14:39:26 +00:00
Thomas Bernard
9cfa5c4691 tiffcrop.c: fix invertImage() for bps 2 and 4
too much bytes were processed, causing a heap buffer overrun
    http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
    for (col = 0; col < width; col += 8 / bps)

Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.

But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
2019-02-11 23:08:25 +01:00
Thomas Bernard
7cc76e9bc4 tiffcp.c: use INT_MAX 2019-02-11 21:42:03 +01:00
Thomas Bernard
2b0d0e6997 check that (Tile Width)*(Samples/Pixel) do no overflow
fixes bug 2833
2019-02-11 10:05:33 +01:00
Even Rouault
ae0bed1fe5 Merge branch 'master' into 'master'
Fix for simple memory leak that was assigned CVE-2019-6128.

See merge request libtiff/libtiff!50
2019-02-02 14:46:05 +00:00
Even Rouault
933784a10a Merge branch 'bug2835' into 'master'
tiff2ps: fix heap-buffer-overflow

See merge request libtiff/libtiff!53
2019-02-02 14:32:58 +00:00
Yuri Aksenov
88b410f800
fix fax2tiff
see http://bugzilla.maptools.org/show_bug.cgi?id=2799
fixes d9bc8472e7
2019-02-02 15:14:54 +01:00
Thomas Bernard
309bfd7f61
tiff2ps: fix heap-buffer-overflow
http://bugzilla.maptools.org/show_bug.cgi?id=2834

usually the test (i < byte_count) is OK because the byte_count is divisible by samplesperpixel.
But if that is not the case, (i + ncomps) < byte_count should be used, or
maybe (i + samplesperpixel) <= byte_count
2019-01-29 10:47:14 +01:00
Thomas Bernard
5c222ec96c
tiffcrop: shut up clang warnings
make the out filename building a bit more simple
and remove the use of strcat()
2019-01-28 16:10:28 +01:00
Scott Gayou
0c74a9f49b Fix for simple memory leak that was assigned CVE-2019-6128.
pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
2019-01-23 15:09:59 -05:00
Bob Friesenhahn
a0e273fdca Fix tiff2ps error regarding "Inconsistent value of es" by allowing es to be zero.
Problem was reported to the tiff mailing list by Julian H. Stacey on January 5, 2019.
2019-01-05 13:56:09 -06:00
Even Rouault
ae0325a1ab Merge branch 'resource-leaks' into 'master'
Fix two resource leaks

See merge request libtiff/libtiff!43
2018-12-07 20:58:13 +00:00
Bob Friesenhahn
d6f7cf744c tiffcrop.c: Avoid new clang warning about tools/tiffcrop.c "size argument in 'strncat' call appears to be size of the source". 2018-12-01 09:16:10 -06:00
Bob Friesenhahn
2480971bba tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime. 2018-11-03 13:27:20 -05:00
Bob Friesenhahn
ed624dfe48 tiffcrop.c: Eliminate compiler warning about snprintf output truncation when formatting filenum. 2018-11-03 10:00:11 -05:00
Bob Friesenhahn
34b5be5a2e Eliminate compiler warnings about duplicate definitions of streq/strneq macros. 2018-11-03 09:35:19 -05:00
Nikola Forró
2f694198f1 Fix two resource leaks
Signed-off-by: Nikola Forró <nforro@redhat.com>
2018-10-31 11:50:48 +01:00
Even Rouault
99b10edde9
tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 2018-10-30 18:50:27 +01:00
Even Rouault
1a926533b8 Merge branch 'tif_webp' into 'master'
webp support

See merge request libtiff/libtiff!32
2018-10-05 19:41:16 +00:00
Norman Barker
9eacd59fec webp in tiff 2018-10-05 11:21:17 -05:00
Young_X
97c95667f6 fix out-of-bound read on some tiled images. 2018-09-08 15:07:53 +08:00
Young_X
6da1fb3f64 avoid potential int32 overflows in multiply_ms() 2018-09-08 14:46:27 +08:00
Young_X
f1b94e8a3b only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 2018-09-08 14:36:12 +08:00
Roger Leigh
43586d4105 tiffset: Add support for LONG8, SLONG8 and IFD8 field types 2018-03-23 22:11:17 +00:00
Stefan Weil
642b8f998e Fix some typos
Most of them were found by codespell.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
2018-02-24 21:47:52 +01:00
Even Rouault
442fa64e41 Merge branch 'zstd' 2018-02-14 15:41:04 +01:00
Nathan Baker
473851d211 Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.

This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
2018-02-12 09:43:34 -05:00
Nathan Baker
e9fa4baf1d Fix all compiler warnings for default build 2018-02-04 23:54:17 +00:00
Even Rouault
c4d31e9b06 Merge branch 'patch-1' into 'master'
Update CMakeLists.txt for build fix on Windows

See merge request libtiff/libtiff!14
2018-01-27 11:22:09 +00:00
Even Rouault
fb0489937c Merge branch 'patch-2' into 'master'
Update tiffgt.c for build fix on Windows

See merge request libtiff/libtiff!13
2018-01-27 11:20:46 +00:00
Nathan Baker
9171da596c Add workaround to pal2rgb buffer overflow. 2018-01-25 21:28:15 +00:00
Andrea
a6195d0ad4 Update tiffgt.c for build fix on Windows 2018-01-24 01:25:13 +00:00