Commit Graph

2817 Commits

Author SHA1 Message Date
Bob Friesenhahn
c05bbbe6e8 (loadImage): Fix Coverity 1299740 "Out-of-bounds write". 2015-05-28 02:19:16 +00:00
Bob Friesenhahn
022cd04c80 (loadImage): Fix Coverity 1299741 "Dereference before null check". 2015-05-28 02:16:08 +00:00
Bob Friesenhahn
4d8fac3be8 (writeCroppedImage): Fix Coverity 1024797 "Nesting level does not
match indentation".
2015-05-28 02:11:00 +00:00
Bob Friesenhahn
e6aabe4992 (writeSingleSection): Fix Coverity 1024796 "Nesting level does not
match indentation".
2015-05-28 02:07:59 +00:00
Bob Friesenhahn
0ba4515b24 (readContigTilesIntoBuffer): Fix Coverity 1024586 "Logically dead
code".
2015-05-28 02:02:09 +00:00
Bob Friesenhahn
7a8431b414 (readContigStripsIntoBuffer): Fix Coverity 1024545 "Division or
modulo by zero".
2015-05-28 01:59:10 +00:00
Bob Friesenhahn
1752529e75 * tools/tiffcrop.c (ROTATE_ANY): Fix Coverity 1294542 "Logical
vs. bitwise operator".
2015-05-28 01:50:20 +00:00
Even Rouault
7bed6738f2 * tools/tiffdither.c: check memory allocations to avoid writing to
NULL pointer. Also check multiplication overflow. Fixes #2501,
CVE-2014-8128. Derived from patch by Petr Gajdos.
2015-03-02 16:16:38 +00:00
Even Rouault
cb66df4e65 * add html/v4.0.4beta.html under version control
* HOWTO-RELEASE: write that cvs add html/vX.X.html must be used
2015-01-26 15:14:45 +00:00
Even Rouault
a1caf14ce4 * libtiff 4.0.4beta released 2015-01-26 12:24:11 +00:00
Even Rouault
a17a6e5ecd * automake: updated to 1.15
* libtool: updated to 2.4.5
2015-01-26 10:29:40 +00:00
Even Rouault
45922132cf * tools/tiff2pdf.c: Fix two crashes (oCERT-2014-013) 2015-01-22 09:58:49 +00:00
Frank Warmerdam
09dfa00849 remove note about requiring approval to join tiff list 2015-01-05 19:49:37 +00:00
Olivier Paquet
79676ae61c * tools/tiff2pdf.c: Fixed unsigned integer addition overflow detection. 2015-01-05 19:03:11 +00:00
Even Rouault
7f884b953c * libtiff/tif_dirread.c: in TIFFCheckDirOffset(), avoid uint16 overflow
when reading more than 65535 directories, and effectively error out when
reaching that limit.
2015-01-03 18:03:40 +00:00
Even Rouault
376ee1fc20 * libtiff/tif_jpeg.c: in JPEGFixupTags(), recognize SOF2, SOF9 and SOF10
markers to avoid emitting a warning (even if, according to the TechNote,
there are admitedly unusual/not recommended or even forbidden variants, but
they do work well with libjpeg for SOF2, and with libjpeg-turbo for SOF2,
SOF9 and SOF10).
Define in_color_space and input_components to the right values in
JPEGSetupEncode(), before calling jpeg_set_defaults(), as specified by
libjpeg API documentation, so as to be compatible with mozjpeg library.
Note: the default settings of mozjpeg will produce progressive scans, which
is forbidden by the TechNote.
2014-12-30 16:37:22 +00:00
Even Rouault
f828693705 * libtiff/tif_getimage.c: move test on vertical value of YCbCr subsampling.
to avoid buffer leak (fix previous fix, found by Coverity scan)
2014-12-29 18:28:46 +00:00
Bob Friesenhahn
70239ee78e Remove mention of freshmeat since the site is frozen. 2014-12-29 15:39:02 +00:00
Bob Friesenhahn
429b3fdc90 * Update bundled libtool to 2.4.4 release. 2014-12-29 15:34:22 +00:00
Even Rouault
5b79c1f364 * libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
2014-12-29 12:09:11 +00:00
Even Rouault
5b06ac3f28 * libtiff/tif_dir.c: in TIFFDefaultDirectory(), reset any already existing
extented tags installed by user code through the extender mechaninm before
calling the extender callback (GDAL #5054)
2014-12-27 15:20:42 +00:00
Bob Friesenhahn
fdfa1a026f * tools/tiffcrop.c: Fix warnings about variables set but not used. 2014-12-26 16:32:31 +00:00
Bob Friesenhahn
a7ced11ff1 * contrib/iptcutil/iptcutil.c: Fix warnings about variables set
but not used.
2014-12-26 16:10:08 +00:00
Bob Friesenhahn
3b48ce4c7b * tools/tiffgt.c: Fix warnings about unused parameters. 2014-12-26 16:06:41 +00:00
Bob Friesenhahn
e501767856 * libtiff/tif_stream.cxx: Fix warnings about unused parameters. 2014-12-26 16:01:04 +00:00
Even Rouault
5ecaadc951 * libtiff/tif_getimage.c, libtiff/tif_ojpeg.c, libtiff/tif_zip.c: fix
various typos found by Debian lintian tool (GDAL #5756)
2014-12-25 18:29:11 +00:00
Even Rouault
65577375d4 * libtiff/tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
http://bugzilla.maptools.org/show_bug.cgi?id=2235
2014-12-24 16:57:18 +00:00
Even Rouault
34d71374cc * tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images.
http://bugzilla.maptools.org/show_bug.cgi?id=2445
2014-12-24 16:32:28 +00:00
Even Rouault
a42442d21f * tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed image.
Derived from patch by Petr Gajdos,
http://bugzilla.maptools.org/show_bug.cgi?id=2443
2014-12-24 15:38:11 +00:00
Even Rouault
59e876aeeb * libtiff/tif_dirread.c: In EstimateStripByteCounts(), check return code
of _TIFFFillStriles(). This solves crashing bug on corrupted
images generated by afl.
2014-12-23 11:06:54 +00:00
Even Rouault
ed7dd273d5 * libtiff/tif_read.c: fix several invalid comparisons of a uint64 value with
<= 0 by casting it to int64 first. This solves crashing bug on corrupted
images generated by afl.
2014-12-23 10:15:35 +00:00
Bob Friesenhahn
53c7c58dd7 * tools/tiffdump.c: Guard against arithmetic overflow when
calculating allocation buffer sizes.
2014-12-22 02:52:38 +00:00
Even Rouault
5db18217c3 * tools/tiff2bw.c: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
2014-12-21 20:58:29 +00:00
Even Rouault
aaf52fa411 * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
copying. The right fix would be to properly copy it, but not worth the burden
for those esoteric utilities.
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
2014-12-21 20:04:31 +00:00
Even Rouault
47647443c1 * tools/thumbnail.c: fix out-of-buffer write
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
2014-12-21 19:53:59 +00:00
Even Rouault
1246f97138 * tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
2014-12-21 18:52:42 +00:00
Even Rouault
7d3b9da6cb * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
2014-12-21 18:07:48 +00:00
Even Rouault
29f531aeec * tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
2014-12-21 17:36:36 +00:00
Even Rouault
2dae28a91b * tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
2014-12-21 16:28:37 +00:00
Even Rouault
89bef1935b Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-21 15:15:31 +00:00
Even Rouault
59d4cb0b11 libtiff/tif_jpeg.c: Fix regression introduced on 2010-05-07 that caused all tiles/strips to include quantization tables even when the jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add explicit removal of Huffman tables when jpegtablesmode has the JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the first tile/strip (only useful in update scenarios. create-only was fine) 2014-12-15 15:40:06 +00:00
Bob Friesenhahn
570fd679f6 * tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-10 02:53:30 +00:00
Even Rouault
3f2b81f2c2 tools/thumbnail.c, tools/tiffcrop.c: fix heap read over-run found with Valgrind and Address Sanitizer on test suite 2014-12-07 22:33:06 +00:00
Bob Friesenhahn
02567e23b9 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL.  The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel.  Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-07 19:32:25 +00:00
Bob Friesenhahn
12f78c491f Update the valgrind memcheck recipe for the test suite. 2014-12-06 20:36:14 +00:00
Bob Friesenhahn
3c92b0efc1 * tools/tiffdump.c: Fix double-free bug. 2014-12-06 15:58:40 +00:00
Even Rouault
8f38bc8e2d * libtiff/tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
2014-11-27 17:22:10 +00:00
Even Rouault
abea4b2b04 * libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 16:47:21 +00:00
Even Rouault
7af4d827dd * libtiff/tif_jpeg.c: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL (bug #2471)
2014-11-20 14:34:51 +00:00
Even Rouault
d1be5cb7ad * automake: updated to 1.14.1
* libtool: updated to 2.4.3
* HOWTO-RELEASE: small update about autotools building order
2014-11-20 14:28:16 +00:00