Commit Graph

1299 Commits

Author SHA1 Message Date
Even Rouault
56d802d409 Reference GDAL ticket 2017-06-12 10:48:25 +00:00
Even Rouault
1cdea8b9e9 * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in
ChopUpSingleUncompressedStrip() regarding update of newly single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition bytecount==0 used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this causes
later incorrect setting for the value of StripByteCounts/StripOffsets.
2017-06-12 10:45:35 +00:00
Even Rouault
ea6228c185 * .appveyor.yml, .travis.yml, build/travis-ci: apply patches
0001-ci-Travis-script-improvements.patch and
0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
(sent to mailing list)
2017-06-09 22:07:08 +00:00
Even Rouault
f2a3b02040 * .travis.yml, build/travis-ci: new files from
0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
Roger Leigh (sent to mailing list on 2017-06-08)
This patch adds support for the Travis-CI service.

* .appveyor.yml: new file from
0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
list on 2017-06-08)
This patch adds a .appveyor.yml file to the top-level.  This allows
one to opt in to having a branch built on Windows with Cygwin,
MinGW and MSVC automatically when a branch is pushed to GitHub,
GitLab, BitBucket or any other supported git hosting service.

* CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
Leigh (sent to mailing list on 2017-06-08)
This patch makes the CMake build system support running the tests
with MinGW or Cygwin.
2017-06-08 20:46:10 +00:00
Even Rouault
1d658302f8 * libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do
the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols
of its internal libtiff copy.
2017-06-08 16:39:50 +00:00
Even Rouault
6281927e03 * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
to behave differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
2017-06-01 12:44:04 +00:00
Even Rouault
ed38dcc52c * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
2017-05-29 11:29:06 +00:00
Even Rouault
4d3c3eec0c Fix date in changelog entry 2017-05-29 10:14:26 +00:00
Even Rouault
2b3a489164 * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
int32 overflow in TIFFYCbCrtoRGB().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
Credit to OSS Fuzz
2017-05-29 10:12:54 +00:00
Bob Friesenhahn
84e1f1b66d libtiff 4.0.8 released 2017-05-21 19:10:50 +00:00
Bob Friesenhahn
c714d5b5a7 html/v4.0.8.html: Add description of changes targeting the 4.0.8 release. 2017-05-21 17:47:46 +00:00
Even Rouault
1a690c0e10 * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
2017-05-20 11:29:02 +00:00
Even Rouault
3d5081d29b * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero
to avoid division by zero.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
2017-05-18 06:44:35 +00:00
Even Rouault
cbe0307490 * libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to
float.
Credit to Google Autofuzz project
2017-05-17 21:54:04 +00:00
Even Rouault
bda5be3a14 * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
2017-05-17 13:48:34 +00:00
Even Rouault
f277dbaff0 * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
2017-05-17 09:53:06 +00:00
Even Rouault
3f72698b8a * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
2017-05-17 09:38:58 +00:00
Even Rouault
352c653057 * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-14 10:17:27 +00:00
Even Rouault
8d4e459102 * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
2017-05-14 02:26:07 +00:00
Even Rouault
99e8fb373e * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
2017-05-13 18:29:38 +00:00
Even Rouault
0a6763b5a0 * libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 18:17:34 +00:00
Even Rouault
0a5c524577 * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
2017-05-13 15:34:06 +00:00
Even Rouault
2d7b1f8c16 * libtiff/tif_read.c: TIFFFillStripPartial():
avoid excessive memory allocation in case of shortened files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-12 21:12:24 +00:00
Even Rouault
76084fb831 * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(),
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
2017-05-12 20:16:37 +00:00
Even Rouault
c9a6cfc51a * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile():
avoid excessive memory allocation in case of shortened files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 19:38:49 +00:00
Even Rouault
328189565b * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
2017-05-10 15:21:16 +00:00
Even Rouault
8fb8265260 * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
2017-05-10 13:37:19 +00:00
Even Rouault
d606ea22bb * tools/tiff2bw.c: close TIFF handle in error code path.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
2017-04-28 18:08:47 +00:00
Even Rouault
fa55777370 * libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
Patch by Alan Coopersmith  + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
2017-04-27 19:50:01 +00:00
Even Rouault
bb30ee4f09 * libtiff/tif_ojpeg.c: fix potential memory leak in
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
2017-04-27 17:29:26 +00:00
Even Rouault
697bfd9f39 * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
2017-04-27 15:46:22 +00:00
Even Rouault
8a752e1e3a * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
-Wimplicit-fallthrough warnings.
2017-02-25 17:05:12 +00:00
Even Rouault
19a159d7c4 * libtiff/tif_pixarlog.c: fix memory leak in error code path of
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
2017-02-18 20:30:26 +00:00
Even Rouault
09a7433335 * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
2017-02-18 18:46:00 +00:00
Even Rouault
62473b596b * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when the tag is present (especially on cloud hosted files).
2017-01-31 13:02:27 +00:00
Even Rouault
55e5962794 * tools/raw2tiff.c: avoid integer division by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
2017-01-14 13:12:33 +00:00
Even Rouault
ab7f27a984 * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
2017-01-12 19:23:20 +00:00
Even Rouault
ad7aea728d * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
2017-01-12 17:43:25 +00:00
Even Rouault
d043ca1be9 * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
2017-01-11 20:33:35 +00:00
Even Rouault
480167a350 * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
2017-01-11 19:25:44 +00:00
Even Rouault
f5858f50b5 Fix commit message 2017-01-11 19:03:18 +00:00
Even Rouault
33e002a170 * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
2017-01-11 19:02:49 +00:00
Even Rouault
a48c640a01 * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
2017-01-11 16:38:26 +00:00
Even Rouault
50b48786d5 * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
2017-01-11 16:33:34 +00:00
Even Rouault
153418c943 * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
2017-01-11 16:13:50 +00:00
Even Rouault
d2e6964efc * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
2017-01-11 16:09:02 +00:00
Even Rouault
a39f613104 * libtiff/tif_dirread.c: avoid division by floating point 0 in
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
2017-01-11 13:28:01 +00:00
Even Rouault
9f839d9233 * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
2017-01-11 12:51:59 +00:00
Even Rouault
20dd00743c * libtiff/tif_jpeg.c: avoid integer division by zero in
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
2017-01-11 12:15:01 +00:00
Even Rouault
553d4c5d05 * libtiff/tif_jpeg.c: increase libjpeg max memory usable to
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
2017-01-03 17:22:49 +00:00
Even Rouault
6d97ea6dcc * tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
2016-12-20 17:28:17 +00:00
Even Rouault
5e95f6a34c * tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
2016-12-20 17:24:35 +00:00
Even Rouault
7fb75582f4 * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
2016-12-20 17:13:26 +00:00
Even Rouault
7d919c7849 * libtiff/tif_getimage.c: fix potential memory leaks in error code
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
2016-12-18 22:28:42 +00:00
Even Rouault
732f8e0b46 * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635
2016-12-18 10:37:59 +00:00
Even Rouault
f9f8686c7d * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
and TIFFReadRGBATileExt() variants of the functions without ext, with
an extra argument to control the stop_on_error behaviour.
2016-12-17 22:33:11 +00:00
Even Rouault
0a85b00c8b * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
2016-12-17 19:45:28 +00:00
Even Rouault
6e3867b3e6 Fix spelling in ChangeLog 2016-12-13 18:27:47 +00:00
Even Rouault
27d6152ddd * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
2016-12-13 18:15:48 +00:00
Even Rouault
a3196dff73 * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html
from installed pages since the corresponding utilities are no longer
installed. Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-04 17:56:18 +00:00
Even Rouault
ef0803fc75 * libtiff/tif_write.c: fix misleading indentation as warned by GCC. 2016-12-03 21:57:44 +00:00
Even Rouault
2766c8583d * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
2016-12-03 16:50:02 +00:00
Even Rouault
bae8284136 * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
2016-12-03 16:40:01 +00:00
Even Rouault
b1e5ae5984 * tools/tiffcp.c: avoid potential division by zero if BitsPerSample tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
2016-12-03 15:44:15 +00:00
Even Rouault
f703a4c7b3 * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man
pages since the corresponding utilities are no longer installed.
Reported by Havard Eidnes
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606
2016-12-03 15:39:49 +00:00
Even Rouault
1f7151900c * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
2016-12-03 15:30:31 +00:00
Even Rouault
5b52559d39 * tools/tiffcp.c: avoid potential division by zero if BitsPerSample tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
2016-12-03 14:42:40 +00:00
Even Rouault
2deb7183ca * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
2016-12-03 14:18:48 +00:00
Even Rouault
4dc0503820 Fix typo on reporter name 2016-12-03 13:30:45 +00:00
Even Rouault
5c47f33899 * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
2016-12-03 13:00:03 +00:00
Even Rouault
7aad042fc8 * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
2016-12-03 12:19:32 +00:00
Even Rouault
3a1c5ac67b * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
2016-12-03 11:35:56 +00:00
Even Rouault
45ba019d0f * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
2016-12-03 11:15:18 +00:00
Even Rouault
9e9a0bbfb2 * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
instantiate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty if
the total size of data is not sufficient to fill the whole image, and thus
results in reading outside of the StripByteCounts/StripOffsets arrays when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.

* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.
2016-12-03 11:02:15 +00:00
Even Rouault
cec2d959be * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
2016-12-02 23:05:51 +00:00
Even Rouault
78dab0996f * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
2016-12-02 22:13:32 +00:00
Even Rouault
30703a1677 * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
2016-12-02 21:56:56 +00:00
Even Rouault
523e4e33e8 Add CVE number 2016-11-22 10:58:57 +00:00
Even Rouault
58788e4ea1 * libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned
vs signed formatting (cppcheck invalidPrintfArgType_uint warnings)
2016-11-20 22:31:21 +00:00
Even Rouault
a9cf335a77 * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to
fix cppcheck clarifyCalculation warnings
2016-11-20 22:20:46 +00:00
Bob Friesenhahn
5ba49e2beb * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O.  Patch was provided via
email on November 20, 2016.
2016-11-20 18:04:52 +00:00
Bob Friesenhahn
884f973652 * libtiff 4.0.7 released.
* configure.ac: Update for 4.0.7 release.
2016-11-19 17:47:39 +00:00
Bob Friesenhahn
07e63bcdf8 * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
_TIFFmalloc() argument which resulted in Coverity report.  Added
more multiplication overflow checks.
2016-11-19 15:42:46 +00:00
Even Rouault
1aa4ee54c8 Assign CVE numbers 2016-11-19 10:33:19 +00:00
Even Rouault
c80c06ce45 * tools/tiffcrop.c: Fix memory leak in (recent) error code path.
Fixes Coverity 1394415.
2016-11-18 14:58:46 +00:00
Bob Friesenhahn
ca5b774b0c * libtiff/tif_getimage.c: Fix some benign warnings which appear in
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value.  Results might not be an expected value.".  Problem was
reported on November 16, 2016 on the tiff mailing list.
2016-11-18 02:47:45 +00:00
Even Rouault
6d055b4f99 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
2016-11-16 15:14:15 +00:00
Even Rouault
5936de5bae Assign CVE-2016-9297 number 2016-11-14 19:08:24 +00:00
Bob Friesenhahn
c22e3e5b42 * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
2016-11-12 20:06:05 +00:00
Bob Friesenhahn
d2c7f195f1 * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
signed/unsigned comparison warning.
2016-11-12 18:35:11 +00:00
Bob Friesenhahn
35b7f035a7 * html/v4.0.7.html: Add a file to document the pending 4.0.7
release.
2016-11-12 18:30:47 +00:00
Even Rouault
57b0f8ba24 * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
2016-11-11 21:22:50 +00:00
Even Rouault
16e71ae0a2 * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
2016-11-11 21:15:25 +00:00
Even Rouault
1a64e2ccd1 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273) 2016-11-11 21:09:07 +00:00
Even Rouault
56f3e29d18 * libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted()
when requesting Predictor tag and that the zip/lzw codec is not
configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
2016-11-11 20:45:53 +00:00
Even Rouault
9bddab5035 * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
2016-11-11 20:22:01 +00:00
Even Rouault
1120426ba0 * libtiff/tif_dirread.c: reject images with OJPEG compression that
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
2016-11-11 20:01:55 +00:00
Even Rouault
49062afa56 * tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
2016-11-11 19:33:06 +00:00
Even Rouault
a7abf0ba90 * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outside of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
2016-11-09 23:00:49 +00:00
Even Rouault
3f5f68e91b * libtiff/tif_predict.c: fix memory leaks in error code paths added in
previous commit (fix for MSVR 35105)
2016-11-04 09:19:13 +00:00