libtiff

Author	SHA1	Message	Date
Thomas Bernard	bdcf1add10	raw2tiff: avoid divide by 0 fixes #151 / http://bugzilla.maptools.org/show_bug.cgi?id=2839 first memcmp() lines before computing corellation and always avoid divide by 0 anyway	2020-02-16 19:20:37 +01:00
Thomas Bernard	4f168b7368	tiffcrop: fix asan runtime error caused by integer promotion tiffcrop.c:4027:20: runtime error: left shift of 190 by 24 places cannot be represented in type 'int' C treats (byte << 24) as an int expression. casting explicitely to unsigned type uint32 avoids the problem. the same issue has been fixed elsewhere with `a242136916` I detected the bug with the test file of #86	2020-02-08 13:43:35 +01:00
Thomas Bernard	3107393354	tiff2pdf: palette bound check in t2p_sample_realize_palette() fixes #82	2020-02-08 13:27:51 +01:00
Thomas Bernard	ebf0864306	tiff2ps: fix heap buffer read overflow in PSDataColorContig() fixes #161 / http://bugzilla.maptools.org/show_bug.cgi?id=2855 in `05029fb7f1` I missed that 1 extra byte is read in this loop.	2020-02-08 12:10:56 +01:00
Bob Friesenhahn	58b16f47a8	Add nmake build support for manually configuring the 'port' files to be built based on MSVC features. Include tif_config.h in tools/tiffset.c.	2020-01-25 14:11:05 -06:00
Bug Checkers	47656ccb3f	adds missing checks on TIFFGetField in tiffcrop tool (fixes #170 )	2019-11-04 21:14:38 +00:00
Mansour Ahmadi	f2f1289601	adds a missing TIFFClose in rgb2ycbcr tool	2019-11-04 14:48:13 -05:00
Bob Friesenhahn	f18e1a2db5	Fix Cmake HAVE_GETOPT for systems which declare getopt in stdio.h. Fix utility baked-in getopt prototype which appears when HAVE_GETOPT is not defined.	2019-11-03 11:21:26 -06:00
Even Rouault	b04da30e11	tiff2ps: fix use of wrong data type that caused issues (/Height being written as 0) on 64-bit big endian platforms	2019-08-18 10:52:45 +02:00
Nikola Forró	e897442344	tools/tiffcp.c: fix potential division by zero Signed-off-by: Nikola Forró <nforro@redhat.com>	2019-06-12 12:23:33 +02:00
Even Rouault	b9b93f661e	Merge branch 'bug2799' into 'master' fix fax2tiff See merge request libtiff/libtiff!55	2019-05-08 08:36:34 +00:00
Even Rouault	3c0becb4aa	Merge branch 'bug_2844' into 'master' tiff2ps.c: PSDataColorContig(): avoid heap buffer overrun See merge request libtiff/libtiff!69	2019-04-25 09:39:01 +00:00
Thomas Bernard	ea2e933b17	tiff2pdf.c: don't call t2p_tile_collapse_left() when buffer size is wrong see http://bugzilla.maptools.org/show_bug.cgi?id=2785	2019-02-28 13:44:49 +01:00
Thomas Bernard	b7d479cf8b	tiff2pdf.c: check colormap pointers Avoid access to non initialized pointers http://bugzilla.maptools.org/show_bug.cgi?id=2826	2019-02-28 13:05:19 +01:00
Thomas Bernard	05029fb7f1	PSDataColorContig(): avoid heap buffer overrun fixes http://bugzilla.maptools.org/show_bug.cgi?id=2844 each iteration of the loop read nc bytes	2019-02-24 00:50:12 +01:00
Thomas Bernard	a242136916	tiff2ps.c: fix warning caused by integer promotion uint8 value is promoted to int in (value << 24) so -fsanitize yield runtime errors : tiff2ps.c:2969:33: runtime error: left shift of 246 by 24 places cannot be represented in type 'int'	2019-02-22 16:23:33 +01:00
Even Rouault	27124e9148	Merge branch 'issue_2833' into 'master' tiffcp.c: check that (Tile Width)*(Samples/Pixel) do no overflow See merge request libtiff/libtiff!60	2019-02-19 14:39:26 +00:00
Thomas Bernard	9cfa5c4691	tiffcrop.c: fix invertImage() for bps 2 and 4 too much bytes were processed, causing a heap buffer overrun http://bugzilla.maptools.org/show_bug.cgi?id=2831 the loop counter must be for (col = 0; col < width; col += 8 / bps) Also the values were not properly calculated. It should be 255-x, 15-x, 3-x for bps 8, 4, 2. But anyway it is easyer to invert all bits as 255-x = ~x, etc. (substracting from a binary number composed of all 1 is like inverting the bits)	2019-02-11 23:08:25 +01:00
Thomas Bernard	7cc76e9bc4	tiffcp.c: use INT_MAX	2019-02-11 21:42:03 +01:00
Thomas Bernard	2b0d0e6997	check that (Tile Width)*(Samples/Pixel) do no overflow fixes bug 2833	2019-02-11 10:05:33 +01:00
Even Rouault	ae0bed1fe5	Merge branch 'master' into 'master' Fix for simple memory leak that was assigned CVE-2019-6128. See merge request libtiff/libtiff!50	2019-02-02 14:46:05 +00:00
Even Rouault	933784a10a	Merge branch 'bug2835' into 'master' tiff2ps: fix heap-buffer-overflow See merge request libtiff/libtiff!53	2019-02-02 14:32:58 +00:00
Yuri Aksenov	88b410f800	fix fax2tiff see http://bugzilla.maptools.org/show_bug.cgi?id=2799 fixes `d9bc8472e7`	2019-02-02 15:14:54 +01:00
Thomas Bernard	309bfd7f61	tiff2ps: fix heap-buffer-overflow http://bugzilla.maptools.org/show_bug.cgi?id=2834 usually the test (i < byte_count) is OK because the byte_count is divisible by samplesperpixel. But if that is not the case, (i + ncomps) < byte_count should be used, or maybe (i + samplesperpixel) <= byte_count	2019-01-29 10:47:14 +01:00
Thomas Bernard	5c222ec96c	tiffcrop: shut up clang warnings make the out filename building a bit more simple and remove the use of strcat()	2019-01-28 16:10:28 +01:00
Scott Gayou	0c74a9f49b	Fix for simple memory leak that was assigned CVE-2019-6128. pal2rgb failed to free memory on a few errors. This was reported here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.	2019-01-23 15:09:59 -05:00
Bob Friesenhahn	a0e273fdca	Fix tiff2ps error regarding "Inconsistent value of es" by allowing es to be zero. Problem was reported to the tiff mailing list by Julian H. Stacey on January 5, 2019.	2019-01-05 13:56:09 -06:00
Even Rouault	ae0325a1ab	Merge branch 'resource-leaks' into 'master' Fix two resource leaks See merge request libtiff/libtiff!43	2018-12-07 20:58:13 +00:00
Bob Friesenhahn	d6f7cf744c	tiffcrop.c: Avoid new clang warning about tools/tiffcrop.c "size argument in 'strncat' call appears to be size of the source".	2018-12-01 09:16:10 -06:00
Bob Friesenhahn	2480971bba	tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime.	2018-11-03 13:27:20 -05:00
Bob Friesenhahn	ed624dfe48	tiffcrop.c: Eliminate compiler warning about snprintf output truncation when formatting filenum.	2018-11-03 10:00:11 -05:00
Bob Friesenhahn	34b5be5a2e	Eliminate compiler warnings about duplicate definitions of streq/strneq macros.	2018-11-03 09:35:19 -05:00
Nikola Forró	2f694198f1	Fix two resource leaks Signed-off-by: Nikola Forró <nforro@redhat.com>	2018-10-31 11:50:48 +01:00
Even Rouault	99b10edde9	tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661	2018-10-30 18:50:27 +01:00
Even Rouault	1a926533b8	Merge branch 'tif_webp' into 'master' webp support See merge request libtiff/libtiff!32	2018-10-05 19:41:16 +00:00
Norman Barker	9eacd59fec	webp in tiff	2018-10-05 11:21:17 -05:00
Young_X	97c95667f6	fix out-of-bound read on some tiled images.	2018-09-08 15:07:53 +08:00
Young_X	6da1fb3f64	avoid potential int32 overflows in multiply_ms()	2018-09-08 14:46:27 +08:00
Young_X	f1b94e8a3b	only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4	2018-09-08 14:36:12 +08:00
Roger Leigh	43586d4105	tiffset: Add support for LONG8, SLONG8 and IFD8 field types	2018-03-23 22:11:17 +00:00
Stefan Weil	642b8f998e	Fix some typos Most of them were found by codespell. Signed-off-by: Stefan Weil <sw@weilnetz.de>	2018-02-24 21:47:52 +01:00
Even Rouault	442fa64e41	Merge branch 'zstd'	2018-02-14 15:41:04 +01:00
Nathan Baker	473851d211	Fix for bug 2772 It is possible to craft a TIFF document where the IFD list is circular, leading to an infinite loop while traversing the chain. The libtiff directory reader has a failsafe that will break out of this loop after reading 65535 directory entries, but it will continue processing, consuming time and resources to process what is essentially a bogus TIFF document. This change fixes the above behavior by breaking out of processing when a TIFF document has >= 65535 directories and terminating with an error.	2018-02-12 09:43:34 -05:00
Nathan Baker	e9fa4baf1d	Fix all compiler warnings for default build	2018-02-04 23:54:17 +00:00
Even Rouault	c4d31e9b06	Merge branch 'patch-1' into 'master' Update CMakeLists.txt for build fix on Windows See merge request libtiff/libtiff!14	2018-01-27 11:22:09 +00:00
Even Rouault	fb0489937c	Merge branch 'patch-2' into 'master' Update tiffgt.c for build fix on Windows See merge request libtiff/libtiff!13	2018-01-27 11:20:46 +00:00
Nathan Baker	9171da596c	Add workaround to pal2rgb buffer overflow.	2018-01-25 21:28:15 +00:00
Andrea	a6195d0ad4	Update tiffgt.c for build fix on Windows	2018-01-24 01:25:13 +00:00
Andrea	e7b87e5d3e	Update CMakeLists.txt for build fix on Windows	2018-01-24 01:19:44 +00:00
Even Rouault	62b9df5d2a	Add ZSTD compression codec From https://github.com/facebook/zstd "Zstandard, or zstd as short version, is a fast lossless compression algorithm, targeting real-time compression scenarios at zlib-level and better compression ratios. It's backed by a very fast entropy stage, provided by Huff0 and FSE library." We require libzstd >= 1.0.0 so as to be able to use streaming compression and decompression methods. The default compression level we have selected is 9 (range goes from 1 to 22), which experimentally offers equivalent or better compression ratio than the default deflate/ZIP level of 6, and much faster compression. For example on a 6600x4400 16bit image, tiffcp -c zip runs in 10.7 seconds, while tiffcp -c zstd runs in 5.3 seconds. Decompression time for zip is 840 ms, and for zstd 650 ms. File size is 42735936 for zip, and 42586822 for zstd. Similar findings on other images. On a 25894x16701 16bit image, Compression time Decompression time File size ZSTD 35 s 3.2 s 399 700 498 ZIP/Deflate 1m 20 s 4.9 s 419 622 336	2017-12-21 13:32:02 +01:00
Brian May	d4f213636b	tiff2pdf: Fix apparent incorrect type for transfer table The standard says the transfer table contains unsigned 16 bit values, I have no idea why we refer to them as floats.	2017-12-11 07:35:41 +11:00
Brian May	3dd8f6a357	tiff2pdf: Fix CVE-2017-9935 Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 This vulnerability - at least for the supplied test case - is because we assume that a tiff will only have one transfer function that is the same for all pages. This is not required by the TIFF standards. We than read the transfer function for every page. Depending on the transfer function, we allocate either 2 or 4 bytes to the XREF buffer. We allocate this memory after we read in the transfer function for the page. For the first exploit - POC1, this file has 3 pages. For the first page we allocate 2 extra extra XREF entries. Then for the next page 2 more entries. Then for the last page the transfer function changes and we allocate 4 more entries. When we read the file into memory, we assume we have 4 bytes extra for each and every page (as per the last transfer function we read). Which is not correct, we only have 2 bytes extra for the first 2 pages. As a result, we end up writing past the end of the buffer. There are also some related issues that this also fixes. For example, TIFFGetField can return uninitalized pointer values, and the logic to detect a N=3 vs N=1 transfer function seemed rather strange. It is also strange that we declare the transfer functions to be of type float, when the standard says they are unsigned 16 bit values. This is fixed in another patch. This patch will check to ensure that the N value for every transfer function is the same for every page. If this changes, we abort with an error. In theory, we should perhaps check that the transfer function itself is identical for every page, however we don't do that due to the confusion of the type of the data in the transfer function.	2017-12-11 07:35:18 +11:00
Even Rouault	9c243a11a3	Merge branch 'remove_autogenerated_files' into 'master' Remove autogenerated files See merge request libtiff/libtiff!5	2017-12-02 22:10:48 +00:00
Bob Friesenhahn	79bb4d034f	'tif_config.h' or 'tiffio.h' must be included before any system header.	2017-12-02 14:45:03 -06:00
Even Rouault	c56eda4b7e	Remove remaining .cvsignore files	2017-12-01 15:55:10 +01:00
Even Rouault	2440a113ea	Remove autoconf/automake generated files, and add them to .gitignore	2017-12-01 15:54:48 +01:00
Even Rouault	8603db6cfa	Regenerate autoconf files	2017-11-30 18:10:01 +01:00
Even Rouault	f0a54a4fa0	Remove all $Id and $Headers comments with CVS versions	2017-11-30 18:02:46 +01:00
Bob Friesenhahn	25f9ffa565	* tools/tiff2bw.c (main): Free memory allocated in the tiff2bw program. This is in response to the report associated with CVE-2017-16232 but does not solve the extremely high memory usage with the associated POC file.	2017-11-01 13:41:58 +00:00
Bob Friesenhahn	61d4eb3a01	tiff2pdf.c: Fix possible overflow in bounds check computation and eliminate signed/unsigned comparison.	2017-10-29 18:50:41 +00:00
Bob Friesenhahn	1cb6c46b9d	fax2tiff: Pass the FAX_Client_Data struct as client data	2017-10-29 18:28:43 +00:00
Even Rouault	76a2b9d619	* tools/tiffset.c: fix setting a single value for the ExtraSamples tag (and other tags with variable number of values). So 'tiffset -s ExtraSamples 1 X'. This only worked when setting 2 or more values, but not just one.	2017-10-01 17:38:12 +00:00
Even Rouault	979751c407	* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" mode on PlanarConfig=Contig input images. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 Reported by team OWL337	2017-07-15 11:13:46 +00:00
Even Rouault	222083301a	* refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes)	2017-07-11 09:10:28 +00:00
Even Rouault	d606ea22bb	* tools/tiff2bw.c: close TIFF handle in error code path. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677	2017-04-28 18:08:47 +00:00
Even Rouault	fa55777370	* litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. Patch by Alan Coopersmith + complement by myself. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673 * tools/fax2tiff.c: emit appropriate message if the input file is empty. Patch by Alan Coopersmith. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672	2017-04-27 19:50:01 +00:00
Even Rouault	697bfd9f39	* libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD mode (ie default) when there is both a StripOffsets and TileOffsets tag, or a StripByteCounts and TileByteCounts Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 * tools/tiff2ps.c: call TIFFClose() in error code paths.	2017-04-27 15:46:22 +00:00
Even Rouault	55e5962794	* tools/raw2tiff.c: avoid integer division by zero. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631	2017-01-14 13:12:33 +00:00
Even Rouault	480167a350	* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and http://bugzilla.maptools.org/show_bug.cgi?id=2657	2017-01-11 19:25:44 +00:00
Even Rouault	9f839d9233	* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to error out if passed value is strictly negative. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that caused double free. Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535	2017-01-11 12:51:59 +00:00
Even Rouault	6d97ea6dcc	* tools/tiff2pdf.c: avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640	2016-12-20 17:28:17 +00:00
Even Rouault	5e95f6a34c	* tools/tiff2pdf.c: avoid potential invalid memory read in t2p_writeproc. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639	2016-12-20 17:24:35 +00:00
Even Rouault	7fb75582f4	* tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger unspecified behaviour. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638	2016-12-20 17:13:26 +00:00
Even Rouault	732f8e0b46	* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode on a paletted image. Note: this fix errors out before the overflow happens. There could probably be a better fix. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635	2016-12-18 10:37:59 +00:00
Even Rouault	0a85b00c8b	* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW and PSDataColorContig). Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and http://bugzilla.maptools.org/show_bug.cgi?id=2634.	2016-12-17 19:45:28 +00:00
Even Rouault	2766c8583d	* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605	2016-12-03 16:50:02 +00:00
Even Rouault	bae8284136	* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610	2016-12-03 16:40:01 +00:00
Even Rouault	b1e5ae5984	* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is missing. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607	2016-12-03 15:44:15 +00:00
Even Rouault	5b52559d39	* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is missing. Reported by Agostino sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597	2016-12-03 14:42:40 +00:00
Even Rouault	2deb7183ca	* tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has no StripByteCount tag. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594	2016-12-03 14:18:48 +00:00
Even Rouault	5c47f33899	* tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. Reported by Agostina Sarubo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619	2016-12-03 13:00:03 +00:00
Even Rouault	7aad042fc8	* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer. Reported by Agostina Sarubo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621	2016-12-03 12:19:32 +00:00
Even Rouault	3a1c5ac67b	* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so that the output buffer is correctly incremented to avoid write outside bounds. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620	2016-12-03 11:35:56 +00:00
Even Rouault	78dab0996f	* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that can cause various issues, such as buffer overflows in the library. Reported by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598	2016-12-02 22:13:32 +00:00
Bob Friesenhahn	5ba49e2beb	* tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix passing client data for Win32 builds using tif_win32.c (USE_WIN32_FILEIO defined) for file I/O. Patch was provided via email on November 20, 2016.	2016-11-20 18:04:52 +00:00
Bob Friesenhahn	07e63bcdf8	* tools/tiffdump.c (ReadDirectory): Remove uint32 cast to _TIFFmalloc() argument which resulted in Coverity report. Added more mutiplication overflow checks.	2016-11-19 15:42:46 +00:00
Even Rouault	c80c06ce45	* tools/tiffcrop.c: Fix memory leak in (recent) error code path. Fixes Coverity 1394415.	2016-11-18 14:58:46 +00:00
Bob Friesenhahn	c22e3e5b42	* tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned comparison warning. (TIFFReadSeparateTileData): Fix signed/unsigned comparison warning.	2016-11-12 20:06:05 +00:00
Bob Friesenhahn	b6779d1454	tmsize_t is a signed type so change casting to cast to unsigned type before compare	2016-11-12 19:57:16 +00:00
Bob Friesenhahn	d2c7f195f1	* tools/tiffcrop.c (readContigTilesIntoBuffer): Fix signed/unsigned comparison warning.	2016-11-12 18:35:11 +00:00
Even Rouault	34e2075125	Fix typo in comment	2016-11-11 21:28:24 +00:00
Even Rouault	57b0f8ba24	* tools/tiff2pdf.c: avoid undefined behaviour related to overlapping of source and destination buffer in memcpy() call in t2p_sample_rgbaa_to_rgb() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577	2016-11-11 21:22:50 +00:00
Even Rouault	16e71ae0a2	* tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in t2p_read_tiff_size() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576	2016-11-11 21:15:25 +00:00
Even Rouault	49062afa56	* tools/tiffcrop.c: fix multiple uint32 overflows in writeBufferToSeparateStrips(), writeBufferToContigTiles() and writeBufferToSeparateTiles() that could cause heap buffer overflows. Reported by Henri Salo from Nixu Corporation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592	2016-11-11 19:33:06 +00:00
Even Rouault	124d8fc810	* tools/fax2tiff.c: fix segfault when specifying -r without argument. Patch by Yuriy M. Kaminskiy. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572	2016-10-25 22:22:45 +00:00
Even Rouault	0c05834d05	* tools/tiffinfo.c: fix out-of-bound read on some tiled images. (http://bugzilla.maptools.org/show_bug.cgi?id=2517) * libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an error and make upper level read routines treat it accordingly. (linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)	2016-10-25 20:04:21 +00:00
Even Rouault	0d521dfab0	* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.	2016-10-14 19:13:20 +00:00
Even Rouault	0937638efd	* tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG compressed images. Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 / CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the file stream.	2016-10-09 11:03:36 +00:00
Even Rouault	6f13bf391a	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd tile width vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.	2016-10-08 15:54:56 +00:00
Even Rouault	7399a6f13b	* tools/tiff2pdf.c: fix read -largely- outsize of buffer in t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.	2016-10-08 15:14:42 +00:00

1 2 3 4 5 ...

682 Commits