Commit Graph

623 Commits

Author SHA1 Message Date
Even Rouault
b04da30e11
tiff2ps: fix use of wrong data type that caused issues (/Height being written as 0) on 64-bit big endian platforms 2019-08-18 10:52:45 +02:00
Even Rouault
b9b93f661e Merge branch 'bug2799' into 'master'
fix fax2tiff

See merge request libtiff/libtiff!55
2019-05-08 08:36:34 +00:00
Even Rouault
3c0becb4aa Merge branch 'bug_2844' into 'master'
tiff2ps.c: PSDataColorContig(): avoid heap buffer overrun

See merge request libtiff/libtiff!69
2019-04-25 09:39:01 +00:00
Thomas Bernard
ea2e933b17
tiff2pdf.c: don't call t2p_tile_collapse_left() when buffer size is wrong
see http://bugzilla.maptools.org/show_bug.cgi?id=2785
2019-02-28 13:44:49 +01:00
Thomas Bernard
b7d479cf8b
tiff2pdf.c: check colormap pointers
Avoid access to non initialized pointers
http://bugzilla.maptools.org/show_bug.cgi?id=2826
2019-02-28 13:05:19 +01:00
Thomas Bernard
05029fb7f1
PSDataColorContig(): avoid heap buffer overrun
fixes http://bugzilla.maptools.org/show_bug.cgi?id=2844
each iteration of the loop read nc bytes
2019-02-24 00:50:12 +01:00
Thomas Bernard
a242136916
tiff2ps.c: fix warning caused by integer promotion
uint8 value is promoted to int in (value << 24) so -fsanitize
yield runtime errors :
tiff2ps.c:2969:33: runtime error: left shift of 246 by 24 places cannot be represented in type 'int'
2019-02-22 16:23:33 +01:00
Even Rouault
27124e9148 Merge branch 'issue_2833' into 'master'
tiffcp.c: check that (Tile Width)*(Samples/Pixel) do no overflow

See merge request libtiff/libtiff!60
2019-02-19 14:39:26 +00:00
Thomas Bernard
9cfa5c4691 tiffcrop.c: fix invertImage() for bps 2 and 4
too much bytes were processed, causing a heap buffer overrun
    http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
    for (col = 0; col < width; col += 8 / bps)

Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.

But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
2019-02-11 23:08:25 +01:00
Thomas Bernard
7cc76e9bc4 tiffcp.c: use INT_MAX 2019-02-11 21:42:03 +01:00
Thomas Bernard
2b0d0e6997 check that (Tile Width)*(Samples/Pixel) do no overflow
fixes bug 2833
2019-02-11 10:05:33 +01:00
Even Rouault
ae0bed1fe5 Merge branch 'master' into 'master'
Fix for simple memory leak that was assigned CVE-2019-6128.

See merge request libtiff/libtiff!50
2019-02-02 14:46:05 +00:00
Even Rouault
933784a10a Merge branch 'bug2835' into 'master'
tiff2ps: fix heap-buffer-overflow

See merge request libtiff/libtiff!53
2019-02-02 14:32:58 +00:00
Yuri Aksenov
88b410f800
fix fax2tiff
see http://bugzilla.maptools.org/show_bug.cgi?id=2799
fixes d9bc8472e7
2019-02-02 15:14:54 +01:00
Thomas Bernard
309bfd7f61
tiff2ps: fix heap-buffer-overflow
http://bugzilla.maptools.org/show_bug.cgi?id=2834

usually the test (i < byte_count) is OK because the byte_count is divisible by samplesperpixel.
But if that is not the case, (i + ncomps) < byte_count should be used, or
maybe (i + samplesperpixel) <= byte_count
2019-01-29 10:47:14 +01:00
Thomas Bernard
5c222ec96c
tiffcrop: shut up clang warnings
make the out filename building a bit more simple
and remove the use of strcat()
2019-01-28 16:10:28 +01:00
Scott Gayou
0c74a9f49b Fix for simple memory leak that was assigned CVE-2019-6128.
pal2rgb failed to free memory on a few errors. This was reported
here: http://bugzilla.maptools.org/show_bug.cgi?id=2836.
2019-01-23 15:09:59 -05:00
Bob Friesenhahn
a0e273fdca Fix tiff2ps error regarding "Inconsistent value of es" by allowing es to be zero.
Problem was reported to the tiff mailing list by Julian H. Stacey on January 5, 2019.
2019-01-05 13:56:09 -06:00
Even Rouault
ae0325a1ab Merge branch 'resource-leaks' into 'master'
Fix two resource leaks

See merge request libtiff/libtiff!43
2018-12-07 20:58:13 +00:00
Bob Friesenhahn
d6f7cf744c tiffcrop.c: Avoid new clang warning about tools/tiffcrop.c "size argument in 'strncat' call appears to be size of the source". 2018-12-01 09:16:10 -06:00
Bob Friesenhahn
2480971bba tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime. 2018-11-03 13:27:20 -05:00
Bob Friesenhahn
ed624dfe48 tiffcrop.c: Eliminate compiler warning about snprintf output truncation when formatting filenum. 2018-11-03 10:00:11 -05:00
Bob Friesenhahn
34b5be5a2e Eliminate compiler warnings about duplicate definitions of streq/strneq macros. 2018-11-03 09:35:19 -05:00
Nikola Forró
2f694198f1 Fix two resource leaks
Signed-off-by: Nikola Forró <nforro@redhat.com>
2018-10-31 11:50:48 +01:00
Even Rouault
99b10edde9
tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661 2018-10-30 18:50:27 +01:00
Even Rouault
1a926533b8 Merge branch 'tif_webp' into 'master'
webp support

See merge request libtiff/libtiff!32
2018-10-05 19:41:16 +00:00
Norman Barker
9eacd59fec webp in tiff 2018-10-05 11:21:17 -05:00
Young_X
97c95667f6 fix out-of-bound read on some tiled images. 2018-09-08 15:07:53 +08:00
Young_X
6da1fb3f64 avoid potential int32 overflows in multiply_ms() 2018-09-08 14:46:27 +08:00
Young_X
f1b94e8a3b only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4 2018-09-08 14:36:12 +08:00
Roger Leigh
43586d4105 tiffset: Add support for LONG8, SLONG8 and IFD8 field types 2018-03-23 22:11:17 +00:00
Stefan Weil
642b8f998e Fix some typos
Most of them were found by codespell.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
2018-02-24 21:47:52 +01:00
Even Rouault
442fa64e41 Merge branch 'zstd' 2018-02-14 15:41:04 +01:00
Nathan Baker
473851d211 Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.

This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
2018-02-12 09:43:34 -05:00
Nathan Baker
e9fa4baf1d Fix all compiler warnings for default build 2018-02-04 23:54:17 +00:00
Even Rouault
c4d31e9b06 Merge branch 'patch-1' into 'master'
Update CMakeLists.txt for build fix on Windows

See merge request libtiff/libtiff!14
2018-01-27 11:22:09 +00:00
Even Rouault
fb0489937c Merge branch 'patch-2' into 'master'
Update tiffgt.c for build fix on Windows

See merge request libtiff/libtiff!13
2018-01-27 11:20:46 +00:00
Nathan Baker
9171da596c Add workaround to pal2rgb buffer overflow. 2018-01-25 21:28:15 +00:00
Andrea
a6195d0ad4 Update tiffgt.c for build fix on Windows 2018-01-24 01:25:13 +00:00
Andrea
e7b87e5d3e Update CMakeLists.txt for build fix on Windows 2018-01-24 01:19:44 +00:00
Even Rouault
62b9df5d2a Add ZSTD compression codec
From https://github.com/facebook/zstd
"Zstandard, or zstd as short version, is a fast lossless compression
algorithm, targeting real-time compression scenarios at zlib-level
and better compression ratios. It's backed by a very fast entropy stage,
provided by Huff0 and FSE library."

We require libzstd >= 1.0.0 so as to be able to use streaming compression
and decompression methods.

The default compression level we have selected is 9 (range goes from 1 to 22),
which experimentally offers equivalent or better compression ratio than
the default deflate/ZIP level of 6, and much faster compression.

For example on a 6600x4400 16bit image, tiffcp -c zip runs in 10.7 seconds,
while tiffcp -c zstd runs in 5.3 seconds. Decompression time for zip is
840 ms, and for zstd 650 ms. File size is 42735936 for zip, and
42586822 for zstd. Similar findings on other images.

On a 25894x16701 16bit image,

                Compression time     Decompression time     File size

ZSTD                 35 s                   3.2 s          399 700 498
ZIP/Deflate       1m 20 s                   4.9 s          419 622 336
2017-12-21 13:32:02 +01:00
Brian May
d4f213636b tiff2pdf: Fix apparent incorrect type for transfer table
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
2017-12-11 07:35:41 +11:00
Brian May
3dd8f6a357 tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.

We than read the transfer function for every page.  Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.

For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.

When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.

There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.

It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.

This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
2017-12-11 07:35:18 +11:00
Even Rouault
9c243a11a3 Merge branch 'remove_autogenerated_files' into 'master'
Remove autogenerated files

See merge request libtiff/libtiff!5
2017-12-02 22:10:48 +00:00
Bob Friesenhahn
79bb4d034f 'tif_config.h' or 'tiffio.h' must be included before any system header. 2017-12-02 14:45:03 -06:00
Even Rouault
c56eda4b7e Remove remaining .cvsignore files 2017-12-01 15:55:10 +01:00
Even Rouault
2440a113ea Remove autoconf/automake generated files, and add them to .gitignore 2017-12-01 15:54:48 +01:00
Even Rouault
8603db6cfa Regenerate autoconf files 2017-11-30 18:10:01 +01:00
Even Rouault
f0a54a4fa0 Remove all $Id and $Headers comments with CVS versions 2017-11-30 18:02:46 +01:00
Bob Friesenhahn
25f9ffa565 * tools/tiff2bw.c (main): Free memory allocated in the tiff2bw
program.  This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
2017-11-01 13:41:58 +00:00