diff options
| -rwxr-xr-x | contrib/oss-fuzz/build.sh | 11 | ||||
| -rw-r--r-- | contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc | 9 | ||||
| -rw-r--r-- | libtiff/tif_ojpeg.c | 15 | ||||
| -rw-r--r-- | libtiff/tif_open.c | 1 | ||||
| -rw-r--r-- | man/libtiff.3tiff | 6 |
5 files changed, 35 insertions, 7 deletions
diff --git a/contrib/oss-fuzz/build.sh b/contrib/oss-fuzz/build.sh index ccac210c..fe6bd340 100755 --- a/contrib/oss-fuzz/build.sh +++ b/contrib/oss-fuzz/build.sh @@ -37,7 +37,14 @@ popd # Build libjbig pushd "$SRC/jbigkit" -make lib +if [ "$ARCHITECTURE" = "i386" ]; then + echo "#!/bin/bash" > gcc + echo "clang -m32 \$*" >> gcc + chmod +x gcc + PATH=$PWD:$PATH make lib +else + make lib +fi mv "$SRC"/jbigkit/libjbig/*.a "$WORK/lib/" mv "$SRC"/jbigkit/libjbig/*.h "$WORK/include/" popd @@ -48,7 +55,7 @@ make install $CXX $CXXFLAGS -std=c++11 -I$WORK/include \ $SRC/libtiff/contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc -o $OUT/tiff_read_rgba_fuzzer \ - -lFuzzingEngine $WORK/lib/libtiffxx.a $WORK/lib/libtiff.a $WORK/lib/libz.a $WORK/lib/libjpeg.a \ + $LIB_FUZZING_ENGINE $WORK/lib/libtiffxx.a $WORK/lib/libtiff.a $WORK/lib/libz.a $WORK/lib/libjpeg.a \ $WORK/lib/libjbig.a $WORK/lib/libjbig85.a mkdir afl_testcases diff --git a/contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc b/contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc index b1b189f8..ec1c9b63 100644 --- a/contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc +++ b/contrib/oss-fuzz/tiff_read_rgba_fuzzer.cc @@ -22,6 +22,7 @@ */ #include <cstdint> +#include <cstdlib> #include <sstream> #include <tiffio.h> #include <tiffio.hxx> @@ -40,6 +41,14 @@ extern "C" void handle_error(const char *unused, const char *unused2, va_list un extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { TIFFSetErrorHandler(handle_error); TIFFSetWarningHandler(handle_error); +#if defined(__has_feature) +# if __has_feature(memory_sanitizer) + // libjpeg-turbo has issues with MSAN and SIMD code + // See https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7547 + // and https://github.com/libjpeg-turbo/libjpeg-turbo/pull/365 + setenv("JSIMD_FORCENONE" ,"1", 1); +# endif +#endif std::istringstream s(std::string(Data,Data+Size)); TIFF* tif = TIFFStreamOpen("MemTIFF", &s); if (!tif) { diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c index ad3e1e71..643bcf23 100644 --- a/libtiff/tif_ojpeg.c +++ b/libtiff/tif_ojpeg.c @@ -1107,6 +1107,12 @@ OJPEGReadHeaderInfo(TIFF* tif) } if (sp->strile_length<sp->image_length) { + if (((sp->subsampling_hor!=1) && (sp->subsampling_hor!=2) && (sp->subsampling_hor!=4)) || + ((sp->subsampling_ver!=1) && (sp->subsampling_ver!=2) && (sp->subsampling_ver!=4))) + { + TIFFErrorExt(tif->tif_clientdata,module,"Invalid subsampling values"); + return(0); + } if (sp->strile_length%(sp->subsampling_ver*8)!=0) { TIFFErrorExt(tif->tif_clientdata,module,"Incompatible vertical subsampling and image strip/tile length"); @@ -2018,10 +2024,15 @@ OJPEGReadBufferFill(OJPEGState* sp) sp->in_buffer_source=osibsEof; else { - sp->in_buffer_file_pos=TIFFGetStrileOffset(sp->tif, sp->in_buffer_next_strile); + int err = 0; + sp->in_buffer_file_pos=TIFFGetStrileOffsetWithErr(sp->tif, sp->in_buffer_next_strile, &err); + if( err ) + return 0; if (sp->in_buffer_file_pos!=0) { - uint64 bytecount = TIFFGetStrileByteCount(sp->tif, sp->in_buffer_next_strile); + uint64 bytecount = TIFFGetStrileByteCountWithErr(sp->tif, sp->in_buffer_next_strile, &err); + if( err ) + return 0; if (sp->in_buffer_file_pos>=sp->file_size) sp->in_buffer_file_pos=0; else if (bytecount==0) diff --git a/libtiff/tif_open.c b/libtiff/tif_open.c index f7b7e0f8..3cb53d4e 100644 --- a/libtiff/tif_open.c +++ b/libtiff/tif_open.c @@ -131,6 +131,7 @@ TIFFClientOpen( if (!readproc || !writeproc || !seekproc || !closeproc || !sizeproc) { TIFFErrorExt(clientdata, module, "One of the client procedures is NULL pointer."); + _TIFFfree(tif); goto bad2; } tif->tif_readproc = readproc; diff --git a/man/libtiff.3tiff b/man/libtiff.3tiff index 3efe162e..8e9ff35b 100644 --- a/man/libtiff.3tiff +++ b/man/libtiff.3tiff @@ -342,7 +342,7 @@ WhitePoint 318 R/W XPosition 286 R/W XResolution 282 R/W YCbCrCoefficients 529 R/W used by TIFFRGBAImage support -YCbCrPositioning 531 R/W tile/strip size calulcations +YCbCrPositioning 531 R/W tile/strip size calculations YCbCrSubsampling 530 R/W YPosition 286 R/W YResolution 283 R/W used by Group 3 codec @@ -354,7 +354,7 @@ tags whose values lie in a range outside the valid range of .SM TIFF tags. These tags are termed -.I pseud-tags +.I pseudo-tags and are used to control various codec-specific functions within the library. The table below summarizes the defined pseudo-tags. .sp @@ -408,7 +408,7 @@ The default value is a pointer to a builtin function that images packed bilevel data. .TP .B TIFFTAG_IPTCNEWSPHOTO -Tag contaings image metadata per the IPTC newsphoto spec: Headline, +Tag contains image metadata per the IPTC newsphoto spec: Headline, captioning, credit, etc... Used by most wire services. .TP .B TIFFTAG_PHOTOSHOP |