| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
Fix utility baked-in getopt prototype which appears when HAVE_GETOPT is not defined.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
differed for non good reason. Non-functional change normally. (fixes GitLab #162)
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17244
|
|
|
|
| |
overflows. Fixes https://oss-fuzz.com/testcase-detail/5686156066291712 and https://oss-fuzz.com/testcase-detail/6332499206078464
|
| |
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16844
|
|
|
|
| |
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16846
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16793
|
|
|
|
| |
bug). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16792
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16784
|
|
|
|
|
|
| |
Follow-up of cf3ce6fab894414a336546f62adc57f02590a22c
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16602
Credit to OSS Fuzz
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16685
|
|
|
|
| |
close to UINT32_MAX. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16683
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16653
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16643&
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16635
|
|
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16632
|
|
|
|
| |
overflow (not a bug)
|
| |
|
| |
|
| |
|
|
|
|
| |
with -fsanitize=unsigned-integer-overflow (not a bug, this is well defined by itself)
|
| |
|
|
|
|
| |
Gunadi. No actual problem known (which does not mean there wouldn't be any. Particularly on 32bit builds)
|
|
|
|
| |
overflow, especially on 32 bit builds. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS Fuzz
|
|\
| |
| |
| |
| | |
Fix integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973)
See merge request libtiff/libtiff!90
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
behaviour (CVE-2019-14973)
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which lead to
this fix was trigged from tif_fax3.c
There were also unsafe (implementation defied), and broken in practice on 64bit
builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
|
| |
| |
| |
| | |
provided. Fixed Coverity GDAL CID 1404110
|
| |
| |
| |
| | |
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16400. master only
|
|/
|
|
| |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15824. Credit to OSS Fuzz
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IGNORE placeholder in tif_dirread.c is now replaced by a field dir_ignore in the TIFFDirEntry structure
Currently, in tif_dirread.c a special IGNORE value for the tif tags is defined
in order to flag status preventing already processed tags from further processing.
This irrational behaviour prevents reading of custom tags with id code 0 - like tag GPSVERSIONID from EXIF 2.31 definition.
An additional field 'tdir_ignore' is now added to the TIFFDirEntry structure and code is changed
to allow tags with id code 0 to be read correctly.
This change was already proposed as pending improvement in tif_dirread.c around line 32.
Reference is also made to:
- Discussion in https://gitlab.com/libtiff/libtiff/merge_requests/39
- http://bugzilla.maptools.org/show_bug.cgi?id=2540
Comments and indention adapted.
Preparation to rebase onto master
|
|
|
|
| |
have gone with eaeca6274ae71cdfaeb9f673b6fb0f3cfc0e6ce5) (master only)
|
|
|
|
|
| |
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=925269
Patch from Lei Zhang with little adaptations.
|
| |
|
|\
| |
| |
| |
| | |
Add TIFFDeferStrileArrayWriting() and TIFFForceStrileArrayWriting()
See merge request libtiff/libtiff!82
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Those advanced writing functions must be used in a particular sequence
to make their intended effect. Their aim is to control when/where
the [Strip/Tile][Offsets/ByteCounts] arrays are written into the file.
The purpose of this is to generate 'cloud-optimized geotiff' files where
the first KB of the file only contain the IFD entries without the potentially
large strile arrays. Those are written afterwards.
The typical sequence of calls is:
TIFFOpen()
[ TIFFCreateDirectory(tif) ]
Set fields with calls to TIFFSetField(tif, ...)
TIFFDeferStrileArrayWriting(tif)
TIFFWriteCheck(tif, ...)
TIFFWriteDirectory(tif)
... potentially create other directories and come back to the above directory
TIFFForceStrileArrayWriting(tif): emit the arrays at the end of file
See test/defer_strile_writing.c for a practical example.
|
|\ \
| | |
| | |
| | |
| | | |
Add TIFFReadFromUserBuffer()
See merge request libtiff/libtiff!81
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This function replaces the use of TIFFReadEncodedStrip()/TIFFReadEncodedTile()
when the user can provide the buffer for the input data, for example when
he wants to avoid libtiff to read the strile offset/count values from the
[Strip|Tile][Offsets/ByteCounts] array.
|
| | |
| | |
| | |
| | | |
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14908)
|
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Found on GDAL with https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14894
Disabling the TIFF_DEFERSTRILELOAD bit in ChopupStripArray() was a
bad idea since when using TIFFReadDirectory() to reload the directory again
would lead to a different value of td_rowsperstrip, which could confuse
readers if they relied on the value found initially.
|
|/ |
|
| |
|