| Commit message | Author | Age | Files | Lines |

v4.0.9.

comments.

not been active in years.

program. This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.

signed/unsigned comparison.

initCIELabConversion()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733
Credit to OSS Fuzz

honours max_memory_to_use > 0.
Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162

/MDd runtime in debug mode.

(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.

Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735

null-pointer dereference warning by Clang Static Analyzer.

function that checks if the offset is not bigger than INT64_MAX, so as
to avoid a -1 error return code of TIFFSeekFile() to match a required
seek to UINT64_MAX/-1.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
Adapted from proposal by Nicolas Ruff.

file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since this is non-compliant.
* test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
to fix "make distcheck". Patch by Roger Leigh

to fix "make distcheck". Patch by Roger Leigh

on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337
SubIFD tag by runtime check (in TIFFWriteDirectorySec())

SubIFD tag by runtime check.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
Reported by team OWL337

buffer when RowsPerStrip >= image_length in LogLuvInitState() and
LogL16InitState().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
Credit to OSS Fuzz

pixel number is not a multiple of the horizontal subsampling, and
also in some other cases. Impact putcontig8bitYCbCr44tile,
putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
by Agostino Sarubbo)
and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
to OSS Fuzz)

properly break from loops on error when stoponerr is set, instead
of going on iterating on row based loop.

allocation when RowsPerStrip tag is missing.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
Credit to OSS-Fuzz

allocation attempts in TIFFReadDirEntryArray() on short files.
Effective for mmap'ed case. And non-mmap'ed case, but restricted
to 64bit builds.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675

arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of service.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz

Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
in the isMapped() case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.

mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337

_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713

strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)

to test old-style LZW decompression
* test/common.sh, Makefile.am, CMakeList.txt: updated with above

compressed files.

when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz

and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
TIFFReadTile() that allocates the decoded buffer only after a first
successful TIFFFillTile(). This avoids excessive memory allocation
on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
Credit to OSS Fuzz.

an old-style and new-style warning/error handlers are installed.
Patch by Paavo Helde (sent on the mailing list)

tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz

TIFFSetSubDirectory() data type.
Patch by Eric Piel
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671

functions associated with LONG8/SLONG8 data type, replace assertion that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337

function, variant of TIFFReadEncodedStrip() that allocates the
decoded buffer only after a first successful TIFFFillStrip(). This avoids
excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
Credit to OSS Fuzz

of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFileStrip() on 2017-05-10)

libtiff/tif_read.c: make TIFFReadScanline() work in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.

double value can fit in a float before casting. Patch by Nicolas RUFF

Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337
* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg