Commit log for path: root/libtiff

Each entry gives the commit message, followed by (author, date, number of files changed, lines -removed/+added).
* libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate(): properly break from loops on error when stoponerr is set, instead of going on iterating on row based loop.
  (erouault, 2017-07-24, 1 file, -3/+3)
* libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory allocation when RowsPerStrip tag is missing. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 Credit to OSS-Fuzz
  (erouault, 2017-07-18, 1 file, -2/+4)
* Fix warning with x86_64-w64-mingw32-g++
  (erouault, 2017-07-15, 1 file, -2/+2)
* Fix signed vs unsigned comparison warning on Windows
  (erouault, 2017-07-15, 1 file, -2/+2)
* libtiff/tif_read.c: add protection against excessive memory allocation attempts in TIFFReadDirEntryArray() on short files. Effective for mmap'ed case. And non-mmap'ed case, but restricted to 64bit builds. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
  (erouault, 2017-07-15, 1 file, -6/+85)
* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz
  (erouault, 2017-07-15, 1 file, -1/+18)
* libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 in the isMapped() case, so as to avoid excessive memory allocation when we need a temporary buffer but the file is truncated.
  (erouault, 2017-07-15, 1 file, -35/+42)
* libtiff/tif_dir.c: avoid potential null pointer dereference in _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
  (erouault, 2017-07-11, 1 file, -1/+3)
* libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW strips. Crashing issue only on memory mapped files, where the strip offset is the last byte of the file, and the file size is a multiple of one page size on the CPU architecture (typically 4096). Credit to myself :-)
  (erouault, 2017-07-11, 1 file, -2/+3)
* refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes)
  (erouault, 2017-07-11, 1 file, -0/+1)
* libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW compressed files.
  (erouault, 2017-07-11, 1 file, -1/+5)
* libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 Credit to OSS Fuzz
  (erouault, 2017-07-10, 1 file, -2/+7)
* Commit files that should have gone with previous commit
  (erouault, 2017-07-04, 3 files, -28/+122)
* libtiff/tif_error.c, tif_warning.c: correctly use va_list when both an old-style and new-style warning/error handlers are installed. Patch by Paavo Helde (sent on the mailing list)
  (erouault, 2017-07-04, 2 files, -18/+34)
* libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), limiting the number of bytes read. But it could probably have been hit too in CHUNKY_STRIP_READ_SUPPORT mode previously? Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 Credit to OSS Fuzz
  (erouault, 2017-07-02, 1 file, -2/+5)
* Fix module names in error message
  (erouault, 2017-06-30, 1 file, -4/+4)
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 data type, replace assertion that the file is BigTIFF, by a non-fatal error. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team OWL337
  (erouault, 2017-06-30, 1 file, -5/+17)
* libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() function, variant of TIFFReadEncodedStrip() that allocates the decoded buffer only after a first successful TIFFFillStrip(). This avoids excessive memory allocation on corrupted files.
  * libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . Credit to OSS Fuzz
  (erouault, 2017-06-30, 3 files, -38/+110)
* libtiff/tif_read.c: TIFFFillTile(): add limitation to the number of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation (similarly to what was done for TIFFFileStrip() on 2017-05-10)
  (erouault, 2017-06-30, 1 file, -1/+34)
* libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, libtiff/tif_read.c: make TIFFReadScanline() work in CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans. Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER environment variable the maximum number of scans allowed. Defaults to 100.
  (erouault, 2017-06-29, 4 files, -15/+79)
* libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a double value can fit in a float before casting. Patch by Nicolas RUFF
  (erouault, 2017-06-27, 1 file, -1/+3)
* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 Reported by team OWL337
  * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
  (erouault, 2017-06-26, 1 file, -1/+2)
* libjpeg/tif_jpeg.c: error out at decoding time if anticipated libjpeg memory allocation is above 100 MB. libjpeg in case of multiple scans, which is allowed even in baseline JPEG, if components are spread over several scans and not interleaved in a single one, needs to allocate memory (or backing store) for the whole strip/tile. See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf This limitation may be overridden by setting the LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
  (erouault, 2017-06-24, 1 file, -1/+50)
* libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive CPU consumption on progressive JPEGs with a huge number of scans. See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG was added.
  (erouault, 2017-06-24, 1 file, -1/+33)
* libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
  * libtiff/tif_predict.c: decorate legitimate functions where unsigned int overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
  * libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts() and BYTECOUNTLOOKSBAD when file is too short.
  * libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
  * libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could potentially be a bug with huge rows.
  * libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
  (erouault, 2017-06-18, 6 files, -51/+74)
* libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items read in StripOffsets/StripByteCounts tags to the number of strips to avoid excessive memory allocation. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215 Credit to OSS Fuzz
  (erouault, 2017-06-12, 1 file, -17/+32)
* libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in ChopUpSingleUncompressedStrip() regarding update of newly single-strip uncompressed files whose bytecount is 0. Before the change of 2016-12-03, the condition bytecount==0 used to trigger an early exit/disabling of strip chop. Re-introduce that in update mode. Otherwise this causes later incorrect setting for the value of StripByCounts/StripOffsets.
  (erouault, 2017-06-12, 1 file, -1/+6)
* libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols of its internal libtiff copy.
  (erouault, 2017-06-08, 1 file, -12/+12)
* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), and use it in TIFFReadDirectory() so as to ignore fields whose tag is a codec-specified tag but this codec is not enabled. This avoids TIFFGetField() to behave differently depending on whether the codec is enabled or not, and thus can avoid stack based buffer overflows in a number of TIFF utilities such as tiffsplit, tiffcmp, thumbnail, etc. Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
  Fixes:
  http://bugzilla.maptools.org/show_bug.cgi?id=2580
  http://bugzilla.maptools.org/show_bug.cgi?id=2693
  http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
  http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
  http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
  http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
  http://bugzilla.maptools.org/show_bug.cgi?id=2441
  http://bugzilla.maptools.org/show_bug.cgi?id=2433
  (erouault, 2017-06-01, 3 files, -3/+111)
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for refBlackWhite coefficients values. To avoid invalid float->int32 conversion (when refBlackWhite[0] == 2147483648.f) Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 Credit to OSS Fuzz
  (erouault, 2017-05-29, 1 file, -2/+2)
* libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in TIFFYCbCrtoRGB(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 Credit to OSS Fuzz
  (erouault, 2017-05-29, 1 file, -4/+4)
* libtiff 4.0.8 released [tag: Release-v4-0-8]
  (bfriesen, 2017-05-21, 1 file, -2/+2)
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for refBlackWhite coefficients values. To avoid invalid float->int32 conversion. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 Credit to OSS Fuzz Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
  (erouault, 2017-05-20, 1 file, -7/+12)
* libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero to avoid division by zero. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 Credit to OSS Fuzz
  (erouault, 2017-05-18, 1 file, -1/+3)
* libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to float. Credit to Google Autofuzz project
  (erouault, 2017-05-17, 1 file, -2/+2)
* libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of luma and refBlackWhite coefficients (just check they are not NaN for now), to avoid potential float to int overflows. Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 Credit to OSS Fuzz
  (erouault, 2017-05-17, 1 file, -1/+24)
* libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc with avail_in at beginning and end of function, similarly to what is done in LZWDecode(). Likely needed so that it works properly with latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. But untested...
  (erouault, 2017-05-17, 1 file, -1/+8)
* libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(), and update tif_rawcc at end of LZWDecode(). This is needed to properly work with the latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
  (erouault, 2017-05-17, 1 file, -2/+6)
* libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory allocation when RowsPerStrip tag is missing. Credit to OSS-Fuzz (locally run, on GDAL)
  (erouault, 2017-05-14, 1 file, -2/+4)
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode() Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 Credit to OSS-Fuzz
  (erouault, 2017-05-14, 1 file, -1/+7)
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 overflows in multiply_ms() and add_ms(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 Credit to OSS-Fuzz
  (erouault, 2017-05-13, 2 files, -20/+19)
* libtiff/tif_color.c: avoid potential int32 overflow in TIFFYCbCrToRGBInit() Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 Credit to OSS-Fuzz
  (erouault, 2017-05-13, 1 file, -10/+30)
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when calling TIFFStartStrip() or TIFFFillStripPartial(). This avoids reading beyond tif_rawdata when bytecount > tif_rawdatasize. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. Credit to OSS-Fuzz
  (erouault, 2017-05-13, 1 file, -2/+8)
* libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive memory allocation in case of shortened files. Only effective on 64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL)
  (erouault, 2017-05-12, 1 file, -122/+130)
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), avoid potential integer overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode. Should especially occur on 32 bit platforms.
  (erouault, 2017-05-12, 1 file, -4/+23)
* Rename variable added in previous commit to avoid symbol clash
  (erouault, 2017-05-10, 1 file, -5/+5)
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid excessive memory allocation in case of shortened files. Only effective on 64 bit builds and non-mapped cases. Credit to OSS-Fuzz (locally run, on GDAL)
  (erouault, 2017-05-10, 1 file, -13/+184)
* libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory leak when the underlying codec (ZIP, PixarLog) succeeds its setupdecode() method, but PredictorSetup fails. Credit to OSS-Fuzz (locally run, on GDAL)
  (erouault, 2017-05-10, 3 files, -4/+17)
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation.
  (erouault, 2017-05-10, 1 file, -1/+34)
* libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. Patch by Alan Coopersmith + complement by myself. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
  * tools/fax2tiff.c: emit appropriate message if the input file is empty. Patch by Alan Coopersmith. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
  (erouault, 2017-04-27, 1 file, -2/+3)