| Commit message (Collapse) | Author | Age | Files | Lines |
|
* configure.ac: Update for 4.0.7 release.
|
_TIFFmalloc() argument which resulted in Coverity report. Added
more multiplication overflow checks.
|
Fixes Coverity 1394415.
|
compilation warning.
|
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value. Results might not be an expected value.". Problem was
reported on November 16, 2016 on the tiff mailing list.
|
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.
|
comparison warning.
(TIFFReadSeparateTileData): Fix signed/unsigned comparison
warning.
|
compare
|
signed/unsigned comparison warning.
|
release.
|
of source and destination buffer in memcpy() call in
t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
|
in t2p_read_tiff_size()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
|
when requesting Predictor tag and that the zip/lzw codec is not
configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
|
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
|
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
|
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
|
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outside of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
|
previous commit (fix for MSVR 35105)
|
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
|
argument. Patch by Yuriy M. Kaminskiy.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
|
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing an out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)
|
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)
* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
|
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
|
compressed images. Reported by Tyler Bohan of Cisco Talos as
TALOS-CAN-0187 / CVE-2016-5652.
Also prevents writing 2 extra uninitialized bytes to the file stream.
|
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
|
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.
|
required tags. Found on test case of MSVR 35100.
* tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel
Souchet from the MSRC Vulnerabilities & Mitigations team.
|
URL as possible.
|
read floating point images.
* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."
places where it isn't done currently, but it seems this patch is enough.
|
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocated buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.
|
abandoned utilities.
|
by GCC 5 / clang -Wfloat-conversion
|
value overflow (no security implication). Fix bugzilla #2550.
Patch by Frank Freudenberg.
|
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
|
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
|
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
simpler check. (bugzilla #2544)
invalid tests that rejected valid files. (bugzilla #2545)
|
buffer, when -b mode is enabled, that could result in out-of-bounds
write. Based initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
invalid tests that rejected valid files.