| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols
of its internal libtiff copy.
|
and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
codec-specified tag but this codec is not enabled. This prevents TIFFGetField()
from behaving differently depending on whether the codec is enabled or not, and
thus can avoid stack based buffer overflows in a number of TIFF utilities
such as tiffsplit, tiffcmp, thumbnail, etc.
Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
Fixes:
http://bugzilla.maptools.org/show_bug.cgi?id=2580
http://bugzilla.maptools.org/show_bug.cgi?id=2693
http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
http://bugzilla.maptools.org/show_bug.cgi?id=2441
http://bugzilla.maptools.org/show_bug.cgi?id=2433
|
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
|
int32 overflow in TIFFYCbCrtoRGB().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
Credit to OSS Fuzz
|
refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
|
to avoid division by zero.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
|
float.
Credit to Google Autofuzz project
|
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
|
next_in and tif_rawcc with avail_in at beginning and end of function,
similarly to what is done in LZWDecode(). Likely needed so that it
works properly with latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode. But untested...
|
and update tif_rawcc at end of LZWDecode(). This is needed to properly
work with the latest changes in tif_read.c in CHUNKY_STRIP_READ_SUPPORT
mode.
|
allocation when RowsPerStrip tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
|
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
|
overflows in multiply_ms() and add_ms().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
|
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
|
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
|
avoid excessive memory allocation in case of shortened files.
Only effective on 64 bit builds.
Credit to OSS-Fuzz (locally run, on GDAL)
|
avoid potential integer overflows with read_ahead in
CHUNKY_STRIP_READ_SUPPORT mode. Should
especially occur on 32 bit platforms.
|
avoid excessive memory allocation in case of shortened files.
Only effective on 64 bit builds and non-mapped cases.
Credit to OSS-Fuzz (locally run, on GDAL)
|
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails.
Credit to OSS-Fuzz (locally run, on GDAL)
|
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677
|
Patch by Alan Coopersmith + complement by myself.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672
|
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
|
mode (ie default) when there is both a StripOffsets and
TileOffsets tag, or a StripByteCounts and TileByteCounts
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
* tools/tiff2ps.c: call TIFFClose() in error code paths.
|
-Wimplicit-fallthrough warnings.
|
PixarLogSetupDecode(). Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665
|
code bit-width after flushing the remaining code and before emitting
the EOI code.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982
|
YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce
the I/O amount when the tag is present (especially on cloud hosted files).
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631
|
OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable
|
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
|
functions instead of -1 when TIFFFlushData1() fails.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
|
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
|
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
|
avoid UndefinedBehaviorSanitizer warning.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
|
addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
|
undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
|
of double to other data types to avoid undefined behaviour if the output range
isn't big enough to hold the input value.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643
http://bugzilla.maptools.org/show_bug.cgi?id=2642
http://bugzilla.maptools.org/show_bug.cgi?id=2646
http://bugzilla.maptools.org/show_bug.cgi?id=2647
|
TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
and return 0 in that case (instead of infinity as before presumably)
Apparently some sanitizers do not like those divisions by zero.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644
|
assertion by runtime check to error out if passed value is strictly
negative.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535
* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
|
JPEGSetupEncode() when horizontal or vertical sampling is set to 0.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
|
10 MB instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
|
t2p_readwrite_pdf_image_tile().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
|
t2p_writeproc.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
|
unspecified behaviour.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638
|
path of TIFFRGBAImageBegin().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627
|