| Commit message | Author | Age | Files | Lines |
| |
v4.0.9.
| |
comments.
| |
program. This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
| |
signed/unsigned comparison.
| |
initCIELabConversion()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733
Credit to OSS Fuzz
| |
honours max_memory_to_use > 0.
Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162
| |
/MDd runtime in debug mode.
| |
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
| |
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735
| |
null-pointer dereference warning by CLang Static Analyzer.
| |
function that checks if the offset is not bigger than INT64_MAX, so as
to avoid a -1 error return code of TIFFSeekFile() to match a required
seek to UINT64_MAX/-1.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
Adapted from proposal by Nicolas Ruff.
| |
file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since this is non-compliant.
* test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
to fix "make distcheck". Patch by Roger Leigh
| |
on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337
SubIFD tag by runtime check (in TIFFWriteDirectorySec())
| |
SubIFD tag by runtime check.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
Reported by team OWL337
| |
buffer when RowsPerStrip >= image_length in LogLuvInitState() and
LogL16InitState().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
Credit to OSS Fuzz
| |
pixel number is not a multiple of the horizontal subsampling, and
also in some other cases. Impact putcontig8bitYCbCr44tile,
putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
by Agostino Sarubbo)
and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
to OSS Fuzz)
| |
properly break from loops on error when stoponerr is set, instead
of going on iterating on row based loop.
| |
allocation when RowsPerStrip tag is missing.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
Credit to OSS-Fuzz
| |
allocation attempts in TIFFReadDirEntryArray() on short files.
Effective for mmap'ed case. And non-mmap'ed case, but restricted
to 64bit builds.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
| |
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of service.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
| |
Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
in the isMapped() case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.
| |
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
| |
_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
| |
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)
| |
to test old-style LZW decompression
* test/common.sh, Makefile.am, CMakeList.txt: updated with above
| |
compressed files.
| |
when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
| |
and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
TIFFReadTile() that allocate the decoded buffer only after a first
successful TIFFFillTile(). This avoids excessive memory allocation
on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
Credit to OSS Fuzz.
| |
an old-style and new-style warning/error handlers are installed.
Patch by Paavo Helde (sent on the mailing list)
| |
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz
| |
TIFFSetSubDirectory() data type.
Patch by Eric Piel
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671
| |
functions associated with LONG8/SLONG8 data type, replace assertion that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337
| |
function, variant of TIFFReadEncodedStrip() that allocates the
decoded buffer only after a first successful TIFFFillStrip(). This avoids
excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
Credit to OSS Fuzz
| |
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFileStrip() on 2017-05-10)
| |
libtiff/tif_read.c: make TIFFReadScanline() work in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.
| |
double value can fit in a float before casting. Patch by Nicolas RUFF
| |
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337
* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
| |
memory allocation is above 100 MB. libjpeg in case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleaved in a single one, needs to allocate memory (or
backing store) for the whole strip/tile.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
This limitation may be overridden by setting the
LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
| |
CPU consumption on progressive JPEGs with a huge number of scans.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG
was added.
| |
disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
* libtiff/tif_predict.c: decorate legitimate functions where unsigned int
overflow occurs with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
* libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
and BYTECOUNTLOOKSBAD when file is too short.
* libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
* libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
potentially be a bug with huge rows.
* libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
| |
read in StripOffsets/StripByteCounts tags to the number of strips to avoid
excessive memory allocation.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215
Credit to OSS Fuzz
| |
ChopUpSingleUncompressedStrip() regarding update of newly single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition bytecount==0 used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this causes
later incorrect setting for the value of StripByteCounts/StripOffsets.
| |
0001-ci-Travis-script-improvements.patch and
0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
(sent to mailing list)
| |
0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
Roger Leigh (sent to mailing list on 2017-06-08)
This patch adds support for the Travis-CI service.
* .appveyor.yml: new file from
0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
list on 2017-06-08)
This patch adds a .appveyor.yml file to the top-level. This allows
one to opt in to having a branch built on Windows with Cygwin,
MinGW and MSVC automatically when a branch is pushed to GitHub,
GitLab, BitBucket or any other supported git hosting service.
* CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
Leigh (sent to mailing list on 2017-06-08)
This patch makes the CMake build system support running the tests
with MinGW or Cygwin.