Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
105
Merge Requests
105
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
901be43f
Commit
901be43f
authored
Apr 07, 2017
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/libtiff: apply patches from tiff_4.0.7-5.debian.
parent
ff7c1ae7
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
1162 additions
and
0 deletions
+1162
-0
component/libtiff/buildout.cfg
component/libtiff/buildout.cfg
+4
-0
component/libtiff/tiff_4.0.7-5.debian.patch
component/libtiff/tiff_4.0.7-5.debian.patch
+1158
-0
No files found.
component/libtiff/buildout.cfg
View file @
901be43f
...
...
@@ -2,6 +2,7 @@
extends =
../libjpeg/buildout.cfg
../jbigkit/buildout.cfg
../patch/buildout.cfg
../zlib/buildout.cfg
parts =
...
...
@@ -15,6 +16,9 @@ configure-options =
--disable-static
--without-x
--disable-lzma
patch-options = -p1
patches =
${:_profile_base_location_}/tiff_4.0.7-5.debian.patch#f132ec0dc5cde03f9bbbe90b7a79fed4
environment =
CPPFLAGS=-I${libjpeg:location}/include -I${jbigkit:location}/include -I${zlib:location}/include
LDFLAGS=-L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${jbigkit:location}/lib -Wl,-rpath=${jbigkit:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib
...
...
component/libtiff/tiff_4.0.7-5.debian.patch
0 → 100644
View file @
901be43f
commit 8c101323f5789ef6a0db952d53794e9c4ba48207
Author: erouault <erouault>
Date: Fri Dec 2 21:56:56 2016 +0000
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
diff --git a/ChangeLog b/ChangeLog
index 46a5d7c..668b66a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
+ TIFFReadEncodedStrip() that caused an integer division by zero.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
+
2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.7 released.
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 8003592..29a311d 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -1,4 +1,4 @@
-/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */
+/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -346,7 +346,7 @@
TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
rowsperstrip=td->td_rowsperstrip;
if (rowsperstrip>td->td_imagelength)
rowsperstrip=td->td_imagelength;
- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
stripinplane=(strip%stripsperplane);
plane=(uint16)(strip/stripsperplane);
rows=td->td_imagelength-stripinplane*rowsperstrip;
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 8bcd0c1..5294ee7 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -1,4 +1,4 @@
-/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -250,6 +250,10 @@
struct tiff {
#define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
#define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
#define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
#define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
commit b412777317cabbf8ed89ca38fb180991cca89b8c
Author: erouault <erouault>
Date: Fri Dec 2 22:13:32 2016 +0000
* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
diff --git a/ChangeLog b/ChangeLog
index 668b66a..0f154d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-02 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
+ can cause various issues, such as buffer overflows in the library.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598
+
+2016-12-02 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 338a3d1..6dfb9a9 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -985,7 +985,7 @@
DECLAREcpFunc(cpDecodedStrips)
tstrip_t s, ns = TIFFNumberOfStrips(in);
uint32 row = 0;
_TIFFmemset(buf, 0, stripsize);
- for (s = 0; s < ns; s++) {
+ for (s = 0; s < ns && row < imagelength; s++) {
tsize_t cc = (row + rowsperstrip > imagelength) ?
TIFFVStripSize(in, imagelength - row) : stripsize;
if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
commit da99990ba6e1203798a59eb836fc6433ed6e3d66
Author: erouault <erouault>
Date: Fri Dec 2 23:05:51 2016 +0000
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
The fix for LUV has not been tested, but suffers from the same kind
of issue of PixarLog.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
diff --git a/ChangeLog b/ChangeLog
index 0f154d6..93c01f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
+ overflow on generation of PixarLog / LUV compressed files, with
+ ColorMap, TransferFunction attached and nasty plays with bitspersample.
+ The fix for LUV has not been tested, but suffers from the same kind
+ of issue of PixarLog.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
+
2016-12-02 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index ca08f30..f42ac01 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -158,6 +158,7 @@
typedef struct logLuvState LogLuvState;
struct logLuvState {
+ int encoder_state; /* 1 if encoder correctly initialized */
int user_datafmt; /* user data format */
int encode_meth; /* encoding method */
int pixel_size; /* bytes per pixel */
@@ -1552,6 +1553,7 @@
LogLuvSetupEncode(TIFF* tif)
td->td_photometric, "must be either LogLUV or LogL");
break;
}
+ sp->encoder_state = 1;
return (1);
notsupported:
TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@
notsupported:
static void
LogLuvClose(TIFF* tif)
{
+ LogLuvState* sp = (LogLuvState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/*
* For consistency, we always want to write out the same
* bitspersample and sampleformat for our TIFF file,
* regardless of the data format being used by the application.
* Since this routine is called after tags have been set but
* before they have been recorded in the file, we reset them here.
+ * Note: this is really a nasty approach. See PixarLogClose
*/
- td->td_samplesperpixel =
- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
- td->td_bitspersample = 16;
- td->td_sampleformat = SAMPLEFORMAT_INT;
+ if( sp->encoder_state )
+ {
+ /* See PixarLogClose. Might avoid issues with tags whose size depends
+ * on those below, but not completely sure this is enough. */
+ td->td_samplesperpixel =
+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+ td->td_bitspersample = 16;
+ td->td_sampleformat = SAMPLEFORMAT_INT;
+ }
}
static void
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index f4af2ba..9836dce 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */
+/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */
/*
* Copyright (c) 1996-1997 Sam Leffler
@@ -1233,8 +1233,10 @@
PixarLogPostEncode(TIFF* tif)
static void
PixarLogClose(TIFF* tif)
{
+ PixarLogState* sp = (PixarLogState*) tif->tif_data;
TIFFDirectory *td = &tif->tif_dir;
+ assert(sp != 0);
/* In a really sneaky (and really incorrect, and untruthful, and
* troublesome, and error-prone) maneuver that completely goes against
* the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@
PixarLogClose(TIFF* tif)
* readers that don't know about PixarLog, or how to set
* the PIXARLOGDATFMT pseudo-tag.
*/
- td->td_bitspersample = 8;
- td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+ if (sp->state&PLSTATE_INIT) {
+ /* We test the state to avoid an issue such as in
+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+ * What appends in that case is that the bitspersample is 1 and
+ * a TransferFunction is set. The size of the TransferFunction
+ * depends on 1<<bitspersample. So if we increase it, an access
+ * out of the buffer will happen at directory flushing.
+ * Another option would be to clear those targs.
+ */
+ td->td_bitspersample = 8;
+ td->td_sampleformat = SAMPLEFORMAT_UINT;
+ }
}
static void
commit c533d200ecc45e00892a94f9bb2e762a5aa0b2ce
Author: erouault <erouault>
Date: Sat Dec 3 11:02:15 2016 +0000
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
the total size of data is not sufficient to fill the whole image, and thus
results in reading outside of the StripByCounts/StripOffsets arrays when
using TIFFReadScanline().
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.
diff --git a/ChangeLog b/ChangeLog
index 93c01f8..9dbc7a0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
+ instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
+ instead of a logic based on the total size of data. Which is faulty is
+ the total size of data is not sufficient to fill the whole image, and thus
+ results in reading outside of the StripByCounts/StripOffsets arrays when
+ using TIFFReadScanline().
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
+
+ * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
+ for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
+ the above change is a better fix that makes it unnecessary.
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with bitspersample.
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 01070f2..f290528 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -5502,8 +5502,7 @@
ChopUpSingleUncompressedStrip(TIFF* tif)
uint64 rowblockbytes;
uint64 stripbytes;
uint32 strip;
- uint64 nstrips64;
- uint32 nstrips32;
+ uint32 nstrips;
uint32 rowsperstrip;
uint64* newcounts;
uint64* newoffsets;
@@ -5534,18 +5533,17 @@
ChopUpSingleUncompressedStrip(TIFF* tif)
return;
/*
- * never increase the number of strips in an image
+ * never increase the number of rows per strip
*/
if (rowsperstrip >= td->td_rowsperstrip)
return;
- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
- return;
- nstrips32 = (uint32)nstrips64;
+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+ if( nstrips == 0 )
+ return;
- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripOffsets\" array");
if (newcounts == NULL || newoffsets == NULL) {
/*
@@ -5562,18 +5560,18 @@
ChopUpSingleUncompressedStrip(TIFF* tif)
* Fill the strip information arrays with new bytecounts and offsets
* that reflect the broken-up format.
*/
- for (strip = 0; strip < nstrips32; strip++) {
+ for (strip = 0; strip < nstrips; strip++) {
if (stripbytes > bytecount)
stripbytes = bytecount;
newcounts[strip] = stripbytes;
- newoffsets[strip] = offset;
+ newoffsets[strip] = stripbytes ? offset : 0;
offset += stripbytes;
bytecount -= stripbytes;
}
/*
* Replace old single strip info with multi-strip info.
*/
- td->td_stripsperimage = td->td_nstrips = nstrips32;
+ td->td_stripsperimage = td->td_nstrips = nstrips;
TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
_TIFFfree(td->td_stripbytecount);
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index b6098dd..6e9f2ef 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -1,4 +1,4 @@
-/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */
+/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */
/*
* Copyright (c) 1991-1997 Sam Leffler
@@ -63,15 +63,6 @@
TIFFNumberOfStrips(TIFF* tif)
TIFFDirectory *td = &tif->tif_dir;
uint32 nstrips;
- /* If the value was already computed and store in td_nstrips, then return it,
- since ChopUpSingleUncompressedStrip might have altered and resized the
- since the td_stripbytecount and td_stripoffset arrays to the new value
- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
- tif_dirread.c ~line 3612.
- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
- if( td->td_nstrips )
- return td->td_nstrips;
-
nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
commit 43576568ed4af4bd43409b7ff36939340141dfd6
Author: erouault <erouault>
Date: Sat Dec 3 11:15:18 2016 +0000
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
diff --git a/ChangeLog b/ChangeLog
index 9dbc7a0..5b23665 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
+ OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to
instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip),
instead of a logic based on the total size of data. Which is faulty is
diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 30a1812..93839d8 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1,4 +1,4 @@
-/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */
+/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
/* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0
specification is now totally obsolete and deprecated for new applications and
@@ -244,6 +244,7 @@
typedef enum {
typedef struct {
TIFF* tif;
+ int decoder_ok;
#ifndef LIBJPEG_ENCAP_EXTERNAL
JMP_BUF exit_jmpbuf;
#endif
@@ -722,6 +723,7 @@
OJPEGPreDecode(TIFF* tif, uint16 s)
}
sp->write_curstrile++;
}
+ sp->decoder_ok = 1;
return(1);
}
@@ -784,8 +786,14 @@
OJPEGPreDecodeSkipScanlines(TIFF* tif)
static int
OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
{
+ static const char module[]="OJPEGDecode";
OJPEGState* sp=(OJPEGState*)tif->tif_data;
(void)s;
+ if( !sp->decoder_ok )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+ return 0;
+ }
if (sp->libjpeg_jpeg_query_style==0)
{
if (OJPEGDecodeRaw(tif,buf,cc)==0)
commit 4307dad7fc153baefeb6bb677060e9c5157e5d42
Author: erouault <erouault>
Date: Sat Dec 3 11:35:56 2016 +0000
* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
diff --git a/ChangeLog b/ChangeLog
index 5b23665..d6a416b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
+ that the output buffer is correctly incremented to avoid write outside bounds.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in
OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 722b132..bdcbd63 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -3698,7 +3698,7 @@
static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
(unsigned long) strip, (unsigned long)rows);
return 0;
}
- bufp += bytes_read;
+ bufp += stripsize;
}
return 1;
commit 17d56c24c10ed300233164cc51380979124d6dd8
Author: erouault <erouault>
Date: Sat Dec 3 12:19:32 2016 +0000
* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
diff --git a/ChangeLog b/ChangeLog
index d6a416b..50db803 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
+ readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
that the output buffer is correctly incremented to avoid write outside bounds.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index bdcbd63..9122aab 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -4815,10 +4815,17 @@
static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
nstrips = TIFFNumberOfStrips(in);
strips_per_sample = nstrips /spp;
+ /* Add 3 padding bytes for combineSeparateSamples32bits */
+ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
+ {
+ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
+ exit(-1);
+ }
+
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = _TIFFmalloc(stripsize);
+ buff = _TIFFmalloc(stripsize + 3);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4827,6 +4834,9 @@
static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
_TIFFfree (srcbuffs[i]);
return 0;
}
+ buff[stripsize] = 0;
+ buff[stripsize+1] = 0;
+ buff[stripsize+2] = 0;
srcbuffs[s] = buff;
}
commit fc9eedf265394eb8a5633160a8fcdb7ece072701
Author: erouault <erouault>
Date: Sat Dec 3 13:00:03 2016 +0000
* tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
diff --git a/ChangeLog b/ChangeLog
index 50db803..2940828 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 9122aab..21dd087 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
@@ -1164,7 +1164,7 @@
writeBufferToSeparateStrips (TIFF* out, uint8* buf,
tdata_t obuf;
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
bytes_per_sample = (bps + 7) / 8;
if( width == 0 ||
(uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
@@ -4760,7 +4760,7 @@
static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32 j;
int32 bytes_read = 0;
- uint16 bps, planar;
+ uint16 bps = 0, planar;
uint32 nstrips;
uint32 strips_per_sample;
uint32 src_rowsize, dst_rowsize, rows_processed, rps;
@@ -4780,7 +4780,7 @@
static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
}
memset (srcbuffs, '\0', sizeof(srcbuffs));
- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
if (rps > length)
commit a1d523c27dafafadf589c77e834c52661f1c78fc
Author: erouault <erouault>
Date: Sat Dec 3 14:18:48 2016 +0000
* tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
diff --git a/ChangeLog b/ChangeLog
index dd27c7f..e41d00c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
+ no StripByteCount tag.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
diff --git a/tools/tiffinfo.c b/tools/tiffinfo.c
index b02c7d4..4d58055 100644
--- a/tools/tiffinfo.c
+++ b/tools/tiffinfo.c
@@ -1,4 +1,4 @@
-/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */
+/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -417,7 +417,7 @@
TIFFReadRawData(TIFF* tif, int bitrev)
uint64* stripbc=NULL;
TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
- if (nstrips > 0) {
+ if (stripbc != NULL && nstrips > 0) {
uint32 bufsize = (uint32) stripbc[0];
tdata_t buf = _TIFFmalloc(bufsize);
tstrip_t s;
commit 6d3ef98b2415b2edfa36a5ba600d5a824c094309
Author: erouault <erouault>
Date: Sat Dec 3 14:42:40 2016 +0000
* tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
diff --git a/ChangeLog b/ChangeLog
index e41d00c..0d7b12d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has
no StripByteCount tag.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 6dfb9a9..c8e48c3 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1378,7 +1378,7 @@
DECLAREreadFunc(readSeparateTilesIntoBuffer)
uint8* bufp = (uint8*) buf;
uint32 tw, tl;
uint32 row;
- uint16 bps, bytes_per_sample;
+ uint16 bps = 0, bytes_per_sample;
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
@@ -1387,6 +1387,12 @@
DECLAREreadFunc(readSeparateTilesIntoBuffer)
(void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
(void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
(void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
+ status = 0;
+ goto done;
+ }
assert( bps % 8 == 0 );
bytes_per_sample = bps/8;
commit 9991b31a7c651e7b87a3ccd73b3dc5c67dcfdd60
Author: erouault <erouault>
Date: Sat Dec 3 15:30:31 2016 +0000
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
Reported by Agostino Sarubbo.
diff --git a/ChangeLog b/ChangeLog
index 0d7b12d..fb9fc0e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
+ limit the return number of inks to SamplesPerPixel, so that code that parses
+ ink names doesn't go past the end of the buffer.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index ad21655..2574e74 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1,4 +1,4 @@
-/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */
+/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -854,6 +854,32 @@
_TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
return 0;
+ if( tag == TIFFTAG_NUMBEROFINKS )
+ {
+ int i;
+ for (i = 0; i < td->td_customValueCount; i++) {
+ uint16 val;
+ TIFFTagValue *tv = td->td_customValues + i;
+ if (tv->info->field_tag != tag)
+ continue;
+ val = *(uint16 *)tv->value;
+ /* Truncate to SamplesPerPixel, since the */
+ /* setting code for INKNAMES assume that there are SamplesPerPixel */
+ /* inknames. */
+ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
+ if( val > td->td_samplesperpixel )
+ {
+ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
+ "Truncating NumberOfInks from %u to %u",
+ val, td->td_samplesperpixel);
+ val = td->td_samplesperpixel;
+ }
+ *va_arg(ap, uint16*) = val;
+ return 1;
+ }
+ return 0;
+ }
+
/*
* We want to force the custom code to be used for custom
* fields even if the tag happens to match a well known
commit 307a31765cb01245e3655ce168385dd7d51e14bd
Author: erouault <erouault>
Date: Sat Dec 3 15:44:15 2016 +0000
* tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
diff --git a/ChangeLog b/ChangeLog
index ac2d922..94be038 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
+ missing.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
limit the return number of inks to SamplesPerPixel, so that code that parses
ink names doesn't go past the end of the buffer.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index c8e48c3..142cbb0 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1569,7 +1569,7 @@
DECLAREwriteFunc(writeBufferToSeparateTiles)
uint8* bufp = (uint8*) buf;
uint32 tl, tw;
uint32 row;
- uint16 bps, bytes_per_sample;
+ uint16 bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(TIFFTileSize(out));
if (obuf == NULL)
@@ -1578,6 +1578,12 @@
DECLAREwriteFunc(writeBufferToSeparateTiles)
(void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
(void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
assert( bps % 8 == 0 );
bytes_per_sample = bps/8;
commit b34209fede77aa203cd5adcd9638ccc70731a50f
Author: erouault <erouault>
Date: Sat Dec 3 16:40:01 2016 +0000
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
diff --git a/ChangeLog b/ChangeLog
index 94be038..8ee76c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
+ buffer overflow.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is
missing.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 142cbb0..6d96bb8 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.59 2016-12-03 16:40:01 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -1163,7 +1163,7 @@
bad:
static void
cpStripToTile(uint8* out, uint8* in,
- uint32 rows, uint32 cols, int outskew, int inskew)
+ uint32 rows, uint32 cols, int outskew, int64 inskew)
{
while (rows-- > 0) {
uint32 j = cols;
@@ -1320,7 +1320,7 @@
DECLAREreadFunc(readContigTilesIntoBuffer)
tdata_t tilebuf;
uint32 imagew = TIFFScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew;
+ int64 iskew = (int64)imagew - (int64)tilew;
uint8* bufp = (uint8*) buf;
uint32 tw, tl;
uint32 row;
@@ -1348,7 +1348,7 @@
DECLAREreadFunc(readContigTilesIntoBuffer)
status = 0;
goto done;
}
- if (colb + tilew > imagew) {
+ if (colb > iskew) {
uint32 width = imagew - colb;
uint32 oskew = tilew - width;
cpStripToTile(bufp + colb,
commit 18bca4cf3057681689efb502175cbe5f01cb68c3
Author: erouault <erouault>
Date: Sat Dec 3 16:50:02 2016 +0000
* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
diff --git a/ChangeLog b/ChangeLog
index 8ee76c0..025eb72 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2016-12-03 Even Rouault <even.rouault at spatialys.com>
+ * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
+ Reported by Agostino Sarubbo.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605
+
+2016-12-03 Even Rouault <even.rouault at spatialys.com>
+
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
buffer overflow.
Reported by Agostino Sarubbo.
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 6d96bb8..49c9d37 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1,4 +1,4 @@
-/* $Id: tiffcp.c,v 1.59 2016-12-03 16:40:01 erouault Exp $ */
+/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -45,7 +45,6 @@
#include <string.h>
#include <ctype.h>
-#include <assert.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
@@ -1393,7 +1392,12 @@
DECLAREreadFunc(readSeparateTilesIntoBuffer)
status = 0;
goto done;
}
- assert( bps % 8 == 0 );
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ status = 0;
+ goto done;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {
@@ -1584,7 +1588,12 @@
DECLAREwriteFunc(writeBufferToSeparateTiles)
_TIFFfree(obuf);
return 0;
}
- assert( bps % 8 == 0 );
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
bytes_per_sample = bps/8;
for (row = 0; row < imagelength; row += tl) {
commit 8c9dbee088d8b43cdae47b9c5f711058bd1f17f1
Author: erouault <erouault>
Date: Tue Dec 13 18:15:48 2016 +0000
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
the binary. It happens that the Hylafax software uses the tables that
follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), also they are not in a public libtiff header.
Raised by Lee Howard.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
diff --git a/ChangeLog b/ChangeLog
index ee6fd802..558db20e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-12-13 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
+ Param member of TIFFFaxTabEnt structure a uint16 to reduce size of
+ the binary. It happens that the Hylafax software uses the tables that
+ follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
+ TIFFFaxBlackTable), also they are not in a public libtiff header.
+ Raised by Lee Howard.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636
+
2016-12-03 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check.
diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
index e0b2ca6b..45ce43f1 100644
--- a/libtiff/tif_fax3.h
+++ b/libtiff/tif_fax3.h
@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.h,v 1.11 2016-01-23 21:20:34 erouault Exp $ */
+/* $Id: tif_fax3.h,v 1.12 2016-12-13 18:15:48 erouault Exp $ */
/*
* Copyright (c) 1990-1997 Sam Leffler
@@ -81,10 +81,12 @@
extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32);
#define S_MakeUp 11
#define S_EOL 12
+/* WARNING: do not change the layout of this structure as the Halyfax software */
+/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */
typedef struct { /* state table entry */
unsigned char State; /* see above */
unsigned char Width; /* width of code in bits */
- uint16 Param; /* unsigned 16-bit run length in bits */
+ uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */
} TIFFFaxTabEnt;
extern const TIFFFaxTabEnt TIFFFaxMainTable[];
From c7153361a4041260719b340f73f2f76b0969235c Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Tue, 20 Dec 2016 17:28:17 +0000
Subject: [PATCH] * tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2640
---
ChangeLog | 6 ++++++
tools/tiff2pdf.c | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6be3602..91ba4e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2016-12-20 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid potential heap-based overflow in
+ t2p_readwrite_pdf_image_tile().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640
+
2016-12-13 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 47d7629..db196e0 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2895,7 +2895,7 @@
tsize_t t2p_readwrite_pdf_image_tile(T2P
return(0);
}
if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
- if (count >= 4) {
+ if (count > 4) {
/* Ignore EOI marker of JpegTables */
_TIFFmemcpy(buffer, jpt, count - 2);
bufferoffset += count - 2;
From 5c080298d59efa53264d7248bbe3a04660db6ef7 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 19:25:44 +0000
Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
http://bugzilla.maptools.org/show_bug.cgi?id=2657
---
ChangeLog | 7 +++++++
tools/tiffcp.c | 24 ++++++++++++++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f78cad0..064f25b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
+ cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
+ http://bugzilla.maptools.org/show_bug.cgi?id=2657
+
2016-12-20 Even Rouault <even.rouault at spatialys.com>
* tools/tiff2pdf.c: avoid potential heap-based overflow in
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index bdf754c..8bbcd52 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -591,7 +591,7 @@
static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
static int
tiffcp(TIFF* in, TIFF* out)
{
- uint16 bitspersample, samplesperpixel = 1;
+ uint16 bitspersample = 1, samplesperpixel = 1;
uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
copyFunc cf;
uint32 width, length;
@@ -1067,6 +1067,16 @@
DECLAREcpFunc(cpContig2SeparateByRow)
register uint32 n;
uint32 row;
tsample_t s;
+ uint16 bps = 0;
+
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps != 8 )
+ {
+ TIFFError(TIFFFileName(in),
+ "Error, can only handle BitsPerSample=8 in %s",
+ "cpContig2SeparateByRow");
+ return 0;
+ }
inbuf = _TIFFmalloc(scanlinesizein);
outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@
DECLAREcpFunc(cpSeparate2ContigByRow)
register uint32 n;
uint32 row;
tsample_t s;
+ uint16 bps = 0;
+
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps != 8 )
+ {
+ TIFFError(TIFFFileName(in),
+ "Error, can only handle BitsPerSample=8 in %s",
+ "cpSeparate2ContigByRow");
+ return 0;
+ }
inbuf = _TIFFmalloc(scanlinesizein);
outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@
pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
uint32 w, l, tw, tl;
int bychunk;
- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
fprintf(stderr,
"%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment