|
|
1ad933 |
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
|
|
1ad933 |
index 19a26e2..6667228 100644
|
|
|
1ad933 |
--- a/libtiff/tif_dirread.c
|
|
|
1ad933 |
+++ b/libtiff/tif_dirread.c
|
|
|
1ad933 |
@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
|
|
|
1ad933 |
if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
|
|
|
1ad933 |
goto bad;
|
|
|
1ad933 |
}
|
|
|
1ad933 |
+ /*
|
|
|
1ad933 |
+ * SamplesPerPixel value has changed, adjust SMinSampleValue
|
|
|
1ad933 |
+ * and SMaxSampleValue arrays if necessary
|
|
|
1ad933 |
+ */
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ uint32 saved_flags;
|
|
|
1ad933 |
+ saved_flags = tif->tif_flags;
|
|
|
1ad933 |
+ tif->tif_flags &= ~TIFF_PERSAMPLE;
|
|
|
1ad933 |
+ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ tif->tif_flags = saved_flags;
|
|
|
1ad933 |
+ goto bad;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ tif->tif_flags = saved_flags;
|
|
|
1ad933 |
+ goto bad;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+ tif->tif_flags = saved_flags;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
}
|
|
|
1ad933 |
}
|
|
|
1ad933 |
/*
|
|
|
1ad933 |
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
|
|
1ad933 |
index fa20609..fa68d1c 100644
|
|
|
1ad933 |
--- a/libtiff/tif_dirwrite.c
|
|
|
1ad933 |
+++ b/libtiff/tif_dirwrite.c
|
|
|
1ad933 |
@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
|
|
1ad933 |
{
|
|
|
1ad933 |
if (!isTiled(tif))
|
|
|
1ad933 |
{
|
|
|
1ad933 |
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
|
|
1ad933 |
- goto bad;
|
|
|
1ad933 |
+ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
|
|
|
1ad933 |
+ if (tif->tif_dir.td_stripoffset)
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
|
|
|
1ad933 |
+ goto bad;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
}
|
|
|
1ad933 |
else
|
|
|
1ad933 |
{
|
|
|
1ad933 |
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
|
|
1ad933 |
index 2ba822a..dfc5b07 100644
|
|
|
1ad933 |
--- a/libtiff/tif_read.c
|
|
|
1ad933 |
+++ b/libtiff/tif_read.c
|
|
|
1ad933 |
@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
|
|
|
1ad933 |
return ((tmsize_t)(-1));
|
|
|
1ad933 |
}
|
|
|
1ad933 |
bytecount = td->td_stripbytecount[strip];
|
|
|
1ad933 |
- if (bytecount <= 0) {
|
|
|
1ad933 |
+ if ((int64)bytecount <= 0) {
|
|
|
1ad933 |
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
|
|
1ad933 |
TIFFErrorExt(tif->tif_clientdata, module,
|
|
|
1ad933 |
"%I64u: Invalid strip byte count, strip %lu",
|
|
|
1ad933 |
@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
|
|
|
1ad933 |
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
|
|
1ad933 |
{
|
|
|
1ad933 |
uint64 bytecount = td->td_stripbytecount[strip];
|
|
|
1ad933 |
- if (bytecount <= 0) {
|
|
|
1ad933 |
+ if ((int64)bytecount <= 0) {
|
|
|
1ad933 |
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
|
|
1ad933 |
TIFFErrorExt(tif->tif_clientdata, module,
|
|
|
1ad933 |
"Invalid strip byte count %I64u, strip %lu",
|
|
|
1ad933 |
@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
|
|
|
1ad933 |
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
|
|
1ad933 |
{
|
|
|
1ad933 |
uint64 bytecount = td->td_stripbytecount[tile];
|
|
|
1ad933 |
- if (bytecount <= 0) {
|
|
|
1ad933 |
+ if ((int64)bytecount <= 0) {
|
|
|
1ad933 |
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
|
|
1ad933 |
TIFFErrorExt(tif->tif_clientdata, module,
|
|
|
1ad933 |
"%I64u: Invalid tile byte count, tile %lu",
|
|
|
1ad933 |
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
|
|
|
1ad933 |
index b5ed30b..376f4e6 100644
|
|
|
1ad933 |
--- a/tools/bmp2tiff.c
|
|
|
1ad933 |
+++ b/tools/bmp2tiff.c
|
|
|
1ad933 |
@@ -401,6 +401,24 @@ main(int argc, char* argv[])
|
|
|
1ad933 |
return 0;
|
|
|
1ad933 |
}
|
|
|
1ad933 |
|
|
|
1ad933 |
+ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(infilename,
|
|
|
1ad933 |
+ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
|
|
|
1ad933 |
+ info_hdr.iBitCount);
|
|
|
1ad933 |
+ close(fd);
|
|
|
1ad933 |
+ return 0;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+
|
|
|
1ad933 |
+ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
|
|
|
1ad933 |
+ {
|
|
|
1ad933 |
+ TIFFError(infilename,
|
|
|
1ad933 |
+ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
|
|
|
1ad933 |
+ info_hdr.iBitCount);
|
|
|
1ad933 |
+ close(fd);
|
|
|
1ad933 |
+ return 0;
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
+
|
|
|
1ad933 |
width = info_hdr.iWidth;
|
|
|
1ad933 |
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
|
|
|
1ad933 |
if( width <= 0 || length <= 0 )
|
|
|
1ad933 |
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
|
|
|
1ad933 |
index 8608aad..426bbc0 100644
|
|
|
1ad933 |
--- a/tools/pal2rgb.c
|
|
|
1ad933 |
+++ b/tools/pal2rgb.c
|
|
|
1ad933 |
@@ -372,7 +372,8 @@ static struct cpTag {
|
|
|
1ad933 |
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
|
|
|
1ad933 |
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
|
|
|
1ad933 |
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
|
|
|
1ad933 |
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
|
|
1ad933 |
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
|
|
|
1ad933 |
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
|
|
1ad933 |
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
|
|
|
1ad933 |
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
|
|
|
1ad933 |
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
|
|
|
1ad933 |
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
|
|
|
1ad933 |
index fd1cba5..06edf93 100644
|
|
|
1ad933 |
--- a/tools/thumbnail.c
|
|
|
1ad933 |
+++ b/tools/thumbnail.c
|
|
|
1ad933 |
@@ -257,7 +257,8 @@ static struct cpTag {
|
|
|
1ad933 |
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
|
|
|
1ad933 |
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
|
|
|
1ad933 |
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
|
|
|
1ad933 |
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
|
|
1ad933 |
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
|
|
|
1ad933 |
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
|
|
|
1ad933 |
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
|
|
|
1ad933 |
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
|
|
|
1ad933 |
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
|
|
|
1ad933 |
@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
|
|
|
1ad933 |
rowsize = TIFFScanlineSize(in);
|
|
|
1ad933 |
rastersize = sh * rowsize;
|
|
|
1ad933 |
fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
|
|
|
1ad933 |
- raster = (unsigned char*)_TIFFmalloc(rastersize);
|
|
|
1ad933 |
+ raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
|
|
|
1ad933 |
if (!raster) {
|
|
|
1ad933 |
TIFFError(TIFFFileName(in),
|
|
|
1ad933 |
"Can't allocate space for raster buffer.");
|
|
|
1ad933 |
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
|
|
1ad933 |
index c5dcb7c..02605df 100644
|
|
|
1ad933 |
--- a/tools/tiff2bw.c
|
|
|
1ad933 |
+++ b/tools/tiff2bw.c
|
|
|
1ad933 |
@@ -171,6 +171,11 @@ main(int argc, char* argv[])
|
|
|
1ad933 |
argv[optind], samplesperpixel);
|
|
|
1ad933 |
return (-1);
|
|
|
1ad933 |
}
|
|
|
1ad933 |
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
|
|
|
1ad933 |
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
|
|
|
1ad933 |
+ argv[optind], samplesperpixel);
|
|
|
1ad933 |
+ return (-1);
|
|
|
1ad933 |
+ }
|
|
|
1ad933 |
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
|
|
|
1ad933 |
if (bitspersample != 8) {
|
|
|
1ad933 |
fprintf(stderr,
|