diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 19a26e2..6667228 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
goto bad;
}
+ /*
+ * SamplesPerPixel value has changed, adjust SMinSampleValue
+ * and SMaxSampleValue arrays if necessary
+ */
+ {
+ uint32 saved_flags;
+ saved_flags = tif->tif_flags;
+ tif->tif_flags &= ~TIFF_PERSAMPLE;
+ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
+ {
+ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
+ {
+ tif->tif_flags = saved_flags;
+ goto bad;
+ }
+ }
+ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
+ {
+ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
+ {
+ tif->tif_flags = saved_flags;
+ goto bad;
+ }
+ }
+ tif->tif_flags = saved_flags;
+ }
}
}
/*
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index fa20609..fa68d1c 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
{
if (!isTiled(tif))
{
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
- goto bad;
+ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
+ if (tif->tif_dir.td_stripoffset)
+ {
+ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+ goto bad;
+ }
}
else
{
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 2ba822a..dfc5b07 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
return ((tmsize_t)(-1));
}
bytecount = td->td_stripbytecount[strip];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"%I64u: Invalid strip byte count, strip %lu",
@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[strip];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"Invalid strip byte count %I64u, strip %lu",
@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[tile];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"%I64u: Invalid tile byte count, tile %lu",
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index b5ed30b..376f4e6 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -401,6 +401,24 @@ main(int argc, char* argv[])
return 0;
}
+ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
+ {
+ TIFFError(infilename,
+ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
+ info_hdr.iBitCount);
+ close(fd);
+ return 0;
+ }
+
+ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
+ {
+ TIFFError(infilename,
+ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
+ info_hdr.iBitCount);
+ close(fd);
+ return 0;
+ }
+
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
if( width <= 0 || length <= 0 )
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 8608aad..426bbc0 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -372,7 +372,8 @@ static struct cpTag {
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index fd1cba5..06edf93 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -257,7 +257,8 @@ static struct cpTag {
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
rowsize = TIFFScanlineSize(in);
rastersize = sh * rowsize;
fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
- raster = (unsigned char*)_TIFFmalloc(rastersize);
+ raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
if (!raster) {
TIFFError(TIFFFileName(in),
"Can't allocate space for raster buffer.");
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index c5dcb7c..02605df 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -171,6 +171,11 @@ main(int argc, char* argv[])
argv[optind], samplesperpixel);
return (-1);
}
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
if (bitspersample != 8) {
fprintf(stderr,