diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 19a26e2..6667228 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
 				if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
 					goto bad;
 			}
+			/*
+			 * SamplesPerPixel value has changed, adjust SMinSampleValue
+			 * and SMaxSampleValue arrays if necessary
+			 */
+			{
+				uint32 saved_flags;
+				saved_flags = tif->tif_flags;
+				tif->tif_flags &= ~TIFF_PERSAMPLE;
+				if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
+				{
+					if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
+					{
+						tif->tif_flags = saved_flags;
+						goto bad;
+					}
+				}
+				if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
+				{
+					if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
+					{
+						tif->tif_flags = saved_flags;
+						goto bad;
+					}
+				}
+				tif->tif_flags = saved_flags;
+			}
 		}
 	}
 	/*
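Review bot: The added block's comment says the SMinSampleValue/SMaxSampleValue arrays are adjusted, but not that each one is re-set from element `[0]` alone with TIFF_PERSAMPLE cleared, so any per-sample values beyond the first are presumably discarded. I would state that in the comment, e.g. `/* re-set both arrays from element [0] only; per-sample values are not preserved */`. The `tif->tif_flags = saved_flags;` restore is also repeated on three paths, which makes it easy for a later edit to add an exit that leaves TIFF_PERSAMPLE cleared; restoring once directly after each TIFFSetField call and then testing its saved result would avoid that. TIFFReadDirectory starts and ends outside this hunk.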
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index fa20609..fa68d1c 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
 			{
 				if (!isTiled(tif))
 				{
-					if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-						goto bad;
+					/* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
+					if (tif->tif_dir.td_stripoffset)
+					{
+						if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+							goto bad;
+					}
 				}
 				else
 				{
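Review bot: When `td_stripoffset` is NULL the new guard drops the StripOffsets entry with no diagnostic, so the directory is written without that tag and the caller still sees success. A warning in an `else` branch of the new `if` would make the omission visible to whoever inspects the output. The `else` branch for tiled images opens at the end of the hunk and its body is not visible; if it, or the strip byte-count write, passes its array pointer the same way, it would want the same NULL check.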
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 2ba822a..dfc5b07 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
 		return ((tmsize_t)(-1));
 	}
 	bytecount = td->td_stripbytecount[strip];
-	if (bytecount <= 0) {
+	if ((int64)bytecount <= 0) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 		TIFFErrorExt(tif->tif_clientdata, module,
 			     "%I64u: Invalid strip byte count, strip %lu",
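Review bot: `(int64)bytecount <= 0` expresses "zero or top bit set" through an out-of-range unsigned-to-signed conversion, which is implementation-defined in C and not obvious to a reader. `if (bytecount == 0 || (bytecount >> 63) != 0) {` says the same thing without the cast, assuming bytecount is a uint64 here as it is declared in the TIFFFillStrip and TIFFFillTile hunks below, which repeat the pattern. The test also filters only counts above the signed 64-bit range: a file-supplied count that is positive but larger than the caller's buffer, or than tmsize_t can hold, still passes this line, and whether the code after the hunk bounds it is not visible. All three function bodies continue outside their hunks.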
@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
 	{
 		uint64 bytecount = td->td_stripbytecount[strip];
-		if (bytecount <= 0) {
+		if ((int64)bytecount <= 0) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
 				"Invalid strip byte count %I64u, strip %lu",
@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
 	{
 		uint64 bytecount = td->td_stripbytecount[tile];
-		if (bytecount <= 0) {
+		if ((int64)bytecount <= 0) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
 				"%I64u: Invalid tile byte count, tile %lu",
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index b5ed30b..376f4e6 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -401,6 +401,24 @@ main(int argc, char* argv[])
 		    return 0;
 		}
 
+        if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
+        {
+            TIFFError(infilename,
+              "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
+              info_hdr.iBitCount);
+            close(fd);
+            return 0;
+        }
+ 
+        if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
+        {
+            TIFFError(infilename,
+              "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
+              info_hdr.iBitCount);
+            close(fd);
+            return 0;
+        }
+
 		width = info_hdr.iWidth;
 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
         if( width <= 0 || length <= 0 )
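Review bot: Both new rejection paths end in `return 0;`, so a BMP refused for a mismatched bit count still exits with a success status, and a batch job converting untrusted files cannot tell that it was rejected. That matches the `return 0;` in the context line above the additions, but I would use a non-zero status for these, e.g. `return -1;`. The added lines are also space-indented where the surrounding code uses tabs, and one added blank line carries trailing whitespace. main starts and ends outside the hunk.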
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 8608aad..426bbc0 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -372,7 +372,8 @@ static struct cpTag {
     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
     { TIFFTAG_INKSET,			1, TIFF_SHORT },
-    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
+    // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+    //{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },
     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
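Review bot: The InkNames entry is left behind as commented-out code and the comment gives only a bug link, so a reader cannot tell that converted files now silently lose the tag, or what would have to change before the entry can come back. I would delete the dead line and say so directly, e.g. `/* TIFFTAG_INKNAMES is deliberately not copied (bugzilla 2484, CVE-2014-8127); output files lose this tag */`, which also avoids `//` comments if the tools are ever built as C89. The same applies to the identical cpTag hunk in tools/thumbnail.c. The table starts and ends outside the hunk.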
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index fd1cba5..06edf93 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -257,7 +257,8 @@ static struct cpTag {
     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
     { TIFFTAG_INKSET,			1, TIFF_SHORT },
-    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
+    // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+    //{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },
     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
     rowsize = TIFFScanlineSize(in);
     rastersize = sh * rowsize;
     fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
-    raster = (unsigned char*)_TIFFmalloc(rastersize);
+    raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
     if (!raster) {
 	    TIFFError(TIFFFileName(in),
 		      "Can't allocate space for raster buffer.");
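Review bot: The `+ 3` padding on the raster allocation has no comment saying which reader runs up to three bytes past the end, so the next person to touch the scaling code cannot tell whether the slack is still sufficient; a one-line comment naming that code belongs on this line. Separately, `rastersize = sh * rowsize` in the context line above is computed from image dimensions with no overflow check, and `rastersize + 3` can wrap as well. If rastersize is an unsigned type (its declaration is outside the hunk), a check such as `if (rowsize != 0 && rastersize / rowsize != sh)` before the allocation would catch the product wrapping. generateThumbnail continues outside the hunk.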
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index c5dcb7c..02605df 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -171,6 +171,11 @@ main(int argc, char* argv[])
 		    argv[optind], samplesperpixel);
 		return (-1);
 	}
+	if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+		fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+		    argv[optind], samplesperpixel);
+		return (-1);
+	}
 	TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
 	if (bitspersample != 8) {
 		fprintf(stderr,
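Review bot: The new check rejects PHOTOMETRIC_RGB with a sample count other than 3 but not the converse, a file that declares three samples per pixel together with a non-RGB photometric value. If the conversion code after this hunk picks its per-pixel stride from `photometric` alone, that combination would still be read with the wrong stride; a companion test such as `if (photometric != PHOTOMETRIC_RGB && samplesperpixel != 1)` would close it. The conversion code and the start of main are outside the hunk, so this needs confirming there.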