diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index 19a26e2..6667228 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif) if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1)) goto bad; } + /* + * SamplesPerPixel value has changed, adjust SMinSampleValue + * and SMaxSampleValue arrays if necessary + */ + { + uint32 saved_flags; + saved_flags = tif->tif_flags; + tif->tif_flags &= ~TIFF_PERSAMPLE; + if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE)) + { + if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0])) + { + tif->tif_flags = saved_flags; + goto bad; + } + } + if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE)) + { + if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0])) + { + tif->tif_flags = saved_flags; + goto bad; + } + } + tif->tif_flags = saved_flags; + } } } /* diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c index fa20609..fa68d1c 100644 --- a/libtiff/tif_dirwrite.c +++ b/libtiff/tif_dirwrite.c @@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff) { if (!isTiled(tif)) { - if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) - goto bad; + /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */ + if (tif->tif_dir.td_stripoffset) + { + if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset)) + goto bad; + } } else { diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c index 2ba822a..dfc5b07 100644 --- a/libtiff/tif_read.c +++ b/libtiff/tif_read.c @@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size) return ((tmsize_t)(-1)); } bytecount = td->td_stripbytecount[strip]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "%I64u: Invalid strip byte count, strip %lu", @@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip) if ((tif->tif_flags&TIFF_NOREADRAW)==0) { uint64 bytecount = td->td_stripbytecount[strip]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "Invalid strip byte count %I64u, strip %lu", @@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile) if ((tif->tif_flags&TIFF_NOREADRAW)==0) { uint64 bytecount = td->td_stripbytecount[tile]; - if (bytecount <= 0) { + if ((int64)bytecount <= 0) { #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) TIFFErrorExt(tif->tif_clientdata, module, "%I64u: Invalid tile byte count, tile %lu", diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c index b5ed30b..376f4e6 100644 --- a/tools/bmp2tiff.c +++ b/tools/bmp2tiff.c @@ -401,6 +401,24 @@ main(int argc, char* argv[]) return 0; } + if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4) + { + TIFFError(infilename, + "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression", + info_hdr.iBitCount); + close(fd); + return 0; + } + + if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8) + { + TIFFError(infilename, + "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression", + info_hdr.iBitCount); + close(fd); + return 0; + } + width = info_hdr.iWidth; length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight; if( width <= 0 || length <= 0 ) diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c index 8608aad..426bbc0 100644 --- a/tools/pal2rgb.c +++ b/tools/pal2rgb.c @@ -372,7 +372,8 @@ static struct cpTag { { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, diff --git a/tools/thumbnail.c b/tools/thumbnail.c index fd1cba5..06edf93 100644 --- a/tools/thumbnail.c +++ b/tools/thumbnail.c @@ -257,7 +257,8 @@ static struct cpTag { { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT }, { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG }, { TIFFTAG_INKSET, 1, TIFF_SHORT }, - { TIFFTAG_INKNAMES, 1, TIFF_ASCII }, + // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127) + //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII }, { TIFFTAG_DOTRANGE, 2, TIFF_SHORT }, { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII }, { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT }, @@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out) rowsize = TIFFScanlineSize(in); rastersize = sh * rowsize; fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize); - raster = (unsigned char*)_TIFFmalloc(rastersize); + raster = (unsigned char*)_TIFFmalloc(rastersize + 3); if (!raster) { TIFFError(TIFFFileName(in), "Can't allocate space for raster buffer."); diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c index c5dcb7c..02605df 100644 --- a/tools/tiff2bw.c +++ b/tools/tiff2bw.c @@ -171,6 +171,11 @@ main(int argc, char* argv[]) argv[optind], samplesperpixel); return (-1); } + if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) { + fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n", + argv[optind], samplesperpixel); + return (-1); + } TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample); if (bitspersample != 8) { fprintf(stderr,