1. 15 Aug, 2018 1 commit
  2. 07 Aug, 2018 3 commits
  3. 05 Jul, 2018 1 commit
  4. 02 Jul, 2018 1 commit
  5. 12 May, 2018 3 commits
  6. 04 May, 2018 1 commit
  7. 17 Apr, 2018 4 commits
  8. 14 Apr, 2018 1 commit
  9. 12 Apr, 2018 3 commits
    • Even Rouault's avatar
      Fix MSVC warning · 47be9914
      Even Rouault authored
      47be9914
    • Even Rouault's avatar
      Merge branch 'master' into 'master' · 18d85181
      Even Rouault authored
      Fix NULL pointer dereference in TIFFPrintDirectory (bugzilla 2778/CVE-2018-7456)
      
      See merge request !27
      18d85181
    • Hugo Lefeuvre's avatar
      Fix NULL pointer dereference in TIFFPrintDirectory · be4c85b1
      Hugo Lefeuvre authored
      The TIFFPrintDirectory function relies on the following assumptions,
      supposed to be guaranteed by the specification:
      
      (a) A Transfer Function field is only present if the TIFF file has
          photometric type < 3.
      
      (b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
          has count SamplesPerPixel - (Color Channels) and contains
          information about supplementary channels.
      
      While respect of (a) and (b) are essential for the well functioning of
      TIFFPrintDirectory, no checks are realized neither by the callee nor
      by TIFFPrintDirectory itself. Hence, following scenarios might happen
      and trigger the NULL pointer dereference:
      
      (1) TIFF File of photometric type 4 or more has illegal Transfer
          Function field.
      
      (2) TIFF File has photometric type 3 or less and defines a
          SamplesPerPixel field such that SamplesPerPixel > Color Channels
          without defining all extra samples in the ExtraSamples fields.
      
      In this patch, we address both issues with respect of the following
      principles:
      
      (A) In the case of (1), the defined transfer table should be printed
          safely even if it isn't 'legal'. This allows us to avoid expensive
          checks in TIFFPrintDirectory. Also, it is quite possible that
          an alternative photometric type would be developed (not part of the
          standard) and would allow definition of Transfer Table. We want
          libtiff to be able to handle this scenario out of the box.
      
      (B) In the case of (2), the transfer table should be printed at its
          right size, that is if TIFF file has photometric type Palette
          then the transfer table should have one row and not three, even
          if two extra samples are declared.
      
      In order to fulfill (A) we simply add a new 'i < 3' end condition to
      the broken TIFFPrintDirectory loop. This makes sure that in any case
      where (b) would be respected but not (a), everything stays fine.
      
      (B) is fulfilled by the loop condition
      'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
      long as (b) is respected.
      
      Naturally, we also make sure (b) is respected. This is done in the
      TIFFReadDirectory function by making sure any non-color channel is
      counted in ExtraSamples.
      
      This commit addresses CVE-2018-7456.
      be4c85b1
  10. 27 Mar, 2018 1 commit
  11. 26 Mar, 2018 1 commit
  12. 23 Mar, 2018 2 commits
  13. 17 Mar, 2018 1 commit
  14. 13 Mar, 2018 2 commits
  15. 11 Mar, 2018 1 commit
  16. 10 Mar, 2018 1 commit
  17. 03 Mar, 2018 1 commit
  18. 25 Feb, 2018 1 commit
  19. 24 Feb, 2018 1 commit
  20. 14 Feb, 2018 4 commits
  21. 12 Feb, 2018 1 commit
    • Nathan Baker's avatar
      Fix for bug 2772 · 473851d2
      Nathan Baker authored
      It is possible to craft a TIFF document where the IFD list is circular,
      leading to an infinite loop while traversing the chain. The libtiff
      directory reader has a failsafe that will break out of this loop after
      reading 65535 directory entries, but it will continue processing,
      consuming time and resources to process what is essentially a bogus TIFF
      document.
      
      This change fixes the above behavior by breaking out of processing when
      a TIFF document has >= 65535 directories and terminating with an error.
      473851d2
  22. 09 Feb, 2018 1 commit
  23. 06 Feb, 2018 4 commits