Package: tiff / 4.0.2-6+deb7u5

Metadata

Package: tiff
Version: 4.0.2-6+deb7u5
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 opengl.patch

tools/tiffgt.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 opengl


0002 CVE 2012 3401.patch

tools/tiff2pdf.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 CVE-2012-3401


0003 CVE 2012 4447.patch

libtiff/tif_pixarlog.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 CVE-2012-4447


0004 CVE 2012 4564.patch

tools/ppm2tiff.c | 13 11 + 2 - 0 !
1 file changed, 11 insertions(+), 2 deletions(-)

 CVE-2012-4564


0005 CVE 2013 1960.patch

tools/tiff2pdf.c | 103 62 + 41 - 0 !
1 file changed, 62 insertions(+), 41 deletions(-)

 CVE-2013-1960


0006 CVE 2013 1961.patch

contrib/dbs/xtiff/xtiff.c | 4 2 + 2 - 0 !
libtiff/tif_codec.c | 3 2 + 1 - 0 !
libtiff/tif_dirinfo.c | 2 1 + 1 - 0 !
tools/rgb2ycbcr.c | 3 2 + 1 - 0 !
tools/tiff2bw.c | 2 1 + 1 - 0 !
tools/tiff2pdf.c | 208 87 + 121 - 0 !
tools/tiff2ps.c | 8 4 + 4 - 0 !
tools/tiffcrop.c | 10 5 + 5 - 0 !
tools/tiffdither.c | 2 1 + 1 - 0 !
9 files changed, 105 insertions(+), 137 deletions(-)

 CVE-2013-1961


0007 CVE 2013 4231.patch

tools/gif2tiff.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 CVE-2013-4231


0008 CVE 2013 4232.patch

tools/tiff2pdf.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 CVE-2013-4232


0009 CVE 2013 4244.patch

tools/gif2tiff.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 CVE-2013-4244


0010 CVE 2013 4243.patch

tools/gif2tiff.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 CVE-2013-4243


0011 libtiff tif_next.c check that BitsPerSample 2. Fixes.patch

libtiff/tif_next.c | 17 17 + 0 - 0 !
1 file changed, 17 insertions(+)

 * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)


0012 Fix various crasher bugs on fuzzed images.patch

libtiff/tif_dir.c | 21 19 + 2 - 0 !
libtiff/tif_dirread.c | 17 17 + 0 - 0 !
libtiff/tif_getimage.c | 15 15 + 0 - 0 !
libtiff/tif_next.c | 2 2 + 0 - 0 !
tools/bmp2tiff.c | 15 15 + 0 - 0 !
tools/tiff2pdf.c | 41 41 + 0 - 0 !
tools/tiffcrop.c | 7 4 + 3 - 0 !
tools/tiffdump.c | 9 6 + 3 - 0 !
8 files changed, 119 insertions(+), 8 deletions(-)

 Fix various crasher bugs on fuzzed images.

* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory

* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1

* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8

* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash

* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions

* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB

* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight

* tools/tiffdump.c: fix crash due to overflow of entry count.

0013 Fix crash when converting YCbCr JPEG compressed to n.patch

tools/tiffcp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 Fix for Debian bug #741451

 tiffcp crashes when converting JPEG-encoded TIFF to a different encoding (like none or lzw). For example this will probably fail:

 tiffcp -c none jpeg_encoded_file.tif output.tif

 The reason is that when the input file contains JPEG data, the tiffcp code forces conversion to RGB space. However, the output normally inherits YCbCr subsampling parameters from the input, which leads to a smaller working buffer than necessary. The buffer is subsequently overrun inside cpStripToTile() (called from writeBufferToContigTiles).

 Note that the resulting TIFF file would be scrambled even if tiffcp wouldn't crash, since the output file would contain RGB data interpreted as subsampled YCbCr values.

 This patch fixes the problem by forcing RGB space on the output TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.

 Author: Tomasz Buchert <tomasz.buchert@inria.fr>

0014 tools tiffdither.c check memory allocations to avoid.patch

tools/tiffdither.c | 21 16 + 5 - 0 !
1 file changed, 16 insertions(+), 5 deletions(-)

 * tools/tiffdither.c: check memory allocations to avoid writing to
 NULL pointer. Also check multiplication overflow. Fixes #2501,
 CVE-2014-8128. Derived from patch by Petr Gajdos.


0015 tools tiff2pdf.c Fix two crashes oCERT 2014 013.patch

tools/tiff2pdf.c | 32 31 + 1 - 0 !
1 file changed, 31 insertions(+), 1 deletion(-)

 * tools/tiff2pdf.c: Fix two crashes (oCERT-2014-013)


0016 tools tiff2pdf.c Fixed unsigned integer addition ove.patch

tools/tiff2pdf.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 * tools/tiff2pdf.c: Fixed unsigned integer addition overflow
 detection.


0017 tools thumbnail.c tools tiffcmp.c only read write TI.patch

tools/thumbnail.c | 21 20 + 1 - 0 !
tools/tiffcmp.c | 17 15 + 2 - 0 !
2 files changed, 35 insertions(+), 3 deletions(-)

 * tools/thumbnail.c,
 tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS or
 TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
 COMPRESSION_CCITTFAX4 http://bugzilla.maptools.org/show_bug.cgi?id=2493
 (CVE-2014-8128)


0018 tools thumbnail.c fix out of buffer write http bugzi.patch

tools/thumbnail.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 * tools/thumbnail.c: fix out-of-buffer write
 http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)


0019 tools pal2rgb.c tools thumbnail.c fix crash by disab.patch

tools/pal2rgb.c | 2 1 + 1 - 0 !
tools/thumbnail.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 * tools/pal2rgb.c,
 tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES copying.
 The right fix would be to properly copy it,
 but not worth the burden for those esoteric utilities.
 http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)


0020 tools tiff2bw.c when Photometric RGB the utility onl.patch

tools/tiff2bw.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 * tools/tiff2bw.c: when Photometric=RGB,
 the utility only works if SamplesPerPixel = 3. Enforce that
 http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)


0021 libtiff tif_read.c fix several invalid comparisons o.patch

libtiff/tif_read.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 * libtiff/tif_read.c: fix several invalid comparisons of a uint64
 value with <= 0 by casting it to int64 first. This solves crashing bug on
 corrupted images generated by afl.


0022 libtiff tif_dirread.c In EstimateStripByteCounts che.patch

libtiff/tif_dirread.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 * libtiff/tif_dirread.c: In EstimateStripByteCounts(),
 check return code of _TIFFFillStriles(). This solves crashing bug on
 corrupted images generated by afl.


0023 tools tiff2pdf.c fix buffer overflow on YCbCr JPEG c.patch

tools/tiff2pdf.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 * tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed
 image. Derived from patch by Petr Gajdos,
 http://bugzilla.maptools.org/show_bug.cgi?id=2443


0024 tools tiff2pdf.c fix buffer overflow on some YCbCr J.patch

tools/tiff2pdf.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 * tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG
 compressed images. http://bugzilla.maptools.org/show_bug.cgi?id=2445


0025 libtiff tif_getimage.c avoid divide by zero on inval.patch

libtiff/tif_getimage.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 * libtiff/tif_getimage.c: avoid divide by zero on invalid YCbCr
 subsampling. http://bugzilla.maptools.org/show_bug.cgi?id=2235


0026 libtiff tif_next.c add new tests to check that we do.patch

libtiff/tif_getimage.c | 12 7 + 5 - 0 !
libtiff/tif_next.c | 4 3 + 1 - 0 !
2 files changed, 10 insertions(+), 6 deletions(-)

 * libtiff/tif_next.c: add new tests to check that we don't read
 outside of the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height

0027 libtiff tif_getimage.c move test on vertical value o.patch

libtiff/tif_getimage.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 * libtiff/tif_getimage.c: move test on vertical value of YCbCr
 subsampling to avoid buffer leak (fix previous fix, found by Coverity scan)


0028 libtiff tif_dirread.c in TIFFCheckDirOffset avoid ui.patch

libtiff/tif_dirread.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 * libtiff/tif_dirread.c: in TIFFCheckDirOffset(),
 avoid uint16 overflow when reading more than 65535 directories,
 and effectively error out when reaching that limit.


0029 libtiff tif_jpeg.c fix segfault in JPEGFixupTagsSubs.patch

libtiff/tif_jpeg.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 * libtiff/tif_jpeg.c: fix segfault in JPEGFixupTagsSubsampling() on
 corrupted image where tif->tif_dir.td_stripoffset == NULL (bug #2471)


0030 libtiff tif_lzw.c prevent potential null dereference.patch

libtiff/tif_dir.c | 13 8 + 5 - 0 !
libtiff/tif_dirread.c | 3 2 + 1 - 0 !
libtiff/tif_lzw.c | 2 2 + 0 - 0 !
libtiff/tif_ojpeg.c | 7 6 + 1 - 0 !
libtiff/tif_read.c | 7 5 + 2 - 0 !
tools/fax2ps.c | 5 5 + 0 - 0 !
tools/tiff2pdf.c | 4 2 + 2 - 0 !
tools/tiffcrop.c | 5 5 + 0 - 0 !
tools/tiffdump.c | 23 21 + 2 - 0 !
9 files changed, 56 insertions(+), 13 deletions(-)

 * libtiff/tif_lzw.c: prevent potential null dereference of
 sp->dec_codetab in LZWPreDecode (bug #2459)

* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)

* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)

* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)

* tools/tiff2pdf.c: close PDF file (bug #2479)

* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)

* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)

* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)

0031 tools tiffdump.c Fix double free bug.patch

tools/tiffdump.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 * tools/tiffdump.c: Fix double-free bug.


0032 tools tiff2pdf.c t2p_read_tiff_init TIFFTAG_TRANSFER.patch

tools/tiff2pdf.c | 16 10 + 6 - 0 !
1 file changed, 10 insertions(+), 6 deletions(-)

 * tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
 tag can return one channel,
 with the other two channels set to NULL. The tiff2pdf code was expecting that
 other two channels were duplicate pointers in the case where there is only
 one channel. Detect this condition in order to avoid a crash,
 and presumably perform correctly with just one channel.


0033 tools thumbnail.c tools tiffcrop.c fix heap read ove.patch

tools/thumbnail.c | 7 6 + 1 - 0 !
tools/tiffcrop.c | 9 7 + 2 - 0 !
2 files changed, 13 insertions(+), 3 deletions(-)

 tools/thumbnail.c,
 tools/tiffcrop.c: fix heap read over-run found with Valgrind and
 Address Sanitizer on test suite


0034 tools tiff2pdf.c Assure that memory size calculation.patch

tools/tiff2pdf.c | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 * tools/tiff2pdf.c: Assure that memory size calculations for
 _TIFFmalloc() do not overflow the range of tmsize_t.


0035 CVE 2015 8665_and_CVE 2015 8683.patch

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_getimage.c | 37 23 + 14 - 0 !
2 files changed, 31 insertions(+), 14 deletions(-)

 [patch] * libtiff/tif_getimage.c: fix out-of-bound reads in
 TIFFRGBAImage interface in case of unsupported values of
 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
 limingxing and CVE-2015-8683 reported by zzf of Alibaba.


0036 CVE 2015 8781_CVE 2015 8782_CVE 2015 8783.patch

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_luv.c | 57 45 + 12 - 0 !
2 files changed, 52 insertions(+), 12 deletions(-)

 [patch] * libtiff/tif_luv.c: fix potential out-of-bound writes in
 decode functions in non debug builds by replacing assert()s by regular if
 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
 input data.


0037 CVE 2015 8784.patch

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_next.c | 12 9 + 3 - 0 !
2 files changed, 15 insertions(+), 3 deletions(-)

 [patch] * libtiff/tif_next.c: fix potential out-of-bound write in
 NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
 (bugzilla #2508)