Diffstat (limited to 'tiff/html')
-rw-r--r-- | tiff/html/Makefile.am | 4 |
-rw-r--r-- | tiff/html/Makefile.in | 4 |
-rw-r--r-- | tiff/html/index.html | 14 |
-rw-r--r-- | tiff/html/man/CMakeLists.txt | 2 |
-rw-r--r-- | tiff/html/man/Makefile.am | 2 |
-rw-r--r-- | tiff/html/man/Makefile.in | 2 |
-rw-r--r-- | tiff/html/man/rgb2ycbcr.1.html | 155 |
-rw-r--r-- | tiff/html/man/thumbnail.1.html | 148 |
-rw-r--r-- | tiff/html/v4.0.7.html | 2 |
-rw-r--r-- | tiff/html/v4.0.8.html | 445 |
-rw-r--r-- | tiff/html/v4.0.9.html | 373 |
11 files changed, 833 insertions, 318 deletions
diff --git a/tiff/html/Makefile.am b/tiff/html/Makefile.am index 01549ba21..12193df70 100644 --- a/tiff/html/Makefile.am +++ b/tiff/html/Makefile.am @@ -84,7 +84,9 @@ docfiles = \ v4.0.4.html \ v4.0.5.html \ v4.0.6.html \ - v4.0.7.html + v4.0.7.html \ + v4.0.8.html \ + v4.0.9.html dist_doc_DATA = $(docfiles) diff --git a/tiff/html/Makefile.in b/tiff/html/Makefile.in index 3cb22e6d9..4c0c8e3e7 100644 --- a/tiff/html/Makefile.in +++ b/tiff/html/Makefile.in @@ -447,7 +447,9 @@ docfiles = \ v4.0.4.html \ v4.0.5.html \ v4.0.6.html \ - v4.0.7.html + v4.0.7.html \ + v4.0.8.html \ + v4.0.9.html dist_doc_DATA = $(docfiles) SUBDIRS = images man diff --git a/tiff/html/index.html b/tiff/html/index.html index 71af0afa4..1c5a3ec31 100644 --- a/tiff/html/index.html +++ b/tiff/html/index.html @@ -24,7 +24,7 @@ </tr> <tr> <th>Latest Stable Release</th> - <td><a href="v4.0.7.html">v4.0.7</a></td> + <td><a href="v4.0.9.html">v4.0.9</a></td> </tr> <tr> <th>Master Download Site</th> @@ -81,12 +81,14 @@ <a href="http://lists.maptools.org/mailman/listinfo/tiff">http://lists.maptools.org/mailman/listinfo/tiff</a>. </p> <p> - The persons responsible for putting up this site and putting together - versions >= 3.5.1 are + The persons currently actively maintaining and releasing libtiff + are <a href="mailto:even.rouault@spatialys.com">Even Rouault</a> + and <a href="mailto:bfriesen@GraphicsMagick.org">Bob Friesenhahn</a>. + </p> + <p>Significant maintainers in the past (since the 3.5.1 release) are <a href="http://pobox.com/~warmerdam">Frank Warmerdam</a>, <a href="mailto:dron@ak4719.spb.edu">Andrey Kiselev</a>, - <a href="mailto:bfriesen@GraphicsMagick.org">Bob Friesenhahn</a>, - Joris Van Damme, Lee Howard and Even Rouault. + Joris Van Damme, and Lee Howard. </p> <p> The following sections are included in this documentation: @@ -114,7 +116,7 @@ </ul> <hr> <p> - Last updated $Date: 2016-09-25 20:05:44 $. + Last updated $Date: 2017-11-07 02:00:06 $. </p> </body> </html> 
diff --git a/tiff/html/man/CMakeLists.txt b/tiff/html/man/CMakeLists.txt index cb92ea218..897a0e732 100644 --- a/tiff/html/man/CMakeLists.txt +++ b/tiff/html/man/CMakeLists.txt @@ -74,8 +74,6 @@ set(docfiles pal2rgb.1.html ppm2tiff.1.html raw2tiff.1.html - rgb2ycbcr.1.html - thumbnail.1.html tiff2bw.1.html tiff2pdf.1.html tiff2ps.1.html diff --git a/tiff/html/man/Makefile.am b/tiff/html/man/Makefile.am index 587296c53..3ed00d448 100644 --- a/tiff/html/man/Makefile.am +++ b/tiff/html/man/Makefile.am @@ -81,8 +81,6 @@ docfiles = \ pal2rgb.1.html \ ppm2tiff.1.html \ raw2tiff.1.html \ - rgb2ycbcr.1.html \ - thumbnail.1.html \ tiff2bw.1.html \ tiff2pdf.1.html \ tiff2ps.1.html \ diff --git a/tiff/html/man/Makefile.in b/tiff/html/man/Makefile.in index 7f4648c9d..eb99fd1ba 100644 --- a/tiff/html/man/Makefile.in +++ b/tiff/html/man/Makefile.in @@ -383,8 +383,6 @@ docfiles = \ pal2rgb.1.html \ ppm2tiff.1.html \ raw2tiff.1.html \ - rgb2ycbcr.1.html \ - thumbnail.1.html \ tiff2bw.1.html \ tiff2pdf.1.html \ tiff2ps.1.html \ diff --git a/tiff/html/man/rgb2ycbcr.1.html b/tiff/html/man/rgb2ycbcr.1.html deleted file mode 100644 index 6e481f79d..000000000 --- a/tiff/html/man/rgb2ycbcr.1.html +++ /dev/null 
@@ -1,155 +0,0 @@ -<!-- Creator : groff version 1.18.1 --> -<!-- CreationDate: Sat Feb 24 18:37:19 2007 --> -<html> -<head> -<meta name="generator" content="groff -Thtml, see www.gnu.org"> -<meta name="Content-Style" content="text/css"> -<title>RGB2YCBCR</title> -</head> -<body> - -<h1 align=center>RGB2YCBCR</h1> -<a href="#NAME">NAME</a><br> -<a href="#SYNOPSIS">SYNOPSIS</a><br> -<a href="#DESCRIPTION">DESCRIPTION</a><br> -<a href="#OPTIONS">OPTIONS</a><br> -<a href="#SEE ALSO">SEE ALSO</a><br> - -<hr> -<a name="NAME"></a> -<h2>NAME</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p>rgb2ycbcr − convert non-YCbCr <small>TIFF</small> -images to a YCbCr <small>TIFF</small> image</p> -</td> -</table> -<a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><b>rgb2ycbcr</b> [ <i>options</i> ] <i>src1.tif src2.tif -... dst.tif</i></p> -</td> -</table> -<a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><i>rgb2ycbcr</i> converts <small>RGB</small> color, -greyscale, or bi-level <small>TIFF</small> images to YCbCr -images by transforming and sampling pixel data. If multiple -files are specified on the command line each source file is -converted to a separate directory in the destination -file.</p> -<!-- INDENTATION --> -<p>By default, chrominance samples are created by sampling 2 -by 2 blocks of luminance values; this can be changed with -the <b>−h</b> and <b>−v</b> options. 
Output data -are compressed with the <small>PackBits</small> compression -scheme, by default; an alternate scheme can be selected with -the <b>−c</b> option. By default, output data are -compressed in strips with the number of rows in each strip -selected so that the size of a strip is never more than 8 -kilobytes; the <b>−r</b> option can be used to -explicitly set the number of rows per strip.</p> -</td> -</table> -<a name="OPTIONS"></a> -<h2>OPTIONS</h2> -<!-- TABS --> -<table width="100%" border=0 rules="none" frame="void" - cols="5" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−c</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Specify a compression scheme to use when writing image -data: <b>−c none</b> for no compression, <b>−c -packbits</b> for the PackBits compression algorithm (the -default), <b>−c jpeg</b> for the JPEG compression -algorithm, <b>−c zip</b> for the deflate compression -algorithm, and <b>−c lzw</b> for Lempel-Ziv & -Welch.</p> -</td> -<td width="0%"> -</td> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−h</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Set the horizontal sampling dimension to one of: 1, 2 -(default), or 4.</p> -</td> -<td width="0%"> -</td> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−r</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Write data with a specified number of rows per strip; by -default the number of rows/strip is selected so that each -strip is approximately 8 kilobytes.</p> -</td> -<td width="0%"> -</td> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−v</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Set the vertical sampling dimension to one of: 1, 2 -(default), or 4.</p> -</td> -<td width="0%"> -</td> -</table> -<a name="SEE ALSO"></a> -<h2>SEE ALSO</h2> -<!-- INDENTATION --> -<table 
width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><b>tiffinfo</b>(1), <b>tiffcp</b>(1), -<b>libtiff</b>(3)</p> -<!-- INDENTATION --> -<p>Libtiff library home page: -<b>http://www.simplesystems.org/libtiff/</b></p> -</td> -</table> -<hr> -</body> -</html> diff --git a/tiff/html/man/thumbnail.1.html b/tiff/html/man/thumbnail.1.html deleted file mode 100644 index 8b114137f..000000000 --- a/tiff/html/man/thumbnail.1.html +++ /dev/null 
@@ -1,148 +0,0 @@ -<!-- Creator : groff version 1.18.1 --> -<!-- CreationDate: Sat Feb 24 18:37:19 2007 --> -<html> -<head> -<meta name="generator" content="groff -Thtml, see www.gnu.org"> -<meta name="Content-Style" content="text/css"> -<title>THUMBNAIL</title> -</head> -<body> - -<h1 align=center>THUMBNAIL</h1> -<a href="#NAME">NAME</a><br> -<a href="#SYNOPSIS">SYNOPSIS</a><br> -<a href="#DESCRIPTION">DESCRIPTION</a><br> -<a href="#OPTIONS">OPTIONS</a><br> -<a href="#BUGS">BUGS</a><br> -<a href="#SEE ALSO">SEE ALSO</a><br> - -<hr> -<a name="NAME"></a> -<h2>NAME</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p>thumbnail − create a <small>TIFF</small> file with -thumbnail images</p> -</td> -</table> -<a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><b>thumbnail</b> [ <i>options</i> ] <i>input.tif -output.tif</i></p> -</td> -</table> -<a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><i>thumbnail</i> is a program written to show how one -might use the SubIFD tag (#330) to store thumbnail images. -<i>thumbnail</i> copies a <small>TIFF</small> Class F -facsimile file to the output file and for each image an -8-bit greyscale <i>thumbnail sketch</i>. The output file -contains the thumbnail image with the associated -full-resolution page linked below with the SubIFD tag.</p> -<!-- INDENTATION --> -<p>By default, thumbnail images are 216 pixels wide by 274 -pixels high. 
Pixels are calculated by sampling and filtering -the input image with each pixel value passed through a -contrast curve.</p> -</td> -</table> -<a name="OPTIONS"></a> -<h2>OPTIONS</h2> -<!-- TABS --> -<table width="100%" border=0 rules="none" frame="void" - cols="5" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−w</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Specify the width of thumbnail images in pixels.</p> -</td> -<td width="0%"> -</td> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−h</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Specify the height of thumbnail images in pixels.</p> -</td> -<td width="0%"> -</td> -<tr valign="top" align="left"> -<td width="10%"></td> -<td width="3%"> - -<p><b>−c</b></p> -</td> -<td width="5%"></td> -<td width="80%"> - -<p>Specify a contrast curve to apply in generating the -thumbnail images. By default pixels values are passed -through a linear contrast curve that simply maps the pixel -value ranges. 
Alternative curves are: <b>exp50</b> for a 50% -exponential curve, <b>exp60</b> for a 60% exponential curve, -<b>exp70</b> for a 70% exponential curve, <b>exp80</b> for a -80% exponential curve, <b>exp90</b> for a 90% exponential -curve, <b>exp</b> for a pure exponential curve, -<b>linear</b> for a linear curve.</p> -</td> -<td width="0%"> -</td> -</table> -<a name="BUGS"></a> -<h2>BUGS</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p>There are no options to control the format of the saved -thumbnail images.</p> -</td> -</table> -<a name="SEE ALSO"></a> -<h2>SEE ALSO</h2> -<!-- INDENTATION --> -<table width="100%" border=0 rules="none" frame="void" - cols="2" cellspacing="0" cellpadding="0"> -<tr valign="top" align="left"> -<td width="8%"></td> -<td width="91%"> -<p><b>tiffdump</b>(1), <b>tiffgt</b>(1), <b>tiffinfo</b>(1), -<b>libtiff</b>(3)</p> -<!-- INDENTATION --> -<p>Libtiff library home page: -<b>http://www.simplesystems.org/libtiff/</b></p> -</td> -</table> -<hr> -</body> -</html> diff --git a/tiff/html/v4.0.7.html b/tiff/html/v4.0.7.html index 151861f49..e29e8d535 100644 --- a/tiff/html/v4.0.7.html +++ b/tiff/html/v4.0.7.html @@ -405,7 +405,7 @@ information is located here: </UL> -Last updated $Date: 2016-11-12 21:43:44 $. +Last updated $Date: 2016-11-19 17:47:40 $. </BODY> </HTML> diff --git a/tiff/html/v4.0.8.html b/tiff/html/v4.0.8.html new file mode 100644 index 000000000..8b85e9c2e --- /dev/null +++ b/tiff/html/v4.0.8.html 
@@ -0,0 +1,445 @@ +<HTML> +<HEAD> +<TITLE> + Changes in TIFF v4.0.8 +</TITLE> +</HEAD> + +<BODY BGCOLOR=white> +<FONT FACE="Helvetica, Arial, Sans"> + +<BASEFONT SIZE=4> +<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B> +<BASEFONT SIZE=3> + +<UL> +<HR SIZE=4 WIDTH=65% ALIGN=left> +<B>Current Version</B>: v4.0.8<BR> +<B>Previous Version</B>: <A HREF=v4.0.7.html>v4.0.7</a><BR> +<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff"> +download.osgeo.org</a>, directory pub/libtiff</A><BR> +<B>Master HTTP Site #1</B>: <A HREF="http://www.simplesystems.org/libtiff/"> +http://www.simplesystems.org/libtiff/</a><BR> +<B>Master HTTP Site #2</B>: <A HREF="http://libtiff.maptools.org/"> +http://libtiff.maptools.org/</a> +<HR SIZE=4 WIDTH=65% ALIGN=left> +</UL> + +<P> +This document describes the changes made to the software between the +<I>previous</I> and <I>current</I> versions (see above). If you don't +find something listed here, then it was not done in this timeframe, or +it was not considered important enough to be mentioned. 
The following +information is located here: +<UL> +<LI><A HREF="#highlights">Major Changes</A> +<LI><A HREF="#configure">Changes in the software configuration</A> +<LI><A HREF="#libtiff">Changes in libtiff</A> +<LI><A HREF="#tools">Changes in the tools</A> +<LI><A HREF="#contrib">Changes in the contrib area</A> +</UL> +<p> +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A> + +<UL> + + <LI> None + +</UL> + + +<P><HR WIDTH=65% ALIGN=left> +<!---------------------------------------------------------------------------> + +<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A> + +<UL> + + <LI> None + +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A> + +<UL> + + <LI> libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis + to fix cppcheck clarifyCalculation warnings * + libtiff/tif_predict.c, libtiff/tif_print.c: fix printf + unsigned vs signed formatting (cppcheck + invalidPrintfArgType_uint warnings) + + <LI> libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by + zero. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2596 + + <LI> libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based + buffer overflow on generation of PixarLog / LUV compressed + files, with ColorMap, TransferFunction attached and nasty + plays with bitspersample. The fix for LUV has not been + tested, but suffers from the same kind of issue of PixarLog. + Reported by Agostino Sarubbo. 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2604 + + <LI> libtiff/tif_strip.c: revert the change in + TIFFNumberOfStrips() done for + http://bugzilla.maptools.org/show_bug.cgi?id=2587 / + CVE-2016-9273 since the above change is a better fix that + makes it unnecessary. + + <LI> libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() + to instanciate compute ntrips as + TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a + logic based on the total size of data. Which is faulty is the + total size of data is not sufficient to fill the whole image, + and thus results in reading outside of the + StripByCounts/StripOffsets arrays when using + TIFFReadScanline(). Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2608. + + <LI> libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of + failure in OJPEGPreDecode(). This will avoid a divide by zero, + and potential other issues. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + + <LI> libtiff/tif_write.c: fix misleading indentation as warned by GCC. + + + <LI> libtiff/tif_fax3.h: revert change done on 2016-01-09 that + made Param member of TIFFFaxTabEnt structure a uint16 to + reduce size of the binary. It happens that the Hylafax + software uses the tables that follow this typedef + (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), + although they are not in a public libtiff header. Raised by + Lee Howard. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2636 + + <LI> libtiff/tiffio.h, libtiff/tif_getimage.c: add + TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of + the functions without ext, with an extra argument to control + the stop_on_error behaviour. + + <LI> libtiff/tif_getimage.c: fix potential memory leaks in error + code path of TIFFRGBAImageBegin(). 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2627 + + <LI> libtiff/tif_jpeg.c: increase libjpeg max memory usable to 10 + MB instead of libjpeg 1MB default. This helps when creating + files with "big" tile, without using libjpeg temporary files. + Related to https://trac.osgeo.org/gdal/ticket/6757 + + <LI> libtiff/tif_jpeg.c: avoid integer division by zero in + JPEGSetupEncode() when horizontal or vertical sampling is set + to 0. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 + + <LI> libtiff/tif_dirwrite.c: in + TIFFWriteDirectoryTagCheckedRational, replace assertion by + runtime check to error out if passed value is strictly + negative. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2535 + + <LI> libtiff/tif_dirread.c: avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and + TIFFReadDirEntryCheckedSrational(), and return 0 in that case + (instead of infinity as before presumably) Apparently some + sanitizers do not like those divisions by zero. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2644 + + <LI> libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement + various clampings of double to other data types to avoid + undefined behaviour if the output range isn't big enough to + hold the input value. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2643 + http://bugzilla.maptools.org/show_bug.cgi?id=2642 + http://bugzilla.maptools.org/show_bug.cgi?id=2646 + http://bugzilla.maptools.org/show_bug.cgi?id=2647 + + <LI> libtiff/tif_jpeg.c: validate BitsPerSample in + JPEGSetupEncode() to avoid undefined behaviour caused by + invalid shift exponent. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2648 + + <LI> libtiff/tif_read.c: avoid potential undefined behaviour on + signed integer addition in TIFFReadRawStrip1() in isMapped() + case. 
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 + + <LI> libtiff/tif_getimage.c: add explicit uint32 cast in + putagreytile to avoid UndefinedBehaviorSanitizer warning. + Patch by Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2658 + + <LI> libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() + to zero initialize tif_rawdata. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2651 + + <LI> libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add + _TIFFcalloc() + + <LI> libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in + Encode functions instead of -1 when TIFFFlushData1() fails. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130 + + <LI> libtiff/tif_ojpeg.c: fix leak in + OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by + Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2659 + + <LI> libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if + the YCbCrSubsampling tag is not explicitly present. This helps + a bit to reduce the I/O amount when the tag is present + (especially on cloud hosted files). + + <LI> libtiff/tif_lzw.c: in LZWPostEncode(), increase, if + necessary, the code bit-width after flushing the remaining + code and before emitting the EOI code. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=1982 + + <LI> libtiff/tif_pixarlog.c: fix memory leak in error code path of + PixarLogSetupDecode(). Patch by Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2665 + + <LI> libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 + -Wimplicit-fallthrough warnings. 
+ + <LI> libtiff/tif_dirread.c: fix memory leak in non + DEFER_STRILE_LOAD mode (ie default) when there is both a + StripOffsets and TileOffsets tag, or a StripByteCounts and + TileByteCounts Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2689 + + <LI> libtiff/tif_ojpeg.c: fix potential memory leak in + OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 + + <LI> libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. + Patch by Alan Coopersmith + complement by myself. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2673 + + <LI> libtiff/tif_read.c: TIFFFillStrip(): add limitation to the + number of bytes read in case td_stripbytecount[strip] is + bigger than reasonable, so as to avoid excessive memory + allocation. + + <LI> libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory + leak when the underlying codec (ZIP, PixarLog) succeeds its + setupdecode() method, but PredictorSetup fails. Credit to + OSS-Fuzz (locally run, on GDAL) + + <LI> libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid + excessive memory allocation in case of shorten files. Only + effective on 64 bit builds and non-mapped cases. Credit to + OSS-Fuzz (locally run, on GDAL) + + <LI> libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), + avoid potential integer overflows with read_ahead in + CHUNKY_STRIP_READ_SUPPORT mode. Should + especially occur on 32 bit platforms. + + <LI> libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive + memory allocation in case of shorten files. Only effective on + 64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL) + + <LI> libtiff/tif_read.c: update tif_rawcc in + CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when + calling TIFFStartStrip() or TIFFFillStripPartial(). This + avoids reading beyond tif_rawdata when bytecount > + tif_rawdatasize. 
Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + + <LI> libtiff/tif_color.c: avoid potential int32 overflow in + TIFFYCbCrToRGBInit() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 + Credit to OSS-Fuzz + + <LI> libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 + overflows in multiply_ms() and add_ms(). Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 + Credit to OSS-Fuzz + + <LI> libtiff/tif_packbits.c: fix out-of-buffer read in + PackBitsDecode() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + + <LI> libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Credit to OSS-Fuzz (locally run, on GDAL) + + <LI> libtiff/tif_lzw.c: update dec_bitsleft at beginning of + LZWDecode(), and update tif_rawcc at end of LZWDecode(). This + is needed to properly work with the latest chnges in + tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. + + <LI> libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp + with next_in and tif_rawcc with avail_in at beginning and end + of function, similarly to what is done in LZWDecode(). Likely + needed so that it works properly with latest chnges in + tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. But untested... + + <LI> libtiff/tif_getimage.c: initYCbCrConversion(): add basic + validation of luma and refBlackWhite coefficients (just check + they are not NaN for now), to avoid potential float to int + overflows. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + + <LI> libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast + of double to float. Credit to Google Autofuzz project + + <LI> libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] + is not zero to avoid division by zero. 
Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + + <LI> libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast + of double to float. Credit to Google Autofuzz project + + <LI> libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] + is not zero to avoid division by zero. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + + <LI> libtiff/tif_getimage.c: initYCbCrConversion(): stricter + validation for refBlackWhite coefficients values. To avoid + invalid float->int32 conversion. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!--------------------------------------------------------------------------> + +<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A> + +<UL> + + <LI> tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix + passing client data for Win32 builds using tif_win32.c + (USE_WIN32_FILEIO defined) for file I/O. Patch was provided + via email on November 20, 2016. + + <LI> tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips + that can cause various issues, such as buffer overflows in the + library. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2598 + + <LI> tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i + (ignore) mode so that the output buffer is correctly + incremented to avoid write outside bounds. Reported by + Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2620 + + <LI> tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap + allocated buffer. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2621 + + <LI> tools/tiffcrop.c: fix integer division by zero when + BitsPerSample is missing. Reported by Agostino Sarubbo. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + + <LI> tools/tiffinfo.c: fix null pointer dereference in -r mode + when the image has no StripByteCount tag. Reported by + Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2594 + + <LI> tools/tiffcp.c: avoid potential division by zero is + BitsPerSamples tag is missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + + <LI> tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) + is called, limit the return number of inks to SamplesPerPixel, + so that code that parses ink names doesn't go past the end of + the buffer. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2599 + + <LI> tools/tiffcp.c: avoid potential division by zero is + BitsPerSamples tag is missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + + <LI> tools/tiffcp.c: fix uint32 underflow/overflow that can cause + heap-based buffer overflow. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + + <LI> tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non + assert check. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2605 + + <LI> tools/tiff2ps.c: fix 2 heap-based buffer overflows (in + PSDataBW and PSDataColorContig). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and + http://bugzilla.maptools.org/show_bug.cgi?id=2634. + + <LI> tools/tiff2pdf.c: prevent heap-based buffer overflow in -j + mode on a paletted image. Note: this fix errors out before the + overflow happens. There could probably be a better fix. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2635 + + <LI> tools/tiff2pdf.c: fix wrong usage of memcpy() that can + trigger unspecified behaviour. 
Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2638 + + <LI> tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2639 + + <LI> tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2640 + + <LI> tools/tiffcrop.c: remove extraneous TIFFClose() in error code + path, that caused double free. Related to + http://bugzilla.maptools.org/show_bug.cgi?id=2535 + + <LI> tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow + and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap + based overflow. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + + <LI> tools/raw2tiff.c: avoid integer division by zero. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2631 + + <LI> tools/tiff2ps.c: call TIFFClose() in error code paths. + + <LI> tools/fax2tiff.c: emit appropriate message if the input file + is empty. Patch by Alan Coopersmith. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2672 + + <LI> tools/tiff2bw.c: close TIFF handle in error code path. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2677 + +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A> + +<UL> + + <LI> None + +</UL> + +Last updated $Date: 2017-05-21 17:47:46 $. + +</BODY> +</HTML> diff --git a/tiff/html/v4.0.9.html b/tiff/html/v4.0.9.html new file mode 100644 index 000000000..9be5f274b --- /dev/null +++ b/tiff/html/v4.0.9.html 
@@ -0,0 +1,373 @@ +<HTML> +<HEAD> +<TITLE> + Changes in TIFF v4.0.9 +</TITLE> +</HEAD> + +<BODY BGCOLOR=white> +<FONT FACE="Helvetica, Arial, Sans"> + +<BASEFONT SIZE=4> +<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B> +<BASEFONT SIZE=3> + +<UL> +<HR SIZE=4 WIDTH=65% ALIGN=left> +<B>Current Version</B>: v4.0.9<BR> +<B>Previous Version</B>: <A HREF=v4.0.8.html>v4.0.8</a><BR> +<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff"> +download.osgeo.org</a>, directory pub/libtiff</A><BR> +<B>Master HTTP Site #1</B>: <A HREF="http://www.simplesystems.org/libtiff/"> +http://www.simplesystems.org/libtiff/</a><BR> +<B>Master HTTP Site #2</B>: <A HREF="http://libtiff.maptools.org/"> +http://libtiff.maptools.org/</a> +<HR SIZE=4 WIDTH=65% ALIGN=left> +</UL> + +<P> +This document describes the changes made to the software between the +<I>previous</I> and <I>current</I> versions (see above). If you don't +find something listed here, then it was not done in this timeframe, or +it was not considered important enough to be mentioned. The following +information is located here: +<UL> +<LI><A HREF="#highlights">Major Changes</A> +<LI><A HREF="#configure">Changes in the software configuration</A> +<LI><A HREF="#libtiff">Changes in libtiff</A> +<LI><A HREF="#tools">Changes in the tools</A> +<LI><A HREF="#contrib">Changes in the contrib area</A> +</UL> +<p> +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A> + +<UL> + + <LI> None + +</UL> + + +<P><HR WIDTH=65% ALIGN=left> +<!---------------------------------------------------------------------------> + +<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A> + +<UL> + + <LI> test/Makefile.am: Add some tests for tiff2bw. 
+ <LI> * .appveyor.yml, .travis.yml, build/travis-ci: apply patches + 0001-ci-Travis-script-improvements.patch and + 0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh + (sent to mailing list) + <LI> .travis.yml, build/travis-ci: new files from + 0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by + Roger Leigh (sent to mailing list on 2017-06-08) + This patch adds support for the Travis-CI service. + <LI> .appveyor.yml: new file from + 0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing + list on 2017-06-08) + This patch adds a .appveyor.yml file to the top-level. This allows + one to opt in to having a branch built on Windows with Cygwin, + MinGW and MSVC automatically when a branch is pushed to GitHub, + GitLab, BitBucket or any other supported git hosting service. + <LI> CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply + patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger + Leigh (sent to mailing list on 2017-06-08) + This patch makes the CMake build system support running the tests + with MinGW or Cygwin. + + <LI> test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files + to test old-style LZW decompression + <LI> test/common.sh, Makefile.am, CMakeList.txt: updated with above + <LI> test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff + to fix "make distcheck". Patch by Roger Leigh + <LI> nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use + /MDd runtime in debug mode. + + +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A> + +<UL> + + <LI> libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid + int32 overflow in TIFFYCbCrtoRGB(). 
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + Credit to OSS Fuzz + + <LI> libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion + (when refBlackWhite[0] == 2147483648.f) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + Credit to OSS Fuzz + + <LI> libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), + and use it in TIFFReadDirectory() so as to ignore fields whose tag is a + codec-specified tag but this codec is not enabled. This avoids TIFFGetField() + to behave differently depending on whether the codec is enabled or not, and + thus can avoid stack based buffer overflows in a number of TIFF utilities + such as tiffsplit, tiffcmp, thumbnail, etc. + Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch + (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. + Fixes: + http://bugzilla.maptools.org/show_bug.cgi?id=2580 + http://bugzilla.maptools.org/show_bug.cgi?id=2693 + http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) + http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) + http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) + http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) + http://bugzilla.maptools.org/show_bug.cgi?id=2441 + http://bugzilla.maptools.org/show_bug.cgi?id=2433 + + <LI> libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do + the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols + of its internal libtiff copy. + + + <LI> libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in + ChopUpSingleUncompressedStrip() regarding update of newly single-strip + uncompressed files whose bytecount is 0. Before the change of 2016-12-03, + the condition bytecount==0 used to trigger an early exit/disabling of + strip chop. Re-introduce that in update mode. 
Otherwise this cause + later incorrect setting for the value of StripByCounts/StripOffsets. + ( https://trac.osgeo.org/gdal/ticket/6924 ) + <LI> libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items + read in StripOffsets/StripByteCounts tags to the number of strips to avoid + excessive memory allocation. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215 + Credit to OSS Fuzz + <LI> libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows. + <LI> libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could + potentially be a bug with huge rows. + <LI> libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images. + <LI> libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts() + and BYTECOUNTLOOKSBAD when file is too short. + <LI> libtiff/tif_predict.c: decorate legitimate functions where unsigned int + overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW + * libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts() + <LI> libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to + disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow + <LI> libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive + CPU consumption on progressive JPEGs with a huge number of scans. + See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG + was added. + + <LI> libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg + memory allocation is above 100 MB. libjpeg in case of multiple scans, + which is allowed even in baseline JPEG, if components are spread over several + scans and not interleavedin a single one, needs to allocate memory (or + backing store) for the whole strip/tile. 
+ See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + This limitation may be overriden by setting the + LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling + libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro. + <LI> libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 + Reported by team OWL337 + <LI> libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a + double value can fit in a float before casting. Patch by Nicolas RUFF + <LI> libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, + libtiff/tif_read.c: make TIFFReadScanline() works in + CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans. + Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER + environment variable the maximum number of scans allowed. Defaults to + 100. + <LI> libtiff/tif_read.c: TIFFFillTile(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation (similarly to + what was done for TIFFFileStrip() on 2017-05-10) + <LI> libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . + Credit to OSS Fuzz + <LI> libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() + function, variant of TIFFReadEncodedStrip() that allocates the + decoded buffer only after a first successful TIFFFillStrip(). This avoids + excessive memory allocation on corrupted files. + <LI> libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() + functions associated with LONG8/SLONG8 data type, replace assertion that + the file is BigTIFF, by a non-fatal error. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 + Reported by team OWL337 + <LI> libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to + tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). + This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), + limiting the number of bytes read. But it could probably have been hit + too in CHUNKY_STRIP_READ_SUPPORT mode previously ? + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 + Credit to OSS Fuzz + <LI> libtiff/tif_error.c, tif_warning.c: correctly use va_list when both + an old-style and new-style warning/error handlers are installed. + Patch by Paavo Helde (sent on the mailing list) + <LI> libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470 + Credit to OSS Fuzz. + <LI> libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer() + and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and + TIFFReadTile() that allocates the decoded buffer only after a first + successful TIFFFillTile(). This avoids excessive memory allocation + on corrupted files. + <LI> libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding + when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 + Credit to OSS Fuzz + <LI> libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW + compressed files. + <LI> libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW + strips. Crashing issue only on memory mapped files, where the strip + offset is the last byte of the file, and the file size is a multiple + of one page size on the CPU architecture (typically 4096). Credit + to myself :-) + <LI> libtiff/tif_dir.c: avoid potential null pointer dereference in + _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. 
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713 + <LI> tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 + Reported by team OWL337 + <LI> libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). + Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 + in the isMapped() case, so as to avoid excessive memory allocation + when we need a temporary buffer but the file is truncated. + <LI> libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). + Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 + in the isMapped() case, so as to avoid excessive memory allocation + when we need a temporary buffer but the file is truncated. + <LI> libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + <LI> libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. 
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + <LI> libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but restricted + to 64bit builds. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 + <LI> libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but restricted + to 64bit builds. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 + <LI> libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 + Credit to OSS-Fuzz + <LI> libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate(): + properly break from loops on error when stoponerr is set, instead + of going on iterating on row based loop. + <LI> libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped + pixel number is not a multiple of the horizontal subsampling, and + also in some other cases. Impact putcontig8bitYCbCr44tile, + putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile, + putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered + by Agostino Sarubbo) + and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit + to OSS Fuzz) + <LI> libtiff/tif_luv.c: further reduce memory requirements for temporary + buffer when RowsPerStrip >= image_length in LogLuvInitState() and + LogL16InitState(). 
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 + Credit to OSS Fuzz + <LI> libtiff/tif_dirwrite.c: replace assertion related to not finding the + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 + Reported by team OWL337 + <LI> libtiff/tif_dirwrite.c: replace assertion to tag value not fitting + on uint32 when selecting the value of SubIFD tag by runtime check + (in TIFFWriteDirectoryTagSubifd()). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 + Reported by team OWL337 + <LI> libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed + file if the codestream height is larger than the truncated height of the + strip. Emit a warning in this situation since this is non compliant. + <LI> libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK() + function that checks if the offset is not bigger than INT64_MAX, so as + to avoid a -1 error return code of TIFFSeekFile() to match a required + seek to UINT64_MAX/-1. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726 + Adapted from proposal by Nicolas Ruff. + <LI> libtiff/tif_dirread.c: add NULL check to avoid likely false positive + null-pointer dereference warning by CLang Static Analyzer. + <LI> libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735 + <LI> libtiff/tif_jpeg.c: add compatibility with libjpeg-turbo 1.5.2 that + honours max_memory_to_use > 0. 
+ Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162 + <LI> libtiff/tif_getimage.c: avoid floating point division by zero in + initCIELabConversion() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733 + Credit to OSS Fuzz +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!--------------------------------------------------------------------------> + +<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A> + +<UL> + + <LI> tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 + Reported by team OWL337 + <LI> tools/tiffset.c: fix setting a single value for the ExtraSamples tag + (and other tags with variable number of values). + So 'tiffset -s ExtraSamples 1 X'. This only worked + when setting 2 or more values, but not just one. + <LI> tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as the + client data. This client data is not used at all at the moment, + but it makes the most sense. Issue that the value of + client_data.fd was passed where a pointer is expected was reported + via email by Gerald Schade on Sun, 29 Oct 2017. + <LI> tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible + arithmetic overflow in bounds checking code and eliminate + comparison between signed and unsigned type. + <LI> tools/tiff2bw.c (main): Free memory allocated in the tiff2bw + program. This is in response to the report associated with + CVE-2017-16232 but does not solve the extremely high memory usage + with the associated POC file. + +</UL> + +<P><HR WIDTH=65% ALIGN=left> + +<!---------------------------------------------------------------------------> + +<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A> + +<UL> + + <LI> None + +</UL> + +Last updated $Date: 2017-11-18 19:38:06 $. + +</BODY> +</HTML> |
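Review bot: in tiff/html/v4.0.9.html the "CHANGES IN LIBTIFF" list carries several entries twice and files one of them under two different source files, which makes the security-relevant fixes harder to audit. The TIFFFillStrip() / TIFFFillTile() "Complementary fix" for bug 2708, the TIFFFetchStripThing() array-growth limit (oss-fuzz 2350) and the TIFFReadDirEntryArray() short-file protection (bug 2675) each appear twice back to back. The tools/tiff2pdf.c "Raw" mode fix (bug 2715) is listed under libtiff as well as under tools. A stray "* libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()" line repeats the entry above it without its own <LI>. TIFFFetchStripThing() is attributed to libtiff/tif_dirread.c in one entry and to libtiff/tif_read.c in the duplicated one, so please settle on the correct file. Function names are inconsistent within the page: "TIFFFileStrip()" and "TIFFFileTile()" against TIFFFillStrip() / TIFFFillTile(), and "_TIFFSeekoK()" against the SeekOK() macro it backs. Smaller items: "interleavedin", "overriden", "StripByCounts", "CMakeList.txt", the leading "*" in "<LI> * .appveyor.yml", the extra </A> after "directory pub/libtiff", and the <FONT FACE=...> that is never closed. Finally, "MAJOR CHANGES" says None although this release introduces default limits that make some inputs error out (100 MB anticipated libjpeg allocation, 100 JPEG scans, 1 million striles) together with the environment variables LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC, LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER and LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT that relax them. Consider a short highlights entry pointing to those, so that anyone processing untrusted TIFF files knows the limits exist and what overriding them gives up.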