1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
Changes in TIFF v4.0.4beta
==========================
.. table:: References
:widths: auto
====================== ==========================================
Current Version v4.0.4beta (:tag:`Release-v4-0-4beta`)
Previous Version :doc:`v4.0.3 <v4.0.3>`
Master Download Site `<https://download.osgeo.org/libtiff/>`_
Master HTTP Site `<https://download.osgeo.org/libtiff/>`_
====================== ==========================================
This document describes the changes made to the software between the
*previous* and *current* versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:
Major changes
-------------
* None
Software configuration changes
------------------------------
* Updated to use Automake 1.15 and Libtool 2.4.5
Library changes
---------------
* :c:func:`TIFFCheckDirOffset`: avoid :c:type:`uint16` overflow
when reading more than 65535 directories, and effectively error out when
reaching that limit.
* :c:func:`TIFFNumberOfDirectories`: generate error in case of directory count
overflow.
* :c:func:`TIFFAdvanceDirectory`: If nextdir is found to
be defective, then set it to zero before returning error in order
to terminate processing of truncated TIFF.
* JPEG-in-TIFF: recognize ``SOF2``, ``SOF9`` and ``SOF10``
markers to avoid emitting a warning. Fix for compatibility with mozjpeg library.
Note: the default settings of mozjpeg will produce progressive scans, which
is forbidden by the TechNote.
* JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused
all tiles/strips to include quantization tables even when the jpegtablesmode
had the :c:macro:`JPEGTABLESMODE_QUANT` bit set.
Also add explicit removal of Huffman tables when jpegtablesmode has the
:c:macro:`JPEGTABLESMODE_HUFF` bit set, which avoids Huffman tables to be emitted in the
first tile/strip (only useful in update scenarios. create-only was
fine)
* JPEG-in-TIFF: fix segfault in :c:func:`JPEGFixupTagsSubsampling` on
corrupted image where ``tif->tif_dir.td_stripoffset == NULL``.
(:bugzilla:`2471`)
* NeXT codec: add new tests to check that we don't read outside of
the compressed input stream buffer.
* NeXT codec: check that ``BitsPerSample`` = 2. Fixes
:bugzilla:`2487` (:cve:`2014-8129`)
* NeXT codec: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tif_getimage.c: in OJPEG case, fix checks on strile width/height
in the ``putcontig8bitYCbCr42tile``, ``putcontig8bitYCbCr41tile`` and
``putcontig8bitYCbCr21tile`` cases.
* in :c:func:`TIFFDefaultDirectory`, reset any already existing
extended tags installed by user code through the extender mechaninm before
calling the extender callback (GDAL #5054)
* Fix warnings about unused parameters.
* Fix various typos in comments found by Debian lintian tool (GDAL #5756)
* tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
(:bugzilla:`2235`)
* :file:`tif_dirread.c`: In :c:func:`EstimateStripByteCounts`, check return code
of :c:func:`_TIFFFillStriles`. This solves crashing bug on corrupted
images generated by afl.
* :file:`tif_read.c`: fix several invalid comparisons of a :c:type:`uint64` value with
``<= 0`` by casting it to :c:type:`int64` first. This solves crashing bug on corrupted
images generated by afl.
* :c:func:`TIFFSetField`: refuse to set negative values for
:c:macro:`TIFFTAG_XRESOLUTION` and :c:macro:`TIFFTAG_YRESOLUTION` that cause asserts when writing
the directory
* :c:func:`TIFFReadDirectory`: refuse to read ``ColorMap`` or
``TransferFunction`` if ``BitsPerSample`` has not yet been read, otherwise reading
it later will cause user code to crash if ``BitsPerSample > 1``
* :c:func:`TIFFRGBAImageOK`: return FALSE if LOGLUV with
``SamplesPerPixel != 3``, or if CIELAB with
``SamplesPerPixel != 3`` or ``BitsPerSample != 8``
* :file:`tif_config.vc.h`: no longer use ``#define snprintf _snprintf`` with
Visual Studio 2015 aka VC 14 aka MSVC 1900
* LZW codec: prevent potential null dereference of ``sp->dec_codetab`` in :c:func:`LZWPreDecode`
(:bugzilla:`2459`)
* :c:func:`TIFFReadBufferSetup`: avoid passing -1 size
to :c:func:`TIFFmalloc` if passed user buffer size is 0
(:bugzilla:`2459`)
* :c:func:`TIFFReadDirEntryOutputErr`: Incorrect
count for tag should be a warning rather than an error since
errors terminate processing.
* :file:`tif_dirinfo.c` (``TIFFField``) : Fix data type for :c:macro:`TIFFTAG_GLOBALPARAMETERSIFD` tag.
* Add definitions for TIFF/EP ``CFARepeatPatternDim`` and ``CFAPattern`` tags
(:bugzilla:`2457`)
* :file:`tif_codec.c`, :file:`tif_dirinfo.c`: Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of ``sprintf(buf,
...)`` in favor of using ``snprintf(buf, sizeof(buf), ...)``
* :file:`configure.ac`: Improve pkg-config static linking by adding ``-lm`` to ``Libs.private`` when needed.
* :file:`tif_write.c`: :c:type:`tmsize_t` related casting warning fixed for
64bit linux.
* :c:file:`tif_read.c`: :c:type:`uint64`/:c:type:`tmsize_t` change for MSVC warnings.
(:bugzilla:`2427`)
* Fix :c:func:`TIFFPrintDirectory` handling of
:c:member:`field_passcount` fields: it had the :c:macro:`TIFF_VARIABLE` and
:c:macro:`TIFF_VARIABLE2` cases backwards.
* PixarLog codec: Improve previous patch for :cve:`2012-4447`
(to enlarge :c:member:`tbuf` for possible partial stride at end) so that
overflow in the integer addition is detected.
* :file:`tif_{unix,vms,win32}.c` (:c:func:`_TIFFmalloc`): ANSI C does not
require :c:func:`malloc` to return :c:macro:`NULL` pointer if requested allocation
size is zero. Assure that :c:func:`_TIFFmalloc` does.
* :file:`tif_zip.c`: Avoid crash on :c:macro:`NULL` error messages.
Tools changes
-------------
* :program:`tiff2pdf` Fix various crashes and memory buffer access errors (oCERT-2014-013).
* :program:`tiff2pdf` fix buffer overflow on some YCbCr JPEG compressed images.
(:bugzilla:`2445`)
* :program:`tiff2pdf` fix buffer overflow on YCbCr JPEG compressed image.
(:bugzilla:`2443`)
* :program:`tiff2pdf` check return code of :c:func:`TIFFGetField` when reading :c:macro:`TIFFTAG_SAMPLESPERPIXEL`
* :program:`tiff2pdf` fix crash due to invalid tile count.
* :program:`tiff2pdf` Detect invalid settings of ``BitsPerSample``/``SamplesPerPixel`` for CIELAB / ITULAB
* :program:`tiff2pdf` Assure that memory size calculations for
:c:func:`_TIFFmalloc` do not overflow the range of :c:type:`tmsize_t`.
* :program:`tiff2pdf` Avoid crash when :c:macro:`TIFFTAG_TRANSFERFUNCTION` tag returns one channel,
with the other two channels set to :c:macro:`NULL`.
* :program:`tiff2pdf` close PDF file. (:bugzilla:`2479`)
* :program:`tiff2pdf` Preserve input file directory order when pages
are tagged with the same page number.
* :program:`tiff2pdf.c` terminate after failure of allocating ycbcr buffer
(:bugzilla:`2449`, :cve:`2013-4232`)
* :program:`tiff2pdf` Rewrite JPEG marker parsing in
:c:func:`t2p_process_jpeg_strip` to be at least marginally competent. The
approach is still fundamentally flawed, but at least now it won't
stomp all over memory when given bogus input. Fixes :cve:`2013-1960`.
* :program:`tiffdump` Guard against arithmetic overflow when calculating allocation buffer sizes.
* :program:`tiffdump` fix crash due to overflow of entry count.
* :program:`tiffdump` Fix double-free bug.
* :program:`tiffdump` detect cycle in TIFF directory chaining.
(:bugzilla:`2463`)
* :program:`tiffdump` avoid passing a :c:macro:`NULL` pointer to :c:func:`read` if :c:func:`seek` failed before.
(:bugzilla:`2459`)
* :program:`tiff2bw` when ``Photometric = RGB``, the utility only works if ``SamplesPerPixel = 3``. Enforce that.
(:bugzilla:2485`, :cve:`2014-8127`)
* :program:`pal2rgb`, :program:`thumbnail`: fix crash by disabling :c:macro:`TIFFTAG_INKNAMES` copying.
(:bugzilla:`#2484`, :cve:`2014-8127`)
* :program:`thumbnail` fix out-of-buffer write.
(:bugzilla:`2489`, :cve:`2014-8128`)
* :program:`thumbnail`, :program:`tiffcmp`: only read/write :c:macro:`TIFFTAG_GROUP3OPTIONS`
or :c:macro:`TIFFTAG_GROUP4OPTIONS` if compression is :c:macro:`COMPRESSION_CCITTFAX3` or
:c:macro:`COMPRESSION_CCITTFAX4`.
(:bugzilla:`2493`, :cve:`2014-8128`)
* :program:`tiffcp` fix crash when converting YCbCr JPEG-compressed to none.
(:bugzilla:`2480`)
* :program:`bmp2tiff` fix crash due to int overflow related to input BMP dimensions
* :program:`tiffcrop` fix crash due to invalid ``TileWidth``/``TileHeight``
* :program:`tiffcrop` fix segfault if bad value passed to ``-Z`` option
(:bugzilla:`2459`) and add missing ``va_end`` in :c:func:`dump_info`
* :program:`thumbnail`, :program:`tiffcrop`: "fix" heap read over-run found with
Valgrind and Address Sanitizer on test suite
* :program:`fax2ps` check :c:func:`malloc`/:c:func:`realloc` result. (:bugzilla:`2470`)
* :program:`gif2tiff` apply patch for :cve:`2013-4243`. (:bugzilla:`2451`)
* :program:`gif2tiff` fix possible OOB write. (:bugzilla:`2452`, :cve:`2013-4244`)
* :program:`gif2tiff` Be more careful about corrupt or hostile input files (:bugzilla:`2450`, :cve:`2013-4231`)
* :program:`tiff2rgba` fix usage message in that zip was wrongly described
* :program:`tiffinfo` Default various values fetched with :c:func:`TIFFGetField` to avoid being uninitialized.
* :program:`tiff2ps` Fix bug in auto rotate option code.
* :program:`ppm2tiff` avoid zero size buffer vulnerability (:cve:`2012-4564`).
check the linebytes calculation too, get the :c:func:`max` calculation
straight, avoid redundant error messages, check for :c:func:`malloc`
failure.
* :program:`tiffset` now supports a ``-u`` option to unset a tag.
(:bugzilla:`2419`)
* Fix warnings about unused parameters.
* :program:`rgb2ycbcr`, :program:`tiff2bw`, :program:`tiff2pdf`, :program:`tiff2ps`, :program:`tiffcrop`, :program:`tiffdither`:
Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of ``sprintf(buf,
...)`` in favor of using ``snprintf(buf, sizeof(buf), ...)``, so as to
protect against overflow of fixed-size buffers. This responds in
particular to :cve:`2013-1961` concerning overflow in :file:`tiff2pdf.c`'s
:c:func:`t2p_write_pdf_page`.
* :file:`html/man/tiff2ps.1.html`, :file:`html/man/tiffcp.1.html`,
:file:`html/man/tiffdither.1.html`, :file:`man/tiff2ps.1`, :file:`man/tiffcp.1`,
:file:`man/tiffdither.1`, :file:`tools/tiff2ps.c`, :file:`tools/tiffcp.c`,
:file:`tools/tiffdither.c`: Sync tool usage printouts and man pages with
reality
Contributed software changes
----------------------------
* Fix warnings about variables set but not used.
* :file:`contrib/dbs/xtiff/xtiff.c`: Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of ``sprintf(buf,
...)`` in favor of using ``snprintf(buf, sizeof(buf), ...)``, so as to
protect against overflow of fixed-size buffers.
|