1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
|
Changes in TIFF v4.0.8
======================
.. table:: References
:widths: auto
====================== ==========================================
Current Version v4.0.8 (:tag:`Release-v4-0-8`)
Previous Version :doc:`v4.0.7 <v4.0.7>`
Master Download Site `<https://download.osgeo.org/libtiff/>`_
Master HTTP Site #1 `<http://www.simplesystems.org/libtiff/>`_
Master HTTP Site #2 `<http://libtiff.maptools.org/>`_
====================== ==========================================
This document describes the changes made to the software between the
*previous* and *current* versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:
Major changes
-------------
* None
Software configuration changes
------------------------------
* None
Library changes
---------------
* :file:`libtiff/tif_getimage.c`, :file:`libtiff/tif_open.c`: add parenthesis
to fix cppcheck ``clarifyCalculation`` warnings
* :file:`libtiff/tif_predict.c`, :file:`libtiff/tif_print.c`: fix printf
unsigned vs signed formatting (cppcheck
``invalidPrintfArgType_uint`` warnings)
* :file:`libtiff/tif_read.c`, :file:`libtiff/tiffiop.h`: fix :c:type:`uint32` overflow in
:c:func:`TIFFReadEncodedStrip` that caused an integer division by
zero. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2596`
* :file:`libtiff/tif_pixarlog.c`, :file:`libtiff/tif_luv.c`: fix heap-based
buffer overflow on generation of PixarLog / LUV compressed
files, with ``ColorMap``, ``TransferFunction`` attached and nasty
plays with ``bitspersample``. The fix for LUV has not been
tested, but suffers from the same kind of issue of PixarLog.
Reported by Agostino Sarubbo. Fixes
:bugzilla:`2604`
* :file:`libtiff/tif_strip.c`: revert the change in
:c:func:`TIFFNumberOfStrips` done for
:bugzilla:`2587` /
:cve:`2016-9273` since the above change is a better fix that
makes it unnecessary.
* :file:`libtiff/tif_dirread.c`: modify :c:func:`ChopUpSingleUncompressedStrip`
to instantiate compute ``nstrips`` as
``TIFFhowmany_32(td->td_imagelength, rowsperstrip)``, instead of a
logic based on the total size of data. Which is faulty is the
total size of data is not sufficient to fill the whole image,
and thus results in reading outside of the
``StripByCounts``/``StripOffsets`` arrays when using
:c:func:`TIFFReadScanline`. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2608`.
* :file:`libtiff/tif_ojpeg.c`: make :c:func:`OJPEGDecode` early exit in case of
failure in :c:func:`OJPEGPreDecode`. This will avoid a divide by zero,
and potential other issues. Reported by Agostino Sarubbo.
Fixes :bugzilla:`2611`
* :file:`libtiff/tif_write.c`: fix misleading indentation as warned by GCC.
* :file:`libtiff/tif_fax3.h`: revert change done on 2016-01-09 that
made :c:member:`Param` member of :c:struct:`TIFFFaxTabEnt` structure a :c:type:`uint16` to
reduce size of the binary. It happens that the Hylafax
software uses the tables that follow this typedef
(:c:var:`TIFFFaxMainTable`, :c:var:`TIFFFaxWhiteTable`, :c:var:`TIFFFaxBlackTable`),
although they are not in a public libtiff header. Raised by
Lee Howard. Fixes
:bugzilla:`2636`
* :file:`libtiff/tiffio.h`, :file:`libtiff/tif_getimage.c`: add
:c:func:`TIFFReadRGBAStripExt` and :c:func:`TIFFReadRGBATileExt` variants of
the functions without ext, with an extra argument to control
the ``stop_on_error`` behaviour.
* :file:`libtiff/tif_getimage.c`: fix potential memory leaks in error
code path of :c:func:`TIFFRGBAImageBegin`. Fixes
:bugzilla:`2627`
* :file:`libtiff/tif_jpeg.c`: increase libjpeg max memory usable to 10
MB instead of libjpeg 1MB default. This helps when creating
files with "big" tile, without using libjpeg temporary files.
Related to https://trac.osgeo.org/gdal/ticket/6757
* :file:`libtiff/tif_jpeg.c`: avoid integer division by zero in
:c:func:`JPEGSetupEncode` when horizontal or vertical sampling is set
to 0. Fixes :bugzilla:`2653`
* :file:`libtiff/tif_dirwrite.c`: in
:c:func:`TIFFWriteDirectoryTagCheckedRational`, replace assertion by
runtime check to error out if passed value is strictly
negative. Fixes
:bugzilla:`2535`
* :file:`libtiff/tif_dirread.c`: avoid division by floating point 0 in
:c:func:`TIFFReadDirEntryCheckedRational` and
:c:func:`TIFFReadDirEntryCheckedSrational`, and return 0 in that case
(instead of infinity as before presumably) Apparently some
sanitizers do not like those divisions by zero. Fixes
:bugzilla:`2644`
* :file:`libtiff/tif_dir.c`, :file:`tif_dirread.c`, :file:`tif_dirwrite.c`: implement
various clampings of double to other data types to avoid
undefined behaviour if the output range isn't big enough to
hold the input value. Fixes
:bugzilla:`2643`,
:bugzilla:`2642`,
:bugzilla:`2646`,
:bugzilla:`2647`
* :file:`libtiff/tif_jpeg.c`: validate ``BitsPerSample`` in
:c:func:`JPEGSetupEncode` to avoid undefined behaviour caused by
invalid shift exponent. Fixes
:bugzilla:`2648`
* :file:`libtiff/tif_read.c`: avoid potential undefined behaviour on
signed integer addition in :c:func:`TIFFReadRawStrip1` in :c:func:`isMapped`
case. Fixes :bugzilla:`2650`
* :file:`libtiff/tif_getimage.c`: add explicit :c:func:`uint32` cast in
:c:var:`putagreytile` to avoid ``UndefinedBehaviorSanitizer`` warning.
Patch by Nicolás Peña. Fixes
:bugzilla:`2658`
* :file:`libtiff/tif_read.c`: :c:func:`TIFFReadBufferSetup`: use :c:func:`_TIFFcalloc`
to zero initialize :c:member:`tif_rawdata`. Fixes
:bugzilla:`2651`
* :file:`libtiff/tiffio.h`, :file:`tif_unix.c`, :file:`tif_win32.c`, :file:`tif_vms.c`: add
:c:func:`_TIFFcalloc`
* :file:`libtiff/tif_luv.c`, :file:`tif_lzw.c`, :file:`tif_packbits.c`: return 0 in
Encode functions instead of -1 when :c:func:`TIFFFlushData1` fails.
Fixes :bugzilla:`2130`
* :file:`libtiff/tif_ojpeg.c`: fix leak in
:c:func:`OJPEGReadHeaderInfoSecTablesQTable`,
:c:func:`OJPEGReadHeaderInfoSecTablesDcTable` and
:c:func:`OJPEGReadHeaderInfoSecTablesAcTable` when read fails. Patch by
Nicolás Peña. Fixes
:bugzilla:`2659`
* :file:`libtiff/tif_jpeg.c`: only run :c:func:`JPEGFixupTagsSubsampling` if
the ``YCbCrSubsampling`` tag is not explicitly present. This helps
a bit to reduce the I/O amount when the tag is present
(especially on cloud hosted files).
* :file:`libtiff/tif_lzw.c`: in :c:func:`LZWPostEncode`, increase, if
necessary, the code bit-width after flushing the remaining
code and before emitting the EOI code. Fixes
:bugzilla:`1982`
* :file:`libtiff/tif_pixarlog.c`: fix memory leak in error code path of
:c:func:`PixarLogSetupDecode`. Patch by Nicolás Peña. Fixes
:bugzilla:`2665`
* :file:`libtiff/tif_fax3.c`, :file:`tif_predict.c`, :file:`tif_getimage.c`: fix GCC 7
``-Wimplicit-fallthrough`` warnings.
* :file:`libtiff/tif_dirread.c`: fix memory leak in non
:c:macro:`DEFER_STRILE_LOAD` mode (ie default) when there is both a
``StripOffsets`` and ``TileOffsets`` tag, or a ``StripByteCounts`` and
``TileByteCounts``. Fixes
:bugzilla:`2689`
* :file:`libtiff/tif_ojpeg.c`: fix potential memory leak in
:c:func:`OJPEGReadHeaderInfoSecTablesQTable`,
:c:func:`OJPEGReadHeaderInfoSecTablesDcTable` and
:c:func:`OJPEGReadHeaderInfoSecTablesAcTable`. Patch by Nicolás Peña.
Fixes :bugzilla:`2670`
* :file:`libtiff/tif_fax3.c`: avoid crash in :c:func:`Fax3Close` on empty file.
Patch by Alan Coopersmith + complement by myself. Fixes
:bugzilla:`2673`
* :file:`libtiff/tif_read.c`: :c:func:`TIFFFillStrip`: add limitation to the
number of bytes read in case ``td_stripbytecount[strip]`` is
bigger than reasonable, so as to avoid excessive memory
allocation.
* :file:`libtiff/tif_zip.c`, :file:`tif_pixarlog.c`, :file:`tif_predict.c`: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its
:c:func:`setupdecode` method, but :c:func:`PredictorSetup` fails. Credit to
OSS-Fuzz (locally run, on GDAL)
* :file:`libtiff/tif_read.c`: :c:func:`TIFFFillStrip` and :c:func:`TIFFFillTile`: avoid
excessive memory allocation in case of shorten files. Only
effective on 64 bit builds and non-mapped cases. Credit to
OSS-Fuzz (locally run, on GDAL)
* :file:`libtiff/tif_read.c`: :c:func:`TIFFFillStripPartial` / :c:func:`TIFFSeek`,
avoid potential integer overflows with read_ahead in
:c:macro:`CHUNKY_STRIP_READ_SUPPORT` mode. Should
especially occur on 32 bit platforms.
* :file:`libtiff/tif_read.c`: :c:func:`TIFFFillStripPartial`: avoid excessive
memory allocation in case of shorten files. Only effective on
64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL)
* :file:`libtiff/tif_read.c`: update :c:member:`tif_rawcc` in
:c:macro:`CHUNKY_STRIP_READ_SUPPORT` mode with :c:member:`tif_rawdataloaded` when
calling :c:func:`TIFFStartStrip` or :c:func:`TIFFFillStripPartial`. This
avoids reading beyond :c:func:`tif_rawdata` when ``bytecount >
tif_rawdatasize``. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
* :file:`libtiff/tif_color.c`: avoid potential :c:type:`int32` overflow in
:c:func:`TIFFYCbCrToRGBInit`. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
* :file:`libtiff/tif_pixarlog.c`, :file:`tif_luv.c`: avoid potential :c:type:`int32`
overflows in :c:func:`multiply_ms` and :c:func:`add_ms`. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
Credit to OSS-Fuzz
* :file:`libtiff/tif_packbits.c`: fix out-of-buffer read in
:c:func:`PackBitsDecode`. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
* :file:`libtiff/tif_luv.c`: :c:func:`LogL16InitState`: avoid excessive memory
allocation when ``RowsPerStrip`` tag is missing.
Credit to OSS-Fuzz (locally run, on GDAL)
* :file:`libtiff/tif_lzw.c`: update dec_bitsleft at beginning of
LZWDecode(), and update tif_rawcc at end of LZWDecode(). This
is needed to properly work with the latest chnges in
tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
* :file:`libtiff/tif_pixarlog.c`: :c:func:`PixarLogDecode`: resync :c:member:`tif_rawcp`
with :c:member:`next_in` and :c:member:`tif_rawcc` with :c:member:`avail_in` at beginning and end
of function, similarly to what is done in :c:func:`LZWDecode`. Likely
needed so that it works properly with latest chnges in
:file:`tif_read.c` in :c:macro:`CHUNKY_STRIP_READ_SUPPORT` mode. But untested...
* :file:`libtiff/tif_getimage.c`: :c:func:`initYCbCrConversion`: add basic
validation of :c:var:`luma` and :c:var:`refBlackWhite` coefficients (just check
they are not NaN for now), to avoid potential :c:expr:`float` to :c:expr:`int`
overflows. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
* :file:`libtiff/tif_read.c`: :c:func:`_TIFFVSetField`: fix outside range cast
of :c:expr:`double` to :c:expr:`float`. Credit to Google Autofuzz project
* :file:`libtiff/tif_getimage.c`: :c:func:`initYCbCrConversion`: check ``luma[1]``
is not zero to avoid division by zero. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
* :file:`libtiff/tif_read.c`: :c:func:`_TIFFVSetField`: fix outside range cast
of :c:expr:`double` to :c:expr:`float`. Credit to Google Autofuzz project
* :file:`libtiff/tif_getimage.c`: :c:func:`initYCbCrConversion`: check ``luma[1]``
is not zero to avoid division by zero. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
Credit to OSS Fuzz
* :file:`libtiff/tif_getimage.c`: :c:func:`initYCbCrConversion`: stricter
validation for :c:var:`refBlackWhite` coefficients values. To avoid
invalid :c:expr:`float` to :c:expr:`int32` conversion. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz
Tools changes
-------------
* :file:`tools/fax2tiff.c` (:c:func:`main`): Applied patch by Jörg Ahrens to fix
passing client data for Win32 builds using :file:`tif_win32.c`
(:c:macro:`USE_WIN32_FILEIO` defined) for file I/O. Patch was provided
via email on November 20, 2016.
* :file:`tools/tiffcp.c`: avoid :c:type:`uint32` underflow in :c:func:`cpDecodedStrips`
that can cause various issues, such as buffer overflows in the
library. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2598`
* :file:`tools/tiffcrop.c`: fix :c:func:`readContigStripsIntoBuffer` in ``-i``
(ignore) mode so that the output buffer is correctly
incremented to avoid write outside bounds. Reported by
Agostino Sarubbo. Fixes
:bugzilla:`2620`
* :file:`tools/tiffcrop.c`: add 3 extra bytes at end of strip buffer in
:c:func:`readSeparateStripsIntoBuffer` to avoid read outside of heap
allocated buffer. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2621`
* :file:`tools/tiffcrop.c`: fix integer division by zero when
``BitsPerSample`` is missing. Reported by Agostino Sarubbo.
Fixes :bugzilla:`2619`
* :file:`tools/tiffinfo.c`: fix null pointer dereference in ``-r`` mode
when the image has no ``StripByteCount`` tag. Reported by
Agostino Sarubbo. Fixes
:bugzilla:`2594`
* :file:`tools/tiffcp.c`: avoid potential division by zero if
``BitsPerSamples`` tag is missing. Reported by Agostino Sarubbo.
Fixes :bugzilla:`2597`
* :file:`tools/tif_dir.c`: when ``TIFFGetField(, TIFFTAG_NUMBEROFINKS, )``
is called, limit the return number of inks to ``SamplesPerPixel``,
so that code that parses ink names doesn't go past the end of
the buffer. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2599`
* :file:`tools/tiffcp.c`: avoid potential division by zero if
``BitsPerSamples`` tag is missing. Reported by Agostino Sarubbo.
Fixes :bugzilla:`2607`
* :file:`tools/tiffcp.c`: fix :c:type:`uint32` underflow/overflow that can cause
heap-based buffer overflow. Reported by Agostino Sarubbo.
Fixes :bugzilla:`2610`
* :file:`tools/tiffcp.c`: replace ``assert( (bps % 8) == 0 )`` by a non
assert check. Reported by Agostino Sarubbo. Fixes
:bugzilla:`2605`
* :file:`tools/tiff2ps.c`: fix 2 heap-based buffer overflows (in
:c:func:`PSDataBW` and :c:func:`PSDataColorContig`). Reported by Agostino Sarubbo.
Fixes :bugzilla:`2633` and
:bugzilla:`2634`.
* :file:`tools/tiff2pdf.c`: prevent heap-based buffer overflow in ``-j``
mode on a paletted image. Note: this fix errors out before the
overflow happens. There could probably be a better fix. Fixes
:bugzilla:`2635`
* :file:`tools/tiff2pdf.c`: fix wrong usage of :c:func:`memcpy` that can
trigger unspecified behaviour. Fixes
:bugzilla:`2638`
* :file:`tools/tiff2pdf.c`: avoid potential invalid memory read in
:c:func:`t2p_writeproc`. Fixes
:bugzilla:`2639`
* :file:`tools/tiff2pdf.c`: avoid potential heap-based overflow in
:c:func:`t2p_readwrite_pdf_image_tile`. Fixes
:bugzilla:`2640`
* :file:`tools/tiffcrop.c`: remove extraneous :c:func:`TIFFClose` in error code
path, that caused double free. Related to
:bugzilla:`2535`
* :file:`tools/tiffcp.c`: error out cleanly in :c:func:`cpContig2SeparateByRow`
and :c:func:`cpSeparate2ContigByRow` if ``BitsPerSample != 8`` to avoid heap
based overflow. Fixes
:bugzilla:`2656` and
:bugzilla:`2657`
* :file:`tools/raw2tiff.c`: avoid integer division by zero. Fixes
:bugzilla:`2631`
* :file:`tools/tiff2ps.c`: call :c:func:`TIFFClose` in error code paths.
* :file:`tools/fax2tiff.c`: emit appropriate message if the input file
is empty. Patch by Alan Coopersmith. Fixes
:bugzilla:`2672`
* :file:`tools/tiff2bw.c`: close :c:struct:`TIFF` handle in error code path. Fixes
:bugzilla:`2677`
Contributed software changes
----------------------------
None
|