<HTML>
<HEAD>
<TITLE>
Changes in TIFF v4.0.4beta
</TITLE>
</HEAD>

<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">

<BASEFONT SIZE=4>
<FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION
<BASEFONT SIZE=3>

Current Version: v4.0.4beta
Previous Version: v4.0.3
Master FTP Site: download.osgeo.org, directory pub/libtiff
Master HTTP Site: http://www.simplesystems.org/libtiff/

This document describes the changes made to the software between the
previous and current versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:

Major Changes
Changes in the software configuration
Changes in libtiff
Changes in the tools
Changes in the contrib area

<FONT SIZE=+3>M</FONT>AJOR CHANGES:

None

<FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:

Updated to use Automake 1.15 and Libtool 2.4.5

<FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:

TIFFCheckDirOffset(): avoid uint16 overflow when reading more than 65535 directories, and effectively error out when reaching that limit.

TIFFNumberOfDirectories(): generate error in case of directory count overflow.

TIFFAdvanceDirectory(): If nextdir is found to be defective, then set it to zero before returning error in order to terminate processing of truncated TIFF.

JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10 markers to avoid emitting a warning. Fix for compatibility with mozjpeg library. Note: the default settings of mozjpeg will produce progressive scans, which is forbidden by the TechNote.

JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused all tiles/strips to include quantization tables even when the jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add explicit removal of Huffman tables when jpegtablesmode has the JPEGTABLESMODE_HUFF bit set, which prevents Huffman tables from being emitted in the first tile/strip (only useful in update scenarios; create-only was fine).

JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on corrupted image where tif->tif_dir.td_stripoffset == NULL. (#2471)

NeXT codec: add new tests to check that we don't read outside of the compressed input stream buffer.

NeXT codec: check that BitsPerSample = 2. Fixes #2487 (CVE-2014-8129)

NeXT codec: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash

tif_getimage.c: in OJPEG case, fix checks on strile width/height in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and putcontig8bitYCbCr21tile cases.

In TIFFDefaultDirectory(), reset any already existing extended tags installed by user code through the extender mechanism before calling the extender callback (GDAL #5054)

Fix warnings about unused parameters.

Fix various typos in comments found by Debian lintian tool (GDAL #5756)

tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling. (#2235)

tif_dirread.c: In EstimateStripByteCounts(), check return code of _TIFFFillStriles(). This solves crashing bug on corrupted images generated by afl.

tif_read.c: fix several invalid comparisons of a uint64 value with <= 0 by casting it to int64 first. This solves crashing bug on corrupted images generated by afl.

TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory

TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1

TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8

tif_config.vc.h: no longer use "#define snprintf _snprintf" with Visual Studio 2015 aka VC 14 aka MSVC 1900

LZW codec: prevent potential null dereference of sp->dec_codetab in LZWPreDecode (#2459)

TIFFReadBufferSetup(): avoid passing -1 size to TIFFmalloc() if passed user buffer size is 0 (#2459)

TIFFReadDirEntryOutputErr(): Incorrect count for tag should be a warning rather than an error since errors terminate processing.

tif_dirinfo.c (TIFFField): Fix data type for TIFFTAG_GLOBALPARAMETERSIFD tag.

Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags (#2457)

tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that weren't large enough, and eliminate substantially all uses of sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...)

configure.ac: Improve pkg-config static linking by adding -lm to Libs.private when needed.

tif_write.c: tmsize_t related casting warning fixed for 64-bit Linux.

tif_read.c: uint64/tmsize_t change for MSVC warnings. (#2427)

Fix TIFFPrintDirectory's handling of field_passcount fields: it had the TIFF_VARIABLE and TIFF_VARIABLE2 cases backwards.

PixarLog codec: Improve previous patch for CVE-2012-4447 (to enlarge tbuf for possible partial stride at end) so that overflow in the integer addition is detected.

tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require malloc() to return NULL pointer if requested allocation size is zero. Assure that _TIFFmalloc does.

tif_zip.c: Avoid crash on NULL error messages.

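
The directory-chain fixes above (the 65535-directory limit in TIFFCheckDirOffset() and TIFFNumberOfDirectories(), and stopping on a defective next-directory offset) are illustrated by the following added example, which is not libtiff code. The names dir_walker, check_dir_offset and count_directories are hypothetical, and the file is modelled as a constructed in-memory array of next-directory offsets; the same visited-offset check also catches a cycle in directory chaining, which this release teaches tiffdump to detect.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIRS 65535u   /* largest value a uint16 directory counter can hold */
/* Hypothetical walker state: offsets of the directories visited so far. */
typedef struct { uint64_t *seen; uint16_t count; } dir_walker;

/* 1: offset is new and was recorded; 0: end of chain (offset 0);
 * -1: cycle, counter limit reached, or allocation failure. */
static int check_dir_offset(dir_walker *w, uint64_t off)
{
    if (off == 0) return 0;
    if (w->count == MAX_DIRS)
        return -1;                      /* error out before count++ wraps to 0 */
    for (uint16_t n = 0; n < w->count; n++)
        if (w->seen[n] == off)
            return -1;                  /* offset already visited: cycle */
    uint64_t *p = realloc(w->seen, ((size_t)w->count + 1) * sizeof *p);
    if (p == NULL)
        return -1;
    w->seen = p;
    w->seen[w->count++] = off;
    return 1;
}

/* Constructed model of a file: next_off[i] is the next-directory offset stored
 * in the directory at offset i. Returns the directory count, or -1 on error. */
static int count_directories(const uint64_t *next_off, size_t n, uint64_t first)
{
    dir_walker w = { NULL, 0 };
    uint64_t off = first;
    int rc;
    while ((rc = check_dir_offset(&w, off)) == 1) {
        if (off >= n) { rc = -1; break; }   /* defective offset: stop walking */
        off = next_off[off];
    }
    free(w.seen);
    return rc == 0 ? (int)w.count : -1;
}

int main(void)
{
    static const uint64_t good[]   = { 0, 2, 3, 0 };  /* 1 -> 2 -> 3 -> end  */
    static const uint64_t looped[] = { 0, 2, 3, 1 };  /* 1 -> 2 -> 3 -> 1    */
    static const uint64_t cut[]    = { 0, 2, 9 };     /* 2 points past "EOF" */
    printf("%d %d %d\n", count_directories(good, 4, 1),
           count_directories(looped, 4, 1), count_directories(cut, 3, 1));
}
```
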
<FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:

tiff2pdf: Fix various crashes and memory buffer access errors (oCERT-2014-013).

tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images. (#2445)

tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image. (#2443)

tiff2pdf: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL

tiff2pdf: fix crash due to invalid tile count.

tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB

tiff2pdf: Assure that memory size calculations for _TIFFmalloc() do not overflow the range of tmsize_t.

tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one channel, with the other two channels set to NULL.

tiff2pdf: close PDF file. (#2479)

tiff2pdf: Preserve input file directory order when pages are tagged with the same page number.

tiff2pdf.c: terminate after failure of allocating ycbcr buffer (#2449 CVE-2013-4232)

tiff2pdf: Rewrite JPEG marker parsing in t2p_process_jpeg_strip to be at least marginally competent. The approach is still fundamentally flawed, but at least now it won't stomp all over memory when given bogus input. Fixes CVE-2013-1960.

tiffdump: Guard against arithmetic overflow when calculating allocation buffer sizes.

tiffdump: fix crash due to overflow of entry count.

tiffdump: Fix double-free bug.

tiffdump: detect cycle in TIFF directory chaining. (#2463)

tiffdump: avoid passing a NULL pointer to read() if seek() failed before. (#2459)

tiff2bw: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that. (#2485, CVE-2014-8127)

pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying. (#2484, CVE-2014-8127)

thumbnail: fix out-of-buffer write. (#2489, CVE-2014-8128)

thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4. (#2493, CVE-2014-8128)

tiffcp: fix crash when converting YCbCr JPEG-compressed to none. (#2480)

bmp2tiff: fix crash due to int overflow related to input BMP dimensions

tiffcrop: fix crash due to invalid TileWidth/TileHeight

tiffcrop: fix segfault if bad value passed to -Z option (#2459) and add missing va_end in dump_info

thumbnail, tiffcrop: "fix" heap read over-run found with Valgrind and Address Sanitizer on test suite

fax2ps: check malloc()/realloc() result. (#2470)

gif2tiff: apply patch for CVE-2013-4243. (#2451)

gif2tiff: fix possible OOB write. (#2452, CVE-2013-4244)

gif2tiff: Be more careful about corrupt or hostile input files (#2450, CVE-2013-4231)

tiff2rgba: fix usage message in that zip was wrongly described

tiffinfo: Default various values fetched with TIFFGetField() to avoid being uninitialized.

tiff2ps: Fix bug in auto rotate option code.

ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564). Check the linebytes calculation too, get the max() calculation straight, avoid redundant error messages, check for malloc failure.

tiffset: now supports a -u option to unset a tag. (#2419)

Fix warnings about unused parameters.

rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither: Enlarge some fixed-size buffers that weren't large enough, and eliminate substantially all uses of sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...), so as to protect against overflow of fixed-size buffers. This responds in particular to CVE-2013-1961 concerning overflow in tiff2pdf.c's t2p_write_pdf_page().

html/man/tiff2ps.1.html, html/man/tiffcp.1.html, html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1, man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c, tools/tiffdither.c: Sync tool usage printouts and man pages with reality

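
Several entries in this release concern allocation sizes: _TIFFmalloc() returning NULL for a zero-size request, the PixarLog addition overflow check, and the tiff2pdf and tiffdump size calculations. The added example below (not libtiff code) shows those checks together; msize_t, alloc_size, checked_malloc and alloc_image_buffer are hypothetical names, with msize_t standing in for a signed size type such as tmsize_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t msize_t;      /* hypothetical signed size type (assumption) */
#define MSIZE_MAX INT64_MAX

/* Computes rows * stride + extra into *out. Returns 0 on success, -1 if an
 * operand is negative or the product or the sum leaves the msize_t range. */
static int alloc_size(msize_t rows, msize_t stride, msize_t extra, msize_t *out)
{
    if (rows < 0 || stride < 0 || extra < 0)
        return -1;
    if (stride != 0 && rows > MSIZE_MAX / stride)
        return -1;                          /* multiplication would overflow */
    msize_t prod = rows * stride;
    if (prod > MSIZE_MAX - extra)
        return -1;                          /* addition would overflow */
    *out = prod + extra;
    return 0;
}

/* malloc() wrapper that always returns NULL for a zero or negative size,
 * so NULL uniformly means "no usable buffer" on every C library. */
static void *checked_malloc(msize_t size)
{
    if (size <= 0 || (uint64_t)size > SIZE_MAX)
        return NULL;
    return malloc((size_t)size);
}

/* Allocates rows * stride + extra bytes, or returns NULL on any bad size. */
static void *alloc_image_buffer(msize_t rows, msize_t stride, msize_t extra)
{
    msize_t size;
    if (alloc_size(rows, stride, extra, &size) != 0)
        return NULL;
    return checked_malloc(size);
}

int main(void)
{
    void *ok  = alloc_image_buffer(4, 16, 8);           /* 72 bytes */
    void *bad = alloc_image_buffer(INT64_MAX, 2, 0);    /* rejected */
    printf("%d %d\n", ok != NULL, bad == NULL);
    free(ok);
}
```
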
<FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:

Fix warnings about variables set but not used.

contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that weren't large enough, and eliminate substantially all uses of sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...), so as to protect against overflow of fixed-size buffers.

Last updated $Date: 2016-09-25 20:05:47 $.

</BODY>
</HTML>