<HTML>
<HEAD>
<TITLE>
Changes in TIFF v4.0.7
</TITLE>
</HEAD>

<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">

<BASEFONT SIZE=4>
<FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION
<BASEFONT SIZE=3>

Current Version: v4.0.7
Previous Version: v4.0.6
Master FTP Site: download.osgeo.org, directory pub/libtiff
Master HTTP Site #1: http://www.simplesystems.org/libtiff/
Master HTTP Site #2: http://libtiff.maptools.org/

This document describes the changes made to the software between the
previous and current versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:

Major Changes
Changes in the software configuration
Changes in libtiff
Changes in the tools
Changes in the contrib area

<FONT SIZE=+3>M</FONT>AJOR CHANGES:

The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff,
sgisv, and ycbcr are completely removed from the distribution.
These tools were written in the late 1980s and early 1990s for
test and demonstration purposes. In some cases the tools were
never updated to support updates to the file format, or the
file formats are now rarely used. In all cases these tools
increased the libtiff security and maintenance exposure beyond
the value offered by the tool.

<FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:

None

<FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:

libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not
dereference NULL pointer when values of tags with
TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are
0-byte arrays. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
introduced by previous fix done on 2016-11-11 for
CVE-2016-9297). Reported by Henri Salo. Assigned as
CVE-2016-9448.

libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted() when
requesting the Predictor tag while the zip/lzw codec is not
configured. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2591

libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure
that values of tags with TIFF_SETGET_C16_ASCII /
TIFF_SETGET_C32_ASCII access are null terminated, to avoid
potential read outside buffer in _TIFFPrintField(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2590
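
The two TIFFFetchNormalTag() entries above describe one guarantee: an ASCII tag value is NUL-terminated before anything treats it as a string, and a 0-byte value is handled without reading its last byte. The following C code is an added example, not libtiff's own code; `ascii_tag_terminated`, `terminated_len` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of an ASCII tag value as fetched from a file: `count` bytes at
 * `data`, with data == NULL when count == 0. Hypothetical names; this is
 * not libtiff's internal API.
 * Returns a heap copy that always ends in NUL (caller frees), or NULL on
 * inconsistent input or allocation failure. *out_len receives the size of
 * the copy including the terminator. */
char *ascii_tag_terminated(const char *data, uint32_t count, uint32_t *out_len)
{
    char *copy;

    if (count == 0) {
        /* 0-byte array: data may be NULL, so data[count - 1] must never
         * be evaluated. Hand back an empty string instead. */
        copy = calloc(1, 1);
        if (copy)
            *out_len = 1;
        return copy;
    }
    if (data == NULL || count == UINT32_MAX)
        return NULL;                 /* inconsistent, or count + 1 wraps */

    /* Reserve one extra byte only when the file omitted the terminator. */
    uint32_t need = (data[count - 1] == '\0') ? count : count + 1;
    copy = malloc(need);
    if (copy == NULL)
        return NULL;
    memcpy(copy, data, count);
    copy[need - 1] = '\0';
    *out_len = need;
    return copy;
}

/* Constructed sample values: one without and one with a terminator. */
static const char SAMPLE_UNTERMINATED[3] = {'A', 'B', 'C'};
static const char SAMPLE_TERMINATED[3]   = {'h', 'i', '\0'};

/* Returns the terminated size for an input, or 0 if it was rejected. */
static uint32_t terminated_len(const char *data, uint32_t count)
{
    uint32_t len = 0;
    char *s = ascii_tag_terminated(data, count, &len);
    if (s == NULL)
        return 0;
    /* strlen() is safe here: the copy is guaranteed to contain a NUL. */
    if (strlen(s) >= len)
        len = 0;
    free(s);
    return len;
}

int main(void)
{
    printf("0-byte value      -> %u\n", (unsigned)terminated_len(NULL, 0));
    printf("unterminated ABC  -> %u\n",
           (unsigned)terminated_len(SAMPLE_UNTERMINATED, 3));
    printf("terminated hi     -> %u\n",
           (unsigned)terminated_len(SAMPLE_TERMINATED, 3));
    printf("NULL with count 5 -> %u\n", (unsigned)terminated_len(NULL, 5));
    return 0;
}
```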

libtiff/tif_dirread.c: reject images with OJPEG compression
that have no TileOffsets/StripOffsets tag, when OJPEG
compression is disabled. Prevent null pointer dereference in
TIFFReadRawStrip1() and other functions that expect
td_stripbytecount to be non NULL. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2585

libtiff/tif_strip.c: make TIFFNumberOfStrips() return the
td->td_nstrips value when it is non-zero, instead of
recomputing it. This is needed in TIFF_STRIPCHOP mode where
td_nstrips is modified. Fixes a read outside of array in
tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
(CVE-2016-9273)

libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
assertions by runtime checks to avoid assertions in debug
mode, or buffer overflows in release mode. Can happen when
dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations

libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading an
OJPEG compressed image with a missing SamplesPerPixel tag, and
whose photometric is RGB or YCbCr, forcing SamplesPerPixel
to be 3). Otherwise when rewriting the directory (for example
with tiffset), we will expect 3 values whereas the array had
been allocated with just one, thus causing an out of bound
read access. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

libtiff/tif_dirwrite.c: avoid null pointer dereference on
td_stripoffset when writing directory, if FIELD_STRIPOFFSETS
was artificially set for a hack case in OJPEG case. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.

libtiff/tif_predict.c (PredictorSetup): Enforce
bits-per-sample requirements of floating point predictor (3).
Fixes CVE-2016-3622 "Divide By Zero in the tiff2rgba tool."

libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.

libtiff/tif_write.c: fix issue in error code path of
TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp
members. I'm not completely sure if that could happen in
practice outside of the odd behaviour of t2p_seekproc() of
tiff2pdf. The report points out that a better fix could be to
check the return value of TIFFFlushData1() in places where it
isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal
Chauhan & Suha Can from the MSRC Vulnerabilities & Mitigations
team.

libtiff/tif_pixarlog.c: Fix write buffer overflow in
PixarLogEncode if more input samples are provided than
expected by PixarLogSetupEncode. Idea based on
libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with
different and simpler check. (bugzilla #2544)

libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped
files in TIFFReadRawStrip1() and TIFFReadRawTile1() when
stripoffset is beyond tmsize_t max value (reported by Mathias
Svensson)

libtiff/tif_read.c: make TIFFReadEncodedStrip() and
TIFFReadEncodedTile() directly use user provided buffer when
no compression (and other conditions) to save a memcpy().

libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() directly use user provided buffer when
no compression to save a memcpy().

libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images
when using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by
Mathias Svensson) (CVE-2016-5875)

libtiff/libtiff.def: Added _TIFFMultiply32 and
_TIFFMultiply64 to libtiff.def

libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the
HAVE_SNPRINTF definition.

libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by
Edward Lam to define HAVE_SNPRINTF for Visual Studio 2015.

libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD,
fix regression, introduced on 2014-12-23, when reading a
one-strip file without a StripByteCounts tag. GDAL #6490

libtiff/*: upstream typo fixes (mostly contributed by Kurt
Schwehr) coming from GDAL internal libtiff

libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt
structure a uint16 to reduce size of the binary.

libtiff/tif_read.c, tif_dirread.c: fix indentation issues
raised by GCC 6 -Wmisleading-indentation

libtiff/tif_pixarlog.c: avoid passing a NULL string from zlib
error messages to the %s formatter, which is undefined
behaviour in sprintf().

libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)

libtiff/tif_luv.c: fix potential out-of-bound writes in
decode functions in non debug builds by replacing assert()s by
regular if checks (bugzilla #2522). Fix potential
out-of-bound reads in case of short input data.
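
The tif_predict.c and tif_luv.c entries above both replace assert() with run-time checks, because an assert compiled out with -DNDEBUG leaves release builds without the size test. The following C code is an added example, not libtiff's own code: a simplified 8-bit horizontal-differencing decoder whose size precondition is an if; `hor_acc8_checked`, the demo functions and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Undo 8-bit horizontal differencing in place. Each byte was stored as the
 * difference from the byte `stride` positions earlier (stride = samples per
 * pixel). Returns 1 on success, 0 when the geometry is invalid.
 * Simplified model with hypothetical names, not libtiff's own function. */
int hor_acc8_checked(uint8_t *buf, size_t cc, size_t stride)
{
    uint8_t *cp = buf;
    size_t remaining;

    /* Writing this precondition as assert((cc % stride) == 0) protects
     * debug builds only: with -DNDEBUG the assert disappears and the
     * pixel-at-a-time loop below walks past the end of buf. */
    if (stride == 0 || (cc % stride) != 0)
        return 0;
    if (cc == 0)
        return 1;

    remaining = cc - stride;         /* first pixel is stored verbatim */
    while (remaining > 0) {
        for (size_t s = 0; s < stride; s++, cp++)
            cp[stride] = (uint8_t)(cp[stride] + cp[0]);
        remaining -= stride;         /* exact: cc is a multiple of stride */
    }
    return 1;
}

/* Constructed sample: two RGB pixels (10,20,30) and (13,18,35), stored
 * differenced, so the second pixel holds (+3,-2,+5) modulo 256. */
static const uint8_t SAMPLE_DIFFERENCED[6] = {10, 20, 30, 3, 254, 5};
static const uint8_t SAMPLE_EXPECTED[6]    = {10, 20, 30, 13, 18, 35};

/* Returns 1 if a well-formed row decodes to the expected pixels. */
int demo_valid_row(void)
{
    uint8_t row[6];
    memcpy(row, SAMPLE_DIFFERENCED, sizeof row);
    return hor_acc8_checked(row, sizeof row, 3) &&
           memcmp(row, SAMPLE_EXPECTED, sizeof row) == 0;
}

/* Returns 1 if a row whose size is not a multiple of the stride is
 * rejected and left untouched. */
int demo_truncated_row(void)
{
    uint8_t row[6];
    memcpy(row, SAMPLE_DIFFERENCED, sizeof row);
    return hor_acc8_checked(row, 5, 3) == 0 &&
           memcmp(row, SAMPLE_DIFFERENCED, sizeof row) == 0;
}

int main(void)
{
    printf("valid row decoded: %d\n", demo_valid_row());
    printf("truncated row rejected: %d\n", demo_truncated_row());
    return 0;
}
```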

libtiff/tif_getimage.c: fix out-of-bound reads in
TIFFRGBAImage interface in case of unsupported values of
SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit
call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix
CVE-2015-8665 reported by limingxing and CVE-2015-8683
reported by zzf of Alibaba.

libtiff/tif_dirread.c: workaround false positive warning of
Clang Static Analyzer about null pointer dereference in
TIFFCheckDirOffset().

libtiff/tif_fax3.c: remove dead assignment in
Fax3PutEOLgdal(). Found by Clang Static Analyzer

libtiff/tif_dirwrite.c: fix truncation to 32 bit of file
offsets in TIFFLinkDirectory() and TIFFWriteDirectorySec()
when aligning directory offsets on an even offset (affects
BigTIFF). This was a regression of the changeset of
2015-10-19.

libtiff/tif_write.c: TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() should return -1 in case of failure of
tif_encodestrip() as documented

libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in
case of failure so that the above-mentioned functions detect
the error.

libtiff/*.c: fix MSVC warnings related to cast shortening and
assignment within conditional expression

libtiff/*.c: fix clang -Wshorten-64-to-32 warnings

libtiff/tif_dirread.c: prevent reading ColorMap or
TransferFunction if BitsPerPixel > 24, so as to avoid huge
memory allocation and file read attempts

libtiff/tif_dirread.c: remove duplicated assignment (reported
by Clang static analyzer)

libtiff/tif_dir.c, libtiff/tif_dirinfo.c,
libtiff/tif_compress.c, libtiff/tif_jpeg_12.c: suppress
warnings about 'no previous declaration/prototype'

libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants
by U to fix 'warning: negative integer implicitly converted to
unsigned type' warning (part of -Wconversion)

libtiff/tif_dir.c, libtiff/tif_dirread.c,
libtiff/tif_getimage.c, libtiff/tif_print.c: fix -Wshadow
warnings (only in libtiff/)

<FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:

tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed
from the distribution. The libtiff tools rgb2ycbcr and
thumbnail are only built in the build tree for testing. Old
files are put in a new 'archive' subdirectory of the source
repository, but not in distribution archives. These changes
are made in order to lessen the maintenance burden.

tools/tiff2pdf.c: avoid undefined behaviour related to
overlapping of source and destination buffer in memcpy() call
in t2p_sample_rgbaa_to_rgb(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2577

tools/tiff2pdf.c: fix potential integer overflows on 32 bit
builds in t2p_read_tiff_size(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2576

tools/fax2tiff.c: fix segfault when specifying -r without
argument. Patch by Yuriy M. Kaminskiy. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2572

tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer
overflows. Reported by Henri Salo from Nixu Corporation.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592

tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel
Souchet & Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.

tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on
JPEG compressed images. Reported by Tyler Bohan of Cisco Talos
as TALOS-CAN-0187 / CVE-2016-5652. Also prevents writing 2
extra uninitialized bytes to the file stream.

tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
tile width vs image width. Reported as MSVR 35103
by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.

tools/tiff2pdf.c: fix read -largely- outside of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a
JPEG compressed image with TIFFTAG_JPEGTABLES length being
one. Reported as MSVR 35101 by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.

tools/tiffcp.c: fix read of undefined variable in case of
missing required tags. Found on test case of MSVR 35100.

tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably
not a security issue but I can be wrong. Reported as MSVR
35100 by Axel Souchet from the MSRC Vulnerabilities &
Mitigations team.

tools/tiffcrop.c: fix various out-of-bounds write
vulnerabilities in heap or stack allocated buffers. Reported
as MSVR 35093, MSVR 35096 and MSVR 35097. Discovered by Axel
Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.

tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocated buffer in t2p_process_jpeg_strip(). Reported as
MSVR 35098. Discovered by Axel Souchet and Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations team.

tools/tiff2bw.c: fix weight computation that could result in
color value overflow (no security implication). Fix bugzilla
#2550. Patch by Frank Freudenberg.

tools/rgb2ycbcr.c: validate values of -v and -h parameters to
avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)

tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
From patch libtiff-CVE-2016-3991.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla
#2543)

tools/tiff2rgba.c: Fix integer overflow in size of allocated
buffer, when -b mode is enabled, that could result in
out-of-bounds write. Based initially on patch
tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm
by Nikola Forro, with correction for invalid tests that
rejected valid files. (bugzilla #2545)

tools/tiffcrop.c: Avoid access outside of stack allocated
array on a tiled separate TIFF with more than 8 samples per
pixel. Reported by Kaixiang Zhang of the Cloud Security Team,
Qihoo 360 (CVE-2016-5321 / CVE-2016-5323, bugzilla #2558 /
#2559)

tools/tiffdump.c: fix a few misaligned 64-bit reads warned by
-fsanitize

tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
_TIFFmalloc() argument which resulted in Coverity report.
Added more multiplication overflow checks.

<FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:

None

Last updated $Date: 2016-11-19 17:47:40 $.

</BODY>
</HTML>