From c714d5b5a73d7508f9c46da4c479164d7c5b4b85 Mon Sep 17 00:00:00 2001 From: Bob Friesenhahn Date: Sun, 21 May 2017 17:47:46 +0000 Subject: [PATCH] html/v4.0.8.html: Add description of changes targeting the 4.0.8 release. --- ChangeLog | 5 + html/Makefile.am | 3 +- html/Makefile.in | 3 +- html/man/Makefile.in | 2 - html/v4.0.8.html | 445 +++++++++++++++++++++++++++++++++++++++++++ man/Makefile.in | 2 - 6 files changed, 454 insertions(+), 6 deletions(-) create mode 100644 html/v4.0.8.html diff --git a/ChangeLog b/ChangeLog index c489160c..eeb809d4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2017-05-21 Bob Friesenhahn + + * html/v4.0.8.html: Add description of changes targeting the 4.0.8 + release. + 2017-05-20 Even Rouault * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for diff --git a/html/Makefile.am b/html/Makefile.am index 01549ba2..21fd8d9e 100644 --- a/html/Makefile.am +++ b/html/Makefile.am @@ -84,7 +84,8 @@ docfiles = \ v4.0.4.html \ v4.0.5.html \ v4.0.6.html \ - v4.0.7.html + v4.0.7.html \ + v4.0.8.html dist_doc_DATA = $(docfiles) diff --git a/html/Makefile.in b/html/Makefile.in index 3cb22e6d..82467b8f 100644 --- a/html/Makefile.in +++ b/html/Makefile.in @@ -447,7 +447,8 @@ docfiles = \ v4.0.4.html \ v4.0.5.html \ v4.0.6.html \ - v4.0.7.html + v4.0.7.html \ + v4.0.8.html dist_doc_DATA = $(docfiles) SUBDIRS = images man diff --git a/html/man/Makefile.in b/html/man/Makefile.in index 7f4648c9..eb99fd1b 100644 --- a/html/man/Makefile.in +++ b/html/man/Makefile.in @@ -383,8 +383,6 @@ docfiles = \ pal2rgb.1.html \ ppm2tiff.1.html \ raw2tiff.1.html \ - rgb2ycbcr.1.html \ - thumbnail.1.html \ tiff2bw.1.html \ tiff2pdf.1.html \ tiff2ps.1.html \ diff --git a/html/v4.0.8.html b/html/v4.0.8.html new file mode 100644 index 00000000..8b85e9c2 --- /dev/null +++ b/html/v4.0.8.html @@ -0,0 +1,445 @@ + + + + Changes in TIFF v4.0.8 + + + + + + + +TIFF CHANGE INFORMATION + + + + +

+This document describes the changes made to the software between the +previous and current versions (see above). If you don't +find something listed here, then it was not done in this timeframe, or +it was not considered important enough to be mentioned. The following +information is located here: +

+

+

+ + + +MAJOR CHANGES: + +
    + +
  • None + +
+ + +

+ + +CHANGES IN THE SOFTWARE CONFIGURATION: + +
    + +
  • None + +
+ +

+ + + +CHANGES IN LIBTIFF: + +
    + +
  • libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis + to fix cppcheck clarifyCalculation warnings * + libtiff/tif_predict.c, libtiff/tif_print.c: fix printf + unsigned vs signed formatting (cppcheck + invalidPrintfArgType_uint warnings) + +
  • libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by + zero. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +
  • libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based + buffer overflow on generation of PixarLog / LUV compressed + files, with ColorMap, TransferFunction attached and nasty + plays with bitspersample. The fix for LUV has not been + tested, but suffers from the same kind of issue of PixarLog. + Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +
  • libtiff/tif_strip.c: revert the change in + TIFFNumberOfStrips() done for + http://bugzilla.maptools.org/show_bug.cgi?id=2587 / + CVE-2016-9273 since the above change is a better fix that + makes it unnecessary. + +
  • libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() + to instanciate compute ntrips as + TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a + logic based on the total size of data. Which is faulty is the + total size of data is not sufficient to fill the whole image, + and thus results in reading outside of the + StripByCounts/StripOffsets arrays when using + TIFFReadScanline(). Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2608. + +
  • libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of + failure in OJPEGPreDecode(). This will avoid a divide by zero, + and potential other issues. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +
  • libtiff/tif_write.c: fix misleading indentation as warned by GCC. + + +
  • libtiff/tif_fax3.h: revert change done on 2016-01-09 that + made Param member of TIFFFaxTabEnt structure a uint16 to + reduce size of the binary. It happens that the Hylafax + software uses the tables that follow this typedef + (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), + although they are not in a public libtiff header. Raised by + Lee Howard. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2636 + +
  • libtiff/tiffio.h, libtiff/tif_getimage.c: add + TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of + the functions without ext, with an extra argument to control + the stop_on_error behaviour. + +
  • libtiff/tif_getimage.c: fix potential memory leaks in error + code path of TIFFRGBAImageBegin(). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2627 + +
  • libtiff/tif_jpeg.c: increase libjpeg max memory usable to 10 + MB instead of libjpeg 1MB default. This helps when creating + files with "big" tile, without using libjpeg temporary files. + Related to https://trac.osgeo.org/gdal/ticket/6757 + +
  • libtiff/tif_jpeg.c: avoid integer division by zero in + JPEGSetupEncode() when horizontal or vertical sampling is set + to 0. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 + +
  • libtiff/tif_dirwrite.c: in + TIFFWriteDirectoryTagCheckedRational, replace assertion by + runtime check to error out if passed value is strictly + negative. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2535 + +
  • libtiff/tif_dirread.c: avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and + TIFFReadDirEntryCheckedSrational(), and return 0 in that case + (instead of infinity as before presumably) Apparently some + sanitizers do not like those divisions by zero. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2644 + +
  • libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement + various clampings of double to other data types to avoid + undefined behaviour if the output range isn't big enough to + hold the input value. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2643 + http://bugzilla.maptools.org/show_bug.cgi?id=2642 + http://bugzilla.maptools.org/show_bug.cgi?id=2646 + http://bugzilla.maptools.org/show_bug.cgi?id=2647 + +
  • libtiff/tif_jpeg.c: validate BitsPerSample in + JPEGSetupEncode() to avoid undefined behaviour caused by + invalid shift exponent. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2648 + +
  • libtiff/tif_read.c: avoid potential undefined behaviour on + signed integer addition in TIFFReadRawStrip1() in isMapped() + case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 + +
  • libtiff/tif_getimage.c: add explicit uint32 cast in + putagreytile to avoid UndefinedBehaviorSanitizer warning. + Patch by Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2658 + +
  • libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() + to zero initialize tif_rawdata. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2651 + +
  • libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add + _TIFFcalloc() + +
  • libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in + Encode functions instead of -1 when TIFFFlushData1() fails. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130 + +
  • libtiff/tif_ojpeg.c: fix leak in + OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by + Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2659 + +
  • libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if + the YCbCrSubsampling tag is not explicitly present. This helps + a bit to reduce the I/O amount when the tag is present + (especially on cloud hosted files). + +
  • libtiff/tif_lzw.c: in LZWPostEncode(), increase, if + necessary, the code bit-width after flushing the remaining + code and before emitting the EOI code. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=1982 + +
  • libtiff/tif_pixarlog.c: fix memory leak in error code path of + PixarLogSetupDecode(). Patch by Nicolás Peña. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2665 + +
  • libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 + -Wimplicit-fallthrough warnings. + +
  • libtiff/tif_dirread.c: fix memory leak in non + DEFER_STRILE_LOAD mode (ie default) when there is both a + StripOffsets and TileOffsets tag, or a StripByteCounts and + TileByteCounts Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2689 + +
  • libtiff/tif_ojpeg.c: fix potential memory leak in + OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and + OJPEGReadHeaderInfoSecTablesAcTable Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 + +
  • libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. + Patch by Alan Coopersmith + complement by myself. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2673 + +
  • libtiff/tif_read.c: TIFFFillStrip(): add limitation to the + number of bytes read in case td_stripbytecount[strip] is + bigger than reasonable, so as to avoid excessive memory + allocation. + +
  • libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory + leak when the underlying codec (ZIP, PixarLog) succeeds its + setupdecode() method, but PredictorSetup fails. Credit to + OSS-Fuzz (locally run, on GDAL) + +
  • libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid + excessive memory allocation in case of shorten files. Only + effective on 64 bit builds and non-mapped cases. Credit to + OSS-Fuzz (locally run, on GDAL) + +
  • libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), + avoid potential integer overflows with read_ahead in + CHUNKY_STRIP_READ_SUPPORT mode. Should + especially occur on 32 bit platforms. + +
  • libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive + memory allocation in case of shorten files. Only effective on + 64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL) + +
  • libtiff/tif_read.c: update tif_rawcc in + CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when + calling TIFFStartStrip() or TIFFFillStripPartial(). This + avoids reading beyond tif_rawdata when bytecount > + tif_rawdatasize. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + +
  • libtiff/tif_color.c: avoid potential int32 overflow in + TIFFYCbCrToRGBInit() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 + Credit to OSS-Fuzz + +
  • libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 + overflows in multiply_ms() and add_ms(). Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 + Credit to OSS-Fuzz + +
  • libtiff/tif_packbits.c: fix out-of-buffer read in + PackBitsDecode() Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + +
  • libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Credit to OSS-Fuzz (locally run, on GDAL) + +
  • libtiff/tif_lzw.c: update dec_bitsleft at beginning of + LZWDecode(), and update tif_rawcc at end of LZWDecode(). This + is needed to properly work with the latest chnges in + tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. + +
  • libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp + with next_in and tif_rawcc with avail_in at beginning and end + of function, similarly to what is done in LZWDecode(). Likely + needed so that it works properly with latest chnges in + tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. But untested... + +
  • libtiff/tif_getimage.c: initYCbCrConversion(): add basic + validation of luma and refBlackWhite coefficients (just check + they are not NaN for now), to avoid potential float to int + overflows. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + +
  • libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast + of double to float. Credit to Google Autofuzz project + +
  • libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] + is not zero to avoid division by zero. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + +
  • libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast + of double to float. Credit to Google Autofuzz project + +
  • libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] + is not zero to avoid division by zero. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + +
  • libtiff/tif_getimage.c: initYCbCrConversion(): stricter + validation for refBlackWhite coefficients values. To avoid + invalid float->int32 conversion. Fixes + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + +
+ +

+ + + +CHANGES IN THE TOOLS: + +
    + +
  • tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix + passing client data for Win32 builds using tif_win32.c + (USE_WIN32_FILEIO defined) for file I/O. Patch was provided + via email on November 20, 2016. + +
  • tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips + that can cause various issues, such as buffer overflows in the + library. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2598 + +
  • tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i + (ignore) mode so that the output buffer is correctly + incremented to avoid write outside bounds. Reported by + Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +
  • tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap + allocated buffer. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +
  • tools/tiffcrop.c: fix integer division by zero when + BitsPerSample is missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +
  • tools/tiffinfo.c: fix null pointer dereference in -r mode + when the image has no StripByteCount tag. Reported by + Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2594 + +
  • tools/tiffcp.c: avoid potential division by zero is + BitsPerSamples tag is missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + +
  • tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) + is called, limit the return number of inks to SamplesPerPixel, + so that code that parses ink names doesn't go past the end of + the buffer. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2599 + +
  • tools/tiffcp.c: avoid potential division by zero is + BitsPerSamples tag is missing. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + +
  • tools/tiffcp.c: fix uint32 underflow/overflow that can cause + heap-based buffer overflow. Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +
  • tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non + assert check. Reported by Agostino Sarubbo. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +
  • tools/tiff2ps.c: fix 2 heap-based buffer overflows (in + PSDataBW and PSDataColorContig). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and + http://bugzilla.maptools.org/show_bug.cgi?id=2634. + +
  • tools/tiff2pdf.c: prevent heap-based buffer overflow in -j + mode on a paletted image. Note: this fix errors out before the + overflow happens. There could probably be a better fix. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2635 + +
  • tools/tiff2pdf.c: fix wrong usage of memcpy() that can + trigger unspecified behaviour. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2638 + +
  • tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2639 + +
  • tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +
  • tools/tiffcrop.c: remove extraneous TIFFClose() in error code + path, that caused double free. Related to + http://bugzilla.maptools.org/show_bug.cgi?id=2535 + +
  • tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow + and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap + based overflow. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + +
  • tools/raw2tiff.c: avoid integer division by zero. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2631 + +
  • tools/tiff2ps.c: call TIFFClose() in error code paths. + +
  • tools/fax2tiff.c: emit appropriate message if the input file + is empty. Patch by Alan Coopersmith. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2672 + +
  • tools/tiff2bw.c: close TIFF handle in error code path. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2677 + +
+ +

+ + + +CHANGES IN THE CONTRIB AREA: + +
    + +
  • None + +
+ +Last updated $Date: 2017-05-21 17:47:46 $. + + + diff --git a/man/Makefile.in b/man/Makefile.in index 3f19b8c3..212905b6 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -335,8 +335,6 @@ dist_man1_MANS = \ pal2rgb.1 \ ppm2tiff.1 \ raw2tiff.1 \ - rgb2ycbcr.1 \ - thumbnail.1 \ tiff2bw.1 \ tiff2pdf.1 \ tiff2ps.1 \