Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data intepreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
tag can return one channel, with the other two channels set to
NULL. The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel. Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
sp->dec_codetab in LZWPreDecode (bug #2459)
* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)
* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)
* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)
* tools/tiff2pdf.c: close PDF file (bug #2479)
* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)
* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)
* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)
* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
Date: Thu, 18 Jul 2013 14:36:47 -0400
Here's a patch to correct an issue with creating G4-compressed PDFs.
The issue is caused by == being used to compare bitfields when only
one bit is intended to be compared. Some of the tiffs I have had both
T2P_CS_ICCBASED and T2P_CS_BILEVEL set; therefore, the current code
will fail, producing certain pages that are inverted.
The patch follows, and is also attached.
--David
rotation angle was set by the auto rotate check, it was retained
for all pages that followed instead of being retested for each
page. Patch by Richard Nolde.
some TIFF/FX support in libtiff. Add the tag definitions to
tiff.h. Add the related TIFF field definitions to tif_dirinfo.c,
and also fixes an error in a comment. Adds the photometric values
to tif_print.c, and fixes a bug. These changes are by Steve
Underwood.
* libtiff/tif_write.c: Fix bug rewriting image tiles in a
the run-time target whereas target is used to specify the final
output target if the package is a build tool (like a compiler),
which libtiff is not. Resolves libtiff bug 2307 "Use
AC_CANONICAL_HOST macro".
TIFF_UINT64_FORMAT appropriately for MinGW32.
* tools/tiffdump.c (ReadDirectory): MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.
* libtiff/{tif_dumpmode.c,tif_luv.c,tif_lzw.c,tif_print.c,
tif_read.c,tif_strip.c,tif_thunder.c}: MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.
* tools/tiff2pdf.c (t2p_write_pdf_string): Fix printf syntax not
understood by WIN32 CRT.
* tools/fax2ps.c (main): Use tmpfile() rather than mkstemp() since
it is much more portable. Tmpfile is included in ISO/IEC
9899:1990 and the WIN32 CRT.
* libtiff/tif_ojpeg.c: fix crash when reading a TIFF with a zero
or missing byte-count tag
* tools/tiffsplit.c: abort when reading a TIFF without a byte-count
per http://bugzilla.maptools.org/show_bug.cgi?id=1996
* tools/tiff2ps.c: improvements and enhancements from Richard Nolde
with additional command line options for Document Title,
Document Creator, and Page Orientation
European page size dimensions. Added an option to allow the user
to specify a custom page size on the command line. Fix the case
where a page size specified with a fractional part was being
coerced to an integer by retyping the variables that define the
paper size.
CVE-2010-1411 was not complete.
* libtiff/tiffiop.h (TIFFSafeMultiply): New macro to safely
multiply two integers. Returns zero if there is an integer
overflow.
* tools/tiffcp.c (main): tiffcp should not leak memory if an error
is reported when reading the input file.
* libtiff/tif_fax3.c (Fax3SetupState): Avoid under-allocation of
buffer due to integer overflow in TIFFroundup() and several other
potential overflows. In conjunction with the fix to TIFFhowmany(),
fixes CVE-2010-1411.
* libtiff/tiffiop.h (TIFFhowmany): Return zero if parameters would
result in an integer overflow. This causes TIFFroundup() to also
return zero if there would be an integer overflow.
when the tag count value is zero. Error handling is still a
regression since in 3.9.2, empty tags are skipped (with a warning)
rather than returning a hard error and refusing to read the file.
* tools/ppm2tiff.c (main): While case for parsing comment line
requires extra parenthesis to work as expected. Reported by
Thomas Sinclair.
the JPEG TIFF as is is not required in order to prevent it from
being unused and filled with invalid data. (Leave it to be
generated by later activity.)
* tools/tiff2pdf.c: Write the JPEG SOI headers into the TIFF strip
data rather than skipping them. This fixes the ability to view in
Acrobat Reader, Evince, and Ghostscript.
Nolde. Major updates to add significant functionality for reading
and writing tile based images with bit depths not a multiple of 8
which cannot be handled by tiffcp.
libtool 2.2.6. Enabled support for silent build rules
(--enable-silent-rules or 'make V=0') and colorized tests.
* html/{index.html, v3.9.0.html}: Update for 3.9.0 release.
from Richard Nolde. In particular, support for rotating the image
by 90, 180, 270, and 'auto' has been added. Still waiting for
documentation patch to man/tiff2ps.1.
* man/tiffcrop.1: Incorporated documentation updates from Richard
Nolde.
* tools/tiffcrop.c: Incorporated significant functionality update
from Richard Nolde.
for TIFFError(), TIFFErrorExt(), TIFFWarning(), and
TIFFWarningExt() in order to reveal bugs.
* Many fixes throughout to work better as a 64-bit build.
consistent (__int64) casting when testing if _lseeki64 has
successfully seeked as requested. This is necessary for large
file support to work since off_t is only 32-bit.
tiff2ps-PS3.sh tiffcp-g3-1d-fill.sh tiffcp-g3-1d.sh
tiffcp-g3-2d-fill.sh tiffcp-g3-2d.sh tiffcp-g3.sh tiffcp-g4.sh
tiffcp-split-join.sh tiffcp-split.sh tiffcp-thumbnail.sh
tiffdump.sh tiffinfo.sh}: Added more test scripts based on
suggestions from Lee Howard posted to the tiff list on 13 Sep
2007.
test programs and scripts.
* test/tiffinfo.sh: A trivial example test script.
* test/common.sh: Added small script for setting the environment
used by script-based tests.
utility as per bug http://bugzilla.remotesensing.org/show_bug.cgi?id=1560
Now we don't need tiffiop.h in tiff2pdf anymore and will open output PDF file
using TIFFClientOpen() machinery as it is implemented by Leon Bottou.
available on the target system.
* configure.ac: Add configure support for determining sized types
in a portable way and performing necessary substitutions in
tif_config.h and tiffconf.h. Updated tiff.h to use the new
definitions.
