cb66df4e65
* HOWTO-RELEASE: write that cvs add html/vX.X.html must be used
292 lines
13 KiB
HTML
292 lines
13 KiB
HTML
<HTML>
|
|
<HEAD>
|
|
<TITLE>
|
|
Changes in TIFF v4.0.4beta
|
|
</TITLE>
|
|
</HEAD>
|
|
|
|
<BODY BGCOLOR=white>
|
|
<FONT FACE="Helvetica, Arial, Sans">
|
|
|
|
<BASEFONT SIZE=4>
|
|
<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
|
|
<BASEFONT SIZE=3>
|
|
|
|
<UL>
|
|
<HR SIZE=4 WIDTH=65% ALIGN=left>
|
|
<B>Current Version</B>: v4.0.4beta<BR>
|
|
<B>Previous Version</B>: <A HREF=v4.0.3.html>v4.0.3</a><BR>
|
|
<B>Master FTP Site</B>: <A HREF="ftp://ftp.remotesensing.org/pub/libtiff">
|
|
ftp.remotesensing.org</a>, directory pub/libtiff</A><BR>
|
|
<B>Master HTTP Site</B>: <A HREF="http://www.remotesensing.org/libtiff">
|
|
http://www.remotesensing.org/libtiff</a>
|
|
<HR SIZE=4 WIDTH=65% ALIGN=left>
|
|
</UL>
|
|
|
|
<P>
|
|
This document describes the changes made to the software between the
|
|
<I>previous</I> and <I>current</I> versions (see above). If you don't
|
|
find something listed here, then it was not done in this timeframe, or
|
|
it was not considered important enough to be mentioned. The following
|
|
information is located here:
|
|
<UL>
|
|
<LI><A HREF="#highlights">Major Changes</A>
|
|
<LI><A HREF="#configure">Changes in the software configuration</A>
|
|
<LI><A HREF="#libtiff">Changes in libtiff</A>
|
|
<LI><A HREF="#tools">Changes in the tools</A>
|
|
<LI><A HREF="#contrib">Changes in the contrib area</A>
|
|
</UL>
|
|
<p>
|
|
<P><HR WIDTH=65% ALIGN=left>
|
|
|
|
<!--------------------------------------------------------------------------->
|
|
|
|
<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>
|
|
|
|
<UL>
|
|
|
|
<li> None
|
|
|
|
</UL>
|
|
|
|
|
|
<P><HR WIDTH=65% ALIGN=left>
|
|
<!--------------------------------------------------------------------------->
|
|
|
|
<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>
|
|
|
|
<UL>
|
|
|
|
<li> Updated to use Automake 1.15 and Libtool 2.4.5
|
|
|
|
</UL>
|
|
|
|
<P><HR WIDTH=65% ALIGN=left>
|
|
|
|
<!--------------------------------------------------------------------------->
|
|
|
|
<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>
|
|
|
|
<UL>
|
|
|
|
<li> TIFFCheckDirOffset(): avoid uint16 overflow
|
|
when reading more than 65535 directories, and effectively error out when
|
|
eaching that limit.
|
|
|
|
<li> TIFFNumberOfDirectories(): generate error in case of directory count
|
|
overflow.
|
|
|
|
<li> TIFFAdvanceDirectory(): If nextdir is found to
|
|
be defective, then set it to zero before returning error in order
|
|
to terminate processing of truncated TIFF.
|
|
|
|
<li> JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10
|
|
markers to avoid emitting a warning. Fix for compatibility with mozjpeg library.
|
|
Note: the default settings of mozjpeg will produce progressive scans, which
|
|
is forbidden by the TechNote.
|
|
|
|
<li> JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused
|
|
all tiles/strips to include quantization tables even when the jpegtablesmode
|
|
had the JPEGTABLESMODE_QUANT bit set.
|
|
Also add explicit removal of Huffman tables when jpegtablesmode has the
|
|
JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the
|
|
first tile/strip (only useful in update scenarios. create-only was
|
|
fine)
|
|
|
|
<li> JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on
|
|
corrupted image where tif->tif_dir.td_stripoffset == NULL.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2471">#2471</a>)
|
|
|
|
<li> NeXT codec: add new tests to check that we don't read outside of
|
|
the compressed input stream buffer.
|
|
|
|
<li> NeXT codec: check that BitsPerSample = 2. Fixes
|
|
<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2487">#2487</a> (CVE-2014-8129)
|
|
|
|
<li> NeXT codec: in the "run mode", use tilewidth for tiled images
|
|
instead of imagewidth to avoid crash
|
|
|
|
<li> tif_getimage.c: in OJPEG case, fix checks on strile width/height
|
|
in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
|
|
putcontig8bitYCbCr21tile cases.
|
|
|
|
<li> in TIFFDefaultDirectory(), reset any already existing
|
|
extented tags installed by user code through the extender mechaninm before
|
|
calling the extender callback (GDAL #5054)
|
|
|
|
<li> Fix warnings about unused parameters.
|
|
|
|
<li> Fix various typos in comments found by Debian lintian tool (GDAL #5756)
|
|
|
|
<li> tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2235">#2235</a>)
|
|
|
|
<li> tif_dirread.c: In EstimateStripByteCounts(), check return code
|
|
of _TIFFFillStriles(). This solves crashing bug on corrupted
|
|
images generated by afl.
|
|
|
|
<li>tif_read.c: fix several invalid comparisons of a uint64 value with
|
|
<= 0 by casting it to int64 first. This solves crashing bug on corrupted
|
|
images generated by afl.
|
|
|
|
<li>TIFFSetField(): refuse to set negative values for
|
|
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
|
|
the directory
|
|
|
|
<li>TIFFReadDirectory(): refuse to read ColorMap or
|
|
TransferFunction if BitsPerSample has not yet been read, otherwise reading
|
|
it later will cause user code to crash if BitsPerSample > 1
|
|
|
|
<li> TIFFRGBAImageOK(): return FALSE if LOGLUV with
|
|
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
|
|
|
|
<li> tif_config.vc.h: no longer use "#define snprintf _snprintf" with
|
|
Visual Studio 2015 aka VC 14 aka MSVC 1900
|
|
|
|
<li> LZW codec: prevent potential null dereference of sp->dec_codetab in LZWPreDecode
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
|
|
|
|
<li> TIFFReadBufferSetup(): avoid passing -1 size
|
|
to TIFFmalloc() if passed user buffer size is 0
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
|
|
|
|
<li> TIFFReadDirEntryOutputErr(): Incorrect
|
|
count for tag should be a warning rather than an error since
|
|
errors terminate processing.
|
|
|
|
<li> tif_dirinfo.c (TIFFField) : Fix data type for TIFFTAG_GLOBALPARAMETERSIFD tag.
|
|
|
|
<li> Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2457">#2457</a>)
|
|
|
|
<li> tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that weren't
|
|
large enough, and eliminate substantially all uses of sprintf(buf,
|
|
...) in favor of using snprintf(buf, sizeof(buf), ...)
|
|
<li> configure.ac: Improve pkg-config static linking by adding -lm to Libs.private when needed.
|
|
|
|
<li> tif_write.c: tmsize_t related casting warning fixed for
|
|
64bit linux.
|
|
|
|
<li> tif_read.c: uint64/tmsize_t change for MSVC warnings.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2427">#2427</a>)
|
|
|
|
<li> Fix TIFFPrintDirectory's handling of
|
|
field_passcount fields: it had the TIFF_VARIABLE and
|
|
TIFF_VARIABLE2 cases backwards.
|
|
|
|
<li> PixarLog codec: Improve previous patch for CVE-2012-4447
|
|
(to enlarge tbuf for possible partial stride at end) so that
|
|
overflow in the integer addition is detected.
|
|
|
|
<li>tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
|
|
require malloc() to return NULL pointer if requested allocation
|
|
size is zero. Assure that _TIFFmalloc does.
|
|
|
|
<li>tif_zip.c: Avoid crash on NULL error messages.
|
|
|
|
</UL>
|
|
|
|
<P><HR WIDTH=65% ALIGN=left>
|
|
|
|
<!-------------------------------------------------------------------------->
|
|
|
|
<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>
|
|
|
|
<UL>
|
|
|
|
<li> tiff2pdf: Fis various crashes and memory buffer access errors (oCERT-2014-013).
|
|
<li> tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2445">#2445</a>)
|
|
<li> tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2443">#2443</a>)
|
|
<li> tiff2pdf: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL
|
|
<li> tiff2pdf: fix crash due to invalid tile count.
|
|
<li> tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
|
|
<li> tiff2pdf: Assure that memory size calculations for
|
|
_TIFFmalloc() do not overflow the range of tmsize_t.
|
|
<li> tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one channel,
|
|
with the other two channels set to NULL.
|
|
<li> tiff2pdf: close PDF file. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2479">#2479</a>)
|
|
<li> tiff2pdf: Preserve input file directory order when pages
|
|
are tagged with the same page number.
|
|
<li> tiff2pdf.c: terminate after failure of allocating ycbcr buffer
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2449">#2449</a> CVE-2013-4232)
|
|
<li> tiff2pdf: Rewrite JPEG marker parsing in
|
|
t2p_process_jpeg_strip to be at least marginally competent. The
|
|
approach is still fundamentally flawed, but at least now it won't
|
|
stomp all over memory when given bogus input. Fixes CVE-2013-1960.
|
|
<li> tiffdump: Guard against arithmetic overflow when calculating allocation buffer sizes.
|
|
<li> tiffdump: fix crash due to overflow of entry count.
|
|
<li> tiffdump: Fix double-free bug.
|
|
<li> tiffdump: detect cycle in TIFF directory chaining.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2463">#2463</a>)
|
|
<li> tiffdump: avoid passing a NULL pointer to read() if seek() failed before.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
|
|
<li> tiff2bw: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2485">#2485</a>, CVE-2014-8127)
|
|
<li> pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2484">#2484</a>, CVE-2014-8127)
|
|
<li> thumbnail: fix out-of-buffer write.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2489">#2489</a>, CVE-2014-8128)
|
|
<li> thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS
|
|
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
|
|
COMPRESSION_CCITTFAX4.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2493">#2493</a>, CVE-2014-8128)
|
|
<li> tiffcp: fix crash when converting YCbCr JPEG-compressed to none.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2480">#2480</a>)
|
|
<li> bmp2tiff: fix crash due to int overflow related to input BMP dimensions
|
|
<li> tiffcrop: fix crash due to invalid TileWidth/TileHeight
|
|
<li> tiffcrop: fix segfault if bad value passed to -Z option
|
|
( <a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
|
|
and add missing va_end in dump_info
|
|
<li> thumbnail, tiffcrop: "fix" heap read over-run found with
|
|
Valgrind and Address Sanitizer on test suite
|
|
<li> fax2ps: check malloc()/realloc() result. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2470">#2470</a>)
|
|
<li> gif2tiff: apply patch for CVE-2013-4243. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2451">#2451</a>)
|
|
<li> gif2tiff: fix possible OOB write. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2452">#2452</a>, CVE-2013-4244)
|
|
<li> gif2tiff: Be more careful about corrupt or hostile input files (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2450">#2450</a>, CVE-2013-4231)
|
|
<li> tiff2rgba: fix usage message in that zip was wrongly described
|
|
<li> tiffinfo: Default various values fetched with TIFFGetField() to avoid being uninitialized.
|
|
<li> tiff2ps: Fix bug in auto rotate option code.
|
|
<li> ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564).
|
|
check the linebytes calculation too, get the max() calculation
|
|
straight, avoid redundant error messages, check for malloc
|
|
failure.
|
|
<li> tiffset: now supports a -u option to unset a tag.
|
|
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2419">#2419</a>)
|
|
<li> Fix warnings about unused parameters.
|
|
<li> rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither :
|
|
Enlarge some fixed-size buffers that weren't
|
|
large enough, and eliminate substantially all uses of sprintf(buf,
|
|
...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
|
|
protect against overflow of fixed-size buffers. This responds in
|
|
particular to CVE-2013-1961 concerning overflow in tiff2pdf.c's
|
|
t2p_write_pdf_page().
|
|
<li>html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
|
|
html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
|
|
man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
|
|
tools/tiffdither.c: Sync tool usage printouts and man pages with
|
|
reality
|
|
|
|
</UL>
|
|
|
|
<P><HR WIDTH=65% ALIGN=left>
|
|
|
|
<!--------------------------------------------------------------------------->
|
|
|
|
<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>
|
|
|
|
<UL>
|
|
|
|
<li> Fix warnings about variables set but not used.
|
|
<li> contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that weren't
|
|
large enough, and eliminate substantially all uses of sprintf(buf,
|
|
...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
|
|
protect against overflow of fixed-size buffers.
|
|
</UL>
|
|
|
|
Last updated $Date: 2015-01-26 15:14:45 $.
|
|
|
|
</BODY>
|
|
</HTML>
|