diff options
Diffstat (limited to 'src/3rdparty/libtiff/ChangeLog')
| -rw-r--r-- | src/3rdparty/libtiff/ChangeLog | 824 |
1 files changed, 823 insertions, 1 deletions
diff --git a/src/3rdparty/libtiff/ChangeLog b/src/3rdparty/libtiff/ChangeLog index 9b9d397..e15feec 100644 --- a/src/3rdparty/libtiff/ChangeLog +++ b/src/3rdparty/libtiff/ChangeLog @@ -1,3 +1,825 @@ +2017-10-10 Even Rouault <even.rouault at spatialys.com> + + * nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use + /MDd runtime in debug mode. + +2017-10-01 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffset.c: fix setting a single value for the ExtraSamples tag + (and other tags with variable number of values). + So 'tiffset -s ExtraSamples 1 X'. This only worked + when setting 2 or more values, but not just one. + +2017-09-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735 + +2017-09-09 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: add NULL check to avoid likely false positive + null-pointer dereference warning by CLang Static Analyzer. + +2017-09-07 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK() + function that checks if the offset is not bigger than INT64_MAX, so as + to avoid a -1 error return code of TIFFSeekFile() to match a required + seek to UINT64_MAX/-1. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726 + Adapted from proposal by Nicolas Ruff. + +2017-08-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed + file if the codestream height is larger than the truncated height of the + strip. Emit a warning in this situation since this is non compliant. + +2017-08-28 Even Rouault <even.rouault at spatialys.com> + + * test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff + to fix "make distcheck". Patch by Roger Leigh + +2017-08-23 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirwrite.c: replace assertion to tag value not fitting + on uint32 when selecting the value of SubIFD tag by runtime check + (in TIFFWriteDirectoryTagSubifd()). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728 + Reported by team OWL337 + +2017-08-23 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirwrite.c: replace assertion related to not finding the + SubIFD tag by runtime check (in TIFFWriteDirectorySec()) + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727 + Reported by team OWL337 + +2017-07-24 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_luv.c: further reduce memory requirements for temporary + buffer when RowsPerStrip >= image_length in LogLuvInitState() and + LogL16InitState(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700 + Credit to OSS Fuzz + +2017-07-24 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped + pixel number is not a multiple of the horizontal subsampling, and + also in some other cases. Impact putcontig8bitYCbCr44tile, + putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile, + putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered + by Agostino Sarubbo) + and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit + to OSS Fuzz) + +2017-07-24 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate(): + properly break from loops on error when stoponerr is set, instead + of going on iterating on row based loop. + +2017-07-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683 + Credit to OSS-Fuzz + +2017-07-15 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: add protection against excessive memory + allocation attempts in TIFFReadDirEntryArray() on short files. + Effective for mmap'ed case. And non-mmap'ed case, but restricted + to 64bit builds. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675 + +2017-07-15 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + +2017-07-15 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). + Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 + in the isMapped() case, so as to avoid excessive memory allocation + when we need a temporary buffer but the file is truncated. + +2017-07-15 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw" + mode on PlanarConfig=Contig input images. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715 + Reported by team OWL337 + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dir.c: avoid potential null pointer dereference in + _TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713 + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW + strips. Crashing issue only on memory mapped files, where the strip + offset is the last byte of the file, and the file size is a multiple + of one page size on the CPU architecture (typically 4096). Credit + to myself :-) + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + + * test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files + to test old-style LZW decompression + * test/common.sh, Makefile.am, CMakeList.txt: updated with above + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + + * refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes) + +2017-07-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW + compressed files. + +2017-07-10 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding + when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554 + Credit to OSS Fuzz + +2017-07-04 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedTileAndAllocBuffer() + and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and + TIFFReadTile() that allocates the decoded buffer only after a first + successful TIFFFillTile(). This avoids excessive memory allocation + on corrupted files. + * libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470 + Credit to OSS Fuzz. + +2017-07-04 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_error.c, tif_warning.c: correctly use va_list when both + an old-style and new-style warning/error handlers are installed. + Patch by Paavo Helde (sent on the mailing list) + +2017-07-02 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to + tif_rawdataloaded when it is set. Similarly to TIFFStartStrip(). + This issue was revealed by the change of 2017-06-30 in TIFFFileTile(), + limiting the number of bytes read. But it could probably have been hit + too in CHUNKY_STRIP_READ_SUPPORT mode previously ? + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454 + Credit to OSS Fuzz + +2017-06-30 Even Rouault <even.rouault at spatialys.com> + + * man: update documentation regarding SubIFD tag and + TIFFSetSubDirectory() data type. + Patch by Eric Piel + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671 + +2017-06-30 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX() + functions associated with LONG8/SLONG8 data type, replace assertion that + the file is BigTIFF, by a non-fatal error. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 + Reported by team OWL337 + +2017-06-30 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer() + function, variant of TIFFReadEncodedStrip() that allocates the + decoded buffer only after a first successful TIFFFillStrip(). This avoids + excessive memory allocation on corrupted files. + * libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 . + Credit to OSS Fuzz + +2017-06-30 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillTile(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation (similarly to + what was done for TIFFFileStrip() on 2017-05-10) + +2017-06-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c, + libtiff/tif_read.c: make TIFFReadScanline() works in + CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans. + Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER + environment variable the maximum number of scans allowed. Defaults to + 100. + +2017-06-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a + double value can fit in a float before casting. Patch by Nicolas RUFF + +2017-06-26 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode() + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706 + Reported by team OWL337 + +2017-06-24 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg + memory allocation is above 100 MB. libjpeg in case of multiple scans, + which is allowed even in baseline JPEG, if components are spread over several + scans and not interleavedin a single one, needs to allocate memory (or + backing store) for the whole strip/tile. + See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + This limitation may be overriden by setting the + LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling + libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro. + +2017-06-24 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive + CPU consumption on progressive JPEGs with a huge number of scans. + See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf + Note: only affects libtiff since 2014-12-29 where support of non-baseline JPEG + was added. + +2017-06-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to + disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow + * libtiff/tif_predict.c: decorate legitimate functions where unsigned int + overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW + * libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts() + and BYTECOUNTLOOKSBAD when file is too short. + * libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images. + * libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could + potentially be a bug with huge rows. + * libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows. + +2017-06-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items + read in StripOffsets/StripByteCounts tags to the number of strips to avoid + excessive memory allocation. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215 + Credit to OSS Fuzz + +2017-06-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in + ChopUpSingleUncompressedStrip() regarding update of newly single-strip + uncompressed files whose bytecount is 0. Before the change of 2016-12-03, + the condition bytecount==0 used to trigger an early exit/disabling of + strip chop. Re-introduce that in update mode. Otherwise this cause + later incorrect setting for the value of StripByCounts/StripOffsets. + ( https://trac.osgeo.org/gdal/ticket/6924 ) + +2017-06-10 Even Rouault <even.rouault at spatialys.com> + + * .appveyor.yml, .travis.yml, build/travis-ci: apply patches + 0001-ci-Travis-script-improvements.patch and + 0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh + (sent to mailing list) + +2017-06-08 Even Rouault <even.rouault at spatialys.com> + + * .travis.yml, build/travis-ci: new files from + 0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by + Roger Leigh (sent to mailing list on 2017-06-08) + This patch adds support for the Travis-CI service. + + * .appveyor.yml: new file from + 0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing + list on 2017-06-08) + This patch adds a .appveyor.yml file to the top-level. This allows + one to opt in to having a branch built on Windows with Cygwin, + MinGW and MSVC automatically when a branch is pushed to GitHub, + GitLab, BitBucket or any other supported git hosting service. + + * CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply + patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger + Leigh (sent to mailing list on 2017-06-08) + This patch makes the CMake build system support running the tests + with MinGW or Cygwin. + +2017-06-08 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do + the #ifdef TIFFSwabXXX checks. Make it easier for GDAL to rename the symbols + of its internal libtiff copy. + +2017-06-01 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(), + and use it in TIFFReadDirectory() so as to ignore fields whose tag is a + codec-specified tag but this codec is not enabled. This avoids TIFFGetField() + to behave differently depending on whether the codec is enabled or not, and + thus can avoid stack based buffer overflows in a number of TIFF utilities + such as tiffsplit, tiffcmp, thumbnail, etc. + Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch + (http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog. + Fixes: + http://bugzilla.maptools.org/show_bug.cgi?id=2580 + http://bugzilla.maptools.org/show_bug.cgi?id=2693 + http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095) + http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554) + http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318) + http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128) + http://bugzilla.maptools.org/show_bug.cgi?id=2441 + http://bugzilla.maptools.org/show_bug.cgi?id=2433 + +2017-05-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion + (when refBlackWhite[0] == 2147483648.f) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + Credit to OSS Fuzz + +2017-05-29 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid + int32 overflow in TIFFYCbCrtoRGB(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 + Credit to OSS Fuzz + +2017-05-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + + * configure.ac: libtiff 4.0.8 released. + + * html/v4.0.8.html: Add description of changes targeting the 4.0.8 + release. + +2017-05-20 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + +2017-05-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero + to avoid division by zero. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 + Credit to OSS Fuzz + +2017-05-17 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to + float. + Credit to Google Autofuzz project + +2017-05-17 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of + luma and refBlackWhite coefficients (just check they are not NaN for now), + to avoid potential float to int overflows. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + +2017-05-17 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with + next_in and tif_rawcc with avail_in at beginning and end of function, + similarly to what is done in LZWDecode(). Likely needed so that it + works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT + mode. But untested... + +2017-05-17 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(), + and update tif_rawcc at end of LZWDecode(). This is needed to properly + work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT + mode. + +2017-05-14 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory + allocation when RowsPerStrip tag is missing. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-14 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 + overflows in multiply_ms() and add_ms(). + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_color.c: avoid potential int32 overflow in + TIFFYCbCrToRGBInit() + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 + Credit to OSS-Fuzz + +2017-05-13 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT + mode with tif_rawdataloaded when calling TIFFStartStrip() or + TIFFFillStripPartial(). This avoids reading beyond tif_rawdata + when bytecount > tif_rawdatasize. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. + Credit to OSS-Fuzz + +2017-05-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStripPartial(): + avoid excessive memory allocation in case of shorten files. + Only effective on 64 bit builds. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), + avoid potential integer overflows with read_ahead in + CHUNKY_STRIP_READ_SUPPORT mode. Should + especially occur on 32 bit platforms. + +2017-05-10 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): + avoid excessive memory allocation in case of shorten files. + Only effective on 64 bit builds and non-mapped cases. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-10 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory + leak when the underlying codec (ZIP, PixarLog) succeeds its + setupdecode() method, but PredictorSetup fails. + Credit to OSS-Fuzz (locally run, on GDAL) + +2017-05-10 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number + of bytes read in case td_stripbytecount[strip] is bigger than + reasonable, so as to avoid excessive memory allocation. + +2017-04-28 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2bw.c: close TIFF handle in error code path. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2677 + +2017-04-27 Even Rouault <even.rouault at spatialys.com> + + * litiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. + Patch by Alan Coopersmith + complement by myself. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2673 + * tools/fax2tiff.c: emit appropriate message if the input file is + empty. Patch by Alan Coopersmith. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2672 + +2017-04-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_ojpeg.c: fix potential memory leak in + OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable + and OJPEGReadHeaderInfoSecTablesAcTable + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670 + +2017-04-27 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD + mode (ie default) when there is both a StripOffsets and + TileOffsets tag, or a StripByteCounts and TileByteCounts + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689 + * tools/tiff2ps.c: call TIFFClose() in error code paths. + +2017-02-25 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 + -Wimplicit-fallthrough warnings. + +2017-02-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c: fix memory leak in error code path of + PixarLogSetupDecode(). Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2665 + +2017-02-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the + code bit-width after flushing the remaining code and before emitting + the EOI code. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=1982 + +2017-01-31 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the + YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce + the I/O amount when te tag is present (especially on cloud hosted files). + +2017-01-14 Even Rouault <even.rouault at spatialys.com> + + * tools/raw2tiff.c: avoid integer division by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2631 + +2017-01-12 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable, + OJPEGReadHeaderInfoSecTablesDcTable and OJPEGReadHeaderInfoSecTablesAcTable + when read fails. + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode + functions instead of -1 when TIFFFlushData1() fails. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and + cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and + http://bugzilla.maptools.org/show_bug.cgi?id=2657 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc() + + * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero + initialize tif_rawdata. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to + avoid UndefinedBehaviorSanitizer warning. + Patch by Nicolás Peña. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c: avoid potential undefined behaviour on signed integer + addition in TIFFReadRawStrip1() in isMapped() case. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid + undefined behaviour caused by invalid shift exponent. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings + of double to other data types to avoid undefined behaviour if the output range + isn't big enough to hold the input value. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 + http://bugzilla.maptools.org/show_bug.cgi?id=2642 + http://bugzilla.maptools.org/show_bug.cgi?id=2646 + http://bugzilla.maptools.org/show_bug.cgi?id=2647 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: avoid division by floating point 0 in + TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), + and return 0 in that case (instead of infinity as before presumably) + Apparently some sanitizers do not like those divisions by zero. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational, replace + assertion by runtime check to error out if passed value is strictly + negative. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2535 + + * tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that + caused double free. + Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535 + +2017-01-11 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: avoid integer division by zero in + JPEGSetupEncode() when horizontal or vertical sampling is set to 0. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653 + +2017-01-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_jpeg.c: increase libjpeg max memory usable to + 10 MB instead of libjpeg 1MB default. This helps when creating files + with "big" tile, without using libjpeg temporary files. + Related to https://trac.osgeo.org/gdal/ticket/6757 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential heap-based overflow in + t2p_readwrite_pdf_image_tile(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: avoid potential invalid memory read in + t2p_writeproc. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 + +2016-12-20 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger + unspecified behaviour. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2638 + +2016-12-18 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: fix potential memory leaks in error code + path of TIFFRGBAImageBegin(). + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2627 + +2016-12-18 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode + on a paletted image. Note: this fix errors out before the overflow + happens. There could probably be a better fix. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2635 + +2016-12-17 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt() + and TIFFReadRGBATileExt() variants of the functions without ext, with + an extra argument to control the stop_on_error behaviour. + +2016-12-17 Even Rouault <even.rouault at spatialys.com> + + * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW + and PSDataColorContig). Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and + http://bugzilla.maptools.org/show_bug.cgi?id=2634. + +2016-12-13 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_fax3.h: revert change done on 2016-01-09 that made + Param member of TIFFFaxTabEnt structure a uint16 to reduce size of + the binary. It happens that the Hylafax software uses the tables that + follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, + TIFFFaxBlackTable), although they are not in a public libtiff header. + Raised by Lee Howard. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2636 + +2016-12-04 Even Rouault <even.rouault at spatialys.com> + + * html/man/Makefile.am: remove thumbnail.1.html and rgb2ycbcr.1.html + from installed pages since the corresponding utilities are no longer + installed. Reported by Havard Eidnes + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_write.c: fix misleading indentation as warned by GCC. + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based + buffer overflow. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * man/Makefile.am: remove thumbnail.1 and rgb2ycbcr.1 from installed man + pages since the corresponding utilities are no longer installed. + Reported by Havard Eidnes + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2606 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, + limit the return number of inks to SamplesPerPixel, so that code that parses + ink names doesn't go past the end of the buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples tag is + missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has + no StripByteCount tag. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in + readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so + that the output buffer is correctly incremented to avoid write outside bounds. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in + OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to + instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), + instead of a logic based on the total size of data. Which is faulty is + the total size of data is not sufficient to fill the whole image, and thus + results in reading outside of the StripByCounts/StripOffsets arrays when + using TIFFReadScanline(). + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. + + * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done + for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since + the above change is a better fix that makes it unnecessary. + +2016-12-03 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer + overflow on generation of PixarLog / LUV compressed files, with + ColorMap, TransferFunction attached and nasty plays with bitspersample. + The fix for LUV has not been tested, but suffers from the same kind + of issue of PixarLog. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that + can cause various issues, such as buffer overflows in the library. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 + +2016-12-02 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in + TIFFReadEncodedStrip() that caused an integer division by zero. + Reported by Agostino Sarubbo. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 + +2016-11-20 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to + fix cppcheck clarifyCalculation warnings + * libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned + vs signed formatting (cppcheck invalidPrintfArgType_uint warnings) + +2016-11-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> + + * tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix + passing client data for Win32 builds using tif_win32.c + (USE_WIN32_FILEIO defined) for file I/O. Patch was provided via + email on November 20, 2016. + 2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * libtiff 4.0.7 released. @@ -85,7 +907,7 @@ writeBufferToSeparateStrips(), writeBufferToContigTiles() and writeBufferToSeparateTiles() that could cause heap buffer overflows. Reported by Henri Salo from Nixu Corporation. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592 (CVE-2016-9532) 2016-11-10 Even Rouault <even.rouault at spatialys.com> |