summaryrefslogtreecommitdiffstats
path: root/src/3rdparty/libtiff/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'src/3rdparty/libtiff/ChangeLog')
-rw-r--r--src/3rdparty/libtiff/ChangeLog482
1 files changed, 482 insertions, 0 deletions
diff --git a/src/3rdparty/libtiff/ChangeLog b/src/3rdparty/libtiff/ChangeLog
index 5b77723..9b9d397 100644
--- a/src/3rdparty/libtiff/ChangeLog
+++ b/src/3rdparty/libtiff/ChangeLog
@@ -1,3 +1,485 @@
+2016-11-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff 4.0.7 released.
+
+ * configure.ac: Update for 4.0.7 release.
+
+ * tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
+ _TIFFmalloc() argument which resulted in Coverity report. Added
+ more mutiplication overflow checks.
+
+2016-11-18 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: Fix memory leak in (recent) error code path.
+ Fixes Coverity 1394415.
+
+2016-11-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c: Fix some benign warnings which appear in
+ 64-bit compilation under Microsoft Visual Studio of the form
+ "Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
+ value. Results might not be an expected value.". Problem was
+ reported on November 16, 2016 on the tiff mailing list.
+
+2016-11-16 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
+ NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
+ access are 0-byte arrays.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
+ by previous fix done on 2016-11-11 for CVE-2016-9297).
+ Reported by Henri Salo. Assigned as CVE-2016-9448
+
+2016-11-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * tools/tiffinfo.c (TIFFReadContigTileData): Fix signed/unsigned
+ comparison warning.
+ (TIFFReadSeparateTileData): Fix signed/unsigned comparison
+ warning.
+
+ * tools/tiffcrop.c (readContigTilesIntoBuffer): Fix
+ signed/unsigned comparison warning.
+
+ * html/v4.0.7.html: Add a file to document the pending 4.0.7
+ release.
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: avoid undefined behaviour related to overlapping
+ of source and destination buffer in memcpy() call in
+ t2p_sample_rgbaa_to_rgb()
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds
+ in t2p_read_tiff_size()
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2576
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted()
+ when requesting Predictor tag and that the zip/lzw codec is not
+ configured.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
+ values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
+ access are null terminated, to avoid potential read outside buffer
+ in _TIFFPrintField().
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590 (CVE-2016-9297)
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: reject images with OJPEG compression that
+ have no TileOffsets/StripOffsets tag, when OJPEG compression is
+ disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
+ and other functions that expect td_stripbytecount to be non NULL.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585
+
+2016-11-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix multiple uint32 overflows in
+ writeBufferToSeparateStrips(), writeBufferToContigTiles() and
+ writeBufferToSeparateTiles() that could cause heap buffer overflows.
+ Reported by Henri Salo from Nixu Corporation.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
+
+2016-11-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
+ value when it is non-zero, instead of recomputing it. This is needed in
+ TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
+ array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273)
+
+2016-11-04 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_predic.c: fix memory leaks in error code paths added in
+ previous commit (fix for MSVR 35105)
+
+2016-10-31 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_predict.h, libtiff/tif_predict.c:
+ Replace assertions by runtime checks to avoid assertions in debug mode,
+ or buffer overflows in release mode. Can happen when dealing with
+ unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
+ by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
+ team.
+
+2016-10-26 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/fax2tiff.c: fix segfault when specifying -r without
+ argument. Patch by Yuriy M. Kaminskiy.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2572
+
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c: discard values of SMinSampleValue and
+ SMaxSampleValue when they have been read and the value of
+ SamplesPerPixel is changed afterwards (like when reading a
+ OJPEG compressed image with a missing SamplesPerPixel tag,
+ and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
+ being 3). Otherwise when rewriting the directory (for example
+ with tiffset, we will expect 3 values whereas the array had been
+ allocated with just one), thus causing a out of bound read access.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
+
+ * libtiff/tif_dirwrite.c: avoid null pointer dereference on td_stripoffset
+ when writing directory, if FIELD_STRIPOFFSETS was artificially set
+ for a hack case in OJPEG case.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
+ (CVE-2014-8127, duplicate: CVE-2016-3658)
+
+2016-10-25 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffinfo.c: fix out-of-bound read on some tiled images.
+ (http://bugzilla.maptools.org/show_bug.cgi?id=2517)
+
+ * libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
+ error and make upper level read routines treat it accordingly.
+ (linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)
+
+2016-10-14 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
+ readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
+ & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
+
+2016-10-09 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG
+ compressed images. Reported by Tyler Bohan of Cisco Talos as
+ TALOS-CAN-0187 / CVE-2016-5652.
+ Also prevents writing 2 extra uninitialized bytes to the file stream.
+
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
+ tile width vs image width. Reported as MSVR 35103
+ by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
+ Mitigations team.
+
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
+ t2p_readwrite_pdf_image_tile(), causing crash, when reading a
+ JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
+ Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
+ the MSRC Vulnerabilities & Mitigations team. CVE-2016-9453
+
+2016-10-08 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcp.c: fix read of undefined variable in case of missing
+ required tags. Found on test case of MSVR 35100.
+ * tools/tiffcrop.c: fix read of undefined buffer in
+ readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
+ security issue but I can be wrong. Reported as MSVR 35100 by Axel
+ Souchet from the MSRC Vulnerabilities & Mitigations team.
+
+2016-09-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * html: Change as many remotesensing.org broken links to a working
+ URL as possible.
+
+2016-09-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
+ read floating point images.
+
+ * libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
+ requirements of floating point predictor (3). Fixes CVE-2016-3622
+ "Divide By Zero in the tiff2rgba tool."
+
+2016-09-23 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
+ in heap or stack allocated buffers. Reported as MSVR 35093,
+ MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
+ Chauhan from the MSRC Vulnerabilities & Mitigations team.
+ * tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
+ heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
+ 35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
+ Vulnerabilities & Mitigations team.
+ * libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
+ in heap allocated buffers. Reported as MSVR 35094. Discovered by
+ Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
+ Mitigations team.
+ * libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
+ that didn't reset the tif_rawcc and tif_rawcp members. I'm not
+ completely sure if that could happen in practice outside of the odd
+ behaviour of t2p_seekproc() of tiff2pdf). The report points that a
+ better fix could be to check the return value of TIFFFlushData1() in
+ places where it isn't done currently, but it seems this patch is enough.
+ Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
+ Suha Can from the MSRC Vulnerabilities & Mitigations team.
+
+2016-09-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * html/man/index.html: Comment out links to documentation for
+ abandoned utilities.
+
+2016-09-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_lzma.c: typo fix in comment
+
+2016-09-04 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/*.c: fix warnings raised by clang 3.9 -Wcomma
+
+2016-09-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c, libtiff/tif_color.c: fix warnings raised
+ by GCC 5 / clang -Wfloat-conversion
+
+2016-08-16 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: fix C99'ism.
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2bw.c: fix weight computation that could result of color
+ value overflow (no security implication). Fix bugzilla #2550.
+ Patch by Frank Freudenberg.
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/rgb2ycbcr.c: validate values of -v and -h parameters to
+ avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
+ From patch libtiff-CVE-2016-3991.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
+ if more input samples are provided than expected by PixarLogSetupEncode.
+ Idea based on libtiff-CVE-2016-3990.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
+ simpler check. (bugzilla #2544)
+
+2016-08-15 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiff2rgba.c: Fix integer overflow in size of allocated
+ buffer, when -b mode is enabled, that could result in out-of-bounds
+ write. Based initially on patch tiff-CVE-2016-3945.patch from
+ libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
+ invalid tests that rejected valid files. (bugzilla #2545)
+
+2016-07-11 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
+ on a tiled separate TIFF with more than 8 samples per pixel.
+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
+ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+
+2016-07-10 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: Fix out-of-bounds read on
+ memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
+ when stripoffset is beyond tmsize_t max value (reported by
+ Mathias Svensson)
+
+2016-07-10 Even Rouault <even.rouault at spatialys.com>
+
+ * tools/tiffdump.c: fix a few misaligned 64-bit reads warned
+ by -fsanitize
+
+2016-07-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c: make TIFFReadEncodedStrip() and
+ TIFFReadEncodedTile() directly use user provided buffer when
+ no compression (and other conditions) to save a memcpy().
+
+ * libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
+ TIFFWriteEncodedTile() directly use user provided buffer when
+ no compression to save a memcpy().
+
+2016-07-01 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
+ PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
+ potential invalid memory write on corrupted/unexpected images when
+ using the TIFFRGBAImageBegin() interface (reported by
+ Clay Wood)
+
+2016-06-28 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
+ PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
+ (CVE-2016-5875)
+
+2016-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64
+ to libtiff.def
+
+2016-06-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
+ ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from
+ the distribution. The libtiff tools rgb2ycbcr and thumbnail are
+ only built in the build tree for testing. Old files are put in
+ new 'archive' subdirectory of the source repository, but not in
+ distribution archives. These changes are made in order to lessen
+ the maintenance burden.
+
+2016-05-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the
+ HAVE_SNPRINTF definition.'
+
+2016-05-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by Edward
+ Lam to define HAVE_SNPRINTF for Visual Studio 2015.
+
+2016-04-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD,
+ fix regression, introduced on 2014-12-23, when reading a one-strip
+ file without a StripByteCounts tag. GDAL #6490
+
+2016-04-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * html/bugs.html: Replace Andrey Kiselev with Bob Friesenhahn for
+ purposes of security issue reporting.
+
+2016-01-23 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/*: upstream typo fixes (mostly contributed by Kurt Schwehr)
+ coming from GDAL internal libtiff
+
+2016-01-09 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure
+ a uint16 to reduce size of the binary.
+
+2016-01-03 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised
+ by GCC 6 -Wmisleading-indentation
+
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_pixarlog.c: avoid zlib error messages to pass a NULL
+ string to %s formatter, which is undefined behaviour in sprintf().
+
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+ triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
+ (bugzilla #2508)
+
+2015-12-27 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+ functions in non debug builds by replacing assert()s by regular if
+ checks (bugzilla #2522).
+ Fix potential out-of-bound reads in case of short input data.
+
+2015-12-26 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples
+ for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
+
+2015-12-21 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: workaround false positive warning of Clang Static
+ Analyzer about null pointer dereference in TIFFCheckDirOffset().
+
+2015-12-19 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_fax3.c: remove dead assignment in Fax3PutEOLgdal(). Found
+ by Clang Static Analyzer
+
+2015-12-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirwrite.c: fix truncation to 32 bit of file offsets in
+ TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory
+ offsets on a even offset (affects BigTIFF). This was a regression of the
+ changeset of 2015-10-19.
+
+2015-12-12 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_write.c: TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
+ should return -1 in case of failure of tif_encodestrip() as documented
+ * libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in case of
+ failure so that the above mentionned functions detect the error.
+
+2015-12-06 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/uvcode.h: const'ify uv_code array
+
+2015-12-06 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirinfo.c: const'ify tiffFields, exifFields,
+ tiffFieldArray and exifFieldArray arrays
+
+2015-12-06 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_print.c: constify photoNames and orientNames arrays
+
+2015-12-06 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_close.c, libtiff/tif_extension.c : rename link
+ variable to avoid -Wshadow warnings
+
+2015-11-22 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/*.c: fix typos in comments (patch by Kurt Schwehr)
+
+2015-11-22 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/*.c: fix MSVC warnings related to cast shortening and
+ assignment within conditional expression
+
+2015-11-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/*.c: fix clang -Wshorten-64-to-32 warnings
+
+2015-11-18 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: initialize double* data at line 3693 to NULL
+ to please MSVC 2013
+
+2015-11-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: prevent reading ColorMap or TransferFunction
+ if BitsPerPixel > 24, so as to avoid huge memory allocation and file
+ read attempts
+
+2015-11-02 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dirread.c: remove duplicated assignment (reported by
+ Clang static analyzer)
+
+2015-10-28 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, libtiff/tif_dirinfo.c, libtiff/tif_compress.c,
+ libtiff/tif_jpeg_12.c: suppress warnings about 'no previous
+ declaration/prototype'
+
+2015-10-19 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants by U to fix
+ 'warning: negative integer implicitly converted to unsigned type' warning
+ (part of -Wconversion)
+
+2015-10-17 Even Rouault <even.rouault at spatialys.com>
+
+ * libtiff/tif_dir.c, libtiff/tif_dirread.c, libtiff/tif_getimage.c,
+ libtiff/tif_print.c: fix -Wshadow warnings (only in libtiff/)
+
2015-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.6 released.
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-04 14:27:37 +0000