#6635 closed enhancement (fixed)
tiff-4.0.4 (LibTIFF-4.0.4)
| Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
|---|---|---|---|
| Priority: | high | Milestone: | 7.8 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description (last modified by )
http://download.osgeo.org/libtiff/tiff-4.0.4.tar.gz
http://fossies.org/linux/misc/tiff-4.0.4.tar.gz/tiff-4.0.4/ChangeLog?m=t
Detailed ChangeLog
http://www.remotesensing.org/libtiff/v4.0.4.html
TIFF CHANGE INFORMATION
Current Version: v4.0.4
...
MAJOR CHANGES:
• None
CHANGES IN THE SOFTWARE CONFIGURATION:
• configure.ac / configure
◦ Bugzilla Bug #2405: Correct shell equality operator.
◦ Bugzilla Bug #2498: Adds an option to select the file I/O style
on Windows hosts.
CHANGES IN LIBTIFF:
• tif_dir.c:
◦ TIFFNumberOfDirectories: Coverity 1134470 "Logically dead code"
• tif_dirread.c:
◦ TIFFReadDirEntryDoubleArray: Coverity 298626 "Logically dead
code".
◦ TIFFReadDirEntryFloatArray: Coverity 298627 "Logically dead
code".
◦ TIFFReadDirEntryIfd8Array: Coverity 298628 "Logically dead
code".
◦ TIFFReadDirEntrySlong8Array: Coverity 298629 "Logically dead
code"
• tif_dirwrite.c
◦ _TIFFRewriteField: Coverity 1024310 "Resource leak".
• tif_jpeg.c
◦ JPEGCleanup: Coverity 298624 "Dereference before null check".
◦ JPEGDecode: Coverity 602597 "Operands don't affect result".
• tif_getimage.c
◦ Bugzilla Bug #2409: Correct reading of certain tiled TIFFs.
• tif_luv.c
◦ LogLuvDecodeStrip: Coverity 991239 "Division or modulo by zero".
◦ LogLuvDecodeTile: Coverity 991227 "Division or modulo by zero".
◦ LogLuvEncodeStrip: Coverity 991240 "Division or modulo by zero".
◦ LogLuvEncodeTile: Coverity 991241 "Division or modulo by zero".
• tif_lzw.c
◦ Decode files that contain consecutive CODE_CLEAR codes.
• tif_ojpeg.c
◦ OJPEGReadBufferFill: Coverity 603400 "Missing break in switch".
◦ OJPEGReadHeaderInfoSecStreamDht: Coverity 601720 "Resource
leak".
• tif_read.c
◦ TIFFStartTile: Coverity 715973 and 715974 "Division or modulo by
zero".
• tif_unix.c
◦ Bugzilla Bug #2510: Fix several harmless but still annoying
warnings.
• tif_write
◦ TIFFWriteEncodedStrip: Coverity 715975 "Division or modulo by
zero".
◦ TIFFWriteEncodedTile: Coverity 715976 and 715977 "Division or
modulo by zero".
◦ TIFFWriteRawStrip: Coverity 715978 "Division or modulo by zero".
◦ TIFFWriteScanline: Coverity 715979 "Division or modulo by zero".
CHANGES IN THE TOOLS:
• bmp2tiff
◦ Coverity 1024225 "Untrusted value as argument".
◦ Coverity 1024678 "Unchecked return value from library".
◦ Coverity 1024679 "Unchecked return value from library".
◦ Coverity 1214160 "Ignoring number of bytes read".
• gif2tiff
◦ Coverity 1024222 "Untrusted value as argument".
◦ Coverity 1024890 "Ignoring number of bytes read".
◦ Coverity 1024891 "Ignoring number of bytes read".
◦ Coverity 1024892 "Ignoring number of bytes read".
◦ Coverity 1024893 "Ignoring number of bytes read".
◦ Coverity 1024894 "Ignoring number of bytes read".
• ras2tiff
◦ Corrected Sun Raster header definition to be safe for 64-bit
systems. Add some header validations. Fixes many (unspecified)
Coverity issues.
◦ Coverity 1024223 "Untrusted value as argument".
◦ Coverity 1301206: "Integer handling issues (BAD_SHIFT)".
• raw2tiff
◦ Coverity 1024887 "Unchecked return value from library".
◦ Coverity 1024888 "Unchecked return value from library".
◦ Coverity 1024889 "Unchecked return value from library".
◦ Coverity 1214162 "Ignoring number of bytes read".
• tiff2pdf
◦ Bugzilla Bug #2078. Suppress initial output of the header.
◦ Bugzilla Bug #2150. Change ColorTransform from "0" to "1".
◦ Take care in using the return value from snprintf().
◦ Coverity 1024181 "Structurally dead code".
◦ Coverity 1024181 "Structurally dead code".
◦ Coverity 1227690 "Unused value".
◦ Coverity 298621 "Resource leak".
• tiff2ps
◦ Correct sizing and scaling problems with output document.
• tiffcp
◦ Coverity 1024306, 1024307, 1024308, 1024309 "Resource leak".
• tiffcrop
◦ Correctly copy the compression tag from the source TIFF.
◦ Coverity 1024545 "Division or modulo by zero".
◦ Coverity 1024586 "Logically dead code".
◦ Coverity 1024796 "Nesting level does not match indentation".
◦ Coverity 1024797 "Nesting level does not match indentation".
◦ Coverity 1294542 "Logical vs. bitwise operator".
◦ Coverity 1299740 "Out-of-bounds write".
◦ Coverity 1299741 "Dereference before null check".
• tiffdither
◦ Check memory allocations for failure. Also check multiplication
overflow. (Fixes #2501, CVE-2014-8128)
• tiffgt.c
◦ Bugzilla Bug #2401. Appropriately call glFlush().
• tiffmedian
◦ Coverity 1024386 "Out-of-bounds read".
◦ Coverity 1024386 "Out-of-bounds read".
◦ Coverity 1024795 "Nesting level does not match indentation".
◦ Coverity 1024795 "Nesting level does not match indentation".
• tiffsplit
◦ Coverity 1024304 "Resource leak".
◦ Coverity 1024305 "Resource leak".
CHANGES IN THE CONTRIB AREA:
• addtiffo
◦ Check buffer size calculation for overflow.
◦ Coverity 298615 "Resource leak".
◦ Coverity 1024649 "Unintended sign extension".
• iptcutil
◦ Coverity 1024468 "Infinite loop".
◦ Coverity 1024727 "Truncated stdio return value".
◦ Coverity 1214240 "Untrusted loop bound".
Last updated $Date: 2015-06-18 03:08:06 $.
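The tiff2pdf entry above ("Take care in using the return value from snprintf()") and the sprintf-to-snprintf conversions listed in the 4.0.4beta notes further down rest on one detail: snprintf() returns the length the complete output would have had, not the number of bytes it actually stored. Code that does `used += snprintf(buf + used, cap - used, ...)` therefore lets `used` run past `cap` on truncation, and on the next call `cap - used` wraps to a huge size_t, which turns snprintf() back into sprintf(). The following is an added example, not code from this ticket or from libtiff, of a bounded append helper that accounts for this; bounded_append and format_tag_line are hypothetical names and the sample output is constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Append formatted text at buf + *used without ever writing past buf + cap.
 * vsnprintf() reports the length the whole output WOULD have had, so the
 * offset is pinned at cap - 1 whenever the output was cut short; a later
 * call then sees a zero-length window instead of a wrapped size_t.
 * Returns 1 if everything fit, 0 if the output was truncated.
 */
static int bounded_append(char *buf, size_t cap, size_t *used,
                          const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0 || *used >= cap)
        return 0;                        /* no room at all */

    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);

    if (n < 0) {                         /* encoding error: keep buffer terminated */
        buf[*used] = '\0';
        return 0;
    }
    if ((size_t)n >= cap - *used) {      /* truncated: pin the offset at the end */
        *used = cap - 1;
        return 0;
    }
    *used += (size_t)n;
    return 1;
}

/* Constructed consumer (not a libtiff routine): render one "Name = count"
 * line the way a dump tool might, from three separate appends. */
static int format_tag_line(char *out, size_t cap,
                           const char *name, unsigned long count)
{
    size_t used = 0;
    int ok = 1;

    if (cap == 0)
        return 0;
    out[0] = '\0';
    ok &= bounded_append(out, cap, &used, "%s", name);
    ok &= bounded_append(out, cap, &used, " = %lu", count);
    ok &= bounded_append(out, cap, &used, "\n");
    return ok;                           /* 1 = fit, 0 = something was cut */
}

int main(void)
{
    char big[64], small[8];

    printf("fit=%d [%s]", format_tag_line(big, sizeof big, "ImageWidth", 640UL), big);
    printf("fit=%d [%s]\n", format_tag_line(small, sizeof small, "ImageWidth", 640UL), small);
    return 0;
}
```

With the 8-byte buffer the first append already truncates; the two that follow are given a one-byte window, write only the terminator, and report failure instead of scribbling past the array.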
http://www.remotesensing.org/libtiff/v4.0.4beta.html
TIFF CHANGE INFORMATION
Current Version: v4.0.4beta
...
MAJOR CHANGES:
• None
CHANGES IN THE SOFTWARE CONFIGURATION:
• Updated to use Automake 1.15 and Libtool 2.4.5
CHANGES IN LIBTIFF:
• TIFFCheckDirOffset(): avoid uint16 overflow when reading more than
65535 directories, and effectively error out when reaching that
limit.
• TIFFNumberOfDirectories(): generate error in case of directory count
overflow.
• TIFFAdvanceDirectory(): If nextdir is found to be defective, then
set it to zero before returning error in order to terminate
processing of truncated TIFF.
• JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10 markers to avoid
emitting a warning. Fix for compatibility with mozjpeg library.
Note: the default settings of mozjpeg will produce progressive
scans, which is forbidden by the TechNote.
• JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused
all tiles/strips to include quantization tables even when the
jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add
explicit removal of Huffman tables when jpegtablesmode has the
JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be
emitted in the first tile/strip (only useful in update scenarios.
create-only was fine)
• JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL. (#2471)
• NeXT codec: add new tests to check that we don't read outside of the
compressed input stream buffer.
• NeXT codec: check that BitsPerSample = 2. Fixes #2487
(CVE-2014-8129)
• NeXT codec: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
• tif_getimage.c: in OJPEG case, fix checks on strile width/height in
the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
putcontig8bitYCbCr21tile cases.
• in TIFFDefaultDirectory(), reset any already existing extended tags
installed by user code through the extender mechanism before calling
the extender callback (GDAL #5054)
• Fix warnings about unused parameters.
• Fix various typos in comments found by Debian lintian tool (GDAL
#5756)
• tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
(#2235)
• tif_dirread.c: In EstimateStripByteCounts(), check return code of
_TIFFFillStriles(). This solves crashing bug on corrupted images
generated by afl.
• tif_read.c: fix several invalid comparisons of a uint64 value with
<= 0 by casting it to int64 first. This solves crashing bug on
corrupted images generated by afl.
• TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when
writing the directory
• TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if
BitsPerSample has not yet been read, otherwise reading it later will
cause user code to crash if BitsPerSample > 1
• TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3,
or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
• tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
• LZW codec: prevent potential null dereference of sp->dec_codetab in
LZWPreDecode (#2459)
• TIFFReadBufferSetup(): avoid passing -1 size to TIFFmalloc() if
passed user buffer size is 0 (#2459)
• TIFFReadDirEntryOutputErr(): Incorrect count for tag should be a
warning rather than an error since errors terminate processing.
• tif_dirinfo.c (TIFFField): Fix data type for
TIFFTAG_GLOBALPARAMETERSIFD tag.
• Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags
(#2457)
• tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that
weren't large enough, and eliminate substantially all uses of
sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...)
• configure.ac: Improve pkg-config static linking by adding -lm to
Libs.private when needed.
• tif_write.c: tmsize_t related casting warning fixed for 64bit linux.
• tif_read.c: uint64/tmsize_t change for MSVC warnings. (#2427)
• Fix TIFFPrintDirectory's handling of field_passcount fields: it had
the TIFF_VARIABLE and TIFF_VARIABLE2 cases backwards.
• PixarLog codec: Improve previous patch for CVE-2012-4447 (to enlarge
tbuf for possible partial stride at end) so that overflow in the
integer addition is detected.
• tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require
malloc() to return NULL pointer if requested allocation size is
zero. Assure that _TIFFmalloc does.
• tif_zip.c: Avoid crash on NULL error messages.
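Several of the entries above concern walking the IFD chain safely: TIFFCheckDirOffset() keeps the directory count within what a uint16 can hold, TIFFAdvanceDirectory() stops on a defective next-directory offset, and (in the tools section below) tiffdump detects a cycle in the directory chain. The following added example, not libtiff code, walks a constructed little-endian classic-TIFF IFD chain with those three checks in one place: every offset is bounds-checked, visited offsets are remembered so a loop is rejected, and the walk refuses to exceed the uint16 count. count_directories, build_sample and the DIR_* codes are hypothetical names; the 32-byte sample file is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DIR_OK = 0, DIR_TRUNCATED, DIR_CYCLE, DIR_TOO_MANY, DIR_NOMEM };

#define MAX_DIRS 65535u   /* the directory count is kept in a uint16 */

/* Little-endian field access for the constructed sample. */
static unsigned rd16(const unsigned char *p) { return p[0] | ((unsigned)p[1] << 8); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk the IFD chain beginning at `first`.  A classic-TIFF IFD is a uint16
 * entry count, count * 12 bytes of entries, then the uint32 offset of the
 * next IFD (0 ends the chain).  Returns a DIR_* code; *ndirs receives the
 * number of directories visited before the walk stopped. */
static int count_directories(const unsigned char *buf, size_t len,
                             uint32_t first, uint16_t *ndirs)
{
    uint32_t *seen = NULL;              /* offsets already visited */
    size_t nseen = 0, cap = 0, i;
    uint32_t off = first;
    int rc = DIR_OK;

    while (off != 0) {
        unsigned count;
        uint64_t end;
        int looped = 0;

        if (nseen >= MAX_DIRS) { rc = DIR_TOO_MANY; break; }   /* uint16 would overflow */
        for (i = 0; i < nseen; i++)
            if (seen[i] == off) looped = 1;
        if (looped) { rc = DIR_CYCLE; break; }                  /* chain points back on itself */
        if (off > len || len - off < 2) { rc = DIR_TRUNCATED; break; }
        count = rd16(buf + off);
        end = (uint64_t)off + 2 + (uint64_t)count * 12;          /* position of the next-IFD field */
        if (end + 4 > len) { rc = DIR_TRUNCATED; break; }        /* entries or pointer cut off */
        if (nseen == cap) {
            size_t ncap = cap ? cap * 2 : 8;
            uint32_t *tmp = realloc(seen, ncap * sizeof *tmp);
            if (tmp == NULL) { rc = DIR_NOMEM; break; }
            seen = tmp;
            cap = ncap;
        }
        seen[nseen++] = off;
        off = rd32(buf + end);
    }
    *ndirs = (uint16_t)nseen;
    free(seen);
    return rc;
}

/* Constructed sample: a 32-byte little-endian TIFF skeleton with two IFDs.
 * With `cyclic` set, the second IFD's next pointer goes back to the first. */
static size_t build_sample(unsigned char *buf, int cyclic)
{
    memset(buf, 0, 32);
    buf[0] = 'I'; buf[1] = 'I'; buf[2] = 42; buf[3] = 0;   /* "II" + magic 42 */
    wr32(buf + 4, 8);                  /* first IFD at offset 8 */
    wr16(buf + 8, 1);                  /* IFD0: one entry (bytes 10..21 left zero) */
    wr32(buf + 22, 26);                /* IFD0 next -> IFD1 */
    wr16(buf + 26, 0);                 /* IFD1: no entries */
    wr32(buf + 28, cyclic ? 8 : 0);    /* IFD1 next: back to IFD0, or end of chain */
    return 32;
}

int main(void)
{
    unsigned char f[32];
    uint16_t n;
    size_t len = build_sample(f, 1);
    int rc = count_directories(f, len, rd32(f + 4), &n);
    printf("rc=%d (2 = cycle), directories before the loop=%u\n", rc, n);
    return 0;
}
```

Passing a shorter `len` than the file really has simulates a truncated download: the next-IFD field of the second directory then falls outside the buffer and the walk reports DIR_TRUNCATED rather than reading past the end.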
CHANGES IN THE TOOLS:
• tiff2pdf: Fix various crashes and memory buffer access errors
(oCERT-2014-013).
• tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images.
(#2445)
• tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image.
(#2443)
• tiff2pdf: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
• tiff2pdf: fix crash due to invalid tile count.
• tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel
for CIELAB / ITULAB
• tiff2pdf: Assure that memory size calculations for _TIFFmalloc() do
not overflow the range of tmsize_t.
• tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one
channel, with the other two channels set to NULL.
• tiff2pdf: close PDF file. (#2479)
• tiff2pdf: Preserve input file directory order when pages are tagged
with the same page number.
• tiff2pdf.c: terminate after failure of allocating ycbcr buffer
(#2449 CVE-2013-4232)
• tiff2pdf: Rewrite JPEG marker parsing in t2p_process_jpeg_strip to
be at least marginally competent. The approach is still
fundamentally flawed, but at least now it won't stomp all over
memory when given bogus input. Fixes CVE-2013-1960.
• tiffdump: Guard against arithmetic overflow when calculating
allocation buffer sizes.
• tiffdump: fix crash due to overflow of entry count.
• tiffdump: Fix double-free bug.
• tiffdump: detect cycle in TIFF directory chaining. (#2463)
• tiffdump: avoid passing a NULL pointer to read() if seek() failed
before. (#2459)
• tiff2bw: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that. (#2485, CVE-2014-8127)
• pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying.
(#2484, CVE-2014-8127)
• thumbnail: fix out-of-buffer write. (#2489, CVE-2014-8128)
• thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS or
TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4. (#2493, CVE-2014-8128)
• tiffcp: fix crash when converting YCbCr JPEG-compressed to none.
(#2480)
• bmp2tiff: fix crash due to int overflow related to input BMP
dimensions
• tiffcrop: fix crash due to invalid TileWidth/TileHeight
• tiffcrop: fix segfault if bad value passed to -Z option (#2459) and
add missing va_end in dump_info
• thumbnail, tiffcrop: "fix" heap read over-run found with Valgrind
and Address Sanitizer on test suite
• fax2ps: check malloc()/realloc() result. (#2470)
• gif2tiff: apply patch for CVE-2013-4243. (#2451)
• gif2tiff: fix possible OOB write. (#2452, CVE-2013-4244)
• gif2tiff: Be more careful about corrupt or hostile input files
(#2450, CVE-2013-4231)
• tiff2rgba: fix usage message in that zip was wrongly described
• tiffinfo: Default various values fetched with TIFFGetField() to
avoid being uninitialized.
• tiff2ps: Fix bug in auto rotate option code.
• ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564).
check the linebytes calculation too, get the max() calculation
straight, avoid redundant error messages, check for malloc failure.
• tiffset: now supports a -u option to unset a tag. (#2419)
• Fix warnings about unused parameters.
• rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither:
Enlarge some fixed-size buffers that weren't large enough, and
eliminate substantially all uses of sprintf(buf, ...) in favor of
using snprintf(buf, sizeof(buf), ...), so as to protect against
overflow of fixed-size buffers. This responds in particular to
CVE-2013-1961 concerning overflow in tiff2pdf.c's
t2p_write_pdf_page().
• html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
tools/tiffdither.c: Sync tool usage printouts and man pages with
reality
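Many of the fixes listed above (tiffdither's multiplication-overflow check in the 4.0.4 notes, tiff2pdf's requirement that size calculations for _TIFFmalloc() stay within tmsize_t, tiffdump's guard against arithmetic overflow in allocation sizes, the PixarLog patch that detects overflow in the integer addition, and the _TIFFmalloc() rule that a zero-size request returns NULL) are instances of one pattern: compute a buffer size with explicit overflow checks before allocating, and refuse a zero size rather than relying on malloc(0). This added example, not libtiff code, shows that pattern; size_mul, size_add, checked_malloc, strip_buffer_size and alloc_strip are hypothetical names, and the tmsize_t typedef here is a 64-bit signed stand-in for libtiff's own type (an assumption about its width).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int64_t tmsize_t;   /* assumption: 64-bit stand-in for libtiff's signed size type */

/* Multiply two non-negative sizes; return 0 (and leave *out alone) on overflow. */
static int size_mul(tmsize_t a, tmsize_t b, tmsize_t *out)
{
    if (a < 0 || b < 0)
        return 0;
    if (a != 0 && b > INT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Add two non-negative sizes with the same contract. */
static int size_add(tmsize_t a, tmsize_t b, tmsize_t *out)
{
    if (a < 0 || b < 0)
        return 0;
    if (a > INT64_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* Allocation wrapper: a non-positive size is refused outright, because
 * the C standard lets malloc(0) return either NULL or a unique pointer. */
static void *checked_malloc(tmsize_t n)
{
    if (n <= 0)
        return NULL;
    return malloc((size_t)n);
}

/* Size of a strip buffer: width * bytes_per_pixel * height, plus `extra`
 * bytes for a possible partial stride at the end.  Returns -1 if any
 * intermediate result would not fit in tmsize_t. */
static tmsize_t strip_buffer_size(tmsize_t width, tmsize_t height,
                                  tmsize_t bytes_per_pixel, tmsize_t extra)
{
    tmsize_t row, total, with_extra;

    if (!size_mul(width, bytes_per_pixel, &row))
        return -1;
    if (!size_mul(row, height, &total))
        return -1;
    if (!size_add(total, extra, &with_extra))
        return -1;
    return with_extra;
}

/* Only allocate once the size is known to be sane. */
static void *alloc_strip(tmsize_t width, tmsize_t height,
                         tmsize_t bytes_per_pixel, tmsize_t extra)
{
    tmsize_t n = strip_buffer_size(width, height, bytes_per_pixel, extra);
    return n < 0 ? NULL : checked_malloc(n);
}

int main(void)
{
    void *p = alloc_strip(640, 480, 3, 0);            /* sane dimensions */
    void *q = alloc_strip(INT64_MAX / 2, 4, 1, 0);    /* constructed hostile dimensions */
    printf("normal strip: %s, oversized strip: %s\n",
           p ? "allocated" : "refused", q ? "allocated" : "refused");
    free(p);
    free(q);
    return 0;
}
```

Without the checks, the hostile dimensions in main() would wrap to a small positive product, the allocation would succeed, and the later copy into that buffer would write far past its end; with them the request is refused before any memory is touched.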
CHANGES IN THE CONTRIB AREA:
• Fix warnings about variables set but not used.
• contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that
weren't large enough, and eliminate substantially all uses of
sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...),
so as to protect against overflow of fixed-size buffers.
Last updated $Date: 2015-01-26 15:14:45 $.
Change History (3)
comment:1 by , 10 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 10 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
| Summary: | tiff-4.0.4 → tiff-4.0.4 (LibTIFF-4.0.4) |
comment:3 by , 10 years ago
| Description: | modified (diff) |
|---|
Fixed at r16151.