Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6635 closed enhancement (fixed)

tiff-4.0.4 (LibTIFF-4.0.4)

Reported by: Fernando de Oliveira Owned by: Fernando de Oliveira
Priority: high Milestone: 7.8
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

http://download.osgeo.org/libtiff/tiff-4.0.4.tar.gz

http://fossies.org/linux/misc/tiff-4.0.4.tar.gz/tiff-4.0.4/ChangeLog?m=t

Detailed ChangeLog

http://www.remotesensing.org/libtiff/v4.0.4.html

TIFF CHANGE INFORMATION

    Current Version: v4.0.4

...

MAJOR CHANGES:

  • None

CHANGES IN THE SOFTWARE CONFIGURATION:

  • configure.ac / configure
      ◦ Bugzilla Bug #2405: Correct shell equality operator.
      ◦ Bugzilla Bug #2498: Adds an option to select the file I/O style
        on Windows hosts.

CHANGES IN LIBTIFF:

  • tif_dir.c:
      ◦ TIFFNumberOfDirectories: Coverity 1134470 "Logically dead code"
  • tif_dirread.c:
      ◦ TIFFReadDirEntryDoubleArray: Coverity 298626 "Logically dead
        code".
      ◦ TIFFReadDirEntryFloatArray: Coverity 298627 "Logically dead
        code".
      ◦ TIFFReadDirEntryIfd8Array: Coverity 298628 "Logically dead
        code".
      ◦ TIFFReadDirEntrySlong8Array: Coverity 298629 "Logically dead
        code"
  • tif_dirwrite.c
      ◦ _TIFFRewriteField: Coverity 1024310 "Resource leak".
  • tif_jpeg.c
      ◦ JPEGCleanup: Coverity 298624 "Dereference before null check".
      ◦ JPEGDecode: Coverity 602597 "Operands don't affect result".
  • tif_getimage.c
      ◦ Bugzilla Bug #2409: Correct reading of certain tiled TIFFs.
  • tif_luv.c
      ◦ LogLuvDecodeStrip: Coverity 991239 "Division or modulo by zero".
      ◦ LogLuvDecodeTile: Coverity 991227 "Division or modulo by zero".
      ◦ LogLuvEncodeStrip: Coverity 991240 "Division or modulo by zero".
      ◦ LogLuvEncodeTile: Coverity 991241 "Division or modulo by zero".
  • tif_lzw.c
      ◦ Decode files that contain consecutive CODE_CLEAR codes.
  • tif_ojpeg.c
      ◦ OJPEGReadBufferFill: Coverity 603400 "Missing break in switch".
      ◦ OJPEGReadHeaderInfoSecStreamDht: Coverity 601720 "Resource
        leak".
  • tif_read.c
      ◦ TIFFStartTile: Coverity 715973 and 715974 "Division or modulo by
        zero".
  • tif_unix.c
      ◦ Bugzilla Bug #2510: Fix several harmless but still annoying
        warnings.
  • tif_write
      ◦ TIFFWriteEncodedStrip: Coverity 715975 "Division or modulo by
        zero".
      ◦ TIFFWriteEncodedTile: Coverity 715976 and 715977 "Division or
        modulo by zero".
      ◦ TIFFWriteRawStrip: Coverity 715978 "Division or modulo by zero".
      ◦ TIFFWriteScanline: Coverity 715979 "Division or modulo by zero".

CHANGES IN THE TOOLS:

  • bmp2tiff
      ◦ Coverity 1024225 "Untrusted value as argument".
      ◦ Coverity 1024678 "Unchecked return value from library".
      ◦ Coverity 1024679 "Unchecked return value from library".
      ◦ Coverity 1214160 "Ignoring number of bytes read".
  • gif2tiff
      ◦ Coverity 1024222 "Untrusted value as argument".
      ◦ Coverity 1024890 "Ignoring number of bytes read".
      ◦ Coverity 1024891 "Ignoring number of bytes read".
      ◦ Coverity 1024892 "Ignoring number of bytes read".
      ◦ Coverity 1024893 "Ignoring number of bytes read".
      ◦ Coverity 1024894 "Ignoring number of bytes read".
  • ras2tiff
      ◦ Corrected Sun Raster header definition to be safe for 64-bit
        systems. Add some header validations. Fixes many (unspecified)
        Coverity issues.
      ◦ Coverity 1024223 "Untrusted value as argument".
      ◦ Coverity 1301206: "Integer handling issues (BAD_SHIFT)".
  • raw2tiff
      ◦ Coverity 1024887 "Unchecked return value from library".
      ◦ Coverity 1024888 "Unchecked return value from library".
      ◦ Coverity 1024889 "Unchecked return value from library".
      ◦ Coverity 1214162 "Ignoring number of bytes read".
  • tiff2pdf
      ◦ Bugzilla Bug #2078. Suppress initial output of the header.
      ◦ Bugzilla Bug #2150. Change ColorTransform from "0" to "1".
      ◦ Take care in using the return value from snprintf().
      ◦ Coverity 1024181 "Structurally dead code".
      ◦ Coverity 1024181 "Structurally dead code".
      ◦ Coverity 1227690 "Unused value".
      ◦ Coverity 298621 "Resource leak".
  • tiff2ps
      ◦ Correct sizing and scaling problems with output document.
  • tiffcp
      ◦ Coverity 1024306, 1024307, 1024308, 1024309 "Resource leak".
  • tiffcrop
      ◦ Correctly copy the compression tag from the source TIFF.
      ◦ Coverity 1024545 "Division or modulo by zero".
      ◦ Coverity 1024586 "Logically dead code".
      ◦ Coverity 1024796 "Nesting level does not match indentation".
      ◦ Coverity 1024797 "Nesting level does not match indentation".
      ◦ Coverity 1294542 "Logical vs. bitwise operator".
      ◦ Coverity 1299740 "Out-of-bounds write".
      ◦ Coverity 1299741 "Dereference before null check".
  • tiffdither
      ◦ Check memory allocations for failure. Also check multiplication
        overflow. (Fixes #2501, CVE-2014-8128)
  • tiffgt.c
      ◦ Bugzilla Bug #2401. Appropriately call glFlush().
  • tiffmedian
      ◦ Coverity 1024386 "Out-of-bounds read".
      ◦ Coverity 1024386 "Out-of-bounds read".
      ◦ Coverity 1024795 "Nesting level does not match indentation".
      ◦ Coverity 1024795 "Nesting level does not match indentation".
  • tiffsplit
      ◦ Coverity 1024304 "Resource leak".
      ◦ Coverity 1024305 "Resource leak".

CHANGES IN THE CONTRIB AREA:

  • addtiffo
      ◦ Check buffer size calculation for overflow.
      ◦ Coverity 298615 "Resource leak".
      ◦ Coverity 1024649 "Unintended sign extension".
  • iptcutil
      ◦ Coverity 1024468 "Infinite loop".
      ◦ Coverity 1024727 "Truncated stdio return value".
      ◦ Coverity 1214240 "Untrusted loop bound".

Last updated $Date: 2015-06-18 03:08:06 $.

http://www.remotesensing.org/libtiff/v4.0.4beta.html

TIFF CHANGE INFORMATION

    Current Version: v4.0.4beta

...

MAJOR CHANGES:

  • None

CHANGES IN THE SOFTWARE CONFIGURATION:

  • Updated to use Automake 1.15 and Libtool 2.4.5

CHANGES IN LIBTIFF:

  • TIFFCheckDirOffset(): avoid uint16 overflow when reading more than
    65535 directories, and effectively error out when reaching that
    limit.
  • TIFFNumberOfDirectories(): generate error in case of directory count
    overflow.
  • TIFFAdvanceDirectory(): If nextdir is found to be defective, then
    set it to zero before returning error in order to terminate
    processing of truncated TIFF.
  • JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10 markers to avoid
    emitting a warning. Fix for compatibility with mozjpeg library.
    Note: the default settings of mozjpeg will produce progressive
    scans, which is forbidden by the TechNote.
  • JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused
    all tiles/strips to include quantization tables even when the
    jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add
    explicit removal of Huffman tables when jpegtablesmode has the
    JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables being
    emitted in the first tile/strip (only useful in update scenarios;
    create-only was fine).
  • JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on
    corrupted image where tif->tif_dir.td_stripoffset == NULL. (#2471)
  • NeXT codec: add new tests to check that we don't read outside of the
    compressed input stream buffer.
  • NeXT codec: check that BitsPerSample = 2. Fixes #2487
    (CVE-2014-8129)
  • NeXT codec: in the "run mode", use tilewidth for tiled images
    instead of imagewidth to avoid crash
  • tif_getimage.c: in OJPEG case, fix checks on strile width/height in
    the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
    putcontig8bitYCbCr21tile cases.
  • in TIFFDefaultDirectory(), reset any already existing extended tags
    installed by user code through the extender mechanism before calling
    the extender callback (GDAL #5054)
  • Fix warnings about unused parameters.
  • Fix various typos in comments found by Debian lintian tool (GDAL
    #5756)
  • tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
    (#2235)
  • tif_dirread.c: In EstimateStripByteCounts(), check return code of
    _TIFFFillStriles(). This solves crashing bug on corrupted images
    generated by afl.
  • tif_read.c: fix several invalid comparisons of a uint64 value with
    <= 0 by casting it to int64 first. This solves crashing bug on
    corrupted images generated by afl.
  • TIFFSetField(): refuse to set negative values for
    TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when
    writing the directory
  • TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if
    BitsPerSample has not yet been read, otherwise reading it later will
    cause user code to crash if BitsPerSample > 1
  • TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3,
    or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
  • tif_config.vc.h: no longer use "#define snprintf _snprintf" with
    Visual Studio 2015 aka VC 14 aka MSVC 1900
  • LZW codec: prevent potential null dereference of sp->dec_codetab in
    LZWPreDecode (#2459)
  • TIFFReadBufferSetup(): avoid passing -1 size to TIFFmalloc() if
    passed user buffer size is 0 (#2459)
  • TIFFReadDirEntryOutputErr(): Incorrect count for tag should be a
    warning rather than an error since errors terminate processing.
  • tif_dirinfo.c (TIFFField) : Fix data type for
    TIFFTAG_GLOBALPARAMETERSIFD tag.
  • Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags
    (#2457)
  • tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that
    weren't large enough, and eliminate substantially all uses of
    sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...)
  • configure.ac: Improve pkg-config static linking by adding -lm to
    Libs.private when needed.
  • tif_write.c: tmsize_t related casting warning fixed for 64bit linux.
  • tif_read.c: uint64/tmsize_t change for MSVC warnings. (#2427)
  • Fix TIFFPrintDirectory's handling of field_passcount fields: it had
    the TIFF_VARIABLE and TIFF_VARIABLE2 cases backwards.
  • PixarLog codec: Improve previous patch for CVE-2012-4447 (to enlarge
    tbuf for possible partial stride at end) so that overflow in the
    integer addition is detected.
  • tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require
    malloc() to return NULL pointer if requested allocation size is
    zero. Assure that _TIFFmalloc does.
  • tif_zip.c: Avoid crash on NULL error messages.

CHANGES IN THE TOOLS:

  • tiff2pdf: Fix various crashes and memory buffer access errors
    (oCERT-2014-013).
  • tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images.
    (#2445)
  • tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image.
    (#2443)
  • tiff2pdf: check return code of TIFFGetField() when reading
    TIFFTAG_SAMPLESPERPIXEL
  • tiff2pdf: fix crash due to invalid tile count.
  • tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel
    for CIELAB / ITULAB
  • tiff2pdf: Assure that memory size calculations for _TIFFmalloc() do
    not overflow the range of tmsize_t.
  • tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one
    channel, with the other two channels set to NULL.
  • tiff2pdf: close PDF file. (#2479)
  • tiff2pdf: Preserve input file directory order when pages are tagged
    with the same page number.
  • tiff2pdf.c: terminate after failure of allocating ycbcr buffer
    (#2449 CVE-2013-4232)
  • tiff2pdf: Rewrite JPEG marker parsing in t2p_process_jpeg_strip to
    be at least marginally competent. The approach is still
    fundamentally flawed, but at least now it won't stomp all over
    memory when given bogus input. Fixes CVE-2013-1960.
  • tiffdump: Guard against arithmetic overflow when calculating
    allocation buffer sizes.
  • tiffdump: fix crash due to overflow of entry count.
  • tiffdump: Fix double-free bug.
  • tiffdump: detect cycle in TIFF directory chaining. (#2463)
  • tiffdump: avoid passing a NULL pointer to read() if seek() failed
    before. (#2459)
  • tiff2bw: when Photometric=RGB, the utility only works if
    SamplesPerPixel = 3. Enforce that. (#2485, CVE-2014-8127)
  • pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying.
    (#2484, CVE-2014-8127)
  • thumbnail: fix out-of-buffer write. (#2489, CVE-2014-8128)
  • thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS or
    TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
    COMPRESSION_CCITTFAX4. (#2493, CVE-2014-8128)
  • tiffcp: fix crash when converting YCbCr JPEG-compressed to none.
    (#2480)
  • bmp2tiff: fix crash due to int overflow related to input BMP
    dimensions
  • tiffcrop: fix crash due to invalid TileWidth/TileHeight
  • tiffcrop: fix segfault if bad value passed to -Z option (#2459) and
    add missing va_end in dump_info
  • thumbnail, tiffcrop: "fix" heap read over-run found with Valgrind
    and Address Sanitizer on test suite
  • fax2ps: check malloc()/realloc() result. (#2470)
  • gif2tiff: apply patch for CVE-2013-4243. (#2451)
  • gif2tiff: fix possible OOB write. (#2452, CVE-2013-4244)
  • gif2tiff: Be more careful about corrupt or hostile input files
    (#2450, CVE-2013-4231)
  • tiff2rgba: fix usage message in that zip was wrongly described
  • tiffinfo: Default various values fetched with TIFFGetField() to
    avoid being uninitialized.
  • tiff2ps: Fix bug in auto rotate option code.
  • ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564).
    check the linebytes calculation too, get the max() calculation
    straight, avoid redundant error messages, check for malloc failure.
  • tiffset: now supports a -u option to unset a tag. (#2419)
  • Fix warnings about unused parameters.
  • rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither:
    Enlarge some fixed-size buffers that weren't large enough, and
    eliminate substantially all uses of sprintf(buf, ...) in favor of
    using snprintf(buf, sizeof(buf), ...), so as to protect against
    overflow of fixed-size buffers. This responds in particular to
    CVE-2013-1961 concerning overflow in tiff2pdf.c's
    t2p_write_pdf_page().
  • html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
    html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
    man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
    tools/tiffdither.c: Sync tool usage printouts and man pages with
    reality

CHANGES IN THE CONTRIB AREA:

  • Fix warnings about variables set but not used.
  • contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that
    weren't large enough, and eliminate substantially all uses of
    sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...),
    so as to protect against overflow of fixed-size buffers.

Last updated $Date: 2015-01-26 15:14:45 $.
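Two of the fixes listed above, the uint16 directory-count overflow in TIFFCheckDirOffset()/TIFFNumberOfDirectories() and tiffdump's detection of cycles in the directory chain, both come down to bounding the walk over a TIFF file's next-IFD pointers. The following is an added example, not libtiff code, of a minimal walker for little-endian classic TIFF held in memory that applies those bounds to constructed sample files; the function name ifd_count, its error codes and the sample arrays are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TIFF_MAX_DIRS 65535u   /* classic TIFF directory counter is a uint16 */

/* Little-endian readers (this example handles "II" classic TIFF only). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the IFD chain of an in-memory TIFF. Returns the directory count, or:
 * -1 bad header, -2 IFD offset outside the file, -3 IFD truncated,
 * -4 cycle in the chain, -5 more than max_dirs directories. */
int ifd_count(const uint8_t *buf, size_t len, unsigned max_dirs) {
    static uint32_t seen[TIFF_MAX_DIRS];   /* offsets already visited */
    unsigned n = 0;
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return -1;
    if (max_dirs > TIFF_MAX_DIRS) max_dirs = TIFF_MAX_DIRS;
    for (uint32_t off = rd32(buf + 4); off != 0; ) {
        if (n >= max_dirs) return -5;               /* directory count overflow */
        if (off < 8 || off > len - 2) return -2;    /* need room for the entry count */
        for (unsigned i = 0; i < n; i++)
            if (seen[i] == off) return -4;          /* next-IFD pointer loops back */
        seen[n++] = off;
        size_t entries = rd16(buf + off);
        if (entries * 12 + 4 > len - off - 2) return -3;
        off = rd32(buf + off + 2 + entries * 12);   /* next IFD offset; 0 ends the chain */
    }
    return (int)n;
}

/* Constructed sample: header, IFD0 with one ImageWidth=1 entry, IFD1 empty, chain ends. */
static const uint8_t SAMPLE_OK[32] = {
    'I','I',42,0, 8,0,0,0,                         /* header: first IFD at offset 8 */
    1,0, 0,1,3,0, 1,0,0,0, 1,0,0,0, 26,0,0,0,      /* IFD0: 1 entry, next IFD at 26 */
    0,0, 0,0,0,0 };                                /* IFD1: 0 entries, next = 0 */
/* Constructed sample: identical, except IFD1's next pointer loops back to IFD0. */
static const uint8_t SAMPLE_CYCLE[32] = {
    'I','I',42,0, 8,0,0,0,
    1,0, 0,1,3,0, 1,0,0,0, 1,0,0,0, 26,0,0,0,
    0,0, 8,0,0,0 };

int main(void) {
    printf("well-formed: %d\n", ifd_count(SAMPLE_OK, sizeof SAMPLE_OK, TIFF_MAX_DIRS));
    printf("cyclic:      %d\n", ifd_count(SAMPLE_CYCLE, sizeof SAMPLE_CYCLE, TIFF_MAX_DIRS));
    printf("cap of 1:    %d\n", ifd_count(SAMPLE_OK, sizeof SAMPLE_OK, 1));
    return 0;
}
```

The visited-offset scan is quadratic in the worst case, which is acceptable only because the count is already capped at 65535.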

Change History (3)

comment:1 by Fernando de Oliveira, 6 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 6 years ago

Resolution: fixed
Status: assigned → closed
Summary: tiff-4.0.4 → tiff-4.0.4 (LibTIFF-4.0.4)

Fixed at r16151.

comment:3 by Fernando de Oliveira, 6 years ago

Description: modified (diff)