6 | | Too long to reproduce here. |
7 | | |
8 | | Some highlights: |
9 | | |
10 | | http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) |
11 | | |
12 | | http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) |
13 | | |
14 | | http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) |
15 | | |
16 | | * tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451) |
| 10 | TIFF CHANGE INFORMATION |
| 11 | |
| 12 | Current Version: v4.0.4 |
| 13 | |
| 14 | ... |
| 15 | |
| 16 | MAJOR CHANGES: |
| 17 | |
| 18 | • None |
| 19 | |
| 20 | CHANGES IN THE SOFTWARE CONFIGURATION: |
| 21 | |
| 22 | • configure.ac / configure |
| 23 | ◦ Bugzilla Bug #2405: Correct shell equality operator. |
| 24 | ◦ Bugzilla Bug #2498: Adds an option to select the file I/O style |
| 25 | on Windows hosts. |
| 26 | |
| 27 | CHANGES IN LIBTIFF: |
| 28 | |
| 29 | • tif_dir.c: |
| 30 | ◦ TIFFNumberOfDirectories: Coverity 1134470 "Logically dead code" |
| 31 | • tif_dirread.c: |
| 32 | ◦ TIFFReadDirEntryDoubleArray: Coverity 298626 "Logically dead |
| 33 | code". |
| 34 | ◦ TIFFReadDirEntryFloatArray: Coverity 298627 "Logically dead |
| 35 | code". |
| 36 | ◦ TIFFReadDirEntryIfd8Array: Coverity 298628 "Logically dead |
| 37 | code". |
| 38 | ◦ TIFFReadDirEntrySlong8Array: Coverity 298629 "Logically dead |
| 39 | code" |
| 40 | • tif_dirwrite.c |
| 41 | ◦ _TIFFRewriteField: Coverity 1024310 "Resource leak". |
| 42 | • tif_jpeg.c |
| 43 | ◦ JPEGCleanup: Coverity 298624 "Dereference before null check". |
| 44 | ◦ JPEGDecode: Coverity 602597 "Operands don't affect result". |
| 45 | • tif_getimage.c |
| 46 | ◦ Bugzilla Bug #2409: Correct reading of certain tiled TIFFs. |
| 47 | • tif_luv.c |
| 48 | ◦ LogLuvDecodeStrip: Coverity 991239 "Division or modulo by zero". |
| 49 | ◦ LogLuvDecodeTile: Coverity 991227 "Division or modulo by zero". |
| 50 | ◦ LogLuvEncodeStrip: Coverity 991240 "Division or modulo by zero". |
| 51 | ◦ LogLuvEncodeTile: Coverity 991241 "Division or modulo by zero". |
| 52 | • tif_lzw.c |
| 53 | ◦ Decode files that contain consecutive CODE_CLEAR codes. |
| 54 | • tif_ojpeg.c |
| 55 | ◦ OJPEGReadBufferFill: Coverity 603400 "Missing break in switch". |
| 56 | ◦ OJPEGReadHeaderInfoSecStreamDht: Coverity 601720 "Resource |
| 57 | leak". |
| 58 | • tif_read.c |
| 59 | ◦ TIFFStartTile: Coverity 715973 and 715974 "Division or modulo by |
| 60 | zero". |
| 61 | • tif_unix.c |
| 62 | ◦ Bugzilla Bug #2510: Fix several harmless but still annoying |
| 63 | warnings. |
| 64 | • tif_write |
| 65 | ◦ TIFFWriteEncodedStrip: Coverity 715975 "Division or modulo by |
| 66 | zero". |
| 67 | ◦ TIFFWriteEncodedTile: Coverity 715976 and 715977 "Division or |
| 68 | modulo by zero". |
| 69 | ◦ TIFFWriteRawStrip: Coverity 715978 "Division or modulo by zero". |
| 70 | ◦ TIFFWriteScanline: Coverity 715979 "Division or modulo by zero". |
| 71 | |
| 72 | CHANGES IN THE TOOLS: |
| 73 | |
| 74 | • bmp2tiff |
| 75 | ◦ Coverity 1024225 "Untrusted value as argument". |
| 76 | ◦ Coverity 1024678 "Unchecked return value from library". |
| 77 | ◦ Coverity 1024679 "Unchecked return value from library". |
| 78 | ◦ Coverity 1214160 "Ignoring number of bytes read". |
| 79 | • gif2tiff |
| 80 | ◦ Coverity 1024222 "Untrusted value as argument". |
| 81 | ◦ Coverity 1024890 "Ignoring number of bytes read". |
| 82 | ◦ Coverity 1024891 "Ignoring number of bytes read". |
| 83 | ◦ Coverity 1024892 "Ignoring number of bytes read". |
| 84 | ◦ Coverity 1024893 "Ignoring number of bytes read". |
| 85 | ◦ Coverity 1024894 "Ignoring number of bytes read". |
| 86 | • ras2tiff |
| 87 | ◦ Corrected Sun Raster header definition to be safe for 64-bit |
| 88 | systems. Add some header validations. Fixes many (unspecified) |
| 89 | Coverity issues. |
| 90 | ◦ Coverity 1024223 "Untrusted value as argument". |
| 91 | ◦ Coverity 1301206: "Integer handling issues (BAD_SHIFT)". |
| 92 | • raw2tiff |
| 93 | ◦ Coverity 1024887 "Unchecked return value from library". |
| 94 | ◦ Coverity 1024888 "Unchecked return value from library". |
| 95 | ◦ Coverity 1024889 "Unchecked return value from library". |
| 96 | ◦ Coverity 1214162 "Ignoring number of bytes read". |
| 97 | • tiff2pdf |
| 98 | ◦ Bugzilla Bug #2078. Suppress initial output of the header. |
| 99 | ◦ Bugzilla Bug #2150. Change ColorTransform from "0" to "1". |
| 100 | ◦ Take care in using the return value from snprintf(). |
| 101 | ◦ Coverity 1024181 "Structurally dead code". |
| 102 | ◦ Coverity 1024181 "Structurally dead code". |
| 103 | ◦ Coverity 1227690 "Unused value". |
| 104 | ◦ Coverity 298621 "Resource leak". |
| 105 | • tiff2ps |
| 106 | ◦ Correct sizing and scaling problems with output document. |
| 107 | • tiffcp |
| 108 | ◦ Coverity 1024306, 1024307, 1024308, 1024309 "Resource leak". |
| 109 | • tiffcrop |
| 110 | ◦ Correctly copy the compression tag from the source TIFF. |
| 111 | ◦ Coverity 1024545 "Division or modulo by zero". |
| 112 | ◦ Coverity 1024586 "Logically dead code". |
| 113 | ◦ Coverity 1024796 "Nesting level does not match indentation". |
| 114 | ◦ Coverity 1024797 "Nesting level does not match indentation". |
| 115 | ◦ Coverity 1294542 "Logical vs. bitwise operator". |
| 116 | ◦ Coverity 1299740 "Out-of-bounds write". |
| 117 | ◦ Coverity 1299741 "Dereference before null check". |
| 118 | • tiffdither |
| 119 | ◦ Check memory allocations for failure. Also check multiplication |
| 120 | overflow. (Fixes #2501, CVE-2014-8128) |
| 121 | • tiffgt.c |
| 122 | ◦ Bugzilla Bug #2401. Appropriately call glFlush(). |
| 123 | • tiffmedian |
| 124 | ◦ Coverity 1024386 "Out-of-bounds read". |
| 125 | ◦ Coverity 1024386 "Out-of-bounds read". |
| 126 | ◦ Coverity 1024795 "Nesting level does not match indentation". |
| 127 | ◦ Coverity 1024795 "Nesting level does not match indentation". |
| 128 | • tiffsplit |
| 129 | ◦ Coverity 1024304 "Resource leak". |
| 130 | ◦ Coverity 1024305 "Resource leak". |
| 131 | |
| 132 | CHANGES IN THE CONTRIB AREA: |
| 133 | |
| 134 | • addtiffo |
| 135 | ◦ Check buffer size calculation for overflow. |
| 136 | ◦ Coverity 298615 "Resource leak". |
| 137 | ◦ Coverity 1024649 "Unintended sign extension". |
| 138 | • iptcutil |
| 139 | ◦ Coverity 1024468 "Infinite loop". |
| 140 | ◦ Coverity 1024727 "Truncated stdio return value". |
| 141 | ◦ Coverity 1214240 "Untrusted loop bound". |
| 142 | |
| 143 | Last updated $Date: 2015-06-18 03:08:06 $. |
| 144 | }}} |
| 145 | |
| 146 | [http://www.remotesensing.org/libtiff/v4.0.4beta.html] |
| 147 | |
| 148 | {{{ |
| 149 | TIFF CHANGE INFORMATION |
| 150 | |
| 151 | Current Version: v4.0.4beta |
| 152 | |
| 153 | ... |
| 154 | |
| 155 | MAJOR CHANGES: |
| 156 | |
| 157 | • None |
| 158 | |
| 159 | CHANGES IN THE SOFTWARE CONFIGURATION: |
| 160 | |
| 161 | • Updated to use Automake 1.15 and Libtool 2.4.5 |
| 162 | |
| 163 | CHANGES IN LIBTIFF: |
| 164 | |
| 165 | • TIFFCheckDirOffset(): avoid uint16 overflow when reading more than |
| 166 | 65535 directories, and effectively error out when reaching that |
| 167 | limit. |
| 168 | • TIFFNumberOfDirectories(): generate error in case of directory count |
| 169 | overflow. |
| 170 | • TIFFAdvanceDirectory(): If nextdir is found to be defective, then |
| 171 | set it to zero before returning error in order to terminate |
| 172 | processing of truncated TIFF. |
| 173 | • JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10 markers to avoid |
| 174 | emitting a warning. Fix for compatibility with mozjpeg library. |
| 175 | Note: the default settings of mozjpeg will produce progressive |
| 176 | scans, which is forbidden by the TechNote. |
| 177 | • JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused |
| 178 | all tiles/strips to include quantization tables even when the |
| 179 | jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add |
| 180 | explicit removal of Huffman tables when jpegtablesmode has the |
| 181 | JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables being |
| 182 | emitted in the first tile/strip (only useful in update scenarios; |
| 183 | create-only was fine) |
| 184 | • JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on |
| 185 | corrupted image where tif->tif_dir.td_stripoffset == NULL. (#2471) |
| 186 | • NeXT codec: add new tests to check that we don't read outside of the |
| 187 | compressed input stream buffer. |
| 188 | • NeXT codec: check that BitsPerSample = 2. Fixes #2487 |
| 189 | (CVE-2014-8129) |
| 190 | • NeXT codec: in the "run mode", use tilewidth for tiled images |
| 191 | instead of imagewidth to avoid crash |
| 192 | • tif_getimage.c: in OJPEG case, fix checks on strile width/height in |
| 193 | the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and |
| 194 | putcontig8bitYCbCr21tile cases. |
| 195 | • in TIFFDefaultDirectory(), reset any already existing extended tags |
| 196 | installed by user code through the extender mechanism before calling |
| 197 | the extender callback (GDAL #5054) |
| 198 | • Fix warnings about unused parameters. |
| 199 | • Fix various typos in comments found by Debian lintian tool (GDAL |
| 200 | #5756) |
| 201 | • tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling. |
| 202 | (#2235) |
| 203 | • tif_dirread.c: In EstimateStripByteCounts(), check return code of |
| 204 | _TIFFFillStriles(). This solves a crashing bug on corrupted images |
| 205 | generated by afl. |
| 206 | • tif_read.c: fix several invalid comparisons of a uint64 value with |
| 207 | <= 0 by casting it to int64 first. This solves a crashing bug on |
| 208 | corrupted images generated by afl. |
| 209 | • TIFFSetField(): refuse to set negative values for |
| 210 | TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when |
| 211 | writing the directory |
| 212 | • TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if |
| 213 | BitsPerSample has not yet been read, otherwise reading it later will |
| 214 | cause user code to crash if BitsPerSample > 1 |
| 215 | • TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, |
| 216 | or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 |
| 217 | • tif_config.vc.h: no longer use "#define snprintf _snprintf" with |
| 218 | Visual Studio 2015 aka VC 14 aka MSVC 1900 |
| 219 | • LZW codec: prevent potential null dereference of sp->dec_codetab in |
| 220 | LZWPreDecode (#2459) |
| 221 | • TIFFReadBufferSetup(): avoid passing -1 size to TIFFmalloc() if |
| 222 | passed user buffer size is 0 (#2459) |
| 223 | • TIFFReadDirEntryOutputErr(): Incorrect count for tag should be a |
| 224 | warning rather than an error since errors terminate processing. |
| 225 | • tif_dirinfo.c (TIFFField) : Fix data type for |
| 226 | TIFFTAG_GLOBALPARAMETERSIFD tag. |
| 227 | • Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags |
| 228 | (#2457) |
| 229 | • tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that |
| 230 | weren't large enough, and eliminate substantially all uses of |
| 231 | sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...) |
| 232 | • configure.ac: Improve pkg-config static linking by adding -lm to |
| 233 | Libs.private when needed. |
| 234 | • tif_write.c: tmsize_t related casting warning fixed for 64bit linux. |
| 235 | • tif_read.c: uint64/tmsize_t change for MSVC warnings. (#2427) |
| 236 | • Fix TIFFPrintDirectory's handling of field_passcount fields: it had |
| 237 | the TIFF_VARIABLE and TIFF_VARIABLE2 cases backwards. |
| 238 | • PixarLog codec: Improve previous patch for CVE-2012-4447 (to enlarge |
| 239 | tbuf for possible partial stride at end) so that overflow in the |
| 240 | integer addition is detected. |
| 241 | • tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require |
| 242 | malloc() to return NULL pointer if requested allocation size is |
| 243 | zero. Assure that _TIFFmalloc does. |
| 244 | • tif_zip.c: Avoid crash on NULL error messages. |
| 245 | |
| 246 | CHANGES IN THE TOOLS: |
| 247 | |
| 248 | • tiff2pdf: Fix various crashes and memory buffer access errors |
| 249 | (oCERT-2014-013). |
| 250 | • tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images. |
| 251 | (#2445) |
| 252 | • tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image. |
| 253 | (#2443) |
| 254 | • tiff2pdf: check return code of TIFFGetField() when reading |
| 255 | TIFFTAG_SAMPLESPERPIXEL |
| 256 | • tiff2pdf: fix crash due to invalid tile count. |
| 257 | • tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel |
| 258 | for CIELAB / ITULAB |
| 259 | • tiff2pdf: Assure that memory size calculations for _TIFFmalloc() do |
| 260 | not overflow the range of tmsize_t. |
| 261 | • tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one |
| 262 | channel, with the other two channels set to NULL. |
| 263 | • tiff2pdf: close PDF file. (#2479) |
| 264 | • tiff2pdf: Preserve input file directory order when pages are tagged |
| 265 | with the same page number. |
| 266 | • tiff2pdf.c: terminate after failure of allocating ycbcr buffer |
| 267 | (#2449 CVE-2013-4232) |
| 268 | • tiff2pdf: Rewrite JPEG marker parsing in t2p_process_jpeg_strip to |
| 269 | be at least marginally competent. The approach is still |
| 270 | fundamentally flawed, but at least now it won't stomp all over |
| 271 | memory when given bogus input. Fixes CVE-2013-1960. |
| 272 | • tiffdump: Guard against arithmetic overflow when calculating |
| 273 | allocation buffer sizes. |
| 274 | • tiffdump: fix crash due to overflow of entry count. |
| 275 | • tiffdump: Fix double-free bug. |
| 276 | • tiffdump: detect cycle in TIFF directory chaining. (#2463) |
| 277 | • tiffdump: avoid passing a NULL pointer to read() if seek() failed |
| 278 | before. (#2459) |
| 279 | • tiff2bw: when Photometric=RGB, the utility only works if |
| 280 | SamplesPerPixel = 3. Enforce that. (#2485, CVE-2014-8127) |
| 281 | • pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying. |
| 282 | (#2484, CVE-2014-8127) |
| 283 | • thumbnail: fix out-of-buffer write. (#2489, CVE-2014-8128) |
| 284 | • thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS or |
| 285 | TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or |
| 286 | COMPRESSION_CCITTFAX4. (#2493, CVE-2014-8128) |
| 287 | • tiffcp: fix crash when converting YCbCr JPEG-compressed to none. |
| 288 | (#2480) |
| 289 | • bmp2tiff: fix crash due to int overflow related to input BMP |
| 290 | dimensions |
| 291 | • tiffcrop: fix crash due to invalid TileWidth/TileHeight |
| 292 | • tiffcrop: fix segfault if bad value passed to -Z option (#2459) and |
| 293 | add missing va_end in dump_info |
| 294 | • thumbnail, tiffcrop: "fix" heap read over-run found with Valgrind |
| 295 | and Address Sanitizer on test suite |
| 296 | • fax2ps: check malloc()/realloc() result. (#2470) |
| 297 | • gif2tiff: apply patch for CVE-2013-4243. (#2451) |
| 298 | • gif2tiff: fix possible OOB write. (#2452, CVE-2013-4244) |
| 299 | • gif2tiff: Be more careful about corrupt or hostile input files |
| 300 | (#2450, CVE-2013-4231) |
| 301 | • tiff2rgba: fix usage message in that zip was wrongly described |
| 302 | • tiffinfo: Default various values fetched with TIFFGetField() to |
| 303 | avoid being uninitialized. |
| 304 | • tiff2ps: Fix bug in auto rotate option code. |
| 305 | • ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564). |
| 306 | Check the linebytes calculation too, get the max() calculation |
| 307 | straight, avoid redundant error messages, check for malloc failure. |
| 308 | • tiffset: now supports a -u option to unset a tag. (#2419) |
| 309 | • Fix warnings about unused parameters. |
| 310 | • rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither : |
| 311 | Enlarge some fixed-size buffers that weren't large enough, and |
| 312 | eliminate substantially all uses of sprintf(buf, ...) in favor of |
| 313 | using snprintf(buf, sizeof(buf), ...), so as to protect against |
| 314 | overflow of fixed-size buffers. This responds in particular to |
| 315 | CVE-2013-1961 concerning overflow in tiff2pdf.c's |
| 316 | t2p_write_pdf_page(). |
| 317 | • html/man/tiff2ps.1.html, html/man/tiffcp.1.html, |
| 318 | html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1, |
| 319 | man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c, |
| 320 | tools/tiffdither.c: Sync tool usage printouts and man pages with |
| 321 | reality |
| 322 | |
| 323 | CHANGES IN THE CONTRIB AREA: |
| 324 | |
| 325 | • Fix warnings about variables set but not used. |
| 326 | • contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that |
| 327 | weren't large enough, and eliminate substantially all uses of |
| 328 | sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...), |
| 329 | so as to protect against overflow of fixed-size buffers. |
| 330 | |
| 331 | Last updated $Date: 2015-01-26 15:14:45 $. |
| 332 | }}} |
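Several of the quoted entries describe the same defensive pattern: the tiffdither item in the v4.0.4 notes ("check multiplication overflow"), and in the v4.0.4beta notes the tiff2pdf item ("memory size calculations for _TIFFmalloc() do not overflow the range of tmsize_t"), the tiffdump item ("guard against arithmetic overflow when calculating allocation buffer sizes"), the PixarLog item (detect overflow in the integer addition that enlarges tbuf) and the _TIFFmalloc item (return NULL for a zero-size request). The following is an added example, not code from libtiff or from this ticket, showing how those checks fit together; `my_tmsize_t`, `image_buffer_size`, `padded_buffer_size`, `my_tiff_malloc` and `alloc_image_buffer` are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for libtiff's tmsize_t (a signed size type): an allocation size
 * must fit its positive range, so a product that wraps or exceeds it is an
 * error. Hypothetical names; this is not libtiff's own code. */
typedef int64_t my_tmsize_t;
#define MY_TMSIZE_MAX INT64_MAX

/* Multiply two unsigned sizes; return 1 and store the product, or 0 on overflow. */
static int checked_mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;           /* a * b would wrap around */
    *out = a * b;
    return 1;
}

/* Size of a pixel buffer (width * bytes_per_pixel * height), or -1 when the
 * result would overflow uint64 or the signed tmsize_t range. Dimensions come
 * straight from file headers, so none of the three factors is trusted. */
my_tmsize_t image_buffer_size(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel)
{
    uint64_t rowbytes, total;
    if (!checked_mul_u64(width, bytes_per_pixel, &rowbytes))
        return -1;
    if (!checked_mul_u64(rowbytes, height, &total))
        return -1;
    if (total > (uint64_t)MY_TMSIZE_MAX)
        return -1;          /* fits in 64 unsigned bits but not in tmsize_t */
    return (my_tmsize_t)total;
}

/* Buffer size plus an extra partial stride: the addition itself must be
 * checked, otherwise a huge base plus a small extra wraps to a small
 * allocation that the later copy overruns. Returns -1 on overflow. */
my_tmsize_t padded_buffer_size(my_tmsize_t base, my_tmsize_t extra)
{
    if (base < 0 || extra < 0)
        return -1;          /* propagate an earlier failure */
    if (base > MY_TMSIZE_MAX - extra)
        return -1;          /* base + extra would overflow the signed type */
    return base + extra;
}

/* Allocator that always returns NULL for a zero or negative size. ANSI C
 * lets malloc(0) return either NULL or a unique pointer, so a caller that
 * treats "non-NULL" as "usable" can end up writing into a zero-byte block. */
void *my_tiff_malloc(my_tmsize_t s)
{
    if (s <= 0)
        return NULL;
    return malloc((size_t)s);
}

/* Allocate a pixel buffer only after every size check passes; NULL otherwise.
 * A NULL here is an error for the caller to report, not a crash. */
void *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t bpp,
                         my_tmsize_t extra)
{
    my_tmsize_t sz = padded_buffer_size(image_buffer_size(width, height, bpp), extra);
    return my_tiff_malloc(sz);
}
```

The two-stage check matters: a product can fit in 64 unsigned bits yet exceed the signed `tmsize_t` range, which is why `image_buffer_size` compares against `MY_TMSIZE_MAX` after the multiplication checks rather than relying on the cast.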
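Three v4.0.4beta entries concern walking the chain of IFDs (TIFF directories): TIFFCheckDirOffset() must not let a uint16 directory counter wrap past 65535, TIFFAdvanceDirectory() must stop on a defective next-directory offset rather than keep processing a truncated file, and tiffdump must detect a cycle in the directory chain. The following is an added example, not libtiff's implementation, of a chain walker that applies all three checks to a little-endian classic TIFF held in memory; `count_directories`, the `DIR_ERR_*` codes and the three `SAMPLE_*` buffers are constructed for this example and are not taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* libtiff reports directory counts as uint16; once this many directories
 * have been seen, one more cannot be counted without wrapping to zero. */
#define MAX_DIRECTORIES 65535u

/* Little-endian field readers for the classic (32-bit offset) TIFF layout. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Result codes returned by count_directories() when the chain is unusable. */
enum {
    DIR_ERR_HEADER    = -1,  /* not a little-endian classic TIFF header */
    DIR_ERR_TRUNCATED = -2,  /* an IFD offset or its entries lie outside the buffer */
    DIR_ERR_CYCLE     = -3,  /* an IFD offset was already visited */
    DIR_ERR_TOO_MANY  = -4,  /* more than MAX_DIRECTORIES IFDs */
    DIR_ERR_NOMEM     = -5   /* could not allocate the visited-offset list */
};

/* Walk the IFD chain and return the number of directories, or a DIR_ERR_*
 * code. Every offset is bounds-checked before it is dereferenced, every
 * offset seen so far is remembered so a loop is reported instead of followed
 * forever, and counting stops at the uint16 limit instead of wrapping. */
int count_directories(const unsigned char *buf, size_t len)
{
    uint32_t *seen;
    uint32_t off;
    unsigned ndirs = 0;
    int result = 0;

    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42)
        return DIR_ERR_HEADER;

    seen = malloc(sizeof(uint32_t) * MAX_DIRECTORIES);
    if (seen == NULL)
        return DIR_ERR_NOMEM;

    off = rd32(buf + 4);                 /* offset of the first IFD */
    while (off != 0) {                   /* a zero next-offset ends the chain */
        unsigned i;
        uint16_t nentries;
        size_t ifd_bytes;

        /* Need room for at least the 2-byte entry count at this offset. */
        if (off > len || len - off < 2) { result = DIR_ERR_TRUNCATED; break; }

        for (i = 0; i < ndirs; i++)      /* have we been here before? */
            if (seen[i] == off) { result = DIR_ERR_CYCLE; break; }
        if (result != 0)
            break;

        if (ndirs == MAX_DIRECTORIES) { result = DIR_ERR_TOO_MANY; break; }
        seen[ndirs++] = off;

        nentries  = rd16(buf + off);
        ifd_bytes = 2 + (size_t)nentries * 12 + 4;   /* count + entries + next */
        if (len - off < ifd_bytes) { result = DIR_ERR_TRUNCATED; break; }

        off = rd32(buf + off + ifd_bytes - 4);       /* follow the next pointer */
    }
    free(seen);
    return result == 0 ? (int)ndirs : result;
}

/* Constructed sample files (not from any real TIFF): an 8-byte header, then
 * empty IFDs carrying only an entry count of 0 and a next-IFD offset. */
static const unsigned char SAMPLE_TWO_IFDS[] = {
    'I','I', 42,0, 8,0,0,0,       /* header: first IFD at offset 8 */
    0,0, 14,0,0,0,                /* IFD @8: 0 entries, next IFD at 14 */
    0,0, 0,0,0,0                  /* IFD @14: 0 entries, end of chain */
};
static const unsigned char SAMPLE_CYCLE[] = {
    'I','I', 42,0, 8,0,0,0,
    0,0, 14,0,0,0,                /* IFD @8 -> 14 */
    0,0, 8,0,0,0                  /* IFD @14 -> 8 again: a loop */
};
static const unsigned char SAMPLE_TRUNCATED[] = {
    'I','I', 42,0, 8,0,0,0,
    0,0, 100,0,0,0                /* IFD @8 -> 100, past the end of the file */
};

int demo_two_ifds(void)  { return count_directories(SAMPLE_TWO_IFDS, sizeof SAMPLE_TWO_IFDS); }
int demo_cycle(void)     { return count_directories(SAMPLE_CYCLE, sizeof SAMPLE_CYCLE); }
int demo_truncated(void) { return count_directories(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }
```

The visited-offset list is a linear scan, which is adequate because the list is capped at 65535 entries; the point is that a malformed chain yields a definite error code, never an endless loop or a read past the end of the buffer.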