| 6 | | Too long to reproduce here. |
| 7 | | |
| 8 | | Some highlights: |
| 9 | | |
| 10 | | http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127) |
| 11 | | |
| 12 | | http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128) |
| 13 | | |
| 14 | | http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129) |
| 15 | | |
| 16 | | * tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451) |
| | 10 | TIFF CHANGE INFORMATION |
| | 11 | |
| | 12 | Current Version: v4.0.4 |
| | 13 | |
| | 14 | ... |
| | 15 | |
| | 16 | MAJOR CHANGES: |
| | 17 | |
| | 18 | • None |
| | 19 | |
| | 20 | CHANGES IN THE SOFTWARE CONFIGURATION: |
| | 21 | |
| | 22 | • configure.ac / configure |
| | 23 | ◦ Bugzilla Bug #2405: Correct shell equality operator. |
| | 24 | ◦ Bugzilla Bug #2498: Adds an option to select the file I/O style |
| | 25 | on Windows hosts. |
| | 26 | |
| | 27 | CHANGES IN LIBTIFF: |
| | 28 | |
| | 29 | • tif_dir.c: |
| | 30 | ◦ TIFFNumberOfDirectories: Coverity 1134470 "Logically dead code" |
| | 31 | • tif_dirread.c: |
| | 32 | ◦ TIFFReadDirEntryDoubleArray: Coverity 298626 "Logically dead |
| | 33 | code". |
| | 34 | ◦ TIFFReadDirEntryFloatArray: Coverity 298627 "Logically dead |
| | 35 | code". |
| | 36 | ◦ TIFFReadDirEntryIfd8Array: Coverity 298628 "Logically dead |
| | 37 | code". |
| | 38 | ◦ TIFFReadDirEntrySlong8Array: Coverity 298629 "Logically dead |
| | 39 | code" |
| | 40 | • tif_dirwrite.c |
| | 41 | ◦ _TIFFRewriteField: Coverity 1024310 "Resource leak". |
| | 42 | • tif_jpeg.c |
| | 43 | ◦ JPEGCleanup: Coverity 298624 "Dereference before null check". |
| | 44 | ◦ JPEGDecode: Coverity 602597 "Operands don't affect result". |
| | 45 | • tif_getimage.c |
| | 46 | ◦ Bugzilla Bug #2409: Correct reading of certain tiled TIFFs. |
| | 47 | • tif_luv.c |
| | 48 | ◦ LogLuvDecodeStrip: Coverity 991239 "Division or modulo by zero". |
| | 49 | ◦ LogLuvDecodeTile: Coverity 991227 "Division or modulo by zero". |
| | 50 | ◦ LogLuvEncodeStrip: Coverity 991240 "Division or modulo by zero". |
| | 51 | ◦ LogLuvEncodeTile: Coverity 991241 "Division or modulo by zero". |
| | 52 | • tif_lzw.c |
| | 53 | ◦ Decode files that contain consecutive CODE_CLEAR codes. |
| | 54 | • tif_ojpeg.c |
| | 55 | ◦ OJPEGReadBufferFill: Coverity 603400 "Missing break in switch". |
| | 56 | ◦ OJPEGReadHeaderInfoSecStreamDht: Coverity 601720 "Resource |
| | 57 | leak". |
| | 58 | • tif_read.c |
| | 59 | ◦ TIFFStartTile: Coverity 715973 and 715974 "Division or modulo by |
| | 60 | zero". |
| | 61 | • tif_unix.c |
| | 62 | ◦ Bugzilla Bug #2510: Fix several harmless but still annoying |
| | 63 | warnings. |
| | 64 | • tif_write |
| | 65 | ◦ TIFFWriteEncodedStrip: Coverity 715975 "Division or modulo by |
| | 66 | zero". |
| | 67 | ◦ TIFFWriteEncodedTile: Coverity 715976 and 715977 "Division or |
| | 68 | modulo by zero". |
| | 69 | ◦ TIFFWriteRawStrip: Coverity 715978 "Division or modulo by zero". |
| | 70 | ◦ TIFFWriteScanline: Coverity 715979 "Division or modulo by zero". |
| | 71 | |
| | 72 | CHANGES IN THE TOOLS: |
| | 73 | |
| | 74 | • bmp2tiff |
| | 75 | ◦ Coverity 1024225 "Untrusted value as argument". |
| | 76 | ◦ Coverity 1024678 "Unchecked return value from library". |
| | 77 | ◦ Coverity 1024679 "Unchecked return value from library". |
| | 78 | ◦ Coverity 1214160 "Ignoring number of bytes read". |
| | 79 | • gif2tiff |
| | 80 | ◦ Coverity 1024222 "Untrusted value as argument". |
| | 81 | ◦ Coverity 1024890 "Ignoring number of bytes read". |
| | 82 | ◦ Coverity 1024891 "Ignoring number of bytes read". |
| | 83 | ◦ Coverity 1024892 "Ignoring number of bytes read". |
| | 84 | ◦ Coverity 1024893 "Ignoring number of bytes read". |
| | 85 | ◦ Coverity 1024894 "Ignoring number of bytes read". |
| | 86 | • ras2tiff |
| | 87 | ◦ Corrected Sun Raster header definition to be safe for 64-bit |
| | 88 | systems. Add some header validations. Fixes many (unspecified) |
| | 89 | Coverity issues. |
| | 90 | ◦ Coverity 1024223 "Untrusted value as argument". |
| | 91 | ◦ Coverity 1301206: "Integer handling issues (BAD_SHIFT)". |
| | 92 | • raw2tiff |
| | 93 | ◦ Coverity 1024887 "Unchecked return value from library". |
| | 94 | ◦ Coverity 1024888 "Unchecked return value from library". |
| | 95 | ◦ Coverity 1024889 "Unchecked return value from library". |
| | 96 | ◦ Coverity 1214162 "Ignoring number of bytes read". |
| | 97 | • tiff2pdf |
| | 98 | ◦ Bugzilla Bug #2078. Suppress initial output of the header. |
| | 99 | ◦ Bugzilla Bug #2150. Change ColorTransform from "0" to "1". |
| | 100 | ◦ Take care in using the return value from snprintf(). |
| | 101 | ◦ Coverity 1024181 "Structurally dead code". |
| | 102 | ◦ Coverity 1024181 "Structurally dead code". |
| | 103 | ◦ Coverity 1227690 "Unused value". |
| | 104 | ◦ Coverity 298621 "Resource leak". |
| | 105 | • tiff2ps |
| | 106 | ◦ Correct sizing and scaling problems with output document. |
| | 107 | • tiffcp |
| | 108 | ◦ Coverity 1024306, 1024307, 1024308, 1024309 "Resource leak". |
| | 109 | • tiffcrop |
| | 110 | ◦ Correctly copy the compression tag from the source TIFF. |
| | 111 | ◦ Coverity 1024545 "Division or modulo by zero". |
| | 112 | ◦ Coverity 1024586 "Logically dead code". |
| | 113 | ◦ Coverity 1024796 "Nesting level does not match indentation". |
| | 114 | ◦ Coverity 1024797 "Nesting level does not match indentation". |
| | 115 | ◦ Coverity 1294542 "Logical vs. bitwise operator". |
| | 116 | ◦ Coverity 1299740 "Out-of-bounds write". |
| | 117 | ◦ Coverity 1299741 "Dereference before null check". |
| | 118 | • tiffdither |
| | 119 | ◦ Check memory allocations for failure. Also check multiplication |
| | 120 | overflow. (Fixes #2501, CVE-2014-8128) |
| | 121 | • tiffgt.c |
| | 122 | ◦ Bugzilla Bug #2401. Appropriately call glFlush(). |
| | 123 | • tiffmedian |
| | 124 | ◦ Coverity 1024386 "Out-of-bounds read". |
| | 125 | ◦ Coverity 1024386 "Out-of-bounds read". |
| | 126 | ◦ Coverity 1024795 "Nesting level does not match indentation". |
| | 127 | ◦ Coverity 1024795 "Nesting level does not match indentation". |
| | 128 | • tiffsplit |
| | 129 | ◦ Coverity 1024304 "Resource leak". |
| | 130 | ◦ Coverity 1024305 "Resource leak". |
| | 131 | |
| | 132 | CHANGES IN THE CONTRIB AREA: |
| | 133 | |
| | 134 | • addtiffo |
| | 135 | ◦ Check buffer size calculation for overflow. |
| | 136 | ◦ Coverity 298615 "Resource leak". |
| | 137 | ◦ Coverity 1024649 "Unintended sign extension". |
| | 138 | • iptcutil |
| | 139 | ◦ Coverity 1024468 "Infinite loop". |
| | 140 | ◦ Coverity 1024727 "Truncated stdio return value". |
| | 141 | ◦ Coverity 1214240 "Untrusted loop bound". |
| | 142 | |
| | 143 | Last updated $Date: 2015-06-18 03:08:06 $. |
| | 144 | }}} |
| | 145 | |
| | 146 | [http://www.remotesensing.org/libtiff/v4.0.4beta.html] |
| | 147 | |
| | 148 | {{{ |
| | 149 | TIFF CHANGE INFORMATION |
| | 150 | |
| | 151 | Current Version: v4.0.4beta |
| | 152 | |
| | 153 | ... |
| | 154 | |
| | 155 | MAJOR CHANGES: |
| | 156 | |
| | 157 | • None |
| | 158 | |
| | 159 | CHANGES IN THE SOFTWARE CONFIGURATION: |
| | 160 | |
| | 161 | • Updated to use Automake 1.15 and Libtool 2.4.5 |
| | 162 | |
| | 163 | CHANGES IN LIBTIFF: |
| | 164 | |
| | 165 | • TIFFCheckDirOffset(): avoid uint16 overflow when reading more than |
| | 166 | 65535 directories, and effectively error out when eaching that |
| | 167 | limit. |
| | 168 | • TIFFNumberOfDirectories(): generate error in case of directory count |
| | 169 | overflow. |
| | 170 | • TIFFAdvanceDirectory(): If nextdir is found to be defective, then |
| | 171 | set it to zero before returning error in order to terminate |
| | 172 | processing of truncated TIFF. |
| | 173 | • JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10 markers to avoid |
| | 174 | emitting a warning. Fix for compatibility with mozjpeg library. |
| | 175 | Note: the default settings of mozjpeg will produce progressive |
| | 176 | scans, which is forbidden by the TechNote. |
| | 177 | • JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused |
| | 178 | all tiles/strips to include quantization tables even when the |
| | 179 | jpegtablesmode had the JPEGTABLESMODE_QUANT bit set. Also add |
| | 180 | explicit removal of Huffman tables when jpegtablesmode has the |
| | 181 | JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be |
| | 182 | emitted in the first tile/strip (only useful in update scenarios. |
| | 183 | create-only was fine) |
| | 184 | • JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on |
| | 185 | corrupted image where tif->tif_dir.td_stripoffset == NULL. (#2471) |
| | 186 | • NeXT codec: add new tests to check that we don't read outside of the |
| | 187 | compressed input stream buffer. |
| | 188 | • NeXT codec: check that BitsPerSample = 2. Fixes #2487 |
| | 189 | (CVE-2014-8129) |
| | 190 | • NeXT codec: in the "run mode", use tilewidth for tiled images |
| | 191 | instead of imagewidth to avoid crash |
| | 192 | • tif_getimage.c: in OJPEG case, fix checks on strile width/height in |
| | 193 | the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and |
| | 194 | putcontig8bitYCbCr21tile cases. |
| | 195 | • in TIFFDefaultDirectory(), reset any already existing extented tags |
| | 196 | installed by user code through the extender mechaninm before calling |
| | 197 | the extender callback (GDAL #5054) |
| | 198 | • Fix warnings about unused parameters. |
| | 199 | • Fix various typos in comments found by Debian lintian tool (GDAL |
| | 200 | #5756) |
| | 201 | • tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling. |
| | 202 | (#2235) |
| | 203 | • tif_dirread.c: In EstimateStripByteCounts(), check return code of |
| | 204 | _TIFFFillStriles(). This solves crashing bug on corrupted images |
| | 205 | generated by afl. |
| | 206 | • tif_read.c: fix several invalid comparisons of a uint64 value with |
| | 207 | <= 0 by casting it to int64 first. This solves crashing bug on |
| | 208 | corrupted images generated by afl. |
| | 209 | • TIFFSetField(): refuse to set negative values for |
| | 210 | TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when |
| | 211 | writing the directory |
| | 212 | • TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if |
| | 213 | BitsPerSample has not yet been read, otherwise reading it later will |
| | 214 | cause user code to crash if BitsPerSample > 1 |
| | 215 | • TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, |
| | 216 | or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8 |
| | 217 | • tif_config.vc.h: no longer use "#define snprintf _snprintf" with |
| | 218 | Visual Studio 2015 aka VC 14 aka MSVC 1900 |
| | 219 | • LZW codec: prevent potential null dereference of sp->dec_codetab in |
| | 220 | LZWPreDecode (#2459) |
| | 221 | • TIFFReadBufferSetup(): avoid passing -1 size to TIFFmalloc() if |
| | 222 | passed user buffer size is 0 (#2459) |
| | 223 | • TIFFReadDirEntryOutputErr(): Incorrect count for tag should be a |
| | 224 | warning rather than an error since errors terminate processing. |
| | 225 | • tif_dirinfo.c (TIFFField) : Fix data type for |
| | 226 | TIFFTAG_GLOBALPARAMETERSIFD tag. |
| | 227 | • Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags |
| | 228 | (#2457) |
| | 229 | • tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that |
| | 230 | weren't large enough, and eliminate substantially all uses of |
| | 231 | sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...) |
| | 232 | • configure.ac: Improve pkg-config static linking by adding -lm to |
| | 233 | Libs.private when needed. |
| | 234 | • tif_write.c: tmsize_t related casting warning fixed for 64bit linux. |
| | 235 | • tif_read.c: uint64/tmsize_t change for MSVC warnings. (#2427) |
| | 236 | • Fix TIFFPrintDirectory's handling of field_passcount fields: it had |
| | 237 | the TIFF_VARIABLE and TIFF_VARIABLE2 cases backwards. |
| | 238 | • PixarLog codec: Improve previous patch for CVE-2012-4447 (to enlarge |
| | 239 | tbuf for possible partial stride at end) so that overflow in the |
| | 240 | integer addition is detected. |
| | 241 | • tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not require |
| | 242 | malloc() to return NULL pointer if requested allocation size is |
| | 243 | zero. Assure that _TIFFmalloc does. |
| | 244 | • tif_zip.c: Avoid crash on NULL error messages. |
| | 245 | |
| | 246 | CHANGES IN THE TOOLS: |
| | 247 | |
| | 248 | • tiff2pdf: Fis various crashes and memory buffer access errors |
| | 249 | (oCERT-2014-013). |
| | 250 | • tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images. |
| | 251 | (#2445) |
| | 252 | • tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image. |
| | 253 | (#2443) |
| | 254 | • tiff2pdf: check return code of TIFFGetField() when reading |
| | 255 | TIFFTAG_SAMPLESPERPIXEL |
| | 256 | • tiff2pdf: fix crash due to invalid tile count. |
| | 257 | • tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel |
| | 258 | for CIELAB / ITULAB |
| | 259 | • tiff2pdf: Assure that memory size calculations for _TIFFmalloc() do |
| | 260 | not overflow the range of tmsize_t. |
| | 261 | • tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one |
| | 262 | channel, with the other two channels set to NULL. |
| | 263 | • tiff2pdf: close PDF file. (#2479) |
| | 264 | • tiff2pdf: Preserve input file directory order when pages are tagged |
| | 265 | with the same page number. |
| | 266 | • tiff2pdf.c: terminate after failure of allocating ycbcr buffer |
| | 267 | (#2449 CVE-2013-4232) |
| | 268 | • tiff2pdf: Rewrite JPEG marker parsing in t2p_process_jpeg_strip to |
| | 269 | be at least marginally competent. The approach is still |
| | 270 | fundamentally flawed, but at least now it won't stomp all over |
| | 271 | memory when given bogus input. Fixes CVE-2013-1960. |
| | 272 | • tiffdump: Guard against arithmetic overflow when calculating |
| | 273 | allocation buffer sizes. |
| | 274 | • tiffdump: fix crash due to overflow of entry count. |
| | 275 | • tiffdump: Fix double-free bug. |
| | 276 | • tiffdump: detect cycle in TIFF directory chaining. (#2463) |
| | 277 | • tiffdump: avoid passing a NULL pointer to read() if seek() failed |
| | 278 | before. (#2459) |
| | 279 | • tiff2bw: when Photometric=RGB, the utility only works if |
| | 280 | SamplesPerPixel = 3. Enforce that. (#2485, CVE-2014-8127) |
| | 281 | • pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying. |
| | 282 | (#2484, CVE-2014-8127) |
| | 283 | • thumbnail: fix out-of-buffer write. (#2489, CVE-2014-8128) |
| | 284 | • thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS or |
| | 285 | TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or |
| | 286 | COMPRESSION_CCITTFAX4. (#2493, CVE-2014-8128) |
| | 287 | • tiffcp: fix crash when converting YCbCr JPEG-compressed to none. |
| | 288 | (#2480) |
| | 289 | • bmp2tiff: fix crash due to int overflow related to input BMP |
| | 290 | dimensions |
| | 291 | • tiffcrop: fix crash due to invalid TileWidth/TileHeight |
| | 292 | • tiffcrop: fix segfault if bad value passed to -Z option ( #2459) and |
| | 293 | add missing va_end in dump_info |
| | 294 | • thumbnail, tiffcrop: "fix" heap read over-run found with Valgrind |
| | 295 | and Address Sanitizer on test suite |
| | 296 | • fax2ps: check malloc()/realloc() result. (#2470) |
| | 297 | • gif2tiff: apply patch for CVE-2013-4243. (#2451) |
| | 298 | • gif2tiff: fix possible OOB write. (#2452, CVE-2013-4244) |
| | 299 | • gif2tiff: Be more careful about corrupt or hostile input files |
| | 300 | (#2450, CVE-2013-4231) |
| | 301 | • tiff2rgba: fix usage message in that zip was wrongly described |
| | 302 | • tiffinfo: Default various values fetched with TIFFGetField() to |
| | 303 | avoid being uninitialized. |
| | 304 | • tiff2ps: Fix bug in auto rotate option code. |
| | 305 | • ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564). |
| | 306 | check the linebytes calculation too, get the max() calculation |
| | 307 | straight, avoid redundant error messages, check for malloc failure. |
| | 308 | • tiffset: now supports a -u option to unset a tag. (#2419) |
| | 309 | • Fix warnings about unused parameters. |
| | 310 | • rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither : |
| | 311 | Enlarge some fixed-size buffers that weren't large enough, and |
| | 312 | eliminate substantially all uses of sprintf(buf, ...) in favor of |
| | 313 | using snprintf(buf, sizeof(buf), ...), so as to protect against |
| | 314 | overflow of fixed-size buffers. This responds in particular to |
| | 315 | CVE-2013-1961 concerning overflow in tiff2pdf.c's |
| | 316 | t2p_write_pdf_page(). |
| | 317 | • html/man/tiff2ps.1.html, html/man/tiffcp.1.html, |
| | 318 | html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1, |
| | 319 | man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c, |
| | 320 | tools/tiffdither.c: Sync tool usage printouts and man pages with |
| | 321 | reality |
| | 322 | |
| | 323 | CHANGES IN THE CONTRIB AREA: |
| | 324 | |
| | 325 | • Fix warnings about variables set but not used. |
| | 326 | • contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that |
| | 327 | weren't large enough, and eliminate substantially all uses of |
| | 328 | sprintf(buf, ...) in favor of using snprintf(buf, sizeof(buf), ...), |
| | 329 | so as to protect against overflow of fixed-size buffers. |
| | 330 | |
| | 331 | Last updated $Date: 2015-01-26 15:14:45 $. |
| | 332 | }}} |
