<HTML>
<HEAD>
<TITLE>
Changes in TIFF v4.0.4beta
</TITLE>
</HEAD>

<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">

<BASEFONT SIZE=4>
<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
<BASEFONT SIZE=3>

<UL>
<HR SIZE=4 WIDTH=65% ALIGN=left>
<B>Current Version</B>: v4.0.4beta<BR>
<B>Previous Version</B>: <A HREF=v4.0.3.html>v4.0.3</A><BR>
<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff">
download.osgeo.org</A>, directory pub/libtiff<BR>
<B>Master HTTP Site</B>: <A HREF="http://www.simplesystems.org/libtiff/">
http://www.simplesystems.org/libtiff/</A>
<HR SIZE=4 WIDTH=65% ALIGN=left>
</UL>

<P>
This document describes the changes made to the software between the
<I>previous</I> and <I>current</I> versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:
<UL>
<LI><A HREF="#highlights">Major Changes</A>
<LI><A HREF="#configure">Changes in the software configuration</A>
<LI><A HREF="#libtiff">Changes in libtiff</A>
<LI><A HREF="#tools">Changes in the tools</A>
<LI><A HREF="#contrib">Changes in the contrib area</A>
</UL>
<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>

<UL>

 <li> None

</UL>

<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->

<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>

<UL>

 <li> Updated to use Automake 1.15 and Libtool 2.4.5

</UL>

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>

<UL>

 <li> TIFFCheckDirOffset(): avoid uint16 overflow
 when reading more than 65535 directories, and effectively error out when
 reaching that limit.

 <li> TIFFNumberOfDirectories(): generate an error in case of directory count
 overflow.

 <li> TIFFAdvanceDirectory(): if nextdir is found to
 be defective, then set it to zero before returning an error in order
 to terminate processing of a truncated TIFF.

 <li> JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10
 markers to avoid emitting a warning. Fix for compatibility with the mozjpeg library.
 Note: the default settings of mozjpeg will produce progressive scans, which
 is forbidden by the TechNote.

 <li> JPEG-in-TIFF: fix regression introduced in 3.9.3/4.0.0 that caused
 all tiles/strips to include quantization tables even when the jpegtablesmode
 had the JPEGTABLESMODE_QUANT bit set.
 Also add explicit removal of Huffman tables when jpegtablesmode has the
 JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables being emitted in the
 first tile/strip (only useful in update scenarios; create-only was
 fine).

 <li> JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on a
 corrupted image where tif->tif_dir.td_stripoffset == NULL.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2471">#2471</a>)

 <li> NeXT codec: add new tests to check that we don't read outside of
 the compressed input stream buffer.

 <li> NeXT codec: check that BitsPerSample = 2. Fixes
 <a href="http://bugzilla.maptools.org/show_bug.cgi?id=2487">#2487</a> (CVE-2014-8129)

 <li> NeXT codec: in the "run mode", use tilewidth for tiled images
 instead of imagewidth to avoid a crash.

 <li> tif_getimage.c: in the OJPEG case, fix checks on strile width/height
 in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
 putcontig8bitYCbCr21tile cases.
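 <li> As an added illustration (not libtiff's own code), the following C walker shows the three directory-chain checks the TIFFCheckDirOffset(), TIFFNumberOfDirectories() and TIFFAdvanceDirectory() entries above describe: a 65535 cap so a uint16 directory counter cannot wrap, stopping at a defective next-IFD link, and detecting a chain that loops back on itself. The function names, status codes and the 44-byte sample file are assumptions constructed for the example.

```c
/* Added example, not libtiff code: walk a little-endian classic TIFF's IFD
 * chain with the checks listed above: cap the directory count at 65535 so
 * a uint16 counter cannot wrap, stop at a link that points outside the file
 * or at a truncated IFD, and detect a chain that loops back on itself. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_DIRS 65535u   /* most directories a uint16 counter can hold */
enum { IFD_OK = 0, IFD_BAD_LINK, IFD_CYCLE, IFD_LIMIT, IFD_NOMEM };
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Returns how many well-formed IFDs were reached; *status says why it stopped. */
unsigned count_ifds(const uint8_t *buf, size_t len, int *status)
{
    unsigned n = 0;
    uint8_t *visited = calloc(len / 8 + 1, 1);  /* one "seen" bit per byte offset */
    *status = IFD_BAD_LINK;
    if (!visited) { *status = IFD_NOMEM; return 0; }
    if (len < 8 || memcmp(buf, "II\x2a\x00", 4) != 0) goto done;
    for (uint32_t off = le32(buf + 4); off != 0; ) {
        /* IFD = 2-byte entry count, count*12 bytes of entries, 4-byte next link */
        if (off >= len || len - off < 2) goto done;              /* link outside file */
        uint32_t nent = le16(buf + off);
        if ((uint64_t)nent * 12 + 6 > len - off) goto done;      /* IFD truncated */
        if (visited[off / 8] & (1u << off % 8)) { *status = IFD_CYCLE; goto done; }
        if (n == MAX_DIRS) { *status = IFD_LIMIT; goto done; }   /* would wrap uint16 */
        visited[off / 8] |= (uint8_t)(1u << off % 8); n++;
        off = le32(buf + off + 2 + nent * 12);
    }
    *status = IFD_OK;
done:
    free(visited);
    return n;
}

/* Constructed 44-byte sample: header plus two one-entry IFDs (ImageWidth=1);
 * walk_status() patches the second IFD's next-link (bytes 40..43). */
static const uint8_t SAMPLE[44] = {
    'I','I',42,0, 8,0,0,0,                          /* header: first IFD at 8 */
    1,0, 0,1, 3,0, 1,0,0,0, 1,0,0,0, 26,0,0,0,      /* IFD at 8, next = 26 */
    1,0, 0,1, 3,0, 1,0,0,0, 1,0,0,0, 0,0,0,0 };     /* IFD at 26, next = 0 */
int walk_status(uint32_t last_link)
{
    uint8_t f[sizeof SAMPLE]; int st;
    memcpy(f, SAMPLE, sizeof f);
    for (int i = 0; i < 4; i++) f[40 + i] = (uint8_t)(last_link >> 8 * i);
    count_ifds(f, sizeof f, &st);
    return st;
}
```

Linking the second IFD back to offset 8 or to itself is reported as a cycle, and a link beyond the 44-byte file or into its last byte is reported as a bad link, in both cases after the two valid IFDs have been counted.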

 <li> In TIFFDefaultDirectory(), reset any already existing
 extended tags installed by user code through the extender mechanism before
 calling the extender callback (GDAL #5054)

 <li> Fix warnings about unused parameters.

 <li> Fix various typos in comments found by the Debian lintian tool (GDAL #5756)

 <li> tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2235">#2235</a>)

 <li> tif_dirread.c: in EstimateStripByteCounts(), check the return code
 of _TIFFFillStriles(). This solves a crashing bug on corrupted
 images generated by afl.

 <li> tif_read.c: fix several invalid comparisons of a uint64 value with
 <= 0 by casting it to int64 first. This solves a crashing bug on corrupted
 images generated by afl.

 <li> TIFFSetField(): refuse to set negative values for
 TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
 the directory.

 <li> TIFFReadDirectory(): refuse to read ColorMap or
 TransferFunction if BitsPerSample has not yet been read, otherwise reading
 it later will cause user code to crash if BitsPerSample > 1.

 <li> TIFFRGBAImageOK(): return FALSE if LOGLUV with
 SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8.

 <li> tif_config.vc.h: no longer use "#define snprintf _snprintf" with
 Visual Studio 2015 aka VC 14 aka MSVC 1900.

 <li> LZW codec: prevent potential null dereference of sp->dec_codetab in LZWPreDecode
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)

 <li> TIFFReadBufferSetup(): avoid passing a -1 size
 to TIFFmalloc() if the passed user buffer size is 0
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)

 <li> TIFFReadDirEntryOutputErr(): an incorrect
 count for a tag should be a warning rather than an error, since
 errors terminate processing.

 <li> tif_dirinfo.c (TIFFField): fix data type for the TIFFTAG_GLOBALPARAMETERSIFD tag.

 <li> Add definitions for the TIFF/EP CFARepeatPatternDim and CFAPattern tags
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2457">#2457</a>)

 <li> tif_codec.c, tif_dirinfo.c: enlarge some fixed-size buffers that weren't
 large enough, and eliminate substantially all uses of sprintf(buf,
 ...) in favor of using snprintf(buf, sizeof(buf), ...)

 <li> configure.ac: improve pkg-config static linking by adding -lm to Libs.private when needed.

 <li> tif_write.c: tmsize_t related casting warning fixed for
 64bit Linux.

 <li> tif_read.c: uint64/tmsize_t change for MSVC warnings.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2427">#2427</a>)

 <li> Fix TIFFPrintDirectory's handling of
 field_passcount fields: it had the TIFF_VARIABLE and
 TIFF_VARIABLE2 cases backwards.

 <li> PixarLog codec: improve the previous patch for CVE-2012-4447
 (to enlarge tbuf for a possible partial stride at the end) so that
 overflow in the integer addition is detected.

 <li> tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
 require malloc() to return a NULL pointer if the requested allocation
 size is zero. Assure that _TIFFmalloc does.

 <li> tif_zip.c: avoid crash on NULL error messages.

</UL>

<P><HR WIDTH=65% ALIGN=left>

<!-------------------------------------------------------------------------->

<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>

<UL>

 <li> tiff2pdf: fix various crashes and memory buffer access errors (oCERT-2014-013).
 <li> tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2445">#2445</a>)
 <li> tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2443">#2443</a>)
 <li> tiff2pdf: check the return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL.
 <li> tiff2pdf: fix crash due to invalid tile count.
 <li> tiff2pdf: detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB.
 <li> tiff2pdf: assure that memory size calculations for
 _TIFFmalloc() do not overflow the range of tmsize_t.
 <li> tiff2pdf: avoid crash when the TIFFTAG_TRANSFERFUNCTION tag returns one channel,
 with the other two channels set to NULL.
 <li> tiff2pdf: close the PDF file. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2479">#2479</a>)
 <li> tiff2pdf: preserve input file directory order when pages
 are tagged with the same page number.
 <li> tiff2pdf.c: terminate after failure of allocating the ycbcr buffer
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2449">#2449</a>, CVE-2013-4232)
 <li> tiff2pdf: rewrite JPEG marker parsing in
 t2p_process_jpeg_strip to be at least marginally competent. The
 approach is still fundamentally flawed, but at least now it won't
 stomp all over memory when given bogus input. Fixes CVE-2013-1960.
 <li> tiffdump: guard against arithmetic overflow when calculating allocation buffer sizes.
 <li> tiffdump: fix crash due to overflow of entry count.
 <li> tiffdump: fix double-free bug.
 <li> tiffdump: detect cycle in TIFF directory chaining.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2463">#2463</a>)
 <li> tiffdump: avoid passing a NULL pointer to read() if seek() failed before.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
 <li> tiff2bw: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2485">#2485</a>, CVE-2014-8127)
 <li> pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2484">#2484</a>, CVE-2014-8127)
 <li> thumbnail: fix out-of-buffer write.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2489">#2489</a>, CVE-2014-8128)
 <li> thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS
 or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
 COMPRESSION_CCITTFAX4.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2493">#2493</a>, CVE-2014-8128)
 <li> tiffcp: fix crash when converting YCbCr JPEG-compressed to none.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2480">#2480</a>)
 <li> bmp2tiff: fix crash due to int overflow related to input BMP dimensions.
 <li> tiffcrop: fix crash due to invalid TileWidth/TileHeight.
 <li> tiffcrop: fix segfault if a bad value is passed to the -Z option
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
 and add missing va_end in dump_info.
 <li> thumbnail, tiffcrop: "fix" heap read over-run found with
 Valgrind and Address Sanitizer on the test suite.
 <li> fax2ps: check malloc()/realloc() result. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2470">#2470</a>)
 <li> gif2tiff: apply patch for CVE-2013-4243. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2451">#2451</a>)
 <li> gif2tiff: fix possible OOB write. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2452">#2452</a>, CVE-2013-4244)
 <li> gif2tiff: be more careful about corrupt or hostile input files (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2450">#2450</a>, CVE-2013-4231)
 <li> tiff2rgba: fix usage message, in which zip was wrongly described.
 <li> tiffinfo: default various values fetched with TIFFGetField() to avoid their being uninitialized.
 <li> tiff2ps: fix bug in the auto rotate option code.
 <li> ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564).
 Check the linebytes calculation too, get the max() calculation
 straight, avoid redundant error messages, check for malloc
 failure.
 <li> tiffset: now supports a -u option to unset a tag.
 (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2419">#2419</a>)
 <li> Fix warnings about unused parameters.
 <li> rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither:
 enlarge some fixed-size buffers that weren't
 large enough, and eliminate substantially all uses of sprintf(buf,
 ...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
 protect against overflow of fixed-size buffers. This responds in
 particular to CVE-2013-1961 concerning overflow in tiff2pdf.c's
 t2p_write_pdf_page().
 <li> html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
 html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
 man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
 tools/tiffdither.c: sync tool usage printouts and man pages with
 reality.

</UL>

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>

<UL>

 <li> Fix warnings about variables set but not used.
 <li> contrib/dbs/xtiff/xtiff.c: enlarge some fixed-size buffers that weren't
 large enough, and eliminate substantially all uses of sprintf(buf,
 ...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
 protect against overflow of fixed-size buffers.
</UL>

Last updated $Date: 2016-09-25 20:05:47 $.

</BODY>
</HTML>