<HTML>
<HEAD>
<TITLE>
	Changes in TIFF v4.0.7
</TITLE>
</HEAD>

<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">

<BASEFONT SIZE=4>
<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
<BASEFONT SIZE=3>

<UL>
<HR SIZE=4 WIDTH=65% ALIGN=left>
<B>Current Version</B>: v4.0.7<BR>
<B>Previous Version</B>: <A HREF=v4.0.6.html>v4.0.6</a><BR>
<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff">
download.osgeo.org</a>, directory pub/libtiff<BR>
<B>Master HTTP Site #1</B>: <A HREF="http://www.simplesystems.org/libtiff/">
http://www.simplesystems.org/libtiff/</a><BR>
<B>Master HTTP Site #2</B>: <A HREF="http://libtiff.maptools.org/">
http://libtiff.maptools.org/</a>
<HR SIZE=4 WIDTH=65% ALIGN=left>
</UL>

<P>
This document describes the changes made to the software between the
<I>previous</I> and <I>current</I> versions (see above).  If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned.  The following
information is located here:
<UL>
<LI><A HREF="#highlights">Major Changes</A>
<LI><A HREF="#configure">Changes in the software configuration</A>
<LI><A HREF="#libtiff">Changes in libtiff</A>
<LI><A HREF="#tools">Changes in the tools</A>
<LI><A HREF="#contrib">Changes in the contrib area</A>
</UL>
<P>
<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>

<UL>

	<LI> The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff,
        sgisv, and ycbcr are completely removed from the distribution.
        These tools were written in the late 1980s and early 1990s for
        test and demonstration purposes.  In some cases the tools were
        never updated to support updates to the file format, or the
        file formats are now rarely used.  In all cases these tools
        increased the libtiff security and maintenance exposure beyond
        the value offered by the tool.

</UL>


<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->

<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>

<UL>

  <LI> None

</UL>

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>

<UL>

    <LI> libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not
        dereference NULL pointer when values of tags with
        TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are
        0-byte arrays.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression
        introduced by previous fix done on 2016-11-11 for
        CVE-2016-9297).  Reported by Henri Salo.  Assigned as
        CVE-2016-9448.

    <LI> libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted() when
        requesting the Predictor tag while the zip/lzw codec is not
        configured.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2591

    <LI> libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure
        that values of tags with TIFF_SETGET_C16_ASCII /
        TIFF_SETGET_C32_ASCII access are null terminated, to avoid
        potential read outside buffer in _TIFFPrintField().  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2590

    <LI> libtiff/tif_dirread.c: reject images with OJPEG compression
        that have no TileOffsets/StripOffsets tag, when OJPEG
        compression is disabled.  Prevents null pointer dereference in
        TIFFReadRawStrip1() and other functions that expect
        td_stripbytecount to be non-NULL.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2585

    <LI> libtiff/tif_strip.c: make TIFFNumberOfStrips() return the
        td->td_nstrips value when it is non-zero, instead of
        recomputing it.  This is needed in TIFF_STRIPCHOP mode where
        td_nstrips is modified.  Fixes a read outside of array in
        tiffsplit (or other utilities using TIFFNumberOfStrips()).
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
        (CVE-2016-9273)

    <LI> libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
        assertions by runtime checks to avoid assertions in debug
        mode, or buffer overflows in release mode.  Can happen when
        dealing with unusual tile sizes like YCbCr with
        subsampling.  Reported as MSVR 35105 by Axel Souchet & Vishal
        Chauhan from the MSRC Vulnerabilities & Mitigations team.

    <LI> libtiff/tif_dir.c: discard values of SMinSampleValue and
        SMaxSampleValue when they have been read and the value of
        SamplesPerPixel is changed afterwards (like when reading an
        OJPEG compressed image with a missing SamplesPerPixel tag, and
        whose photometric is RGB or YCbCr, forcing SamplesPerPixel to
        be 3).  Otherwise, when rewriting the directory (for example
        with tiffset), we would expect 3 values whereas the array had
        been allocated with just one, thus causing an out-of-bound
        read access.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2500
        (CVE-2014-8127, duplicate: CVE-2016-3658)

    <LI> libtiff/tif_dirwrite.c: avoid null pointer dereference on
        td_stripoffset when writing directory, if FIELD_STRIPOFFSETS
        was artificially set for a hack case in the OJPEG case.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2500
        (CVE-2014-8127, duplicate: CVE-2016-3658)

    <LI> libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
        read floating point images.

    <LI> libtiff/tif_predict.c (PredictorSetup): Enforce
        bits-per-sample requirements of floating point predictor (3).
        Fixes CVE-2016-3622 "Divide By Zero in the tiff2rgba tool."

    <LI> libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
        in heap allocated buffers.  Reported as MSVR 35094.  Discovered by
        Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
        Mitigations team.

    <LI> libtiff/tif_write.c: fix issue in error code path of
        TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp
        members.  I'm not completely sure if that could happen in
        practice outside of the odd behaviour of t2p_seekproc() of
        tiff2pdf.  The report points out that a better fix could be to
        check the return value of TIFFFlushData1() in places where it
        isn't done currently, but it seems this patch is enough.
        Reported as MSVR 35095.  Discovered by Axel Souchet & Vishal
        Chauhan & Suha Can from the MSRC Vulnerabilities & Mitigations
        team.

    <LI> libtiff/tif_pixarlog.c: Fix write buffer overflow in
        PixarLogEncode if more input samples are provided than
        expected by PixarLogSetupEncode.  Idea based on
        libtiff-CVE-2016-3990.patch from
        libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with a
        different and simpler check.  (bugzilla #2544)

    <LI> libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped
        files in TIFFReadRawStrip1() and TIFFReadRawTile1() when
        stripoffset is beyond the tmsize_t max value (reported by Mathias
        Svensson)

    <LI> libtiff/tif_read.c: make TIFFReadEncodedStrip() and
        TIFFReadEncodedTile() directly use the user provided buffer when
        there is no compression (and other conditions hold) to save a memcpy()

    <LI> libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
        TIFFWriteEncodedTile() directly use the user provided buffer when
        there is no compression to save a memcpy().

    <LI> libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
        PHOTOMETRIC_LOGL, there is only one sample per pixel.  Avoids
        potential invalid memory write on corrupted/unexpected images
        when using the TIFFRGBAImageBegin() interface (reported by
        Clay Wood)

    <LI> libtiff/tif_pixarlog.c: fix potential buffer write overrun in
        PixarLogDecode() on corrupted/unexpected images (reported by
        Mathias Svensson) (CVE-2016-5875)

    <LI> libtiff/libtiff.def: Added _TIFFMultiply32 and
        _TIFFMultiply64 to libtiff.def

    <LI> libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the
        HAVE_SNPRINTF definition.

    <LI> libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by
        Edward Lam to define HAVE_SNPRINTF for Visual Studio 2015.

    <LI> libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD,
        fix regression, introduced on 2014-12-23, when reading a
        one-strip file without a StripByteCounts tag.  GDAL #6490

    <LI> libtiff/*: upstream typo fixes (mostly contributed by Kurt
        Schwehr) coming from GDAL's internal libtiff

    <LI> libtiff/tif_fax3.h: make the Param member of the TIFFFaxTabEnt
        structure a uint16 to reduce the size of the binary.

    <LI> libtiff/tif_read.c, tif_dirread.c: fix indentation issues
        raised by GCC 6 -Wmisleading-indentation

    <LI> libtiff/tif_pixarlog.c: avoid zlib error messages passing a
        NULL string to the %s formatter, which is undefined behaviour in
        sprintf().

    <LI> libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
        triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
        (bugzilla #2508)

    <LI> libtiff/tif_luv.c: fix potential out-of-bound writes in
        decode functions in non-debug builds by replacing assert()s by
        regular if checks (bugzilla #2522).  Fix potential
        out-of-bound reads in case of short input data.

    <LI> libtiff/tif_getimage.c: fix out-of-bound reads in the
        TIFFRGBAImage interface in case of unsupported values of
        SamplesPerPixel/ExtraSamples for LogLUV / CIELab.  Add explicit
        call to TIFFRGBAImageOK() in TIFFRGBAImageBegin().  Fix
        CVE-2015-8665 reported by limingxing and CVE-2015-8683
        reported by zzf of Alibaba.

    <LI> libtiff/tif_dirread.c: work around false positive warning of
        Clang Static Analyzer about null pointer dereference in
        TIFFCheckDirOffset().

    <LI> libtiff/tif_fax3.c: remove dead assignment in
        Fax3PutEOLgdal().  Found by Clang Static Analyzer

    <LI> libtiff/tif_dirwrite.c: fix truncation to 32 bit of file
        offsets in TIFFLinkDirectory() and TIFFWriteDirectorySec()
        when aligning directory offsets on an even offset (affects
        BigTIFF).  This was a regression of the changeset of
        2015-10-19.

    <LI> libtiff/tif_write.c: TIFFWriteEncodedStrip() and
        TIFFWriteEncodedTile() should return -1 in case of failure of
        tif_encodestrip() as documented

    <LI> libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in
        case of failure so that the above mentioned functions detect
        the error.

    <LI> libtiff/*.c: fix MSVC warnings related to cast shortening and
        assignment within conditional expression

    <LI> libtiff/*.c: fix clang -Wshorten-64-to-32 warnings

    <LI> libtiff/tif_dirread.c: prevent reading ColorMap or
        TransferFunction if BitsPerPixel > 24, so as to avoid huge
        memory allocation and file read attempts

    <LI> libtiff/tif_dirread.c: remove duplicated assignment (reported
        by Clang static analyzer)

    <LI> libtiff/tif_dir.c, libtiff/tif_dirinfo.c,
        libtiff/tif_compress.c, libtiff/tif_jpeg_12.c: suppress
        warnings about 'no previous declaration/prototype'

    <LI> libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants
        by U to fix 'warning: negative integer implicitly converted to
        unsigned type' warning (part of -Wconversion)

    <LI> libtiff/tif_dir.c, libtiff/tif_dirread.c,
        libtiff/tif_getimage.c, libtiff/tif_print.c: fix -Wshadow
        warnings (only in libtiff/)

</UL>
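<P>The two TIFFFetchNormalTag() entries above (bugs 2590 and 2593) describe one hazard from both sides: an ASCII tag value read from the file must be NUL terminated before it reaches a %s formatter, and a 0-byte value must not turn into a NULL pointer. The helper below is an added example, not libtiff's code; fetch_ascii_tag(), ascii_tag_printed_len() and the sample payloads are hypothetical names and constructed data.</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libtiff's TIFFFetchNormalTag()): copy the raw
 * bytes of an ASCII-typed tag, as read from the file and possibly lacking
 * a trailing NUL, into a new buffer that is always NUL terminated.  A
 * 0-byte value becomes "" rather than NULL, so a printer that does
 * printf("%s", value) neither dereferences NULL nor reads past the end. */
char *fetch_ascii_tag(const uint8_t *raw, uint32_t count)
{
    char *value;

    if (raw == NULL || count == 0) {      /* the bug 2593 regression case */
        value = malloc(1);
        if (value != NULL)
            value[0] = '\0';
        return value;
    }
    value = malloc((size_t)count + 1);    /* room for the added NUL */
    if (value == NULL)
        return NULL;
    memcpy(value, raw, count);
    value[count] = '\0';                  /* harmless if raw already ended in NUL */
    return value;
}

/* Characters a %s formatter would consume: bounded by count, never by
 * whatever bytes happen to follow the tag value in memory. */
size_t ascii_tag_printed_len(const uint8_t *raw, uint32_t count)
{
    char *v = fetch_ascii_tag(raw, count);
    size_t n = 0;
    if (v != NULL) {
        n = strlen(v);
        free(v);
    }
    return n;
}

/* Constructed sample payloads, not taken from any real file. */
static const uint8_t kNoNul[4]    = { 'G', 'D', 'A', 'L' };    /* no terminator */
static const uint8_t kEmbedded[5] = { 'a', 'b', 'c', 0, 'z' }; /* NUL then junk */

size_t demo_unterminated(void) { return ascii_tag_printed_len(kNoNul, 4); }    /* 4 */
size_t demo_embedded_nul(void) { return ascii_tag_printed_len(kEmbedded, 5); } /* 3 */
int demo_empty_is_empty_string(void)                                           /* 1 */
{
    char *v = fetch_ascii_tag(NULL, 0);
    int ok = (v != NULL && v[0] == '\0');
    free(v);
    return ok;
}
```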

<P><HR WIDTH=65% ALIGN=left>

<!-------------------------------------------------------------------------->

<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>

<UL>

    <LI> tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff,
        ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed
        from the distribution.  The libtiff tools rgb2ycbcr and
        thumbnail are only built in the build tree for testing.  Old
        files are put in a new 'archive' subdirectory of the source
        repository, but not in distribution archives.  These changes
        are made in order to lessen the maintenance burden.

    <LI> tools/tiff2pdf.c: avoid undefined behaviour related to
        overlapping of source and destination buffer in memcpy() call
        in t2p_sample_rgbaa_to_rgb().  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2577

    <LI> tools/tiff2pdf.c: fix potential integer overflows on 32 bit
        builds in t2p_read_tiff_size().  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2576

    <LI> tools/fax2tiff.c: fix segfault when specifying -r without
        argument.  Patch by Yuriy M. Kaminskiy.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2572

    <LI> tools/tiffinfo.c: fix out-of-bound read on some tiled images.
        (http://bugzilla.maptools.org/show_bug.cgi?id=2517)

    <LI> tools/tiffcrop.c: fix multiple uint32 overflows in
        writeBufferToSeparateStrips(), writeBufferToContigTiles() and
        writeBufferToSeparateTiles() that could cause heap buffer
        overflows.  Reported by Henri Salo from Nixu Corporation.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592

    <LI> tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
        readContigTilesIntoBuffer().  Reported as MSVR 35092 by Axel
        Souchet & Vishal Chauhan from the MSRC Vulnerabilities &
        Mitigations team.

    <LI> tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on
        JPEG compressed images.  Reported by Tyler Bohan of Cisco Talos
        as TALOS-CAN-0187 / CVE-2016-5652.  Also prevents writing 2
        extra uninitialized bytes to the file stream.

    <LI> tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
        tile width vs image width.  Reported as MSVR 35103
        by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
        Mitigations team.

    <LI> tools/tiff2pdf.c: fix read (largely) outside of buffer in
        t2p_readwrite_pdf_image_tile(), causing crash, when reading a
        JPEG compressed image with TIFFTAG_JPEGTABLES length being
        one.  Reported as MSVR 35101 by Axel Souchet and Vishal
        Chauhan from the MSRC Vulnerabilities & Mitigations team.

    <LI> tools/tiffcp.c: fix read of undefined variable in case of
        missing required tags.  Found on test case of MSVR 35100.

    <LI> tools/tiffcrop.c: fix read of undefined buffer in
        readContigStripsIntoBuffer() due to uint16 overflow.  Probably
        not a security issue but I can be wrong.  Reported as MSVR
        35100 by Axel Souchet from the MSRC Vulnerabilities &
        Mitigations team.

    <LI> tools/tiffcrop.c: fix various out-of-bounds write
        vulnerabilities in heap or stack allocated buffers.  Reported
        as MSVR 35093, MSVR 35096 and MSVR 35097.  Discovered by Axel
        Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
        Mitigations team.

    <LI> tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
        heap allocated buffer in t2p_process_jpeg_strip().  Reported as
        MSVR 35098.  Discovered by Axel Souchet and Vishal Chauhan from
        the MSRC Vulnerabilities & Mitigations team.

    <LI> tools/tiff2bw.c: fix weight computation that could result in
        color value overflow (no security implication).  Fix bugzilla
        #2550.  Patch by Frank Freudenberg.

    <LI> tools/rgb2ycbcr.c: validate values of -v and -h parameters to
        avoid potential divide by zero.  Fixes CVE-2016-3623 (bugzilla #2569)

    <LI> tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
        From patch libtiff-CVE-2016-3991.patch from
        libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla
        #2543)

    <LI> tools/tiff2rgba.c: Fix integer overflow in size of allocated
        buffer, when -b mode is enabled, that could result in
        out-of-bounds write.  Based initially on patch
        tiff-CVE-2016-3945.patch from libtiff-4.0.3-25.el7_2.src.rpm
        by Nikola Forro, with correction for invalid tests that
        rejected valid files.  (bugzilla #2545)

    <LI> tools/tiffcrop.c: Avoid access outside of stack allocated
        array on a tiled separate TIFF with more than 8 samples per
        pixel.  Reported by Kaixiang Zhang of the Cloud Security Team,
        Qihoo 360 (CVE-2016-5321 / CVE-2016-5323, bugzilla #2558 /
        #2559)

    <LI> tools/tiffdump.c: fix a few misaligned 64-bit reads warned by
        -fsanitize

    <LI> tools/tiffdump.c (ReadDirectory): Remove uint32 cast to
        _TIFFmalloc() argument which resulted in a Coverity report.
        Added more multiplication overflow checks.

</UL>
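<P>Several of the tool fixes above (the tiffcrop uint32 overflows, the tiff2rgba allocation size, the tiffdump multiplication checks) share one root cause: a width times height times samples product computed in 32 bits wraps to a small value, the small buffer is allocated, and the full image is then written into it. The check-before-allocate pattern below is an added example rather than libtiff's own _TIFFMultiply32; mul_u32_checked(), strip_buffer_size() and the sample dimensions are hypothetical.</P>

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical checked multiply; an added example, not libtiff's own
 * _TIFFMultiply32.  Returns 0 when the product would wrap, and 0 is never
 * a legitimate result here because zero operands are rejected up front. */
uint32_t mul_u32_checked(uint32_t a, uint32_t b)
{
    if (a == 0 || b == 0)
        return 0;
    if (a > UINT32_MAX / b)
        return 0;                       /* a * b does not fit in 32 bits */
    return a * b;
}

/* Bytes for one scanline of contiguous samples, rounding bits up to bytes
 * without the usual "+ 7" itself being able to overflow. */
uint32_t scanline_bytes(uint32_t width, uint16_t spp, uint16_t bps)
{
    uint32_t bits = mul_u32_checked(width, spp);
    if (bits == 0)
        return 0;
    bits = mul_u32_checked(bits, bps);
    if (bits == 0)
        return 0;
    return bits / 8 + ((bits % 8) != 0);
}

/* Buffer size for `rows` scanlines, or 0 when it cannot be represented:
 * the caller rejects the image instead of allocating a wrapped, too-small
 * buffer and then writing the whole image into it. */
uint32_t strip_buffer_size(uint32_t width, uint32_t rows, uint16_t spp, uint16_t bps)
{
    uint32_t line = scanline_bytes(width, spp, bps);
    if (line == 0)
        return 0;
    return mul_u32_checked(line, rows);
}

/* Check-then-allocate wrapper: NULL means "invalid or oversized image". */
void *alloc_strip_buffer(uint32_t width, uint32_t rows, uint16_t spp, uint16_t bps)
{
    uint32_t size = strip_buffer_size(width, rows, spp, bps);
    return size == 0 ? NULL : calloc(size, 1);
}

/* Constructed geometry: a plausible 8-bit RGB strip allocates, while a
 * header whose product is exactly 2^32 is refused.  Returns 1 if both hold. */
int demo_check_before_alloc(void)
{
    void *ok = alloc_strip_buffer(640, 480, 3, 8);       /* 921600 bytes */
    void *bad = alloc_strip_buffer(65536, 65536, 1, 8);  /* 2^32: wraps to 0 */
    int result = (ok != NULL && bad == NULL);
    free(ok);
    return result;
}
```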

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>

<UL>

  <LI> None

</UL>

Last updated $Date: 2016-11-19 17:47:40 $.

</BODY>
</HTML>
