1<HTML>
2<HEAD>
3<TITLE>
4	Changes in TIFF v4.0.8
5</TITLE>
6</HEAD>
7
8<BODY BGCOLOR=white>
9<FONT FACE="Helvetica, Arial, Sans">
10
11<BASEFONT SIZE=4>
12<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
13<BASEFONT SIZE=3>
14
15<UL>
16<HR SIZE=4 WIDTH=65% ALIGN=left>
17<B>Current Version</B>: v4.0.8<BR>
18<B>Previous Version</B>: <A HREF=v4.0.7.html>v4.0.7</a><BR>
<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff">
download.osgeo.org</a>, directory pub/libtiff<BR>
21<B>Master HTTP Site #1</B>: <A HREF="http://www.simplesystems.org/libtiff/">
22http://www.simplesystems.org/libtiff/</a><BR>
23<B>Master HTTP Site #2</B>: <A HREF="http://libtiff.maptools.org/">
24http://libtiff.maptools.org/</a>
25<HR SIZE=4 WIDTH=65% ALIGN=left>
26</UL>
27
28<P>
29This document describes the changes made to the software between the
30<I>previous</I> and <I>current</I> versions (see above).  If you don't
31find something listed here, then it was not done in this timeframe, or
32it was not considered important enough to be mentioned.  The following
33information is located here:
34<UL>
35<LI><A HREF="#highlights">Major Changes</A>
36<LI><A HREF="#configure">Changes in the software configuration</A>
37<LI><A HREF="#libtiff">Changes in libtiff</A>
38<LI><A HREF="#tools">Changes in the tools</A>
39<LI><A HREF="#contrib">Changes in the contrib area</A>
40</UL>
41<p>
42<P><HR WIDTH=65% ALIGN=left>
43
44<!--------------------------------------------------------------------------->
45
46<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>
47
48<UL>
49
50	<LI> None
51
52</UL>
53
54
55<P><HR WIDTH=65% ALIGN=left>
56<!--------------------------------------------------------------------------->
57
58<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>
59
60<UL>
61
62  <LI> None
63
64</UL>
65
66<P><HR WIDTH=65% ALIGN=left>
67
68<!--------------------------------------------------------------------------->
69
70<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>
71
72<UL>
73
    <LI> libtiff/tif_getimage.c, libtiff/tif_open.c: add parentheses
        to fix cppcheck clarifyCalculation warnings

    <LI> libtiff/tif_predict.c, libtiff/tif_print.c: fix printf
        unsigned vs signed formatting (cppcheck
        invalidPrintfArgType_uint warnings)
79
80    <LI> libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
81        TIFFReadEncodedStrip() that caused an integer division by
82        zero.  Reported by Agostino Sarubbo.  Fixes
83        http://bugzilla.maptools.org/show_bug.cgi?id=2596
84
    <LI> libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
        buffer overflow on generation of PixarLog / LUV compressed
        files with ColorMap and TransferFunction attached and a
        hostile BitsPerSample value.  The fix for LUV has not been
        tested, but LUV suffers from the same kind of issue as
        PixarLog.  Reported by Agostino Sarubbo.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2604
92
93    <LI> libtiff/tif_strip.c: revert the change in
94        TIFFNumberOfStrips() done for
95        http://bugzilla.maptools.org/show_bug.cgi?id=2587 /
96        CVE-2016-9273 since the above change is a better fix that
97        makes it unnecessary.
98
    <LI> libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip()
        to compute nstrips as
        TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of
        logic based on the total size of the data.  That logic is
        faulty when the total size of the data is not sufficient to
        fill the whole image, and then results in reading outside of
        the StripByteCounts/StripOffsets arrays when using
        TIFFReadScanline().  Reported by Agostino Sarubbo.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2608.
108
109    <LI> libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of
110        failure in OJPEGPreDecode(). This will avoid a divide by zero,
111        and potential other issues.  Reported by Agostino Sarubbo.
112        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611
113
114    <LI> libtiff/tif_write.c: fix misleading indentation as warned by GCC.
115
116
117    <LI> libtiff/tif_fax3.h: revert change done on 2016-01-09 that
118        made Param member of TIFFFaxTabEnt structure a uint16 to
119        reduce size of the binary. It happens that the Hylafax
120        software uses the tables that follow this typedef
121        (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable),
122        although they are not in a public libtiff header.  Raised by
123        Lee Howard.  Fixes
124        http://bugzilla.maptools.org/show_bug.cgi?id=2636
125
    <LI> libtiff/tiffio.h, libtiff/tif_getimage.c: add
        TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of
        TIFFReadRGBAStrip() and TIFFReadRGBATile(), with an extra
        argument to control the stop_on_error behaviour.
130
131    <LI> libtiff/tif_getimage.c: fix potential memory leaks in error
132        code path of TIFFRGBAImageBegin().  Fixes
133        http://bugzilla.maptools.org/show_bug.cgi?id=2627
134
135    <LI> libtiff/tif_jpeg.c: increase libjpeg max memory usable to 10
136        MB instead of libjpeg 1MB default. This helps when creating
137        files with "big" tile, without using libjpeg temporary files.
138        Related to https://trac.osgeo.org/gdal/ticket/6757
139
140    <LI> libtiff/tif_jpeg.c: avoid integer division by zero in
141        JPEGSetupEncode() when horizontal or vertical sampling is set
142        to 0.  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
143
144    <LI> libtiff/tif_dirwrite.c: in
145        TIFFWriteDirectoryTagCheckedRational, replace assertion by
146        runtime check to error out if passed value is strictly
147        negative.  Fixes
148        http://bugzilla.maptools.org/show_bug.cgi?id=2535
149
    <LI> libtiff/tif_dirread.c: avoid division by floating point 0 in
        TIFFReadDirEntryCheckedRational() and
        TIFFReadDirEntryCheckedSrational(), and return 0 in that case
        (instead of infinity, as before presumably).  Apparently some
        sanitizers do not like those divisions by zero.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2644
156
157    <LI> libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
158        various clampings of double to other data types to avoid
159        undefined behaviour if the output range isn't big enough to
160        hold the input value.  Fixes
161        http://bugzilla.maptools.org/show_bug.cgi?id=2643
162        http://bugzilla.maptools.org/show_bug.cgi?id=2642
163        http://bugzilla.maptools.org/show_bug.cgi?id=2646
164        http://bugzilla.maptools.org/show_bug.cgi?id=2647
165
166    <LI> libtiff/tif_jpeg.c: validate BitsPerSample in
167        JPEGSetupEncode() to avoid undefined behaviour caused by
168        invalid shift exponent.  Fixes
169        http://bugzilla.maptools.org/show_bug.cgi?id=2648
170
171    <LI> libtiff/tif_read.c: avoid potential undefined behaviour on
172        signed integer addition in TIFFReadRawStrip1() in isMapped()
173        case.  Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
174
175    <LI> libtiff/tif_getimage.c: add explicit uint32 cast in
176        putagreytile to avoid UndefinedBehaviorSanitizer warning.
177        Patch by Nicolás Peña.  Fixes
178        http://bugzilla.maptools.org/show_bug.cgi?id=2658
179
180    <LI> libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc()
181        to zero initialize tif_rawdata.  Fixes
182        http://bugzilla.maptools.org/show_bug.cgi?id=2651
183
184    <LI> libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
185    _TIFFcalloc()
186
187    <LI> libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in
188        Encode functions instead of -1 when TIFFFlushData1() fails.
189        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2130
190
191    <LI> libtiff/tif_ojpeg.c: fix leak in
192        OJPEGReadHeaderInfoSecTablesQTable,
193        OJPEGReadHeaderInfoSecTablesDcTable and
194        OJPEGReadHeaderInfoSecTablesAcTable when read fails.  Patch by
195        Nicolás Peña.  Fixes
196        http://bugzilla.maptools.org/show_bug.cgi?id=2659
197
198    <LI> libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if
199        the YCbCrSubsampling tag is not explicitly present. This helps
200        a bit to reduce the I/O amount when the tag is present
201        (especially on cloud hosted files).
202
203    <LI> libtiff/tif_lzw.c: in LZWPostEncode(), increase, if
204        necessary, the code bit-width after flushing the remaining
205        code and before emitting the EOI code.  Fixes
206        http://bugzilla.maptools.org/show_bug.cgi?id=1982
207
208    <LI> libtiff/tif_pixarlog.c: fix memory leak in error code path of
209        PixarLogSetupDecode(). Patch by Nicolás Peña.  Fixes
210        http://bugzilla.maptools.org/show_bug.cgi?id=2665
211
212    <LI> libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
213        -Wimplicit-fallthrough warnings.
214
    <LI> libtiff/tif_dirread.c: fix memory leak in non
        DEFER_STRILE_LOAD mode (i.e. the default) when there are both a
        StripOffsets and a TileOffsets tag, or both a StripByteCounts
        and a TileByteCounts tag.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2689
220
221    <LI> libtiff/tif_ojpeg.c: fix potential memory leak in
222        OJPEGReadHeaderInfoSecTablesQTable,
223        OJPEGReadHeaderInfoSecTablesDcTable and
224        OJPEGReadHeaderInfoSecTablesAcTable Patch by Nicolás Peña.
225        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
226
227    <LI> libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
228        Patch by Alan Coopersmith + complement by myself.  Fixes
229        http://bugzilla.maptools.org/show_bug.cgi?id=2673
230
231    <LI> libtiff/tif_read.c: TIFFFillStrip(): add limitation to the
232        number of bytes read in case td_stripbytecount[strip] is
233        bigger than reasonable, so as to avoid excessive memory
234        allocation.
235
236    <LI> libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
237        leak when the underlying codec (ZIP, PixarLog) succeeds its
238        setupdecode() method, but PredictorSetup fails.  Credit to
239        OSS-Fuzz (locally run, on GDAL)
240
    <LI> libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid
        excessive memory allocation in case of truncated files.  Only
        effective on 64 bit builds and non-mapped cases.  Credit to
        OSS-Fuzz (locally run, on GDAL)
245
    <LI> libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek():
        avoid potential integer overflows with read_ahead in
        CHUNKY_STRIP_READ_SUPPORT mode.  These were most likely to
        occur on 32 bit platforms.
250
    <LI> libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive
        memory allocation in case of truncated files.  Only effective on
        64 bit builds.  Credit to OSS-Fuzz (locally run, on GDAL)
254
255    <LI> libtiff/tif_read.c: update tif_rawcc in
256        CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when
257        calling TIFFStartStrip() or TIFFFillStripPartial(). This
258        avoids reading beyond tif_rawdata when bytecount >
259        tif_rawdatasize.  Fixes
260        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
261        Credit to OSS-Fuzz
262
    <LI> libtiff/tif_color.c: avoid potential int32 overflow in
        TIFFYCbCrToRGBInit().  Fixes
        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
        Credit to OSS-Fuzz
267
268    <LI> libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32
269        overflows in multiply_ms() and add_ms().  Fixes
270        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558
271        Credit to OSS-Fuzz
272
    <LI> libtiff/tif_packbits.c: fix out-of-buffer read in
        PackBitsDecode().  Fixes
        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
        Credit to OSS-Fuzz
277
278    <LI> libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
279        allocation when RowsPerStrip tag is missing.
280        Credit to OSS-Fuzz (locally run, on GDAL)
281
    <LI> libtiff/tif_lzw.c: update dec_bitsleft at beginning of
        LZWDecode(), and update tif_rawcc at end of LZWDecode(). This
        is needed to properly work with the latest changes in
        tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
286
    <LI> libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp
        with next_in and tif_rawcc with avail_in at beginning and end
        of function, similarly to what is done in LZWDecode(). Likely
        needed so that it works properly with the latest changes in
        tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. But untested...
292
293    <LI> libtiff/tif_getimage.c: initYCbCrConversion(): add basic
294        validation of luma and refBlackWhite coefficients (just check
295        they are not NaN for now), to avoid potential float to int
296        overflows.  Fixes
297        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
298        Credit to OSS Fuzz
299
    <LI> libtiff/tif_dir.c: _TIFFVSetField(): fix outside range cast
        of double to float.  Credit to Google Autofuzz project
302
303    <LI> libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1]
304        is not zero to avoid division by zero.  Fixes
305        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665
306        Credit to OSS Fuzz
307
316    <LI> libtiff/tif_getimage.c: initYCbCrConversion(): stricter
317        validation for refBlackWhite coefficients values. To avoid
318        invalid float->int32 conversion.  Fixes
319        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
320        Credit to OSS Fuzz
321
322</UL>
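<P>
Three of the entries above share one pattern: the uint32 overflow in
TIFFReadEncodedStrip() (bug 2596), the strip count in
ChopUpSingleUncompressedStrip() (bug 2608) and the read limits added to
TIFFFillStrip() / TIFFFillTile() for truncated files.  In each case the
fix derives counts and sizes from the image dimensions with
overflow-checked arithmetic and never lets a directory value drive a
read or an allocation past the end of the file.  The C program below is
an added example written for this page, not libtiff code: the function
names are its own and the inputs are constructed, but the quantities are
the TIFF tags the entries name (ImageWidth, ImageLength, RowsPerStrip,
BitsPerSample, SamplesPerPixel, StripOffsets, StripByteCounts).
</P>

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libtiff code: models the strip geometry checks behind the
 * TIFFReadEncodedStrip(), ChopUpSingleUncompressedStrip() and TIFFFillStrip()
 * fixes. Function names are this example's own; inputs are constructed. */

/* ceil(x / y) for uint32 without the wrap that (x + y - 1) / y suffers when
 * y is near UINT32_MAX (e.g. RowsPerStrip = 0xFFFFFFFF). Returns 0 for y == 0,
 * which callers must treat as an invalid RowsPerStrip, never divide by. */
uint32_t howmany_u32(uint32_t x, uint32_t y)
{
    if (y == 0)
        return 0;
    return x / y + (x % y != 0);
}

static int mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Bytes in one full strip of a PlanarConfig=contig image, computed in 64 bits
 * with overflow detection. Returns 0 for overflow or degenerate geometry, so a
 * caller can never feed a wrapped size into an allocation or a division. */
uint64_t strip_size(uint32_t imagewidth, uint32_t rowsperstrip,
                    uint16_t bitspersample, uint16_t samplesperpixel)
{
    uint64_t bits_per_row, bytes_per_row, total;

    if (imagewidth == 0 || rowsperstrip == 0 ||
        bitspersample == 0 || samplesperpixel == 0)
        return 0;
    if (!mul_u64_checked(imagewidth,
                         (uint64_t)bitspersample * samplesperpixel,
                         &bits_per_row))
        return 0;
    bytes_per_row = bits_per_row / 8 + (bits_per_row % 8 != 0);
    if (!mul_u64_checked(bytes_per_row, rowsperstrip, &total))
        return 0;
    return total;
}

/* Strip count from ImageLength / RowsPerStrip only. Deriving it from the data
 * size instead (the logic replaced for bug 2608) under-counts on a short file,
 * and the scanline reader then indexes past StripOffsets/StripByteCounts. */
uint32_t number_of_strips(uint32_t imagelength, uint32_t rowsperstrip)
{
    if (rowsperstrip == 0)
        return 0;
    if (rowsperstrip > imagelength)   /* 0xFFFFFFFF means "one strip" */
        rowsperstrip = imagelength;
    return howmany_u32(imagelength, rowsperstrip);
}

/* Bound a strip read by what actually lies between StripOffsets[i] and the end
 * of the file, so a huge StripByteCounts[i] in a truncated file cannot drive a
 * huge allocation. Returns 0 when the offset is already past the end. */
uint64_t bounded_strip_read(uint64_t stripoffset, uint64_t stripbytecount,
                            uint64_t filesize)
{
    if (stripoffset >= filesize)
        return 0;
    uint64_t remaining = filesize - stripoffset;
    return stripbytecount < remaining ? stripbytecount : remaining;
}

int main(void)
{
    /* Constructed geometry: 100 rows with RowsPerStrip = 0xFFFFFFFF (a single
     * strip), and a StripByteCounts value far larger than the 1500-byte file. */
    printf("strips: %" PRIu32 "\n", number_of_strips(100, 0xFFFFFFFFu));
    printf("strip size: %" PRIu64 "\n", strip_size(640, 100, 8, 3));
    printf("bounded read: %" PRIu64 "\n",
           bounded_strip_read(1000, 4000000000ull, 1500));
    printf("overflowing size -> %" PRIu64 "\n",
           strip_size(0xFFFFFFFFu, 0xFFFFFFFFu, 16, 4));
    return 0;
}
```

<P>
The point of returning 0 from every helper on bad geometry is that a
caller can treat "zero" uniformly as "reject this directory" before any
buffer is sized from it; libtiff's own fixes reach the same outcome
through TIFFhowmany_32 and the byte-count limit in TIFFFillStrip().
</P>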
323
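<P>
The entries on rational directory values (bug 2644) and on clamping
doubles to narrower types (bugs 2642, 2643, 2646, 2647) describe two
halves of one problem: a RATIONAL with a zero denominator produces
infinity or NaN, and converting such a value (or any out-of-range
double) to an integer type is undefined behaviour in C.  The following
added C example, not libtiff code, decodes the 8-byte RATIONAL (type 5)
and SRATIONAL (type 10) payloads with a zero-denominator guard and then
saturates the result into the integer and float types a tag might be
stored in.  The byte strings are constructed; the function names are the
example's own.
</P>

```c
#include <float.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libtiff code. RATIONAL (type 5) is two unsigned 32-bit
 * values, SRATIONAL (type 10) two signed ones, numerator first, in the file's
 * byte order. Function names are this example's own. */

static uint32_t rd_u32(const unsigned char *p, int bigendian)
{
    if (bigendian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[1] << 8) | (uint32_t)p[0];
}

/* Two's-complement reinterpretation without the implementation-defined cast. */
static int32_t to_i32(uint32_t u)
{
    return u <= (uint32_t)INT32_MAX ? (int32_t)u
                                    : (int32_t)(u - 0x80000000u) + INT32_MIN;
}

/* Decode a RATIONAL at p. Returns 0 if fewer than 8 bytes are available.
 * A zero denominator yields 0.0 (the bug 2644 behaviour) rather than inf
 * or NaN, which would poison every later computation and conversion. */
int read_rational(const unsigned char *p, size_t avail, int bigendian,
                  double *out)
{
    if (avail < 8)
        return 0;
    uint32_t num = rd_u32(p, bigendian), den = rd_u32(p + 4, bigendian);
    *out = (den == 0) ? 0.0 : (double)num / (double)den;
    return 1;
}

int read_srational(const unsigned char *p, size_t avail, int bigendian,
                   double *out)
{
    if (avail < 8)
        return 0;
    int32_t num = to_i32(rd_u32(p, bigendian));
    int32_t den = to_i32(rd_u32(p + 4, bigendian));
    *out = (den == 0) ? 0.0 : (double)num / (double)den;
    return 1;
}

/* Saturating conversions: casting an out-of-range or NaN double to an
 * integer type is undefined behaviour (UBSan reports it), so clamp first.
 * NaN maps to 0. The "!(v >= 0.0)" form rejects NaN and negatives at once. */
uint16_t clamp_to_u16(double v)
{
    if (!(v >= 0.0))
        return 0;
    return v >= 65535.0 ? UINT16_MAX : (uint16_t)v;
}

uint32_t clamp_to_u32(double v)
{
    if (!(v >= 0.0))
        return 0;
    return v >= 4294967295.0 ? UINT32_MAX : (uint32_t)v;
}

int32_t clamp_to_i32(double v)
{
    if (v != v)                       /* NaN */
        return 0;
    if (v <= -2147483648.0)
        return INT32_MIN;
    if (v >= 2147483647.0)
        return INT32_MAX;
    return (int32_t)v;
}

float clamp_to_float(double v)
{
    if (v != v)
        return 0.0f;
    if (v > FLT_MAX)
        return FLT_MAX;
    if (v < -FLT_MAX)
        return -FLT_MAX;
    return (float)v;
}

/* Constructed little-endian payloads: XResolution 300/1, a malformed 300/0,
 * and an SRATIONAL -5/2. */
const unsigned char SAMPLE_OK[8]  = {0x2C, 0x01, 0, 0, 1, 0, 0, 0};
const unsigned char SAMPLE_BAD[8] = {0x2C, 0x01, 0, 0, 0, 0, 0, 0};
const unsigned char SAMPLE_NEG[8] = {0xFB, 0xFF, 0xFF, 0xFF, 2, 0, 0, 0};

int main(void)
{
    double v;
    if (read_rational(SAMPLE_OK, sizeof SAMPLE_OK, 0, &v))
        printf("300/1 -> %g\n", v);
    if (read_rational(SAMPLE_BAD, sizeof SAMPLE_BAD, 0, &v))
        printf("300/0 -> %g (guarded)\n", v);
    if (read_srational(SAMPLE_NEG, sizeof SAMPLE_NEG, 0, &v))
        printf("-5/2  -> %g\n", v);
    printf("clamp 70000 -> u16 %u, -1e10 -> i32 %d\n",
           clamp_to_u16(70000.0), clamp_to_i32(-1e10));
    return 0;
}
```

<P>
Returning 0 for a zero denominator follows the libtiff choice recorded
above; a parser that instead wants to reject the directory can test
<TT>den == 0</TT> before dividing.  The clamp functions are what a
writer needs as well, since the same range problem appears when a
double passed to TIFFSetField() is stored into a narrower field.
</P>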
324<P><HR WIDTH=65% ALIGN=left>
325
326<!-------------------------------------------------------------------------->
327
328<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>
329
330<UL>
331
332    <LI> tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
333        passing client data for Win32 builds using tif_win32.c
334        (USE_WIN32_FILEIO defined) for file I/O.  Patch was provided
335        via email on November 20, 2016.
336
337    <LI> tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
338        that can cause various issues, such as buffer overflows in the
339        library.  Reported by Agostino Sarubbo.  Fixes
340        http://bugzilla.maptools.org/show_bug.cgi?id=2598
341
342    <LI> tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i
343        (ignore) mode so that the output buffer is correctly
344        incremented to avoid write outside bounds.  Reported by
345        Agostino Sarubbo.  Fixes
346        http://bugzilla.maptools.org/show_bug.cgi?id=2620
347
348    <LI> tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
349        readSeparateStripsIntoBuffer() to avoid read outside of heap
350        allocated buffer.  Reported by Agostino Sarubbo.  Fixes
351        http://bugzilla.maptools.org/show_bug.cgi?id=2621
352
353    <LI> tools/tiffcrop.c: fix integer division by zero when
354        BitsPerSample is missing.  Reported by Agostino Sarubbo.
355        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619
356
    <LI> tools/tiffinfo.c: fix null pointer dereference in -r mode
        when the image has no StripByteCounts tag.  Reported by
        Agostino Sarubbo.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2594
361
    <LI> tools/tiffcp.c: avoid potential division by zero if the
        BitsPerSample tag is missing.  Reported by Agostino Sarubbo.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597
365
    <LI> libtiff/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, )
        is called, limit the returned number of inks to SamplesPerPixel,
        so that code that parses ink names doesn't go past the end of
        the buffer.  Reported by Agostino Sarubbo.  Fixes
        http://bugzilla.maptools.org/show_bug.cgi?id=2599
371
    <LI> tools/tiffcp.c: avoid potential division by zero if the
        BitsPerSample tag is missing.  Reported by Agostino Sarubbo.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607
375
376    <LI> tools/tiffcp.c: fix uint32 underflow/overflow that can cause
377        heap-based buffer overflow.  Reported by Agostino Sarubbo.
378        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610
379
380    <LI> tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non
381        assert check.  Reported by Agostino Sarubbo.  Fixes
382        http://bugzilla.maptools.org/show_bug.cgi?id=2605
383
384    <LI> tools/tiff2ps.c: fix 2 heap-based buffer overflows (in
385        PSDataBW and PSDataColorContig). Reported by Agostino Sarubbo.
386        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
387        http://bugzilla.maptools.org/show_bug.cgi?id=2634.
388
389    <LI> tools/tiff2pdf.c: prevent heap-based buffer overflow in -j
390        mode on a paletted image. Note: this fix errors out before the
391        overflow happens. There could probably be a better fix.  Fixes
392        http://bugzilla.maptools.org/show_bug.cgi?id=2635
393
394    <LI> tools/tiff2pdf.c: fix wrong usage of memcpy() that can
395        trigger unspecified behaviour.  Fixes
396        http://bugzilla.maptools.org/show_bug.cgi?id=2638
397
398    <LI> tools/tiff2pdf.c: avoid potential invalid memory read in
399        t2p_writeproc.  Fixes
400        http://bugzilla.maptools.org/show_bug.cgi?id=2639
401
402    <LI> tools/tiff2pdf.c: avoid potential heap-based overflow in
403        t2p_readwrite_pdf_image_tile().  Fixes
404        http://bugzilla.maptools.org/show_bug.cgi?id=2640
405
406    <LI> tools/tiffcrop.c: remove extraneous TIFFClose() in error code
407        path, that caused double free.  Related to
408        http://bugzilla.maptools.org/show_bug.cgi?id=2535
409
410    <LI> tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
411        and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap
412        based overflow.  Fixes
413        http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
414        http://bugzilla.maptools.org/show_bug.cgi?id=2657
415
416    <LI> tools/raw2tiff.c: avoid integer division by zero.  Fixes
417        http://bugzilla.maptools.org/show_bug.cgi?id=2631
418
419    <LI> tools/tiff2ps.c: call TIFFClose() in error code paths.
420
421    <LI> tools/fax2tiff.c: emit appropriate message if the input file
422        is empty. Patch by Alan Coopersmith.  Fixes
423        http://bugzilla.maptools.org/show_bug.cgi?id=2672
424
425    <LI> tools/tiff2bw.c: close TIFF handle in error code path.  Fixes
426        http://bugzilla.maptools.org/show_bug.cgi?id=2677
427
428</UL>
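<P>
The TIFFTAG_NUMBEROFINKS entry above (bug 2599) is a general lesson for
tag parsers: a count field is only a claim, and a walk over the
InkNames buffer has to be bounded by every independent limit the format
gives, not just the one the file asserts.  The C example below is added
for this page and is not libtiff or tiffcp code.  The InkNames layout
(NUL-separated ASCII strings, tag 333) and NumberOfInks (tag 334) are
taken from the TIFF specification; the function names and the sample
buffers are constructed.
</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libtiff code. InkNames is a run of NUL-terminated ASCII
 * strings, one per ink; NumberOfInks states how many. Names and function
 * names here are constructed for illustration. */

/* Collect up to maxnames pointers to the names in buf[0..buflen).
 * The walk stops at the smallest of: NumberOfInks, SamplesPerPixel (the
 * bug 2599 cap), maxnames, and the end of the buffer. An unterminated last
 * name is dropped rather than read past buflen. Returns the count stored. */
int parse_ink_names(const char *buf, size_t buflen,
                    uint16_t numberofinks, uint16_t samplesperpixel,
                    const char *names[], int maxnames)
{
    uint16_t limit = numberofinks < samplesperpixel ? numberofinks
                                                    : samplesperpixel;
    size_t pos = 0;
    int n = 0;

    if (buf == NULL || names == NULL)
        return 0;
    while (n < limit && n < maxnames && pos < buflen) {
        /* memchr is bounded by the bytes left, so a missing NUL cannot
         * turn into a read past the end of the tag value. */
        const char *nul = memchr(buf + pos, '\0', buflen - pos);
        if (nul == NULL)
            break;
        names[n++] = buf + pos;
        pos = (size_t)(nul - buf) + 1;
    }
    return n;
}

/* Total byte length a writer must record for the tag, including each NUL:
 * the writer-side counterpart that keeps the count and the buffer consistent. */
size_t ink_names_length(const char *names[], int count)
{
    size_t total = 0;
    for (int i = 0; i < count; i++)
        total += strlen(names[i]) + 1;
    return total;
}

int main(void)
{
    /* Constructed tag value: four CMYK ink names, 26 bytes including NULs,
     * paired with a NumberOfInks of 200 that the file lies about. */
    static const char cmyk[] = "Cyan\0Magenta\0Yellow\0Black\0";
    const char *names[8];
    int n = parse_ink_names(cmyk, sizeof cmyk - 1, 200, 4, names, 8);
    printf("%d inks parsed (NumberOfInks claimed 200)\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    printf("bytes a writer would record: %zu\n", ink_names_length(names, n));
    return 0;
}
```

<P>
The same shape (claimed count, independent structural bound, explicit
buffer length) applies to the other count-driven tags touched in this
release, such as StripByteCounts against the strip count and the
ColorMap / TransferFunction sizes against BitsPerSample.
</P>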
429
430<P><HR WIDTH=65% ALIGN=left>
431
432<!--------------------------------------------------------------------------->
433
434<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>
435
436<UL>
437
438  <LI> None
439
440</UL>
441
442Last updated $Date: 2017-05-21 17:47:46 $.
443
444</BODY>
445</HTML>
446