<HTML>
<HEAD>
<TITLE>
	Changes in TIFF v4.0.9
</TITLE>
</HEAD>

<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">

<BASEFONT SIZE=4>
<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
<BASEFONT SIZE=3>

<UL>
<HR SIZE=4 WIDTH=65% ALIGN=left>
<B>Current Version</B>: v4.0.9<BR>
<B>Previous Version</B>: <A HREF=v4.0.8.html>v4.0.8</a><BR>
<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff">
download.osgeo.org</a>, directory pub/libtiff<BR>
<B>Master HTTP Site #1</B>: <A HREF="http://www.simplesystems.org/libtiff/">
http://www.simplesystems.org/libtiff/</a><BR>
<B>Master HTTP Site #2</B>: <A HREF="http://libtiff.maptools.org/">
http://libtiff.maptools.org/</a>
<HR SIZE=4 WIDTH=65% ALIGN=left>
</UL>

<P>
This document describes the changes made to the software between the
<I>previous</I> and <I>current</I> versions (see above).  If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned.  The following
information is located here:
<UL>
<LI><A HREF="#highlights">Major Changes</A>
<LI><A HREF="#configure">Changes in the software configuration</A>
<LI><A HREF="#libtiff">Changes in libtiff</A>
<LI><A HREF="#tools">Changes in the tools</A>
<LI><A HREF="#contrib">Changes in the contrib area</A>
</UL>
<p>
<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>

<UL>

	<LI> None

</UL>


<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->

<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>

<UL>

  <LI> test/Makefile.am: Add some tests for tiff2bw.
  <LI> .appveyor.yml, .travis.yml, build/travis-ci: apply patches
	0001-ci-Travis-script-improvements.patch and
	0002-ci-Invoke-helper-script-via-shell.patch by Roger Leigh
	(sent to mailing list)
  <LI> .travis.yml, build/travis-ci: new files from
	0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch by
	Roger Leigh (sent to mailing list on 2017-06-08).
	This patch adds support for the Travis-CI service.
  <LI> .appveyor.yml: new file from
	0002-ci-Add-AppVeyor-support.patch by Roger Leigh (sent to mailing
	list on 2017-06-08).
	This patch adds a .appveyor.yml file to the top-level.  This allows
	one to opt in to having a branch built on Windows with Cygwin,
	MinGW and MSVC automatically when a branch is pushed to GitHub,
	GitLab, BitBucket or any other supported git hosting service.
  <LI> CMakeLists.txt, test/CMakeLists.txt, test/TiffTestCommon.cmake: apply
	patch 0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch from Roger
	Leigh (sent to mailing list on 2017-06-08).
	This patch makes the CMake build system support running the tests
	with MinGW or Cygwin.

  <LI> test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files
	to test old-style LZW decompression.
  <LI> test/common.sh, Makefile.am, CMakeLists.txt: updated with the above.
  <LI> test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
	to fix "make distcheck". Patch by Roger Leigh.
  <LI> nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use
	the /MDd runtime in debug mode.


</UL>

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>

<UL>

    <LI> libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
	int32 overflow in TIFFYCbCrtoRGB().
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
	Credit to OSS Fuzz

    <LI> libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation of
	refBlackWhite coefficient values, to avoid an invalid float->int32
	conversion (when refBlackWhite[0] == 2147483648.f).
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
	Credit to OSS Fuzz

    <LI> libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
	codec-specific tag when that codec is not enabled. This stops TIFFGetField()
	from behaving differently depending on whether the codec is enabled or not,
	and thus can avoid stack-based buffer overflows in a number of TIFF utilities
	such as tiffsplit, tiffcmp, thumbnail, etc.
	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
	Fixes:
	http://bugzilla.maptools.org/show_bug.cgi?id=2580
	http://bugzilla.maptools.org/show_bug.cgi?id=2693
	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
	http://bugzilla.maptools.org/show_bug.cgi?id=2441
	http://bugzilla.maptools.org/show_bug.cgi?id=2433

    <LI> libtiff/tif_swab.c: if DISABLE_CHECK_TIFFSWABMACROS is defined, do not do
	the #ifdef TIFFSwabXXX checks. This makes it easier for GDAL to rename the
	symbols of its internal libtiff copy.


    <LI> libtiff/tif_dirread.c: fix regression of libtiff 4.0.8 in
	ChopUpSingleUncompressedStrip() regarding update of newly single-strip
	uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
	the condition bytecount==0 used to trigger an early exit/disabling of
	strip chop. Re-introduce that in update mode. Otherwise this causes
	later incorrect setting of the values of StripByteCounts/StripOffsets.
	( https://trac.osgeo.org/gdal/ticket/6924 )
    <LI> libtiff/tif_dirread.c: TIFFFetchStripThing(): limit the number of items
	read in StripOffsets/StripByteCounts tags to the number of strips to avoid
	excessive memory allocation.
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215
	Credit to OSS Fuzz
    <LI> libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
    <LI> libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
	potentially be a bug with huge rows.
    <LI> libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
    <LI> libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
	and BYTECOUNTLOOKSBAD when the file is too short.
    <LI> libtiff/tif_predict.c: decorate legitimate functions where unsigned int
	overflow occurs with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW.
    <LI> libtiff/tiffiop.h: add TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW macro to
	disable Clang warnings raised by -fsanitize=undefined,unsigned-integer-overflow.
    <LI> libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive
	CPU consumption on progressive JPEGs with a huge number of scans.
	See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
	Note: only affects libtiff since 2014-12-29, when support of non-baseline JPEG
	was added.

    <LI> libtiff/tif_jpeg.c: error out at decoding time if the anticipated libjpeg
	memory allocation is above 100 MB. libjpeg, in the case of multiple scans
	(which is allowed even in baseline JPEG, if components are spread over several
	scans and not interleaved in a single one), needs to allocate memory (or
	backing store) for the whole strip/tile.
	See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
	This limitation may be overridden by setting the
	LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or by recompiling
	libtiff with a custom value of the TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
    <LI> libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode().
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
	Reported by team OWL337
    <LI> libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
	double value can fit in a float before casting. Patch by Nicolas RUFF
    <LI> libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
	libtiff/tif_read.c: make TIFFReadScanline() work in
	CHUNKY_STRIP_READ_SUPPORT mode with JPEG streams with multiple scans.
	Also make the maximum number of scans allowed configurable through a
	LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER environment variable. Defaults to
	100.
    <LI> libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
	of bytes read in case td_stripbytecount[strip] is bigger than
	reasonable, so as to avoid excessive memory allocation (similarly to
	what was done for TIFFFillStrip() on 2017-05-10)
    <LI> libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433
	Credit to OSS Fuzz
    <LI> libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
	function, a variant of TIFFReadEncodedStrip() that allocates the
	decoded buffer only after a first successful TIFFFillStrip(). This avoids
	excessive memory allocation on corrupted files.
    <LI> libtiff/tif_dirwrite.c: in the TIFFWriteDirectoryTagCheckedXXXX()
	functions associated with the LONG8/SLONG8 data types, replace the assertion
	that the file is BigTIFF by a non-fatal error.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
	Reported by team OWL337
    <LI> libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
	tif_rawdataloaded when it is set, similarly to TIFFStartStrip().
	This issue was revealed by the change of 2017-06-30 in TIFFFillTile(),
	limiting the number of bytes read. But it could probably have been hit
	too in CHUNKY_STRIP_READ_SUPPORT mode previously?
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
	Credit to OSS Fuzz
    <LI> libtiff/tif_error.c, tif_warning.c: correctly use va_list when both
	an old-style and a new-style warning/error handler are installed.
	Patch by Paavo Helde (sent on the mailing list)
    <LI> libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
	Credit to OSS Fuzz
    <LI> libtiff/tif_read.c, tiffiop.h: add _TIFFReadEncodedTileAndAllocBuffer()
	and _TIFFReadTileAndAllocBuffer(), variants of TIFFReadEncodedTile() and
	TIFFReadTile() that allocate the decoded buffer only after a first
	successful TIFFFillTile(). This avoids excessive memory allocation
	on corrupted files.
    <LI> libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
	when the RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX).
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
	Credit to OSS Fuzz
    <LI> libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW
	compressed files.
    <LI> libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
	strips. Crashing issue only on memory mapped files, where the strip
	offset is the last byte of the file, and the file size is a multiple
	of one page size on the CPU architecture (typically 4096). Credit
	to myself :-)
    <LI> libtiff/tif_dir.c: avoid potential null pointer dereference in
	_TIFFVGetField() on a corrupted TIFFTAG_NUMBEROFINKS tag instance.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
    <LI> tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
	mode on PlanarConfig=Contig input images.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
	Reported by team OWL337
    <LI> libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile():
	complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
	in the isMapped() case, so as to avoid excessive memory allocation
	when we need a temporary buffer but the file is truncated.
    <LI> libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
	arrays that hold StripOffsets/StripByteCounts, when they are smaller
	than the expected number of striles, up to 1 million striles, and
	error out beyond. Can be tweaked by setting the environment variable
	LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
	This partially goes against a change added on 2002-12-17 to accept
	those arrays of wrong sizes, but is needed to avoid denial of service.
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
	Credit to OSS Fuzz
    <LI> libtiff/tif_read.c: add protection against excessive memory
	allocation attempts in TIFFReadDirEntryArray() on short files.
	Effective for the mmap'ed case, and for the non-mmap'ed case restricted
	to 64-bit builds.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
    <LI> libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
	allocation when the RowsPerStrip tag is missing.
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
	Credit to OSS Fuzz
    <LI> libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate():
	properly break from loops on error when stoponerr is set, instead
	of going on iterating in the row-based loop.
    <LI> libtiff/tif_getimage.c: fix fromskew computation when the to-be-skipped
	pixel number is not a multiple of the horizontal subsampling, and
	also in some other cases. Impacts putcontig8bitYCbCr44tile,
	putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
	putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
	by Agostino Sarubbo)
	and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
	to OSS Fuzz)
    <LI> libtiff/tif_luv.c: further reduce memory requirements for the temporary
	buffer when RowsPerStrip >= image_length in LogLuvInitState() and
	LogL16InitState().
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
	Credit to OSS Fuzz
    <LI> libtiff/tif_dirwrite.c: replace the assertion related to not finding the
	SubIFD tag by a runtime check (in TIFFWriteDirectorySec()).
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
	Reported by team OWL337
    <LI> libtiff/tif_dirwrite.c: replace the assertion that the tag value fits
	in uint32 when selecting the value of the SubIFD tag by a runtime check
	(in TIFFWriteDirectoryTagSubifd()).
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
	Reported by team OWL337
    <LI> libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed
	file if the codestream height is larger than the truncated height of the
	strip. Emit a warning in this situation since this is non-compliant.
    <LI> libtiff/tiffiop.h, tif_aux.c: redirect the SeekOK() macro to a _TIFFSeekOK()
	function that checks that the offset is not bigger than INT64_MAX, so that
	the -1 error return code of TIFFSeekFile() cannot be mistaken for a
	successful seek to UINT64_MAX/-1.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
	Adapted from proposal by Nicolas Ruff.
    <LI> libtiff/tif_dirread.c: add NULL check to avoid a likely false positive
	null-pointer dereference warning by the Clang Static Analyzer.
    <LI> libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735
    <LI> libtiff/tif_jpeg.c: add compatibility with libjpeg-turbo 1.5.2, which
	honours max_memory_to_use > 0.
	Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162
    <LI> libtiff/tif_getimage.c: avoid floating point division by zero in
	initCIELabConversion().
	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733
	Credit to OSS Fuzz
</UL>
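<P>
Three of the entries above share one defensive pattern: check the range before a narrowing conversion. TIFFReadDirEntryFloat() now verifies that a double fits in a float before the cast, initYCbCrConversion() rejects refBlackWhite values such as 2147483648.f that do not fit in int32, and _TIFFSeekOK() refuses offsets above INT64_MAX so that the (uint64_t)-1 error code of TIFFSeekFile() can never equal a requested offset. The C below is an added example written for this page, not libtiff code: the function names, the fake_seek() stand-in for TIFFSeekFile() and its 4 KiB "file" are assumptions made here to make the three checks runnable side by side.

```c
/* Added example (not libtiff code): range checks before narrowing
 * conversions, in the spirit of the 4.0.9 fixes to TIFFReadDirEntryFloat(),
 * initYCbCrConversion() and the SeekOK() macro. All names are assumptions. */
#include <float.h>
#include <stdint.h>
#include <stdio.h>

/* A double fits in a float only if it lies within +/-FLT_MAX. Casting an
 * out-of-range value is undefined behaviour in C, so test first.
 * NaN fails both comparisons and +/-infinity fails one of them. */
int double_fits_float(double d)
{
    return d <= FLT_MAX && d >= -FLT_MAX;
}

/* Writes *out only when the value fits; returns 1 on success, 0 on range error. */
int checked_double_to_float(double d, float *out)
{
    if (!double_fits_float(d))
        return 0;
    *out = (float)d;
    return 1;
}

/* A float fits in int32 if it is >= -2^31 and strictly < 2^31. The literal
 * 2147483648.0f is exactly 2^31, so the strict upper bound rejects it: that is
 * the refBlackWhite[0] value mentioned in the oss-fuzz 1907 entry. */
int float_fits_int32(float f)
{
    return f >= -2147483648.0f && f < 2147483648.0f;
}

int checked_float_to_int32(float f, int32_t *out)
{
    if (!float_fits_int32(f))
        return 0;
    *out = (int32_t)f;
    return 1;
}

/* Stand-in for a seek primitive that reports failure as (uint64_t)-1, the
 * convention the page describes for TIFFSeekFile(). The "file" is a
 * constructed 4 KiB region (assumption). */
#define FAKE_FILE_SIZE 4096u
static uint64_t fake_seek(uint64_t off)
{
    if (off > FAKE_FILE_SIZE)
        return (uint64_t)-1;
    return off;
}

/* Naive success test: "returned offset equals requested offset". Requesting
 * UINT64_MAX makes the error code equal the request, so failure looks like
 * success. This is the confusion the 4.0.9 change removes. */
int naive_seek_ok(uint64_t off)
{
    return fake_seek(off) == off;
}

/* Hardened test, mirroring the idea behind _TIFFSeekOK(): an offset above
 * INT64_MAX is refused before seeking, so -1 can never be a valid result. */
int checked_seek_ok(uint64_t off)
{
    if (off > (uint64_t)INT64_MAX)
        return 0;
    return fake_seek(off) == off;
}

int main(void)
{
    float f = 0.0f;
    int32_t i = 0;
    printf("1e300 fits float: %d\n", checked_double_to_float(1e300, &f));
    printf("2^31 fits int32: %d\n", checked_float_to_int32(2147483648.0f, &i));
    printf("seek to UINT64_MAX: naive=%d checked=%d\n",
           naive_seek_ok(UINT64_MAX), checked_seek_ok(UINT64_MAX));
    return 0;
}
```

The same shape applies to any field read from a file: decide whether the value is representable in the destination type, and only then convert. Note that the float-to-int32 bound must be expressed with the float literal 2147483648.0f rather than INT32_MAX, because (float)INT32_MAX rounds up to 2^31 and would admit the very value that overflows.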
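<P>
Several entries above (the _TIFFReadEncodedStripAndAllocBuffer(), _TIFFReadEncodedTileAndAllocBuffer() and _TIFFReadTileAndAllocBuffer() variants, and the complementary TIFFFillStrip()/TIFFFillTile() fix for truncated files) apply one ordering rule: do not allocate the decoded buffer until the raw strip or tile has actually been read. The C below is an added example written for this page, not libtiff code; the strip_entry and alloc_stats types, the fill_strip() stand-in for TIFFFillStrip(), and the 16-byte constructed "file" are assumptions made here so the two orderings can be compared on a crafted byte count.

```c
/* Added example (not libtiff code): read a strip's raw bytes before allocating
 * its decoded buffer, the pattern behind _TIFFReadEncodedStripAndAllocBuffer().
 * The types, function names and the toy "file" are constructed for this page. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One strip as described by a (possibly crafted) directory. */
typedef struct {
    uint64_t offset;        /* StripOffsets[i] */
    uint64_t bytecount;     /* StripByteCounts[i]: attacker-controlled */
    uint64_t decoded_size;  /* size the caller wants for the decoded strip */
} strip_entry;

/* Counters so a caller can see how much memory each ordering asked for. */
typedef struct {
    int      alloc_attempts;
    uint64_t bytes_requested;
} alloc_stats;

/* Constructed 16-byte "file": a 4-byte header followed by 12 data bytes. */
static const uint8_t TOY_FILE[16] = {
    'I', 'I', 42, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
};
#define TOY_FILE_LEN ((size_t)sizeof(TOY_FILE))

/* Stand-in for TIFFFillStrip(): succeeds only if the claimed raw bytes exist. */
static int fill_strip(const uint8_t *file, size_t file_len, const strip_entry *e)
{
    if (e->offset > file_len || e->bytecount > file_len - e->offset)
        return 0;   /* truncated file or lying byte count */
    return 1;
}

/* "Decode" for this toy: copy the raw bytes, bounded by the decoded buffer. */
static size_t decode_into(uint8_t *buf, const uint8_t *file, const strip_entry *e)
{
    size_t n = (size_t)(e->bytecount < e->decoded_size ? e->bytecount
                                                       : e->decoded_size);
    memcpy(buf, file + e->offset, n);
    return n;
}

/* Old ordering: allocate decoded_size up front, then try to read the strip.
 * On a truncated file this commits to the allocation before any check. */
int read_strip_alloc_first(const uint8_t *file, size_t file_len,
                           const strip_entry *e, alloc_stats *st, uint8_t **out)
{
    uint8_t *buf;
    st->alloc_attempts++;
    st->bytes_requested += e->decoded_size;
    buf = malloc((size_t)e->decoded_size);
    if (buf == NULL)
        return 0;
    if (!fill_strip(file, file_len, e)) {
        free(buf);
        return 0;
    }
    decode_into(buf, file, e);
    *out = buf;
    return 1;
}

/* New ordering: fill first; a strip that does not exist never gets a buffer. */
int read_strip_fill_first(const uint8_t *file, size_t file_len,
                          const strip_entry *e, alloc_stats *st, uint8_t **out)
{
    uint8_t *buf;
    if (!fill_strip(file, file_len, e))
        return 0;   /* rejected with zero bytes allocated */
    st->alloc_attempts++;
    st->bytes_requested += e->decoded_size;
    buf = malloc((size_t)e->decoded_size);
    if (buf == NULL)
        return 0;
    decode_into(buf, file, e);
    *out = buf;
    return 1;
}

int main(void)
{
    /* Crafted entry: byte count far past end of file, 1 MiB decoded size. */
    strip_entry bogus = { 4, 100000, 1u << 20 };
    alloc_stats old_st = { 0, 0 }, new_st = { 0, 0 };
    uint8_t *out = NULL;
    read_strip_alloc_first(TOY_FILE, TOY_FILE_LEN, &bogus, &old_st, &out);
    read_strip_fill_first(TOY_FILE, TOY_FILE_LEN, &bogus, &new_st, &out);
    printf("alloc-first requested %llu bytes, fill-first requested %llu bytes\n",
           (unsigned long long)old_st.bytes_requested,
           (unsigned long long)new_st.bytes_requested);
    return 0;
}
```

With the crafted entry, the alloc-first path asks for a megabyte before discovering the strip is unreadable, while the fill-first path rejects it having allocated nothing; on a real image the 1 MiB would be whatever the directory implies, which is why the page treats this ordering as a denial-of-service mitigation.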

<P><HR WIDTH=65% ALIGN=left>

<!-------------------------------------------------------------------------->

<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>

<UL>

    <LI> tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
	mode on PlanarConfig=Contig input images.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
	Reported by team OWL337
    <LI> tools/tiffset.c: fix setting a single value for the ExtraSamples tag
	(and other tags with a variable number of values), e.g.
	'tiffset -s ExtraSamples 1 X'. This only worked
	when setting 2 or more values, but not just one.
    <LI> tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as the
	client data.  This client data is not used at all at the moment,
	but it makes the most sense.  The issue that the value of
	client_data.fd was passed where a pointer is expected was reported
	via email by Gerald Schade on Sun, 29 Oct 2017.
    <LI> tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible
	arithmetic overflow in bounds checking code and eliminate
	comparison between signed and unsigned types.
    <LI> tools/tiff2bw.c (main): Free memory allocated in the tiff2bw
	program.  This is in response to the report associated with
	CVE-2017-16232 but does not solve the extremely high memory usage
	with the associated POC file.

</UL>

<P><HR WIDTH=65% ALIGN=left>

<!--------------------------------------------------------------------------->

<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>

<UL>

  <LI> None

</UL>

Last updated $Date: 2017-11-18 19:38:06 $.

</BODY>
</HTML>
