2018-11-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: libtiff 4.0.10 released.
Change COMPRESSION_ZSTD to 50000 and COMPRESSION_WEBP to 50001.
2018-11-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
Added preliminary release notes for release 4.0.10.
2018-11-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
tiff2pdf: Eliminate compiler warning about snprintf output truncation when formatting pdf_datetime.
2018-11-03 Olivier Paquet <olivier.paquet@gmail.com>
Merge branch 'no_tif_platform_console' into 'master'
Remove builtin support for GUI warning and error message boxes
See merge request libtiff/libtiff!24
2018-11-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
tiffcrop.c: Eliminate compiler warning about snprintf output truncation when formatting filenum.
TWebPVGetField(): Add apparently missing break statement impacting TIFFTAG_WEBP_LOSSLESS.
Eliminate compiler warnings about duplicate definitions of streq/strneq macros.
Ignore generated files.
Remove and ignore files which are a product of autogen.sh.
2018-11-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
Fix TIFFErrorExt() formatting of size_t type for 32-bit compiles.
2018-10-30 Even Rouault <even.rouault@spatialys.com>
tiff2bw: avoid null pointer dereference in case of out of memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
tiffio.h: fix comment.
2018-10-26 Even Rouault <even.rouault@spatialys.com>
Merge branch 'header2' into 'master'
Fix 725279bd: Standalone tif_predict.h: tiff.h should be tiffiop.h
See merge request libtiff/libtiff!41
2018-10-26 Kurt Schwehr <schwehr@google.com>
Fix 725279bd: Standalone tif_predict.h: tiff.h should be tiffiop.h.
2018-10-25 Even Rouault <even.rouault@spatialys.com>
Merge branch 'headers' into 'master'
Add includes to headers to allow them to stand alone.
See merge request libtiff/libtiff!40
2018-10-24 Kurt Schwehr <schwehr@google.com>
Add includes to headers to allow them to stand alone.
This allows compilers that can do stand alone header parsing
to process libtiff.
2018-10-18 Even Rouault <even.rouault@spatialys.com>
LZMAPreEncode: emit verbose error if lzma_stream_encoder() fails (typically because not enough memory available)
2018-10-17 Even Rouault <even.rouault@spatialys.com>
tif_webp.c: fix previous commit that broke scanline decoding.
tif_webp.c: fix potential read outside libwebp buffer on corrupted images
2018-10-14 Even Rouault <even.rouault@spatialys.com>
Merge branch 'jbig_decode_overflow' into 'master'
JBIG: fix potential out-of-bounds write in JBIGDecode()
See merge request libtiff/libtiff!38
2018-10-14 Even Rouault <even.rouault@spatialys.com>
JBIG: fix potential out-of-bounds write in JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.
Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
2018-10-05 Even Rouault <even.rouault@spatialys.com>
tif_webp.c: fix scanline reading/writing.
WEBP codec: initialize nSamples in TWebPSetupDecode() and TWebPSetupEncode()
2018-10-05 Even Rouault <even.rouault@spatialys.com>
Merge branch 'tif_webp' into 'master'
webp support
See merge request libtiff/libtiff!32
2018-10-05 Norman Barker <norman.barker@mapbox.com>
webp in tiff.
2018-09-17 Even Rouault <even.rouault@spatialys.com>
Merge branch 'master' into 'master'
fix three potential vulnerabilities.
See merge request libtiff/libtiff!33
2018-09-08 Young_X <YangX92@hotmail.com>
fix out-of-bound read on some tiled images.
avoid potential int32 overflows in multiply_ms()
only read/write TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
2018-08-15 Even Rouault <even.rouault@spatialys.com>
TIFFSetupStrips(): avoid potential uint32 overflow on 32-bit systems with large number of strips. Probably relates to http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
2018-08-07 Even Rouault <even.rouault@spatialys.com>
ZSTD: fix flush issue that can cause endless loop in ZSTDEncode()
Fixes https://github.com/OSGeo/gdal/issues/833
2018-08-07 Even Rouault <even.rouault@spatialys.com>
Merge branch 'fix_bug_2800' into 'master'
Fix libtiff 4.0.8 regression when reading LZW-compressed strips with scanline API
See merge request libtiff/libtiff!31
2018-08-07 Even Rouault <even.rouault@spatialys.com>
Fix libtiff 4.0.8 regression when reading LZW-compressed strips with scanline API
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2800
2018-07-05 Even Rouault <even.rouault@spatialys.com>
Add tag and pseudo-tag definitions for ESRI LERC codec (out of tree codec whose source is at https://github.com/OSGeo/gdal/blob/master/gdal/frmts/gtiff/tif_lerc.c)
2018-07-02 Even Rouault <even.rouault@spatialys.com>
Fix TIFFTAG_ZSTD_LEVEL pseudo tag value to be > 65536, and the next one in the series
2018-05-25 Stefan Weil <sw@weilnetz.de>
Remove builtin support for GUI warning and error message boxes.
Now warnings always go to the console by default unless applications
define their own warning and error handlers.
GUI applications (and Windows CE) are required to define such handlers.
2018-05-12 Even Rouault <even.rouault@spatialys.com>
LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
TIFFFetchNormalTag(): avoid (probably false positive) clang-tidy clang-analyzer-core.NullDereference warnings
TIFFWriteDirectorySec: avoid assertion. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
2018-05-04 Even Rouault <even.rouault@spatialys.com>
tif_color.c: fix code comment.
2018-04-17 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'fuzzer-fix' into 'master'
remove a pointless multiplication and a variable that's not necessary
See merge request libtiff/libtiff!29
2018-04-17 Paul Kehrer <paul.l.kehrer@gmail.com>
remove a pointless multiplication and a variable that's not necessary.
2018-04-17 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'ossfuzz' into 'master'
move oss-fuzz build script and fuzzer into libtiff tree
See merge request libtiff/libtiff!28
2018-04-17 Paul Kehrer <paul.l.kehrer@gmail.com>
move oss-fuzz build script and fuzzer into libtiff tree.
2018-04-14 Even Rouault <even.rouault@spatialys.com>
_TIFFGetMaxColorChannels: update for LOGLUV, ITULAB and ICCLAB that have 3 color channels
2018-04-12 Even Rouault <even.rouault@spatialys.com>
Fix MSVC warning.
2018-04-12 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'master' into 'master'
Fix NULL pointer dereference in TIFFPrintDirectory (bugzilla 2778/CVE-2018-7456)
See merge request libtiff/libtiff!27
2018-04-11 Hugo Lefeuvre <hle@debian.org>
Fix NULL pointer dereference in TIFFPrintDirectory.
The TIFFPrintDirectory function relies on the following assumptions,
supposed to be guaranteed by the specification:
(a) A Transfer Function field is only present if the TIFF file has
photometric type < 3.
(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
has count SamplesPerPixel - (Color Channels) and contains
information about supplementary channels.
While respect of (a) and (b) is essential for the well functioning of
TIFFPrintDirectory, no checks are realized either by the callee or
by TIFFPrintDirectory itself. Hence, the following scenarios might happen
and trigger the NULL pointer dereference:
(1) TIFF File of photometric type 4 or more has illegal Transfer
Function field.
(2) TIFF File has photometric type 3 or less and defines a
SamplesPerPixel field such that SamplesPerPixel > Color Channels
without defining all extra samples in the ExtraSamples fields.
In this patch, we address both issues with respect of the following
principles:
(A) In the case of (1), the defined transfer table should be printed
safely even if it isn't 'legal'. This allows us to avoid expensive
checks in TIFFPrintDirectory. Also, it is quite possible that
an alternative photometric type would be developed (not part of the
standard) and would allow definition of Transfer Table. We want
libtiff to be able to handle this scenario out of the box.
(B) In the case of (2), the transfer table should be printed at its
right size, that is if TIFF file has photometric type Palette
then the transfer table should have one row and not three, even
if two extra samples are declared.
In order to fulfill (A) we simply add a new 'i < 3' end condition to
the broken TIFFPrintDirectory loop. This makes sure that in any case
where (b) would be respected but not (a), everything stays fine.
(B) is fulfilled by the loop condition
'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
long as (b) is respected.
Naturally, we also make sure (b) is respected. This is done in the
TIFFReadDirectory function by making sure any non-color channel is
counted in ExtraSamples.
This commit addresses CVE-2018-7456.
2018-03-27 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'tiffset-long8' into 'master'
tiffset: Add support for LONG8, SLONG8 and IFD8 field types
See merge request libtiff/libtiff!25
2018-03-26 Roger Leigh <rleigh@codelibre.net>
port: Clean up NetBSD sources and headers to build standalone.
2018-03-23 Roger Leigh <rleigh@dundee.ac.uk>
port: Add strtol, strtoll and strtoull.
Also update strtoul. All use the same implementation from NetBSD libc.
tiffset: Add support for LONG8, SLONG8 and IFD8 field types.
2018-03-17 Even Rouault <even.rouault@spatialys.com>
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
Credit to OSS Fuzz
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
2018-03-13 Even Rouault <even.rouault@spatialys.com>
libtiff/tif_luv.c: rewrite loops in a more readable way (to avoid false positive reports like http://bugzilla.maptools.org/show_bug.cgi?id=2779)
2018-03-13 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
See merge request libtiff/libtiff!26
2018-03-11 Even Rouault <even.rouault@spatialys.com>
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
enough and we are in read only mode, validate that the file size is consistent
with that number of strips to avoid useless attempts at allocating a lot of
memory for the td_stripbytecount and td_stripoffset arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
2018-03-10 Even Rouault <even.rouault@spatialys.com>
Typo fix in comment.
2018-03-03 Even Rouault <even.rouault@spatialys.com>
Avoid warning with gcc 8 (partially revert 647b0e8c11ee11896f319b92cf110775f538d75c)
2018-02-25 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'typos' into 'master'
Fix some typos
See merge request libtiff/libtiff!23
2018-02-24 Stefan Weil <sw@weilnetz.de>
Fix some typos.
Most of them were found by codespell.
2018-02-14 Even Rouault <even.rouault@spatialys.com>
Typo fix in comment.
Merge branch 'zstd'
Add warning about COMPRESSION_ZSTD not being officially registered.
2018-02-14 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'bug2772' into 'master'
Fix for bug 2772
See merge request libtiff/libtiff!20
2018-02-12 Nathan Baker <nathanb@lenovo-chrome.com>
Fix for bug 2772.
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.
This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
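The directory-count guard described in the entry above, as an added C example that is not libtiff's code and not part of the ChangeLog: it walks the IFD chain of a classic little-endian TIFF held in memory, bounds-checks every offset, and fails with an error once 65535 directories have been counted. `count_directories`, `build_sample`, the `WALK_ERR_*` codes and the 44-byte sample file are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIRECTORIES 65535L  /* limit named in the ChangeLog entry */

enum { WALK_ERR_FORMAT = -1, WALK_ERR_BOUNDS = -2, WALK_ERR_TOO_MANY = -3 };

/* Little-endian helpers; callers guarantee the bytes are in range. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Count the IFDs of a classic little-endian TIFF in buf[0..len).
 * Returns the count, or a negative WALK_ERR_* code. */
long count_directories(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42)
        return WALK_ERR_FORMAT;

    uint32_t off = rd32(buf + 4);   /* offset of the first IFD */
    long n = 0;
    while (off != 0) {
        /* The 2-byte entry count must lie inside the buffer. */
        if (off > len || len - off < 2)
            return WALK_ERR_BOUNDS;
        size_t body = 2 + (size_t)rd16(buf + off) * 12;
        /* The entries and the 4-byte next-IFD offset must fit too. */
        if (len - off < body + 4)
            return WALK_ERR_BOUNDS;
        /* A circular chain never reaches offset 0: stop with an error
         * instead of carrying on with a bogus document. */
        if (++n >= MAX_DIRECTORIES)
            return WALK_ERR_TOO_MANY;
        off = rd32(buf + off + body);
    }
    return n;
}

/* One IFD holding a single ImageWidth entry, followed by `next`. */
static void put_ifd(uint8_t *p, uint32_t next)
{
    wr16(p, 1);          /* number of entries */
    wr16(p + 2, 256);    /* tag: ImageWidth */
    wr16(p + 4, 3);      /* type: SHORT */
    wr32(p + 6, 1);      /* value count */
    wr32(p + 10, 1);     /* value */
    wr32(p + 14, next);  /* next-IFD offset */
}

/* Constructed sample: header plus two IFDs at offsets 8 and 26.
 * second_next is the next-IFD offset stored in the second IFD:
 * 0 ends the chain, 8 points back at the first IFD. */
size_t build_sample(uint8_t *out, uint32_t second_next)
{
    memset(out, 0, 44);
    out[0] = 'I';
    out[1] = 'I';
    wr16(out + 2, 42);
    wr32(out + 4, 8);
    put_ifd(out + 8, 26);
    put_ifd(out + 26, second_next);
    return 44;
}

int main(void)
{
    uint8_t buf[44];
    size_t len = build_sample(buf, 0);
    printf("well-formed chain: %ld\n", count_directories(buf, len));
    build_sample(buf, 8);
    printf("circular chain:    %ld\n", count_directories(buf, len));
    build_sample(buf, 100);
    printf("dangling offset:   %ld\n", count_directories(buf, len));
    return 0;
}
```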
2018-02-09 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'libtiff-as-subdirectory-fixes' into 'master'
Prefer target_include_directories
See merge request libtiff/libtiff!12
2018-02-06 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'cmake-cleanups' into 'master'
Cmake cleanups
See merge request libtiff/libtiff!11
2018-02-06 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'check-right-cxx-variable' into 'master'
Check right cxx variable
See merge request libtiff/libtiff!19
2018-02-06 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'dont-leak-stream-open' into 'master'
Fix a memory leak in TIFFStreamOpen
See merge request libtiff/libtiff!17
2018-02-06 Ben Boeckel <ben.boeckel@kitware.com>
cmake: check CXX_SUPPORT.
This variable is set in response to the `cxx` cache variable; use it
instead.
2018-02-04 Olivier Paquet <olivier.paquet@gmail.com>
Merge branch 'warnings' into 'master'
Fix all compiler warnings for default build
See merge request libtiff/libtiff!16
2018-02-04 Nathan Baker <elitebadger@gmail.com>
Fix all compiler warnings for default build.
2018-01-30 Paul Kehrer <paul.l.kehrer@gmail.com>
tabs are hard.
2018-01-29 Paul Kehrer <paul.l.kehrer@gmail.com>
use hard tabs like the rest of the project.
Fix a memory leak in TIFFStreamOpen.
TIFFStreamOpen allocates a new tiff{o,i}s_data, but if TIFFClientOpen
fails then that struct is leaked. Delete it if the returned TIFF * is
null.
2018-01-29 Kevin Funk <kfunk@kde.org>
Bump minimum required CMake version to v2.8.11.
Because we use the BUILD_INTERFACE generator expression
2018-01-27 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'patch-1' into 'master'
Update CMakeLists.txt for build fix on Windows
See merge request libtiff/libtiff!14
2018-01-27 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'patch-2' into 'master'
Update tiffgt.c for build fix on Windows
See merge request libtiff/libtiff!13
2018-01-25 Olivier Paquet <olivier.paquet@gmail.com>
Merge branch 'bug2750' into 'master'
Add workaround to pal2rgb buffer overflow.
See merge request libtiff/libtiff!15
2018-01-25 Nathan Baker <elitebadger@gmail.com>
Add workaround to pal2rgb buffer overflow.
2018-01-23 Andrea <andrea@andreaplanet.com>
Update tiffgt.c for build fix on Windows.
Update CMakeLists.txt for build fix on Windows.
2018-01-15 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'has-attribute-check' into 'master'
tiffiop: use __has_attribute to detect the no_sanitize attribute
See merge request libtiff/libtiff!10
2018-01-15 Ben Boeckel <ben.boeckel@kitware.com>
cmake: avoid setting hard-coded variables in the cache.
cmake: avoid an unnecessary intermediate variable.
cmake: avoid an unnecessary intermediate variable.
cmake: avoid tautological logic.
cmake: use check_symbol_exists.
This accounts for symbols being provided by macros.
cmake: remove unused configure checks.
2018-01-12 Kevin Funk <kfunk@kde.org>
Prefer target_include_directories.
When libtiff is included in a super project via a simple
`add_subdirectory(libtiff)`, this way the `tiff` library target has all
the necessary information to build against it.
Note: The BUILD_INTERFACE generator expression feature requires at least
CMake v2.8.11 if I'm correct.
2018-01-09 Ben Boeckel <ben.boeckel@kitware.com>
tiffiop: use __has_attribute to detect the no_sanitize attribute.
2017-12-31 Even Rouault <even.rouault@spatialys.com>
man/TIFFquery.3tiff: remove reference to non-existing TIFFReadStrip() function in TIFFIsByteSwapped() documentation. Patch by Eric Piel. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2763
libtiff/tif_dir.c: _TIFFVGetField(): fix heap out-of-bounds access when requesting TIFFTAG_NUMBEROFINKS on a EXIF directory. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2765. Reported by Google Autofuzz project
libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
2017-12-21 Even Rouault <even.rouault@spatialys.com>
Add libzstd to gitlab-ci.
2017-12-21 Even Rouault <even.rouault@spatialys.com>
Add ZSTD compression codec.
From https://github.com/facebook/zstd
"Zstandard, or zstd as short version, is a fast lossless compression
algorithm, targeting real-time compression scenarios at zlib-level
and better compression ratios. It's backed by a very fast entropy stage,
provided by Huff0 and FSE library."
We require libzstd >= 1.0.0 so as to be able to use streaming compression
and decompression methods.
The default compression level we have selected is 9 (range goes from 1 to 22),
which experimentally offers equivalent or better compression ratio than
the default deflate/ZIP level of 6, and much faster compression.
For example on a 6600x4400 16bit image, tiffcp -c zip runs in 10.7 seconds,
while tiffcp -c zstd runs in 5.3 seconds. Decompression time for zip is
840 ms, and for zstd 650 ms. File size is 42735936 for zip, and
42586822 for zstd. Similar findings on other images.
On a 25894x16701 16bit image,
              Compression time   Decompression time   File size
ZSTD          35 s               3.2 s                399 700 498
ZIP/Deflate   1m 20 s            4.9 s                419 622 336
2017-12-10 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'fix_cve-2017-9935' into 'master'
Fix CVE-2017-9935
See merge request libtiff/libtiff!7
2017-12-10 Brian May <brian@linuxpenguins.xyz>
tiff2pdf: Fix apparent incorrect type for transfer table.
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
2017-12-10 Brian May <brian@linuxpenguins.xyz>
tiff2pdf: Fix CVE-2017-9935.
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.
We then read the transfer function for every page. Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.
For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.
When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.
There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitialized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.
It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.
This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
2017-12-10 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'undef-warn-fixes' into 'master'
Fix a couple of harmless but annoying -Wundef warnings
See merge request libtiff/libtiff!8
2017-12-07 Vadim Zeitlin <vadim@zeitlins.org>
Remove tests for undefined SIZEOF_VOIDP.
As configure never uses AC_CHECK_SIZEOF(void*), this symbol is never
defined and so it doesn't make sense to test it in the code, this just
results in -Wundef warnings if they're enabled.
Avoid harmless -Wundef warnings for __clang_major__
Check that we're using Clang before checking its version.
2017-12-02 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'remove_autogenerated_files' into 'master'
Remove autogenerated files
See merge request libtiff/libtiff!5
2017-12-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
Merge branch 'tif_config_h_includes' into 'master'
'tif_config.h' or 'tiffiop.h' must be included before any system header.
See merge request libtiff/libtiff!6
2017-12-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
'tif_config.h' or 'tiffio.h' must be included before any system header.
2017-12-01 Even Rouault <even.rouault@spatialys.com>
.gitignore: add patterns for build from root.
Remove remaining .cvsignore files.
Remove autoconf/automake generated files, and add them to .gitignore.
2017-12-01 Olivier Paquet <olivier.paquet@gmail.com>
Merge branch 'makedistcheck' into 'master'
build/gitlab-ci and build/travis-ci: add a 'make dist' step in autoconf_build()…
See merge request libtiff/libtiff!4
2017-12-01 Even Rouault <even.rouault@spatialys.com>
build/gitlab-ci and build/travis-ci: add a 'make dist' step in autoconf_build() target, to check we are release-ready
2017-12-01 Even Rouault <even.rouault@mines-paris.org>
Merge branch 'git_updates' into 'master'
CVS to Git updates
See merge request libtiff/libtiff!2
2017-12-01 Even Rouault <even.rouault@spatialys.com>
HOWTO-RELEASE: update to use signed tags.
README.md: use markdown syntax for hyperlinks.
2017-11-30 Even Rouault <even.rouault@spatialys.com>
Add .gitignore.
Regenerate autoconf files.
Makefile.am: update to reflect removal of README.vms and README -> README.md
Remove all $Id and $Headers comments with CVS versions.
HOWTO-RELEASE: update for git.
Remove outdated .cvsignore.
Remove outdated commit script.
Remove README.vms.
Rename README as README.md, and update content.
html/index.html: reflect change from CVS to gitlab.
2017-11-30 Olivier Paquet <olivier.paquet@gmail.com>
Merge branch 'test-ci' into 'master'
Update CI configuration
See merge request libtiff/libtiff!1
2017-11-23 Roger Leigh <rleigh@codelibre.net>
appveyor: Correct path for git clone and skip artefact archival.
2017-11-22 Roger Leigh <rleigh@codelibre.net>
travis-ci: Remove unused matrix exclusion.
Add gitlab-ci build support.
2017-11-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: libtiff 4.0.9 released.
* html/v4.0.9.html: Add HTML file to document changes in libtiff
v4.0.9.
2017-11-17 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_aux.c, tif_getimage.c, tif_read.c: typo fixes in
comments.
2017-11-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* test/Makefile.am: Add some tests for tiff2bw.
2017-11-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2bw.c (main): Free memory allocated in the tiff2bw
program. This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
2017-10-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2pdf.c (t2p_sample_realize_palette): Fix possible
arithmetic overflow in bounds checking code and eliminate
comparison between signed and unsigned type.
* tools/fax2tiff.c (_FAX_Client_Data): Pass FAX_Client_Data as the
client data. This client data is not used at all at the moment,
but it makes the most sense. Issue that the value of
client_data.fd was passed where a pointer is expected was reported
via email by Gerald Schade on Sun, 29 Oct 2017.
2017-10-23 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_getimage.c: avoid floating point division by zero in
initCIELabConversion()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733
Credit to OSS Fuzz
2017-10-17 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jpeg.c: add compatibility with libjpeg-turbo 1.5.2 that
honours max_memory_to_use > 0.
Cf https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162
2017-10-10 Even Rouault <even.rouault at spatialys.com>
* nmake.opt: support a DEBUG=1 option, so as to adjust OPTFLAGS and use
/MDd runtime in debug mode.
2017-10-01 Even Rouault <even.rouault at spatialys.com>
* tools/tiffset.c: fix setting a single value for the ExtraSamples tag
(and other tags with variable number of values).
So 'tiffset -s ExtraSamples 1 X'. This only worked
when setting 2 or more values, but not just one.
2017-09-29 Even Rouault <even.rouault at spatialys.com>
* libtiff/libtiff.def: add TIFFReadRGBAStripExt and TIFFReadRGBATileExt
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2735
2017-09-09 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: add NULL check to avoid likely false positive
null-pointer dereference warning by CLang Static Analyzer.
2017-09-07 Even Rouault <even.rouault at spatialys.com>
* libtiff/tiffiop.h, tif_aux.c: redirect SeekOK() macro to a _TIFFSeekoK()
function that checks if the offset is not bigger than INT64_MAX, so as
to avoid a -1 error return code of TIFFSeekFile() to match a required
seek to UINT64_MAX/-1.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
Adapted from proposal by Nicolas Ruff.
2017-08-29 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jpeg.c: accept reading the last strip of a JPEG compressed
file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since this is non compliant.
2017-08-28 Even Rouault <even.rouault at spatialys.com>
* test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
to fix "make distcheck". Patch by Roger Leigh
2017-08-23 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirwrite.c: replace assertion to tag value not fitting
on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337
2017-08-23 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirwrite.c: replace assertion related to not finding the
SubIFD tag by runtime check (in TIFFWriteDirectorySec())
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
Reported by team OWL337
2017-07-24 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_luv.c: further reduce memory requirements for temporary
buffer when RowsPerStrip >= image_length in LogLuvInitState() and
LogL16InitState().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700
Credit to OSS Fuzz
2017-07-24 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_getimage.c: fix fromskew computation when to-be-skipped
pixel number is not a multiple of the horizontal subsampling, and
also in some other cases. Impact putcontig8bitYCbCr44tile,
putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile,
putcontig8bitYCbCr21tile and putcontig8bitYCbCr12tile
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2637 (discovered
by Agostino Sarubbo)
and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691 (credit
to OSS Fuzz)
2017-07-24 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_getimage.c: gtTileContig() and gtTileSeparate():
properly break from loops on error when stoponerr is set, instead
of going on iterating on row based loop.
2017-07-18 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_luv.c: LogLuvInitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683
Credit to OSS-Fuzz
2017-07-15 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: add protection against excessive memory
allocation attempts in TIFFReadDirEntryArray() on short files.
Effective for mmap'ed case. And non-mmap'ed case, but restricted
to 64bit builds.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
2017-07-15 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of service.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
2017-07-15 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile().
Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
in the isMapped() case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.
2017-07-15 Even Rouault <even.rouault at spatialys.com>
* tools/tiff2pdf.c: prevent heap buffer overflow write in "Raw"
mode on PlanarConfig=Contig input images.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2715
Reported by team OWL337
2017-07-11 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dir.c: avoid potential null pointer dereference in
_TIFFVGetField() on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2713
2017-07-11 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_lzw.c: fix potential out-of-buffer read on 1-byte LZW
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)
2017-07-11 Even Rouault <even.rouault at spatialys.com>
* test/tiffcp-lzw-compat.sh, test/images/quad-lzw-compat.tiff: new files
to test old-style LZW decompression
* test/common.sh, Makefile.am, CMakeList.txt: updated with above
2017-07-11 Even Rouault <even.rouault at spatialys.com>
* refresh autoconf/make stuff with what is on Ubuntu 16.04 (minor changes)
2017-07-11 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_lzw.c: fix 4.0.8 regression in the decoding of old-style LZW
compressed files.
2017-07-10 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_pixarlog.c: avoid excessive memory allocation on decoding
when RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554
Credit to OSS Fuzz
2017-07-04 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c, tiffiop.h: add _TIFFReadEncodedTileAndAllocBuffer()
and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
TIFFReadTile() that allocate the decoded buffer only after a first
successful TIFFFillTile(). This avoids excessive memory allocation
on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
Credit to OSS Fuzz.
2017-07-04 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_error.c, tif_warning.c: correctly use va_list when both
an old-style and new-style warning/error handlers are installed.
Patch by Paavo Helde (sent on the mailing list)
2017-07-02 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: TIFFStartTile(): set tif_rawcc to
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFillTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* man: update documentation regarding SubIFD tag and
TIFFSetSubDirectory() data type.
Patch by Eric Piel
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2671
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
functions associated with LONG8/SLONG8 data type, replace assertion that
the file is BigTIFF, by a non-fatal error.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
Reported by team OWL337
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c, tiffiop.h: add a _TIFFReadEncodedStripAndAllocBuffer()
function, variant of TIFFReadEncodedStrip() that allocates the
decoded buffer only after a first successful TIFFFillStrip(). This avoids
excessive memory allocation on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadEncodedStripAndAllocBuffer().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2708 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433 .
Credit to OSS Fuzz
2017-06-30 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: TIFFFillTile(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFillStrip() on 2017-05-10)
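The pattern behind the two 2017-06-30 tif_read.c entries above (check the claimed byte count against the real file, then allocate the decoded buffer only after the raw read succeeds), as an added example that is not libtiff code. The strip_reader struct, fill_strip() and read_strip_alloc() are hypothetical names, the sample file is constructed, and a plain copy stands in for the codec.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reader state: an in-memory "file" plus untrusted metadata. */
typedef struct {
    const uint8_t *data;   /* file contents */
    uint64_t size;         /* real file size */
    uint64_t strip_offset; /* untrusted: read from the directory */
    uint64_t strip_bytes;  /* untrusted: read from the directory */
    uint64_t decoded_size; /* untrusted: derived from image dimensions */
} strip_reader;

/* Step 1: check the claimed raw extent against the real file size.
   Written as a subtraction so offset + bytes cannot wrap around. */
static int fill_strip(const strip_reader *r, const uint8_t **raw, uint64_t *n)
{
    if (r->strip_offset > r->size || r->strip_bytes > r->size - r->strip_offset)
        return 0; /* truncated or inconsistent file; nothing allocated yet */
    *raw = r->data + r->strip_offset;
    *n = r->strip_bytes;
    return 1;
}

/* Step 2: allocate the decoded buffer only once step 1 has succeeded.
   Returns the number of bytes decoded, or -1 with *out == NULL. */
long read_strip_alloc(const strip_reader *r, uint8_t **out)
{
    const uint8_t *raw;
    uint64_t n, m;
    *out = NULL;
    if (!fill_strip(r, &raw, &n))
        return -1;
    if (r->decoded_size == 0 || (uint64_t)(size_t)r->decoded_size != r->decoded_size)
        return -1; /* empty, or does not fit in size_t on this build */
    *out = calloc(1, (size_t)r->decoded_size);
    if (*out == NULL)
        return -1;
    m = n < r->decoded_size ? n : r->decoded_size;
    memcpy(*out, raw, (size_t)m); /* plain copy stands in for a real codec */
    return (long)m;
}

int main(void)
{
    static const uint8_t file[] = "constructed-data"; /* 16 data bytes */
    strip_reader r = { file, 16, 4, 0xFFFFFFFFu, 0xFFFFFFFFu }; /* bogus counts */
    uint8_t *buf;
    printf("%ld\n", read_strip_alloc(&r, &buf)); /* rejected before allocating */
    return 0;
}
```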
2017-06-29 Even Rouault <even.rouault at spatialys.com>
* libtiff/tiffiop.h, libtiff/tif_jpeg.c, libtiff/tif_jpeg_12.c,
libtiff/tif_read.c: make TIFFReadScanline() work in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.
2017-06-27 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: in TIFFReadDirEntryFloat(), check that a
double value can fit in a float before casting. Patch by Nicolas RUFF
2017-06-26 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jbig.c: fix memory leak in error code path of JBIGDecode()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
Reported by team OWL337
2017-06-24 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg
memory allocation is above 100 MB. libjpeg in case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleaved in a single one, needs to allocate memory (or
backing store) for the whole strip/tile.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
This limitation may be overridden by setting the
LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
2017-06-24 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jpeg.c: add anti-denial of service measure to avoid excessive
CPU consumption on progressive JPEGs with a huge number of scans.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf