This repository has been archived by the owner on Dec 1, 2017. It is now read-only.
ChangeLog
2014-12-24 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
http://bugzilla.maptools.org/show_bug.cgi?id=2235
2014-12-24 Even Rouault <even.rouault@spatialys.com>
* tools/tiff2pdf.c: fix buffer overflow on some YCbCr JPEG compressed images.
http://bugzilla.maptools.org/show_bug.cgi?id=2445
2014-12-24 Even Rouault <even.rouault@spatialys.com>
* tools/tiff2pdf.c: fix buffer overflow on YCbCr JPEG compressed image.
Derived from patch by Petr Gajdos,
http://bugzilla.maptools.org/show_bug.cgi?id=2443
2014-12-23 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_dirread.c: In EstimateStripByteCounts(), check return code
of _TIFFFillStriles(). This solves crashing bug on corrupted
images generated by afl.
2014-12-23 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_read.c: fix several invalid comparisons of a uint64 value with
<= 0 by casting it to int64 first. This solves crashing bug on corrupted
images generated by afl.
2014-12-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffdump.c: Guard against arithmetic overflow when
calculating allocation buffer sizes.
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/tiff2bw.c: when Photometric=RGB, the utility only works if
SamplesPerPixel = 3. Enforce that
http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
copying. The right fix would be to properly copy it, but not worth the burden
for those esoteric utilities.
http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/thumbnail.c: fix out-of-buffer write
http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/thumbnail.c, tools/tiffcmp.c: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4
http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/tiff2pdf.c: check return code of TIFFGetField() when reading
TIFFTAG_SAMPLESPERPIXEL
2014-12-21 Even Rouault <even.rouault@spatialys.com>
* tools/tiffcp.c: fix crash when converting YCbCr JPEG-compressed to none.
Based on patch by Tomasz Buchert (http://bugzilla.maptools.org/show_bug.cgi?id=2480)
Description: fix for Debian bug #741451
tiffcp crashes when converting JPEG-encoded TIFF to a different
encoding (like none or lzw). For example this will probably fail:
tiffcp -c none jpeg_encoded_file.tif output.tif
The reason is that when the input file contains JPEG data,
the tiffcp code forces conversion to RGB space. However,
the output normally inherits YCbCr subsampling parameters
from the input, which leads to a smaller working buffer
than necessary. The buffer is subsequently overrun inside
cpStripToTile() (called from writeBufferToContigTiles).
Note that the resulting TIFF file would be scrambled even
if tiffcp wouldn't crash, since the output file would contain
RGB data interpreted as subsampled YCbCr values.
This patch fixes the problem by forcing RGB space on the output
TIF if the input is JPEG-encoded and output is *not* JPEG-encoded.
Author: Tomasz Buchert <tomasz.buchert@inria.fr>
2014-12-21 Even Rouault <even.rouault@spatialys.com>
Fix various crasher bugs on fuzzed images.
* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
* tools/tiffdump.c: fix crash due to overflow of entry count.
2014-12-15 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_jpeg.c: Fix regression introduced on 2010-05-07 that caused
all tiles/strips to include quantization tables even when the jpegtablesmode
had the JPEGTABLESMODE_QUANT bit set.
Also add explicit removal of Huffman tables when jpegtablesmode has the
JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the
first tile/strip (only useful in update scenarios. create-only was
fine)
2014-12-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2pdf.c: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
2014-12-07 Even Rouault <even.rouault@spatialys.com>
* tools/thumbnail.c, tools/tiffcrop.c: "fix" heap read over-run found with
Valgrind and Address Sanitizer on test suite
2014-12-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2pdf.c (t2p_read_tiff_init): TIFFTAG_TRANSFERFUNCTION
tag can return one channel, with the other two channels set to
NULL. The tiff2pdf code was expecting that other two channels
were duplicate pointers in the case where there is only one
channel. Detect this condition in order to avoid a crash, and
presumably perform correctly with just one channel.
2014-12-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffdump.c: Fix double-free bug.
2014-11-27 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
2014-11-20 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_lzw.c: prevent potential null dereference of
sp->dec_codetab in LZWPreDecode (bug #2459)
* libtiff/tif_read.c: in TIFFReadBufferSetup(), avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0 (bug #2459)
* libtiff/tif_ojpeg.c: make Coverity happier (not a bug, #2459)
* libtiff/tif_dir.c: in _TIFFVGetField() and _TIFFVSetField(), make
Coverity happier (not a bug, #2459)
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make Coverity happier
(not a bug, #2459)
* tools/tiff2pdf.c: close PDF file (bug #2479)
* tools/fax2ps.c: check malloc()/realloc() result (bug #2470)
* tools/tiffdump.c: detect cycle in TIFF directory chaining (bug #2463)
and avoid passing a NULL pointer to read() if seek() failed before (bug #2459)
* tools/tiffcrop.c: fix segfault if bad value passed to -Z option
(bug #2459) and add missing va_end in dump_info (#2459)
* tools/gif2tif.c: apply patch for CVE-2013-4243 (#2451)
2014-11-20 Even Rouault <even.rouault@spatialys.com>
* libtiff/tif_jpeg.c: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL (bug #2471)
2014-11-20 Even Rouault <even.rouault@spatialys.com>
* automake: updated to 1.14.1
* libtool: updated to 2.4.3
* HOWTO-RELEASE: small update about autotools building order
2014-10-20 Olivier Paquet <olivier.paquet@gmail.com>
* tools/tiff2pdf.c: Preserve input file directory order when pages
are tagged with the same page number.
2014-08-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_dirread.c (TIFFReadDirEntryOutputErr): Incorrect
count for tag should be a warning rather than an error since
errors terminate processing.
2014-06-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2rgba.c (]): Fixed tiff2rgba usage message in that zip
was wrongly described. Fix suggested by Miguel Medalha.
2014-05-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_dirinfo.c (TIFFField) : Fix data type for
TIFFTAG_GLOBALPARAMETERSIFD tag. Patch by Steve Underwood.
Reviewed and forwarded by Lee Howard.
2013-11-30 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dir.c: fix last fix for TIFFNumberOfDirectories()
2013-10-21 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dir.c: generate error in case of directory count
overflow.
2013-10-01 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tiff.h, libtiff/tif_dirinfo.c: add definitions for
TIFF/EP CFARepeatPatternDim and CFAPattern tags (bug #2457)
2013-09-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_dir.c (TIFFAdvanceDirectory): If nextdir is found to
be defective, then set it to zero before returning error in order
to terminate processing of truncated TIFF. Issue found and fix
suggested by Richard Nolde.
2013-08-14 Frank Warmerdam <warmerdam@pobox.com>
* tools/gif2tiff.c: fix possible OOB write (#2452, CVE-2013-4244)
2013-08-13 Frank Warmerdam <warmerdam@pobox.com>
* tools/gif2tiff.c: Be more careful about corrupt or
hostile input files (#2450, CVE-2013-4231)
* tools/tiff2pdf.c: terminate after failure of allocating
ycbcr buffer (bug #2449, CVE-2013-4232)
2013-07-09 Frank Warmerdam <warmerdam@google.com>
* tools/tiffinfo.c: Default various values fetched with
TIFFGetField() to avoid being uninitialized.
2013-05-02 Tom Lane <tgl@sss.pgh.pa.us>
* tools/tiff2pdf.c: Rewrite JPEG marker parsing in
t2p_process_jpeg_strip to be at least marginally competent. The
approach is still fundamentally flawed, but at least now it won't
stomp all over memory when given bogus input. Fixes CVE-2013-1960.
2013-05-02 Tom Lane <tgl@sss.pgh.pa.us>
* contrib/dbs/xtiff/xtiff.c, libtiff/tif_codec.c,
libtiff/tif_dirinfo.c, tools/rgb2ycbcr.c, tools/tiff2bw.c,
tools/tiff2pdf.c, tools/tiff2ps.c, tools/tiffcrop.c,
tools/tiffdither.c: Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of sprintf(buf,
...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
protect against overflow of fixed-size buffers. This responds in
particular to CVE-2013-1961 concerning overflow in tiff2pdf.c's
t2p_write_pdf_page(), but in general it seems like a good idea to
deprecate use of sprintf().
2013-03-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: Applied patch by Brad Smith to improve pkg-config
static linking by adding -lm to Libs.private when needed.
2013-03-05 Tom Lane <tgl@sss.pgh.pa.us>
* html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
tools/tiffdither.c: Sync tool usage printouts and man pages with
reality (quite a few options had escaped being documented in one
or both places). Per an old report from Miroslav Vadkerti.
2013-01-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiff2ps.c: Fix bug in auto rotate option code. Once a
rotation angle was set by the auto rotate check, it was retained
for all pages that followed instead of being retested for each
page. Patch by Richard Nolde.
2013-01-18 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_write.c: tmsize_t related casting warning fixed for
64bit linux.
* libtiff/tif_read.c: uint64/tmsize_t change for MSVC warnings.
http://bugzilla.maptools.org/show_bug.cgi?id=2427
2012-12-20 Tom Lane <tgl@sss.pgh.pa.us>
* test/raw_decode.c: Relax raw_decode's pixel-value checks so that
it will pass with more versions of libjpeg. (There are at least
three in active use now, and JPEG_LIB_VERSION doesn't tell us
enough to uniquely identify expected results.)
2012-12-12 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/tif_print.c: Fix TIFFPrintDirectory's handling of
field_passcount fields: it had the TIFF_VARIABLE and
TIFF_VARIABLE2 cases backwards.
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
* tools/ppm2tiff.c: Improve previous patch for CVE-2012-4564:
check the linebytes calculation too, get the max() calculation
straight, avoid redundant error messages, check for malloc
failure.
2012-12-10 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/tif_pixarlog.c: Improve previous patch for CVE-2012-4447
(to enlarge tbuf for possible partial stride at end) so that
overflow in the integer addition is detected. Per gripe from
Huzaifa Sidhpurwala.
2012-12-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffset.c: tiffset now supports a -u option to unset a
tag. Patch by Zach Baker. See
http://bugzilla.maptools.org/show_bug.cgi?id=2419
2012-11-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* automake: Update Automake to 1.12.5 release.
* libtiff/tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero. Assure that _TIFFmalloc does.
2012-11-01 Frank Warmerdam <warmerdam@pobox.com>
* tools/ppm2tiff.c: avoid zero size buffer vulnerability.
CVE-2012-4564 - Thanks to Huzaifa Sidhpurwala of the
Red Hat Security Response team for the fix.
2012-10-18 Frank Warmerdam <warmerdam@google.com>
* tif_zip.c: Avoid crash on NULL error messages.
2012-09-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.3 released.
2012-09-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* Makefile.am: Update to Automake 1.12.4
2012-08-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* Makefile.in: Update to Automake 1.12.3
* libtiff{tiff.h, tif_print.c, tif_dirinfo.c, tif_dirread.c}: Add
some TIFF/FX support in libtiff. Add the tag definitions to
tiff.h. Add the related TIFF field definitions to tif_dirinfo.c,
and also fixes an error in a comment. Adds the photometric values
to tif_print.c, and fixes a bug. These changes are by Steve
Underwood.
2012-08-13 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_write.c: Fix bug rewriting image tiles in a
compressed file: http://trac.osgeo.org/gdal/ticket/4771
2012-08-02 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_dirread.c: report error in case of mismatch value
counts for tags (ie. DotRange).
2012-07-26 Tom Lane <tgl@sss.pgh.pa.us>
* libtiff/{tiffio.h, tif_dirinfo.c, libtiff.def}: Add six new
functions TIFFFieldTag(), TIFFFieldName(), TIFFFieldDataType(),
TIFFFieldPassCount(), TIFFFieldReadCount(), TIFFFieldWriteCount()
as external accessors for the opaque type TIFFField.
* tools/tiffset.c: Make tiffset use the above functions instead of
relying on library private headers.
2012-07-19 Tom Lane <tgl@sss.pgh.pa.us>
* tools/tiff2pdf.c: Fix two places where t2p_error didn't get set
after a malloc failure. No crash risk AFAICS, but the program
might not report exit code 1 as desired. h/t mancha@mac.hush.com
2012-07-18 Tom Lane <tgl@sss.pgh.pa.us>
* tools/tiff2pdf.c: Fail when TIFFSetDirectory() fails. This
prevents core dumps or perhaps even arbitrary code execution when
processing a corrupt input file (CVE-2012-3401).
2012-07-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* test/raw_decode.c (main): Test fixes to work with IJG JPEG 7+.
IJG JPEG 7+ uses a different upsampling algorithm which produces
different numeric results.
* libtiff/tif_jpeg.c (JPEGPreDecode): Patch from Even Rouault to
work with IJG JPEG 7+.
2012-07-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* test/raw_decode.c: Add changes so that test can run with build
directory outside of source directory.
2012-07-02 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_jpeg.c: Fix handling when writing RGBA jpeg compressed
imagery (http://trac.osgeo.org/gdal/ticket/4732)
2012-06-20 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_fax3.c: fix memory initialization of runs, only
partly done.
* libtiff/tif_pixarlog.c: Make sure tbuf is large enough for one
full "stride" past the end.
2012-06-19 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_packbits.c: fix read past end of data buffer.
2012-06-15 Frank Warmerdam <warmerdam@google.com>
* libtiff 4.0.2 released.
* tools/tif2pdf.c, tools/tifdump.c: avoid uninitialized variable
warnings with clang.
2012-06-15 Tom Lane <tgl@sss.pgh.pa.us>
* tools/tiff2pdf.c: Defend against integer overflows while
calculating required buffer sizes (CVE-2012-2113).
2012-06-12 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_print.c: Be careful about printing corrupt inknames.
* libtiff/tif_fax3.c: Ensure runs array is initialized to zeros.
2012-06-07 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_print.c: avoid pretty printing other fields when
we don't have the proper amount and type of data or if the field
is actually autodefined.
2012-06-05 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_tile.c, libtiff/tif_strip.c: Ensure that illegal
ycbcrsubsampling values result in a runtime error, not just an
assertion.
* tests/custom_dir.c: Add testing of EXIF and custom directory
reading and writing.
* libtiff/tif_dir.c, libtiff/tiffio.h: Add TIFFCreateCustomDirectory()
and TIFFCreateEXIFDirectory() functions.
* libtiff/tif_dir.c, tif_print.c : Remove FIELD_CUSTOM handling for
PAGENUMBER, HALFTONEHINTS, and YCBCRSUBSAMPLING. Implement DOTRANGE
differently. This is to avoid using special TIFFGetField/TIFFSetField
rules for these fields in non-image directories (like EXIF).
2012-06-04 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_jpeg.c: Remove code for fixing up h_sampling and v_sampling
in JPEGPreDecode(). If a fixup will be done it needs to be done sooner
in JPEGFixupTagsSubsampling() or else buffer sizes may be wrong.
2012-06-01 Frank Warmerdam <warmerdam@google.com>
* tools/tiffinfo.c: Do not try to read image data in EXIF directories.
* libtiff/tif_getimage.c: added support for _SEPARATED CMYK images.
http://bugzilla.maptools.org/show_bug.cgi?id=2379
* libtiff/tif_unix.c: use strerror() to return a more specific error message
on failed open.
http://bugzilla.maptools.org/show_bug.cgi?id=2341
* libtiff/tif_jpeg.c: Fix JPEGDecodeRaw() bugs.
http://bugzilla.maptools.org/show_bug.cgi?id=2386
* tests/decode_raw.c, tests/images/quad-tile.jpg.tiff: add limited support
for testing jpeg in tiff image decoding including the "raw" decode interface.
2012-05-31 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_jpeg.c: avoid overrunning the end of the output buffer in
JPEGDecodeRaw() - most likely to occur when there is confusion about
sampling values.
* libtiff/tif_read.c: Make sure tif_rawdatasize is cleared when tif_rawdata is freed.
* libtiff/tif_getimage.c: Add support for greyscale+alpha c/o Jérémie Laval.
http://bugzilla.maptools.org/show_bug.cgi?id=2398
2012-05-29 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_dir.c: avoid using specific set/get logic to process fields in custom directories,
like EXIF directories. This fixes problems like a tag "320" existing in a custom directory getting
processed as if it were a colormap when it isn't really. Damn the wide variety of argument formulations
to get/set functions for different tags!
* libtiff/tif_dir.c: Ensure that we keep track of when tif_rawdata
is a pointer into an mmap()ed file via TIFF_BUFFERMMAP flag.
2012-05-24 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_pixarlog.c: Allocate working buffer one word larger since we "forward
accumulate" and overwrite the end by one word in at least some cases.
2012-05-23 Frank Warmerdam <warmerdam@google.com>
* libtiff/tif_pixarlog.c: avoid accessing out of the lookup arrays for out of range inputs.
* tools/tiffinfo.c: initialize h=0 to avoid undefined variable for degenerate files.
* libtiff/tif_ojpeg.c: if OJPEGWriteHeader() fails once do not bother trying again on
the same image.
* libtiff/tif_ojpeg.c: make things more resilient in the face of files without
stripbytecounts or stripoffsets or where loading these fails.
* libtiff/tif_print.c: be careful about whether min/max values are singular
or one per sample.
* libtiff/tif_print.c: Avoid confusion about count size when printing custom fields.
May affect things like ISOSpeedRatings.
* libtiff/tif_dir.c: avoid one byte past end of ink names reading
in some cases.
2012-05-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* man/TIFFGetField.3tiff: Correct the 'count' field type in the
example for how to retrieve the value of unsupported tags.
2012-03-30 Frank Warmerdam <warmerdam@google.com>
* tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173)
care of Tom Lane @ Red Hat.
2012-02-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.1 released.
* Update automake used to 1.11.3.
* libtiff/tiffio.h: Use double-underbar syntax in GCC printf
attribute specification to lessen the risk of accidental macro
substitution. Patch from Vincent Torri.
2012-01-31 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dir.c, libtiff/tif_dirread.c: Extra caution around
assumption tag fetching is always successful.
* libtiff/tif_jpeg.c: Extra caution for case where sp is NULL.
2012-01-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: Add support for using library symbol versioning on
ELF systems with the GNU linker. Support is enabled via
--enable-ld-version-script. Disabled by default for now until
there is a decision for how to deploy a libtiff with versioned
symbols after libtiff 4.0.0 was already released.
2011-12-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_win32.c: Eliminate some minor 64-bit warnings in
tif_win32.c. Patch by Edward Lam.
* configure.ac: Add libtiff private dependency on -llzma for
pkg-config. Patch by Mark Brand.
Updated Automake to 1.11.2.
2011-12-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.0 released.
2011-12-08 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dirread.c, libtiff/tif_read.c: more cautious checking
of _TIFFFillStriles() results (#gdal 4372)
2011-12-07 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dirread.c: fixes to deal with invalid files where
_TIFFFillStriles() fails, and we try to chop up strips (gdal #4372)
* libtiff/tif_dirread.c: fix error reporting when there is no
tag information struct and name (gdal #4373)
2011-10-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* Update GNU libtool to 2.4.2.
* tools/tiffsplit.c (tiffcp): TIFFGetField count field should be
uint32 type for TIFFTAG_JPEGTABLES. Patch by Christophe
Deroulers.
2011-06-21 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/libtiff.def: Restore TIFFMergeFieldInfo.
2011-05-31 Jim Meyering <meyering@redhat.com>
* libtiff/tif_dirread.c (TIFFFetchStripThing): Free "data" also
upon failure to allocate "resizeddata".
* tools/tiff2ps.c (PSDataBW): Zero buffer *after* checking for
allocation failure, not before.
* libtiff/tif_ojpeg.c: plug leaks on OJPEG read failure path
* tools/rgb2ycbcr.c (cvtRaster): unchecked malloc
* libtiff/tif_jpeg.c, tools/tiff2pdf.c, tools/tiff2ps.c: mark
NULL-deref and possible overflow
* tools/tiff2pdf.c: remove decl+set of set-but-not-used local, "written"
* libtiff/tif_jpeg.c (JPEGInitializeLibJPEG): Remove declaration
and set of otherwise unused local, data_is_empty.
* libtiff/tif_jpeg.c (JPEGDecodeRaw) [JPEG_LIB_MK1_OR_12BIT]:
Diagnose out-of-memory failure and return 0 rather than
dereferencing NULL.
2011-05-24 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dirread.c: produce special error message for zero tag
directories instead of error out on the malloc(0) failure.
2011-05-16 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dirinfo.c: Restore TIFFMergeFieldInfo() and
related declarations as they are in active use by libraries
such as libgeotiff, and work just fine. (#2315)
2011-04-20 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_dirinfo.c,tiffio.h: Remove the obsolete
TIFFMergeFieldInfo/TIFFFindFieldInfo/TIFFFindFieldInfoByName API.
http://bugzilla.maptools.org/show_bug.cgi?id=2315
* libtiff/libtiff.def: add some missing (64bit) APIs.
http://bugzilla.maptools.org/show_bug.cgi?id=2316
2011-04-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.0beta7 released.
2011-04-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: Should use AC_CANONICAL_HOST since host specifies
the run-time target whereas target is used to specify the final
output target if the package is a build tool (like a compiler),
which libtiff is not. Resolves libtiff bug 2307 "Use
AC_CANONICAL_HOST macro".
2011-04-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* configure.ac: Support configuring TIFF_INT64_FORMAT and
TIFF_UINT64_FORMAT appropriately for MinGW32.
* tools/tiffdump.c (ReadDirectory): MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.
* libtiff/{tif_dumpmode.c,tif_luv.c,tif_lzw.c,tif_print.c,
tif_read.c,tif_strip.c,tif_thunder.c}: MinGW32 needs to use WIN32
printf conventions for 64-bit types because it uses the WIN32 CRT.
* tools/tiff2pdf.c (t2p_write_pdf_string): Fix printf syntax not
understood by WIN32 CRT.
* libtiff/tif_ojpeg.c: Fixes to compile with MinGW32 GCC.
* tools/fax2ps.c (main): Use tmpfile() rather than mkstemp() since
it is much more portable. Tmpfile is included in ISO/IEC
9899:1990 and the WIN32 CRT.
2011-03-26 Frank Warmerdam <warmerdam@pobox.com>
* tools/tiffset.c: add -d and -sd switches to allow operation on
a particular directory, not just the first (jef).
2011-03-21 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_thunder.c: Correct potential buffer overflow with
thunder encoded files with wrong bitspersample set. The libtiff
development team would like to thank Marin Barbella and TippingPoint's
Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004,
CVE-2011-1167).
http://bugzilla.maptools.org/show_bug.cgi?id=2300
2011-03-10 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_fax3.h: Fix to last change allowing zero length
runs at the start of a scanline - needed for legal cases.
2011-03-02 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_fax3.h: Protect against a fax VL(n) codeword commanding
a move left. Without this, a malicious input file can generate an
indefinitely large series of runs without a0 ever reaching the right
margin, thus overrunning our buffer of run lengths. Per CVE-2011-0192.
This is a modified version of a patch proposed by Drew Yao of Apple
Product Security. It adds an unexpected() report, and disallows the
equality case, since emitting a run without increasing a0 still allows
buffer overrun.
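The progress check described in the entry above, as an added example in a simplified model (not libtiff's code): a row decoder that refuses any vertical-left code which fails to move a0 strictly to the right, run beside the same loop without the check. The struct, function names, row width, buffer capacity and both code sequences are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one vertical-mode code. b1 (the changing element on
 * the reference line) is given already resolved; left is the n of VL(n),
 * with 0 standing for V0. None of this is libtiff's own data layout. */
struct vcode { int b1; int left; };

enum dec_status {
    DEC_OK = 0,              /* a0 reached the right margin */
    DEC_REJECTED = -1,       /* malformed code, or no progress to the right */
    DEC_RUNS_EXHAUSTED = -2, /* run buffer filled before the row ended */
    DEC_TRUNCATED = -3       /* codes ran out before the right margin */
};

#define ROW_WIDTH 8
#define RUNS_CAP  16
#define N_STUCK   64

/* Decode one row into runs[]. With require_progress set, a code is refused
 * unless it puts the next changing element strictly right of a0 (the
 * equality case is refused too). The capacity test keeps this demo itself
 * memory-safe in both modes. */
enum dec_status decode_row(const struct vcode *codes, size_t ncodes, int width,
                           int *runs, size_t cap, int require_progress,
                           size_t *nruns, int *a0_out)
{
    enum dec_status st = DEC_TRUNCATED;
    size_t used = 0;
    int a0 = 0;

    for (size_t i = 0; i < ncodes; i++) {
        const struct vcode *c = &codes[i];
        if (c->left < 0 || c->left > 3 || c->b1 < 0 || c->b1 > width) {
            st = DEC_REJECTED;
            break;
        }
        int a1 = c->b1 - c->left;
        if (require_progress && a1 <= a0) { st = DEC_REJECTED; break; }
        if (used == cap) { st = DEC_RUNS_EXHAUSTED; break; }
        runs[used++] = a1 - a0;   /* zero or negative when a1 <= a0 */
        a0 = a1;
        if (a0 >= width) { st = DEC_OK; break; }
    }
    *nruns = used;
    *a0_out = a0;
    return st;
}

struct result { enum dec_status status; size_t nruns; int a0; };

/* Runs either the constructed well-formed row or the constructed "stuck"
 * row, in which every code resolves to a1 == a0 so a0 never advances. */
static struct result run_case(int stuck_input, int require_progress)
{
    static const struct vcode benign[] = { {3, 1}, {6, 1}, {8, 0} };
    struct vcode stuck[N_STUCK];
    int runs[RUNS_CAP];
    struct result r;

    for (size_t i = 0; i < N_STUCK; i++) {
        stuck[i].b1 = 1;
        stuck[i].left = 1;
    }
    if (stuck_input)
        r.status = decode_row(stuck, N_STUCK, ROW_WIDTH, runs, RUNS_CAP,
                              require_progress, &r.nruns, &r.a0);
    else
        r.status = decode_row(benign, 3, ROW_WIDTH, runs, RUNS_CAP,
                              require_progress, &r.nruns, &r.a0);
    return r;
}

int case_status(int stuck_input, int require_progress)
{
    return (int)run_case(stuck_input, require_progress).status;
}

int case_runs(int stuck_input, int require_progress)
{
    return (int)run_case(stuck_input, require_progress).nruns;
}

int case_a0(int stuck_input, int require_progress)
{
    return run_case(stuck_input, require_progress).a0;
}

int main(void)
{
    for (int stuck = 0; stuck <= 1; stuck++)
        for (int guard = 0; guard <= 1; guard++)
            printf("stuck=%d guard=%d -> status=%d runs=%d a0=%d\n",
                   stuck, guard, case_status(stuck, guard),
                   case_runs(stuck, guard), case_a0(stuck, guard));
    return 0;
}
```

Without the check, the stuck row consumes every slot of the run buffer while a0 stays at 0; with it, the first code is refused before any run is stored.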
2011-02-23 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_jpeg.c: avoid divide by zero in degenerate case (#2296)
* tools/tiff2rgba.c: close source file on error to make leak
detection easier.
* libtiff/tif_getimage.c: avoid leaks if TIFFRGBAImageBegin() fails.
http://bugzilla.maptools.org/show_bug.cgi?id=2295
2011-02-22 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_lzma.c: Maintain tif_rawcc/tif_rawcp
(CHUNKY_STRING_READ_SUPPORT)
2011-02-18 Frank Warmerdam <warmerdam@pobox.com>
* configure.ac, configure: Added support for --enable-chunky-strip-read
configure option to enable the experimental feature from a couple
months ago for reading big strips in chunks.
* configure.ac, tif_read.c, tif_readdir.c, tif_dir.h, tiffiop.h,
tif_write.c, tif_print.c, tif_jpeg.c, tif_dirwrite.c, tif_write.c:
Implement optional support for deferring the load of strip/tile
offset and size tags for optimized scanning of directories. Enabled
with the --enable-defer-strile-load configure option (DEFER_STRILE_LOAD
#define in tif_config.h).
2011-02-11 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_print.c: remove unused variable.
2011-02-09 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_win32.c: avoid error/warning buffer overrun problem
with non-console (popup message) builds on win32.
http://bugzilla.maptools.org/show_bug.cgi?id=2293
2011-01-24 Olivier Paquet <olivier.paquet@gmail.com>
* libtiff/{tif_dir.{h,c}, tif_dirinfo.c, tif_dirread.c, tif_dirwrite.c,
tif_print.c, tiff.h, tiffiop.h} : Added support for
TIFFTAG_SMINSAMPLEVALUE and TIFFTAG_SMAXSAMPLEVALUE to have different
values for each sample. Presents the min/max of all samples by default for
compatibility. TIFFSetField/TIFFGetField can be made to handle those tags
as arrays by changing the new TIFFTAG_PERSAMPLE pseudo tag.
http://www.asmail.be/msg0055458208.html
2011-01-06 Frank Warmerdam <warmerdam@pobox.com>
* libtiff/tif_pixarlog.c: Note that tif_rawcc/tif_rawcp are not
maintained.
* libtiff/tif_zip.c: Maintain tif_rawcc/tif_rawcp when decoding
for CHUNKY_STRIP_READ_SUPPORT.
* libtiff/tif_jpeg.c: ensure that rawcc and rawcp are maintained
during JPEGPreDecode and JPEGDecode calls.
* libtiff/tif_read.c: larger read ahead for CHUNKY_STRIP_READ_SUPPORT,
as compression formats like JPEG keep 16 lines interleaved in a sense
and might need to touch quite a bit of data.
http://trac.osgeo.org/gdal/ticket/3894
2011-01-03 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_jpeg.c: Fix regressions with 2 and 3 band images
caused by commit on 2010-12-14. Submitted by e-mail from
Even Rouault <even.rouault@mines-paris.org>
2010-12-31 Olivier Paquet <olivier.paquet@gmail.com>
* libtiff/tif_dirwrite.c: Fixed writing of TIFFTAG_REFERENCEBLACKWHITE.
http://bugzilla.maptools.org/show_bug.cgi?id=2266
2010-12-23 Andrey Kiselev <dron@ak4719.spb.edu>
* tools/tiffcp.c, man/tiffcp.1: Added support for specifying the
compression level parameter (preset) for Deflate and LZMA encoders,
e.g. "-c lzma:p1" or "-c zip:p9".
* libtiff/tif_lzma.c: Properly set the LZMA2 compression level
(preset) in LZMAVSetField().
2010-12-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/Makefile.am (libtiff_la_SOURCES): Added tif_lzma.c to
Makefile.
2010-12-14 Andrey Kiselev <dron@ak4719.spb.edu>
* configure.ac, libtiff/{tif_codec.c, tif_config.h.in, tiff.h,
tiffiop.h, tif_lzma.c}, tools/tiffcp.c, man/tiffcp.1: Implement a new
TIFF compression scheme LZMA reserving a new value 34925 for
Compression tag. As per
bug http://bugzilla.maptools.org/show_bug.cgi?id=2221
2010-12-14 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_dirread.c: tolerate some cases where
FIELD_COLORMAP is missing
http://bugzilla.maptools.org/show_bug.cgi?id=2189
2010-12-14 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_read.c: change read_ahead to tmsize_t
http://bugzilla.maptools.org/show_bug.cgi?id=2222
2010-12-14 Lee Howard <faxguy@howardsilvan.com>
* configure.ac, libtiff/Makefile.am: Build tif_win32.c on
Windows except on Cygwin
http://bugzilla.maptools.org/show_bug.cgi?id=2224
2010-12-14 Lee Howard <faxguy@howardsilvan.com>
* tools/gif2tiff.c: fix buffer overrun
http://bugzilla.maptools.org/show_bug.cgi?id=2270
2010-12-14 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_jpeg.c: reduce usage of JCS_UNKNOWN in order
to improve compatibility with various viewers
submitted by e-mail from Dwight Kelly <dkelly@apago.com>
2010-12-13 Lee Howard <faxguy@howardsilvan.com>
* tools/fax2ps.c: be consistent with page-numbering
http://bugzilla.maptools.org/show_bug.cgi?id=2225
2010-12-13 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_color.c: prevent crash in handling bad TIFFs
resolves CVE-2010-2595
http://bugzilla.maptools.org/show_bug.cgi?id=2208
2010-12-13 Lee Howard <faxguy@howardsilvan.com>
* tools/tiffcrop.c: new release by Richard Nolde
http://bugzilla.maptools.org/show_bug.cgi?id=2004
2010-12-12 Lee Howard <faxguy@howardsilvan.com>
* tools/tiff2pdf.c: fix colors for images with RGBA
interleaved data
http://bugzilla.maptools.org/show_bug.cgi?id=2250
2010-12-12 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_dirread.c: fix for Zeiss LSM and Canon CR2 files
http://bugzilla.maptools.org/show_bug.cgi?id=2164
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* tools/tiff2pdf.c: remove invalid duplication for Lab
http://bugzilla.maptools.org/show_bug.cgi?id=2162
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_jpeg.c: fix use of clumplines calculation
http://bugzilla.maptools.org/show_bug.cgi?id=2149
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* tools/fax2ps.c: replace unsafe tmpfile() with mkstemp()
http://bugzilla.maptools.org/show_bug.cgi?id=2118
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_ojpeg.c, libtiff/tif_pixarlog.c,
libtiff/tif_zip.c: fix build errors for VC6
http://bugzilla.maptools.org/show_bug.cgi?id=2105
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_stream.cxx: warnings cleanup
http://bugzilla.maptools.org/show_bug.cgi?id=2091
* libtiff/tif_dirread.c: warnings cleanup
http://bugzilla.maptools.org/show_bug.cgi?id=2092
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* tools/tiff2pdf.c: add fill-page option
http://bugzilla.maptools.org/show_bug.cgi?id=2051
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_dirread.c: modify warnings
http://bugzilla.maptools.org/show_bug.cgi?id=2016
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_ojpeg.c: fix buffer overflow on problem data
http://bugzilla.maptools.org/show_bug.cgi?id=1999
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* tools/tiffinfoce.c: strip byte counts are uint64* now
2010-12-11 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_ojpeg.c: fix crash when reading a TIFF with a zero
or missing byte-count tag
* tools/tiffsplit.c: abort when reading a TIFF without a byte-count
per http://bugzilla.maptools.org/show_bug.cgi?id=1996
2010-12-08 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_dirread.c: fix crash when reading a badly-constructed
TIFF per http://bugzilla.maptools.org/show_bug.cgi?id=1994
2010-12-06 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_open.c: Fix mode check before opening a file.
http://bugzilla.maptools.org/show_bug.cgi?id=1906
2010-11-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff-4.pc.in: Added libtiff pkg-config .pc file support.
Patch by Vincent Torri.
2010-10-21 Frank Warmerdam <warmerdam@pobox.com>
* tools/tiffinfo.c: avoid direct reference to _TIFFerrorHandler.
* libtiff/tif_config.vc.h: define snprintf to _snprintf for tiff2pdf.
* libtiff/libtiff.def: export _TIFFCheckMalloc for tools.
2010-09-25 Lee Howard <faxguy@howardsilvan.com>
* tools/tiff2ps.c: improvements and enhancements from Richard Nolde
with additional command line options for Document Title,
Document Creator, and Page Orientation
2010-07-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/tiffcrop.c: Patch from Richard Nolde to avoid a
potentially unterminated buffer due to using an exceptionally long
file name.
2010-07-08 Andrey Kiselev <dron@ak4719.spb.edu>
* tools/tiff2pdf.c: Fixed ID buffer filling in
t2p_write_pdf_trailer(), thanks to Dmitry V. Levin.
2010-07-07 Andrey Kiselev <dron@ak4719.spb.edu>
* libtiff/tif_dirread.c: Really reset the tag count in CheckDirCount()
to expected value as the warning message suggests. As per bug
http://bugzilla.maptools.org/show_bug.cgi?id=1963
2010-07-06 Andrey Kiselev <dron@ak4719.spb.edu>
* tools/tiffset.c: Properly handle TIFFTAG_PAGENUMBER,
TIFFTAG_HALFTONEHINTS, TIFFTAG_YCBCRSUBSAMPLING, TIFFTAG_DOTRANGE
which should be set by value.
* libtiff/tif_dirinfo.c: Don't use assertions in _TIFFFieldWithTag()
and _TIFFFieldWithName() if the tag is not found in the tag table.
This should be a normal situation and the returned NULL value should be
properly handled by the caller.
2010-07-02 Andrey Kiselev <dron@ak4719.spb.edu>
* libtiff/tif_getimage.c: Avoid wrong math due to the signed/unsigned
integer type conversions. As per bug
http://bugzilla.maptools.org/show_bug.cgi?id=2207
* tools/{tiff2bw.c, thumbnail.c, pal2rgb.c}: Fix the count for
WhitePoint tag as per bug
http://bugzilla.maptools.org/show_bug.cgi?id=2042
* libtiff/tif_getimage.c: Check the number of samples per pixel when
working with YCbCr image in PickContigCase(). As per bug
http://bugzilla.maptools.org/show_bug.cgi?id=2216
* libtiff/tif_dir.c: Set the bogus post-decoding hook when processing
TIFFTAG_BITSPERSAMPLE in _TIFFVSetField() for the case of 8 bit when
we don't need any post-processing. That helps to reset the hook if we
previously set this field to some other value and the hook was
initialized accordingly. As per bug
http://bugzilla.maptools.org/show_bug.cgi?id=2035
2010-07-01 Andrey Kiselev <dron@ak4719.spb.edu>
* tools/tiffgt.c: Properly check the raster buffer allocations for
integer overflows. As per bug
http://bugzilla.maptools.org/show_bug.cgi?id=2108