Changes in TIFF v4.0.8

References

Current Version

v4.0.8 (tag Release-v4-0-8)

Previous Version

v4.0.7

Master Download Site

https://download.osgeo.org/libtiff/

Master HTTP Site #1

http://www.simplesystems.org/libtiff/

Master HTTP Site #2

http://libtiff.maptools.org/

This document describes the changes made to the software between the previous and current versions (see above). If you don't find something listed here, then it was not done in this timeframe, or it was not considered important enough to be mentioned. The following information is located here:

Major changes

  • None

Software configuration changes

  • None

Library changes

  • libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to fix cppcheck clarifyCalculation warnings

  • libtiff/tif_predict.c, libtiff/tif_print.c: fix printf unsigned vs signed formatting (cppcheck invalidPrintfArgType_uint warnings)

  • libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer division by zero. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2596

  • libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but suffers from the same kind of issue of PixarLog. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2604

  • libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done for MapTools bugzilla #2587 / CVE-2016-9273 since the above change is a better fix that makes it unnecessary.

  • libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to instantiate compute nstrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on the total size of data. Which is faulty is the total size of data is not sufficient to fill the whole image, and thus results in reading outside of the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2608.

  • libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure in OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2611

  • libtiff/tif_write.c: fix misleading indentation as warned by GCC.

  • libtiff/tif_fax3.h: revert change done on 2016-01-09 that made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the binary. It happens that the Hylafax software uses the tables that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are not in a public libtiff header. Raised by Lee Howard. Fixes MapTools bugzilla #2636

  • libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of the functions without ext, with an extra argument to control the stop_on_error behaviour.

  • libtiff/tif_getimage.c: fix potential memory leaks in error code path of TIFFRGBAImageBegin(). Fixes MapTools bugzilla #2627

  • libtiff/tif_jpeg.c: increase libjpeg max memory usable to 10 MB instead of libjpeg 1MB default. This helps when creating files with "big" tile, without using libjpeg temporary files. Related to https://trac.osgeo.org/gdal/ticket/6757

  • libtiff/tif_jpeg.c: avoid integer division by zero in JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes MapTools bugzilla #2653

  • libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational(), replace assertion by runtime check to error out if passed value is strictly negative. Fixes MapTools bugzilla #2535

  • libtiff/tif_dirread.c: avoid division by floating point 0 in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(), and return 0 in that case (instead of infinity as before presumably) Apparently some sanitizers do not like those divisions by zero. Fixes MapTools bugzilla #2644

  • libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various clampings of double to other data types to avoid undefined behaviour if the output range isn't big enough to hold the input value. Fixes MapTools bugzilla #2643, MapTools bugzilla #2642, MapTools bugzilla #2646, MapTools bugzilla #2647

  • libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift exponent. Fixes MapTools bugzilla #2648

  • libtiff/tif_read.c: avoid potential undefined behaviour on signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes MapTools bugzilla #2650

  • libtiff/tif_getimage.c: add explicit uint32() cast in putagreytile to avoid UndefinedBehaviorSanitizer warning. Patch by Nicolás Peña. Fixes MapTools bugzilla #2658

  • libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero initialize tif_rawdata. Fixes MapTools bugzilla #2651

  • libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add

    _TIFFcalloc()

  • libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode functions instead of -1 when TIFFFlushData1() fails. Fixes MapTools bugzilla #2130

  • libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable(), OJPEGReadHeaderInfoSecTablesDcTable() and OJPEGReadHeaderInfoSecTablesAcTable() when read fails. Patch by Nicolás Peña. Fixes MapTools bugzilla #2659

  • libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the YCbCrSubsampling tag is not explicitly present. This helps a bit to reduce the I/O amount when the tag is present (especially on cloud hosted files).

  • libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary, the code bit-width after flushing the remaining code and before emitting the EOI code. Fixes MapTools bugzilla #1982

  • libtiff/tif_pixarlog.c: fix memory leak in error code path of PixarLogSetupDecode(). Patch by Nicolás Peña. Fixes MapTools bugzilla #2665

  • libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7 -Wimplicit-fallthrough warnings.

  • libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD mode (ie default) when there is both a StripOffsets and TileOffsets tag, or a StripByteCounts and TileByteCounts. Fixes MapTools bugzilla #2689

  • libtiff/tif_ojpeg.c: fix potential memory leak in OJPEGReadHeaderInfoSecTablesQTable(), OJPEGReadHeaderInfoSecTablesDcTable() and OJPEGReadHeaderInfoSecTablesAcTable(). Patch by Nicolás Peña. Fixes MapTools bugzilla #2670

  • libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file. Patch by Alan Coopersmith + complement by myself. Fixes MapTools bugzilla #2673

  • libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number of bytes read in case td_stripbytecount[strip] is bigger than reasonable, so as to avoid excessive memory allocation.

  • libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory leak when the underlying codec (ZIP, PixarLog) succeeds its setupdecode() method, but PredictorSetup() fails. Credit to OSS-Fuzz (locally run, on GDAL)

  • libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid excessive memory allocation in case of shorten files. Only effective on 64 bit builds and non-mapped cases. Credit to OSS-Fuzz (locally run, on GDAL)

  • libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), avoid potential integer overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT mode. Should especially occur on 32 bit platforms.

  • libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive memory allocation in case of shorten files. Only effective on 64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL)

  • libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with tif_rawdataloaded when calling TIFFStartStrip() or TIFFFillStripPartial(). This avoids reading beyond tif_rawdata() when bytecount > tif_rawdatasize. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545. Credit to OSS-Fuzz

  • libtiff/tif_color.c: avoid potential int32 overflow in TIFFYCbCrToRGBInit(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 Credit to OSS-Fuzz

  • libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 overflows in multiply_ms() and add_ms(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 Credit to OSS-Fuzz

  • libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563 Credit to OSS-Fuzz

  • libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory allocation when RowsPerStrip tag is missing. Credit to OSS-Fuzz (locally run, on GDAL)

  • libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(), and update tif_rawcc at end of LZWDecode(). This is needed to properly work with the latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.

  • libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc with avail_in at beginning and end of function, similarly to what is done in LZWDecode(). Likely needed so that it works properly with latest chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode. But untested...

  • libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of luma and refBlackWhite coefficients (just check they are not NaN for now), to avoid potential float to int overflows. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 Credit to OSS Fuzz

  • libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to float. Credit to Google Autofuzz project

  • libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero to avoid division by zero. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 Credit to OSS Fuzz

  • libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of double to float. Credit to Google Autofuzz project

  • libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero to avoid division by zero. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 Credit to OSS Fuzz

  • libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for refBlackWhite coefficients values. To avoid invalid float to int32 conversion. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 Credit to OSS Fuzz

Tools changes

  • tools/fax2tiff.c (main()): Applied patch by Jörg Ahrens to fix passing client data for Win32 builds using tif_win32.c (USE_WIN32_FILEIO defined) for file I/O. Patch was provided via email on November 20, 2016.

  • tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips() that can cause various issues, such as buffer overflows in the library. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2598

  • tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so that the output buffer is correctly incremented to avoid write outside bounds. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2620

  • tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in readSeparateStripsIntoBuffer() to avoid read outside of heap allocated buffer. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2621

  • tools/tiffcrop.c: fix integer division by zero when BitsPerSample is missing. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2619

  • tools/tiffinfo.c: fix null pointer dereference in -r mode when the image has no StripByteCount tag. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2594

  • tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is missing. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2597

  • tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called, limit the return number of inks to SamplesPerPixel, so that code that parses ink names doesn't go past the end of the buffer. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2599

  • tools/tiffcp.c: avoid potential division by zero if BitsPerSamples tag is missing. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2607

  • tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2610

  • tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert check. Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2605

  • tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW() and PSDataColorContig()). Reported by Agostino Sarubbo. Fixes MapTools bugzilla #2633 and MapTools bugzilla #2634.

  • tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode on a paletted image. Note: this fix errors out before the overflow happens. There could probably be a better fix. Fixes MapTools bugzilla #2635

  • tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger unspecified behaviour. Fixes MapTools bugzilla #2638

  • tools/tiff2pdf.c: avoid potential invalid memory read in t2p_writeproc(). Fixes MapTools bugzilla #2639

  • tools/tiff2pdf.c: avoid potential heap-based overflow in t2p_readwrite_pdf_image_tile(). Fixes MapTools bugzilla #2640

  • tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that caused double free. Related to MapTools bugzilla #2535

  • tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow() and cpSeparate2ContigByRow() if BitsPerSample != 8 to avoid heap based overflow. Fixes MapTools bugzilla #2656 and MapTools bugzilla #2657

  • tools/raw2tiff.c: avoid integer division by zero. Fixes MapTools bugzilla #2631

  • tools/tiff2ps.c: call TIFFClose() in error code paths.

  • tools/fax2tiff.c: emit appropriate message if the input file is empty. Patch by Alan Coopersmith. Fixes MapTools bugzilla #2672

  • tools/tiff2bw.c: close TIFF handle in error code path. Fixes MapTools bugzilla #2677

Contributed software changes

None