/usr/share/doc/libtiff-doc/html/v4.0.4beta.html is in libtiff-doc 4.0.9-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 | <HTML>
<HEAD>
<TITLE>
Changes in TIFF v4.0.4beta
</TITLE>
</HEAD>
<BODY BGCOLOR=white>
<FONT FACE="Helvetica, Arial, Sans">
<BASEFONT SIZE=4>
<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B>
<BASEFONT SIZE=3>
<UL>
<HR SIZE=4 WIDTH=65% ALIGN=left>
<B>Current Version</B>: v4.0.4beta<BR>
<B>Previous Version</B>: <A HREF=v4.0.3.html>v4.0.3</a><BR>
<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff">
download.osgeo.org</a>, directory pub/libtiff</A><BR>
<B>Master HTTP Site</B>: <A HREF="http://www.simplesystems.org/libtiff/">
http://www.simplesystems.org/libtiff/</a>
<HR SIZE=4 WIDTH=65% ALIGN=left>
</UL>
<P>
This document describes the changes made to the software between the
<I>previous</I> and <I>current</I> versions (see above). If you don't
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:
<UL>
<LI><A HREF="#highlights">Major Changes</A>
<LI><A HREF="#configure">Changes in the software configuration</A>
<LI><A HREF="#libtiff">Changes in libtiff</A>
<LI><A HREF="#tools">Changes in the tools</A>
<LI><A HREF="#contrib">Changes in the contrib area</A>
</UL>
<p>
<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->
<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A>
<UL>
<li> None
</UL>
<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->
<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A>
<UL>
<li> Updated to use Automake 1.15 and Libtool 2.4.5
</UL>
<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->
<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A>
<UL>
<li> TIFFCheckDirOffset(): avoid uint16 overflow
when reading more than 65535 directories, and effectively error out when
eaching that limit.
<li> TIFFNumberOfDirectories(): generate error in case of directory count
overflow.
<li> TIFFAdvanceDirectory(): If nextdir is found to
be defective, then set it to zero before returning error in order
to terminate processing of truncated TIFF.
<li> JPEG-in-TIFF: recognize SOF2, SOF9 and SOF10
markers to avoid emitting a warning. Fix for compatibility with mozjpeg library.
Note: the default settings of mozjpeg will produce progressive scans, which
is forbidden by the TechNote.
<li> JPEG-in-TIFF: Fix regression introduced in 3.9.3/4.0.0 that caused
all tiles/strips to include quantization tables even when the jpegtablesmode
had the JPEGTABLESMODE_QUANT bit set.
Also add explicit removal of Huffman tables when jpegtablesmode has the
JPEGTABLESMODE_HUFF bit set, which avoids Huffman tables to be emitted in the
first tile/strip (only useful in update scenarios. create-only was
fine)
<li> JPEG-in-TIFF: fix segfault in JPEGFixupTagsSubsampling() on
corrupted image where tif->tif_dir.td_stripoffset == NULL.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2471">#2471</a>)
<li> NeXT codec: add new tests to check that we don't read outside of
the compressed input stream buffer.
<li> NeXT codec: check that BitsPerSample = 2. Fixes
<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2487">#2487</a> (CVE-2014-8129)
<li> NeXT codec: in the "run mode", use tilewidth for tiled images
instead of imagewidth to avoid crash
<li> tif_getimage.c: in OJPEG case, fix checks on strile width/height
in the putcontig8bitYCbCr42tile, putcontig8bitYCbCr41tile and
putcontig8bitYCbCr21tile cases.
<li> in TIFFDefaultDirectory(), reset any already existing
extented tags installed by user code through the extender mechaninm before
calling the extender callback (GDAL #5054)
<li> Fix warnings about unused parameters.
<li> Fix various typos in comments found by Debian lintian tool (GDAL #5756)
<li> tif_getimage.c: avoid divide by zero on invalid YCbCr subsampling.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2235">#2235</a>)
<li> tif_dirread.c: In EstimateStripByteCounts(), check return code
of _TIFFFillStriles(). This solves crashing bug on corrupted
images generated by afl.
<li>tif_read.c: fix several invalid comparisons of a uint64 value with
<= 0 by casting it to int64 first. This solves crashing bug on corrupted
images generated by afl.
<li>TIFFSetField(): refuse to set negative values for
TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
the directory
<li>TIFFReadDirectory(): refuse to read ColorMap or
TransferFunction if BitsPerSample has not yet been read, otherwise reading
it later will cause user code to crash if BitsPerSample > 1
<li> TIFFRGBAImageOK(): return FALSE if LOGLUV with
SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
<li> tif_config.vc.h: no longer use "#define snprintf _snprintf" with
Visual Studio 2015 aka VC 14 aka MSVC 1900
<li> LZW codec: prevent potential null dereference of sp->dec_codetab in LZWPreDecode
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
<li> TIFFReadBufferSetup(): avoid passing -1 size
to TIFFmalloc() if passed user buffer size is 0
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
<li> TIFFReadDirEntryOutputErr(): Incorrect
count for tag should be a warning rather than an error since
errors terminate processing.
<li> tif_dirinfo.c (TIFFField) : Fix data type for TIFFTAG_GLOBALPARAMETERSIFD tag.
<li> Add definitions for TIFF/EP CFARepeatPatternDim and CFAPattern tags
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2457">#2457</a>)
<li> tif_codec.c, tif_dirinfo.c: Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of sprintf(buf,
...) in favor of using snprintf(buf, sizeof(buf), ...)
<li> configure.ac: Improve pkg-config static linking by adding -lm to Libs.private when needed.
<li> tif_write.c: tmsize_t related casting warning fixed for
64bit linux.
<li> tif_read.c: uint64/tmsize_t change for MSVC warnings.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2427">#2427</a>)
<li> Fix TIFFPrintDirectory's handling of
field_passcount fields: it had the TIFF_VARIABLE and
TIFF_VARIABLE2 cases backwards.
<li> PixarLog codec: Improve previous patch for CVE-2012-4447
(to enlarge tbuf for possible partial stride at end) so that
overflow in the integer addition is detected.
<li>tif_{unix,vms,win32}.c (_TIFFmalloc): ANSI C does not
require malloc() to return NULL pointer if requested allocation
size is zero. Assure that _TIFFmalloc does.
<li>tif_zip.c: Avoid crash on NULL error messages.
</UL>
<P><HR WIDTH=65% ALIGN=left>
<!-------------------------------------------------------------------------->
<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A>
<UL>
<li> tiff2pdf: Fis various crashes and memory buffer access errors (oCERT-2014-013).
<li> tiff2pdf: fix buffer overflow on some YCbCr JPEG compressed images.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2445">#2445</a>)
<li> tiff2pdf: fix buffer overflow on YCbCr JPEG compressed image.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2443">#2443</a>)
<li> tiff2pdf: check return code of TIFFGetField() when reading TIFFTAG_SAMPLESPERPIXEL
<li> tiff2pdf: fix crash due to invalid tile count.
<li> tiff2pdf: Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
<li> tiff2pdf: Assure that memory size calculations for
_TIFFmalloc() do not overflow the range of tmsize_t.
<li> tiff2pdf: Avoid crash when TIFFTAG_TRANSFERFUNCTION tag returns one channel,
with the other two channels set to NULL.
<li> tiff2pdf: close PDF file. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2479">#2479</a>)
<li> tiff2pdf: Preserve input file directory order when pages
are tagged with the same page number.
<li> tiff2pdf.c: terminate after failure of allocating ycbcr buffer
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2449">#2449</a> CVE-2013-4232)
<li> tiff2pdf: Rewrite JPEG marker parsing in
t2p_process_jpeg_strip to be at least marginally competent. The
approach is still fundamentally flawed, but at least now it won't
stomp all over memory when given bogus input. Fixes CVE-2013-1960.
<li> tiffdump: Guard against arithmetic overflow when calculating allocation buffer sizes.
<li> tiffdump: fix crash due to overflow of entry count.
<li> tiffdump: Fix double-free bug.
<li> tiffdump: detect cycle in TIFF directory chaining.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2463">#2463</a>)
<li> tiffdump: avoid passing a NULL pointer to read() if seek() failed before.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
<li> tiff2bw: when Photometric=RGB, the utility only works if SamplesPerPixel = 3. Enforce that.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2485">#2485</a>, CVE-2014-8127)
<li> pal2rgb, thumbnail: fix crash by disabling TIFFTAG_INKNAMES copying.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2484">#2484</a>, CVE-2014-8127)
<li> thumbnail: fix out-of-buffer write.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2489">#2489</a>, CVE-2014-8128)
<li> thumbnail, tiffcmp: only read/write TIFFTAG_GROUP3OPTIONS
or TIFFTAG_GROUP4OPTIONS if compression is COMPRESSION_CCITTFAX3 or
COMPRESSION_CCITTFAX4.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2493">#2493</a>, CVE-2014-8128)
<li> tiffcp: fix crash when converting YCbCr JPEG-compressed to none.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2480">#2480</a>)
<li> bmp2tiff: fix crash due to int overflow related to input BMP dimensions
<li> tiffcrop: fix crash due to invalid TileWidth/TileHeight
<li> tiffcrop: fix segfault if bad value passed to -Z option
( <a href="http://bugzilla.maptools.org/show_bug.cgi?id=2459">#2459</a>)
and add missing va_end in dump_info
<li> thumbnail, tiffcrop: "fix" heap read over-run found with
Valgrind and Address Sanitizer on test suite
<li> fax2ps: check malloc()/realloc() result. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2470">#2470</a>)
<li> gif2tiff: apply patch for CVE-2013-4243. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2451">#2451</a>)
<li> gif2tiff: fix possible OOB write. (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2452">#2452</a>, CVE-2013-4244)
<li> gif2tiff: Be more careful about corrupt or hostile input files (<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2450">#2450</a>, CVE-2013-4231)
<li> tiff2rgba: fix usage message in that zip was wrongly described
<li> tiffinfo: Default various values fetched with TIFFGetField() to avoid being uninitialized.
<li> tiff2ps: Fix bug in auto rotate option code.
<li> ppm2tiff: avoid zero size buffer vulnerability (CVE-2012-4564).
check the linebytes calculation too, get the max() calculation
straight, avoid redundant error messages, check for malloc
failure.
<li> tiffset: now supports a -u option to unset a tag.
(<a href="http://bugzilla.maptools.org/show_bug.cgi?id=2419">#2419</a>)
<li> Fix warnings about unused parameters.
<li> rgb2ycbcr, tiff2bw, tiff2pdf, tiff2ps, tiffcrop, tiffdither :
Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of sprintf(buf,
...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
protect against overflow of fixed-size buffers. This responds in
particular to CVE-2013-1961 concerning overflow in tiff2pdf.c's
t2p_write_pdf_page().
<li>html/man/tiff2ps.1.html, html/man/tiffcp.1.html,
html/man/tiffdither.1.html, man/tiff2ps.1, man/tiffcp.1,
man/tiffdither.1, tools/tiff2ps.c, tools/tiffcp.c,
tools/tiffdither.c: Sync tool usage printouts and man pages with
reality
</UL>
<P><HR WIDTH=65% ALIGN=left>
<!--------------------------------------------------------------------------->
<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A>
<UL>
<li> Fix warnings about variables set but not used.
<li> contrib/dbs/xtiff/xtiff.c: Enlarge some fixed-size buffers that weren't
large enough, and eliminate substantially all uses of sprintf(buf,
...) in favor of using snprintf(buf, sizeof(buf), ...), so as to
protect against overflow of fixed-size buffers.
</UL>
Last updated $Date: 2016-09-25 20:05:47 $.
</BODY>
</HTML>
|