* libtiff 4.0.7 released.

* configure.ac: Update for 4.0.7 release.

Cast away unused return value from snprintf() to possibly eliminate a compilation warning.

* libtiff/tif_getimage.c: Fix some benign warnings which appear in
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
valu

* libtiff/tif_getimage.c: Fix some benign warnings which appear in
64-bit compilation under Microsoft Visual Studio of the form
"Arithmetic overflow: 32-bit value is shifted, then cast to 64-bit
value. Results might not be an expected value.". Problem was
reported on November 16, 2016 on the tiff mailing list.

show more ...

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzill

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference
NULL pointer when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced
by previous fix done on 2016-11-11 for CVE-2016-9297).
Reported by Henri Salo.

show more ...

Fix typo in comment

* libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted()
when requesting Predictor tag and that the zip/lzw codec is not
configured.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2591

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
i

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, to avoid potential read outside buffer
in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590

show more ...

* libtiff/tif_dirread.c: reject images with OJPEG compression that
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
an

* libtiff/tif_dirread.c: reject images with OJPEG compression that
have no TileOffsets/StripOffsets tag, when OJPEG compression is
disabled. Prevent null pointer dereference in TIFFReadRawStrip1()
and other functions that expect td_stripbytecount to be non NULL.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2585

show more ...

* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fi

* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587

show more ...

* libtiff/tif_predic.c: fix memory leaks in error code paths added in
previous commit (fix for MSVR 35105)

* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile

* libtiff/tif_predict.h, libtiff/tif_predict.c:
Replace assertions by runtime checks to avoid assertions in debug mode,
or buffer overflows in release mode. Can happen when dealing with
unusual tile size like YCbCr with subsampling. Reported as MSVR 35105
by Axel Souchet & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.

show more ...

* libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image

* libtiff/tif_dir.c: discard values of SMinSampleValue and
SMaxSampleValue when they have been read and the value of
SamplesPerPixel is changed afterwards (like when reading a
OJPEG compressed image with a missing SamplesPerPixel tag,
and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
being 3). Otherwise when rewriting the directory (for example
with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

show more ...

* tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and ma

* tools/tiffinfo.c: fix out-of-bound read on some tiled images.
(http://bugzilla.maptools.org/show_bug.cgi?id=2517)

* libtiff/tif_compress.c: make TIFFNoDecode() return 0 to indicate an
error and make upper level read routines treat it accordingly.
(linked to the test case of http://bugzilla.maptools.org/show_bug.cgi?id=2517)

show more ...

* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.

* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor

* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
read floating point images.

* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."

places where it isn't done currently, but it seems this patch is enough.

show more ...

* tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauha

* tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities
in heap or stack allocated buffers. Reported as MSVR 35093,
MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal
Chauhan from the MSRC Vulnerabilities & Mitigations team.
* tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in
heap allocate buffer in t2p_process_jpeg_strip(). Reported as MSVR
35098. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
* libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
* libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1()
that didn't reset the tif_rawcc and tif_rawcp members. I'm not
completely sure if that could happen in practice outside of the odd
behaviour of t2p_seekproc() of tiff2pdf). The report points that a
better fix could be to check the return value of TIFFFlushData1() in
places where it isn't done currently, but it seems this patch is enough.
Reported as MSVR 35095. Discovered by Axel Souchet & Vishal Chauhan &
Suha Can from the MSRC Vulnerabilities & Mitigations team.

show more ...

* libtiff/tif_lzma.c: typo fix in comment

* libtiff/*.c: fix warnings raised by clang 3.9 -Wcomma

* libtiff/tif_dirwrite.c, libtiff/tif_color.c: fix warnings raised
by GCC 5 / clang -Wfloat-conversion

* libtiff/tif_dirwrite.c: fix warnings raised by GCC 5 -Wfloat-conversion

Fix signed vs unsigned comparison

* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4

* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
if more input samples are provided than expected by PixarLogSetupEncode.
Idea based on libtiff-CVE-2016-3990.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
simpler check. (bugzilla #2544)


invalid tests that rejected valid files. (bugzilla #2545)

show more ...

* libtiff/tif_read.c: Fix out-of-bounds read on
memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)

* libtiff/tif_read.c: make TIFFReadEncodedStrip() and
TIFFReadEncodedTile() directly use user provided buffer when
no compression (and other conditions) to save a memcpy().

* libtiff/tif_write.c: ma

* libtiff/tif_read.c: make TIFFReadEncodedStrip() and
TIFFReadEncodedTile() directly use user provided buffer when
no compression (and other conditions) to save a memcpy().

* libtiff/tif_write.c: make TIFFWriteEncodedStrip() and
TIFFWriteEncodedTile() directly use user provided buffer when
no compression to save a memcpy().

show more ...

* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the

* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

(CVE-2016-587)

show more ...

Fix warning about unsigned vs signed comparison