1<HTML> 2<HEAD> 3<TITLE> 4 Changes in TIFF v3.9.5 5</TITLE> 6</HEAD> 7 8<BODY BGCOLOR=white> 9<FONT FACE="Helvetica, Arial, Sans"> 10<FONT FACE="Helvetica, Arial, Sans"> 11 12<BASEFONT SIZE=4> 13<B><FONT SIZE=+3>T</FONT>IFF <FONT SIZE=+2>C</FONT>HANGE <FONT SIZE=+2>I</FONT>NFORMATION</B> 14<BASEFONT SIZE=3> 15 16<UL> 17<HR SIZE=4 WIDTH=65% ALIGN=left> 18<B>Current Version</B>: v3.9.5<BR> 19<B>Previous Version</B>: <A HREF=v3.9.4.html>v3.9.4</a><BR> 20<B>Master FTP Site</B>: <A HREF="ftp://download.osgeo.org/libtiff"> 21download.osgeo.org</a>, directory pub/libtiff</A><BR> 22<B>Master HTTP Site</B>: <A HREF="http://www.simplesystems.org/libtiff/"> 23http://www.simplesystems.org/libtiff/</a> 24<HR SIZE=4 WIDTH=65% ALIGN=left> 25</UL> 26 27<P> 28This document describes the changes made to the software between the 29<I>previous</I> and <I>current</I> versions (see above). If you don't 30find something listed here, then it was not done in this timeframe, or 31it was not considered important enough to be mentioned. The following 32information is located here: 33<UL> 34<LI><A HREF="#hightlights">Major Changes</A> 35<LI><A HREF="#configure">Changes in the software configuration</A> 36<LI><A HREF="#libtiff">Changes in libtiff</A> 37<LI><A HREF="#tools">Changes in the tools</A> 38<LI><A HREF="#contrib">Changes in the contrib area</A> 39</UL> 40<p> 41<P><HR WIDTH=65% ALIGN=left> 42 43<!---------------------------------------------------------------------------> 44 45<A NAME="highlights"><B><FONT SIZE=+3>M</FONT>AJOR CHANGES:</B></A> 46 47<UL> 48 49 <li> None 50 51</UL> 52 53 54<P><HR WIDTH=65% ALIGN=left> 55<!---------------------------------------------------------------------------> 56 57<A NAME="configure"><B><FONT SIZE=+3>C</FONT>HANGES IN THE SOFTWARE CONFIGURATION:</B></A> 58 59<UL> 60 61 <li> configure.ac: Should use AC_CANONICAL_HOST since host specifies 62 the run-time target whereas target is used to specify the final 63 output target if the package is a build tool (like a compiler), 64 which libtiff is not. Resolves libtiff bug 2307 "Use 65 AC_CANONICAL_HOST macro". 66 67</UL> 68 69<P><HR WIDTH=65% ALIGN=left> 70 71<!---------------------------------------------------------------------------> 72 73<A NAME="libtiff"><B><FONT SIZE=+3>C</FONT>HANGES IN LIBTIFF:</B></A> 74 75<UL> 76 <li> libtiff/tif_getimage.c: Check the number of samples per pixel when 77 working with YCbCr image in PickContigCase(). As per bug 78 http://bugzilla.maptools.org/show_bug.cgi?id=2216 79 80 <li> libtiff/tif_dir.c: Set the bogus post-decoding hook when processing 81 TIFFTAG_BITSPERSAMPLE in _TIFFVSetField() for the case of 8 bit when 82 we don't need any post-processing. That helps to reset the hook if we 83 previously set this field to some other value and the hook was 84 initialized accordingly. As per bug 85 http://bugzilla.maptools.org/show_bug.cgi?id=2035 86 87 <li> libtiff/tif_getimage.c: Avoid wrong math du to the signed/unsigned 88 integer type conversions. As per bug 89 http://bugzilla.maptools.org/show_bug.cgi?id=2207 90 91 <li> libtiff/tif_dirinfo.c: Don't use assertions in _TIFFFieldWithTag() 92 and _TIFFFieldWithName() if the tag is not found in the tag table. 93 This should be normal situation and returned NULL value should be 94 properly handled by the caller. 95 96 <li> libtiff/{tif_dirwrite.c, tif_print.c}: Properly handle "DotRange" 97 tag as it can be either byte or short size and should be set and read 98 by value, not as an array. As per bug 99 http://bugzilla.maptools.org/show_bug.cgi?id=2116 100 101 <li> libtiff/tif_dirread.c: Really reset the tag count in CheckDirCount() 102 to expected value as the warning message suggests. As per bug 103 http://bugzilla.maptools.org/show_bug.cgi?id=1963 104 105 <li> libtiff/tif_open.c: Fix mode check before opening a file. 106 http://bugzilla.maptools.org/show_bug.cgi?id=1906 107 108 <li> libtiff/tif_jpeg.c, libtiff/tif_strip.c: apply patch for 109 CVE-2010-3087 per bug 110 http://bugzilla.maptools.org/show_bug.cgi?id=2140 111 112 <li> libtiff/tif_dirread.c: fix crash when reading a badly-constructed 113 TIFF per http://bugzilla.maptools.org/show_bug.cgi?id=1994 114 115 <li> libtiff/tif_ojpeg.c: fix buffer overflow on problem data 116 http://bugzilla.maptools.org/show_bug.cgi?id=1999 117 118 <li> libtiff/tif_dirread.c: modify warnings 119 http://bugzilla.maptools.org/show_bug.cgi?id=2016 120 121 <li> libtiff/tif_jpeg.c: fix use of clumplines calculation 122 http://bugzilla.maptools.org/show_bug.cgi?id=2149 123 124 <li> libtiff/tif_color.c: prevent crash in handling bad TIFFs 125 resolves CVE-2010-2595 126 http://bugzilla.maptools.org/show_bug.cgi?id=2208 127 128 <li> libtiff/tif_dirread.c: fix needless tag ordering warning 129 http://bugzilla.maptools.org/show_bug.cgi?id=2210 130 131 <li> libtiff/tif_jpeg.c: reduce usage of JCS_UNKNOWN in order 132 to improve compatibility with various viewers 133 submitted by e-mail from Dwight Kelly <[email protected]> 134 135 <li> libtiff/tif_strip.c: use TIFFGetFieldDefaulted instead 136 of TIFFGetField when we assume that it will succeed 137 http://bugzilla.maptools.org/show_bug.cgi?id=2215 138 139 <li> libtiff/tif_dirread.c: tolerate some cases where 140 FIELD_COLORMAP is missing 141 http://bugzilla.maptools.org/show_bug.cgi?id=2189 142 143 <li> libtiff/tif_jpeg.c: Fix regressions with 2 and 3 band images 144 caused by commit on 2010-12-14. Submitted by e-mail from 145 Even Rouault <[email protected]> 146 147 <li> libtiff/tif_dirwrite.c: Avoid undefined behaviour when casting from 148 float to unsigned integer in TIFFWriteRationalArray() as reported by 149 Kareem Shehata. 150 151 <li> libtiff/tif_fax3.h: Protect against a fax VL(n) codeword commanding 152 a move left. Without this, a malicious input file can generate an 153 indefinitely large series of runs without a0 ever reaching the right 154 margin, thus overrunning our buffer of run lengths. Per CVE-2011-0192. 155 This is a modified version of a patch proposed by Drew Yao of Apple 156 Product Security. It adds an unexpected() report, and disallows the 157 equality case, since emitting a run without increasing a0 still allows 158 buffer overrun. 159 160 <li> libtiff/tif_fax3.h: Fix to last change allowing zero length 161 runs at the start of a scanline - needed for legal cases. 162 163 <li> libtiff/tif_thunder.c: Correct potential buffer overflow with 164 thunder encoded files with wrong bitspersample set. The libtiff 165 development team would like to thank Marin Barbella and TippingPoint's 166 Zero Day Initiative for reporting this vulnerability (ZDI-CAN-1004, 167 CVE-2011-1167). 168 http://bugzilla.maptools.org/show_bug.cgi?id=2300 169 170 <li> libtiff/tiffiop.h: avoid declaring int64/uint64 on AIX with XLC 171 where they are already available. (#2301) 172</UL> 173 174<P><HR WIDTH=65% ALIGN=left> 175 176<!--------------------------------------------------------------------------> 177 178<A NAME="tools"><B><FONT SIZE=+3>C</FONT>HANGES IN THE TOOLS:</B></A> 179 180<UL> 181 182 <li> tools/tiffcrop.c: Patch from Richard Nolde. Reject YCbCr 183 subsampled data since tiffcrop currently doesn't support it. Fix 184 JPEG support. 185 186 <li> tools/tiffcp.c: Initialize buffer arrays with zero to avoid 187 referencing to uninitialized memory in some cases (e.g. when tile size 188 set bigger than the image size). 189 190 <li> tools/tiff2pdf.c: Better generation of ID field in 191 t2p_write_pdf_trailer(). Get rid of GCC aliasing warnings. 192 193 <li> tools/tiff2pdf.c: Fixed computation of the tile buffer size when 194 converting JPEG encoded tiles. 195 196 <li> tools/tiff2pdf.c: Better handling of string fields, use static 197 string buffers instead of dynamically allocated, use strncpy() instead 198 of strcpy(), control the string lengths. 199 200 <li> tools/{tiff2bw.c, thumbnail.c, pal2rgb.c}: Fix the count for 201 WhitePoint tag as per bug 202 http://bugzilla.maptools.org/show_bug.cgi?id=2042 203 204 <li> tools/tiffdump.c: Use PrintData() function instead of 205 PrintByte/Short/Long(). Should fix an issue reported at 206 http://bugzilla.maptools.org/show_bug.cgi?id=2116 207 208 <li> tools/tiffset.c: Properly handle TIFFTAG_PAGENUMBER, 209 TIFFTAG_HALFTONEHINTS, TIFFTAG_YCBCRSUBSAMPLING, TIFFTAG_DOTRANGE 210 which should be set by value. 211 212 <li> tools/tiffdump.c: Avoid integer overflows computing the buffer size 213 for large directories. As per bug 214 http://bugzilla.maptools.org/show_bug.cgi?id=2218 215 216 <li> tools/tiff2pdf.c: Fixed ID buffer filling in 217 t2p_write_pdf_trailer(), thanks to Dmitry V. Levin. 218 219 <li> tools/tiffcrop.c: Patch from Richard Nolde to avoid a 220 potentially unterminated buffer due to using an exceptionally long 221 file name. 222 223 <li> tools/tiff2ps.c: improvements and enhancements from Richard Nolde 224 with additional command line options for Document Title, 225 Document Creator, and Page Orientation 226 227 <li> tools/tiffsplit.c: abort when reading a TIFF without a byte-count 228 per http://bugzilla.maptools.org/show_bug.cgi?id=1996 229 230 <li> tools/tiff2pdf.c: add fill-page option 231 http://bugzilla.maptools.org/show_bug.cgi?id=2051 232 233 <li> tools/fax2ps.c: replace unsafe tmpfile() with mkstemp() 234 http://bugzilla.maptools.org/show_bug.cgi?id=2118 235 236 <li> tools/tiff2pdf.c: fix colors for images with RGBA 237 interleaved data 238 http://bugzilla.maptools.org/show_bug.cgi?id=2250 239 240 <li> tools/tiffcrop.c: new release by Richard Nolde 241 http://bugzilla.maptools.org/show_bug.cgi?id=2004 242 243 <li> tools/fax2ps.c: be consistent with page-numbering 244 http://bugzilla.maptools.org/show_bug.cgi?id=2225 245 246 <li> tools/gif2tiff.c: fix buffer overrun 247 http://bugzilla.maptools.org/show_bug.cgi?id=2270 248 249 <li> tools/fax2ps.c (main): Use tmpfile() rather than mkstemp() since 250 it is much more portable. Tmpfile is included in ISO/IEC 251 9899:1990 and the WIN32 CRT. 252 253</UL> 254 255<P><HR WIDTH=65% ALIGN=left> 256 257<!---------------------------------------------------------------------------> 258 259<A NAME="contrib"><B><FONT SIZE=+3>C</FONT>HANGES IN THE CONTRIB AREA:</B></A> 260 261<UL> 262 263 <li> None 264 265</UL> 266 267Last updated $Date: 2016-09-25 20:05:47 $. 268 269</BODY> 270</HTML> 271