<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>Changes in TIFF v4.0.9 — LibTIFF 4.6.0 documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="../_static/sphinxdoc.css" />
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Changes in TIFF v4.0.8" href="v4.0.8.html" />
<link rel="prev" title="Changes in TIFF v4.0.10" href="v4.0.10.html" />
</head><body>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="changes-in-tiff-v4-0-9">
<h1>Changes in TIFF v4.0.9<a class="headerlink" href="#changes-in-tiff-v4-0-9" title="Permalink to this heading">¶</a></h1>
<table class="docutils align-default" id="id2">
<caption><span class="caption-text">References</span><a class="headerlink" href="#id2" title="Permalink to this table">¶</a></caption>
<tbody>
<tr class="row-odd"><td><p>Current Version</p></td>
<td><p>v4.0.9 (<a class="reference external" href="https://gitlab.com/libtiff/libtiff/-/tags/Release-v4-0-9">tag Release-v4-0-9</a>)</p></td>
</tr>
<tr class="row-even"><td><p>Previous Version</p></td>
<td><p><a class="reference internal" href="v4.0.8.html"><span class="doc">v4.0.8</span></a></p></td>
</tr>
<tr class="row-odd"><td><p>Master Download Site</p></td>
<td><p><a class="reference external" href="https://download.osgeo.org/libtiff/">https://download.osgeo.org/libtiff/</a></p></td>
</tr>
<tr class="row-even"><td><p>Master HTTP Site #1</p></td>
<td><p><a class="reference external" href="http://www.simplesystems.org/libtiff/">http://www.simplesystems.org/libtiff/</a></p></td>
</tr>
<tr class="row-odd"><td><p>Master HTTP Site #2</p></td>
<td><p><a class="reference external" href="http://libtiff.maptools.org/">http://libtiff.maptools.org/</a></p></td>
</tr>
</tbody>
</table>
<p>This document describes the changes made to the software between the
<em>previous</em> and <em>current</em> versions (see above). If you don’t
find something listed here, then it was not done in this timeframe, or
it was not considered important enough to be mentioned. The following
information is located here:</p>
<section id="major-changes">
<h2>Major changes<a class="headerlink" href="#major-changes" title="Permalink to this heading">¶</a></h2>
<ul class="simple">
<li><p>None</p></li>
</ul>
</section>
<section id="software-configuration-changes">
<h2>Software configuration changes<a class="headerlink" href="#software-configuration-changes" title="Permalink to this heading">¶</a></h2>
<ul class="simple">
<li><p><code class="file docutils literal notranslate"><span class="pre">test/Makefile.am</span></code>: Add some tests for tiff2bw.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">.appveyor.yml</span></code>, <code class="file docutils literal notranslate"><span class="pre">.travis.yml</span></code>, <code class="file docutils literal notranslate"><span class="pre">build/travis-ci</span></code>: apply patches
<code class="file docutils literal notranslate"><span class="pre">0001-ci-Travis-script-improvements.patch</span></code> and
<code class="file docutils literal notranslate"><span class="pre">0002-ci-Invoke-helper-script-via-shell.patch</span></code> by Roger Leigh
(sent to mailing list)</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">.travis.yml</span></code>, <code class="file docutils literal notranslate"><span class="pre">build/travis-ci</span></code>: new files from
<code class="file docutils literal notranslate"><span class="pre">0001-ci-Add-Travis-support-for-Linux-builds-with-Autoconf.patch</span></code> by
Roger Leigh (sent to mailing list on 2017-06-08).
This patch adds support for the Travis-CI service.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">.appveyor.yml</span></code>: new file from
<code class="file docutils literal notranslate"><span class="pre">0002-ci-Add-AppVeyor-support.patch</span></code> by Roger Leigh (sent to mailing
list on 2017-06-08).
This patch adds a <code class="file docutils literal notranslate"><span class="pre">.appveyor.yml</span></code> file to the top-level. This allows
one to opt in to having a branch built on Windows with Cygwin,
MinGW and MSVC automatically when a branch is pushed to GitHub,
GitLab, BitBucket or any other supported git hosting service.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">CMakeLists.txt</span></code>, <code class="file docutils literal notranslate"><span class="pre">test/CMakeLists.txt</span></code>, <code class="file docutils literal notranslate"><span class="pre">test/TiffTestCommon.cmake</span></code>: apply
patch <code class="file docutils literal notranslate"><span class="pre">0001-cmake-Improve-Cygwin-and-MingGW-test-support.patch</span></code> from Roger
Leigh (sent to mailing list on 2017-06-08).
This patch makes the CMake build system support running the tests
with MinGW or Cygwin.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">test/tiffcp-lzw-compat.sh</span></code>, <code class="file docutils literal notranslate"><span class="pre">test/images/quad-lzw-compat.tiff</span></code>: new files
to test old-style LZW decompression</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">test/common.sh</span></code>, <code class="file docutils literal notranslate"><span class="pre">Makefile.am</span></code>, <code class="file docutils literal notranslate"><span class="pre">CMakeList.txt</span></code>: updated with above</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">test/Makefile.am</span></code>: add missing reference to images/quad-lzw-compat.tiff
to fix <code class="docutils literal notranslate"><span class="pre">make</span> <span class="pre">distcheck</span></code>. Patch by Roger Leigh</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">nmake.opt</span></code>: support a <code class="docutils literal notranslate"><span class="pre">DEBUG=1</span></code> option, so as to adjust <code class="docutils literal notranslate"><span class="pre">OPTFLAGS</span></code> and use
<code class="docutils literal notranslate"><span class="pre">/MDd</span></code> runtime in debug mode.</p></li>
</ul>
</section>
<section id="library-changes">
<h2>Library changes<a class="headerlink" href="#library-changes" title="Permalink to this heading">¶</a></h2>
<ul>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_color.c</span></code>: <a class="reference internal" href="../functions/TIFFcolor.html#c.TIFFYCbCrToRGBInit" title="TIFFYCbCrToRGBInit"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFYCbCrToRGBInit()</span></code></a>: stricter clamping to avoid
<code class="xref c c-type docutils literal notranslate"><span class="pre">int32</span></code> overflow in <a class="reference internal" href="../functions/TIFFcolor.html#c.TIFFYCbCrtoRGB" title="TIFFYCbCrtoRGB"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFYCbCrtoRGB()</span></code></a>.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844">OSS-Fuzz #1844</a>.
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">initYCbCrConversion()</span></code>: stricter validation of the
<code class="docutils literal notranslate"><span class="pre">refBlackWhite</span></code> coefficient values, to avoid an invalid <code class="docutils literal notranslate"><span class="pre">float->int32</span></code> conversion
(when <code class="docutils literal notranslate"><span class="pre">refBlackWhite[0]</span> <span class="pre">==</span> <span class="pre">2147483648.f</span></code>).
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907">OSS-Fuzz #1907</a>.
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirinfo.c</span></code>, <code class="file docutils literal notranslate"><span class="pre">tif_dirread.c</span></code>: add <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFCheckFieldIsValidForCodec()</span></code>,
and use it in <a class="reference internal" href="../functions/TIFFReadDirectory.html#c.TIFFReadDirectory" title="TIFFReadDirectory"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadDirectory()</span></code></a> so as to ignore fields whose tag is
codec-specific while that codec is not enabled. This prevents <a class="reference internal" href="../functions/TIFFGetField.html#c.TIFFGetField" title="TIFFGetField"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFGetField()</span></code></a>
from behaving differently depending on whether the codec is enabled or not, and
thus avoids stack based buffer overflows in a number of TIFF utilities
such as <strong class="program">tiffsplit</strong>, <strong class="program">tiffcmp</strong>, <strong class="program">thumbnail</strong>, etc.
Patch derived from <code class="file docutils literal notranslate"><span class="pre">0063-Handle-properly-CODEC-specific-tags.patch</span></code>
(<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2580">MapTools bugzilla #2580</a>) by Raphaël Hertzog.
Fixes:
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2580">MapTools bugzilla #2580</a>,
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2693">MapTools bugzilla #2693</a>,
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2625">MapTools bugzilla #2625</a> (<a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095">CVE-2016-10095</a>),
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2564">MapTools bugzilla #2564</a> (<a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554">CVE-2015-7554</a>),
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2561">MapTools bugzilla #2561</a> (<a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318">CVE-2016-5318</a>),
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2499">MapTools bugzilla #2499</a> (<a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128">CVE-2014-8128</a>),
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2441">MapTools bugzilla #2441</a>,
<a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2433">MapTools bugzilla #2433</a>.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_swab.c</span></code>: if <code class="xref c c-macro docutils literal notranslate"><span class="pre">DISABLE_CHECK_TIFFSWABMACROS</span></code> is defined, do not do
the <code class="docutils literal notranslate"><span class="pre">#ifdef</span> <span class="pre">TIFFSwabXXX</span></code> checks. Make it easier for GDAL to rename the symbols
of its internal libtiff copy.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: fix regression of libtiff 4.0.8 in
<code class="xref c c-func docutils literal notranslate"><span class="pre">ChopUpSingleUncompressedStrip()</span></code> regarding the update of new single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition <code class="docutils literal notranslate"><span class="pre">bytecount==0</span></code> used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this causes
a later incorrect setting of the value of <code class="docutils literal notranslate"><span class="pre">StripByteCounts</span></code>/<code class="docutils literal notranslate"><span class="pre">StripOffsets</span></code>.
(<a class="reference external" href="http://trac.osgeo.org/gdal/ticket/6924">GDAL trac #6924</a>).</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFetchStripThing()</span></code>: limit the number of items
read in <code class="docutils literal notranslate"><span class="pre">StripOffsets</span></code>/<code class="docutils literal notranslate"><span class="pre">StripByteCounts</span></code> tags to the number of strips to avoid
excessive memory allocation.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2215">OSS-Fuzz #2215</a>.
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: avoid many (harmless) <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span> overflows.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_fax3.c</span></code>: avoid <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span> overflow in <code class="xref c c-func docutils literal notranslate"><span class="pre">Fax3Encode2DRow()</span></code>. Could
potentially be a bug with huge rows.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>: avoid (harmless) <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span> overflow on tiled images.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: avoid <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span> overflow in <code class="xref c c-func docutils literal notranslate"><span class="pre">EstimateStripByteCounts()</span></code>
and <code class="docutils literal notranslate"><span class="pre">BYTECOUNTLOOKSBAD</span></code> when file is too short.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_predict.c</span></code>: decorate legitimate functions where <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span>
overflow occurs with <code class="xref c c-macro docutils literal notranslate"><span class="pre">TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW</span></code></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: avoid <span class="c-expr sig sig-inline c"><span class="kt">unsigned</span><span class="w"> </span><span class="kt">int</span></span> overflow in <code class="xref c c-func docutils literal notranslate"><span class="pre">EstimateStripByteCounts()</span></code></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tiffiop.h</span></code>: add <code class="xref c c-macro docutils literal notranslate"><span class="pre">TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW</span></code> macro to
disable Clang warnings raised by <code class="docutils literal notranslate"><span class="pre">-fsanitize=undefined,unsigned-integer-overflow</span></code></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>: add anti-denial of service measure to avoid excessive
CPU consumption on progressive JPEGs with a huge number of scans.
See <a class="reference external" href="http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf">http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Only affects libtiff since 2014-12-29 where support of non-baseline JPEG
was added.</p>
</div>
</li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>: error out at decoding time if the anticipated libjpeg
memory allocation is above 100 MB. In the case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleaved in a single one, libjpeg needs to allocate memory (or
backing store) for the whole strip/tile.
See <a class="reference external" href="http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf">http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf</a>.
This limitation may be overridden by setting the
<code class="docutils literal notranslate"><span class="pre">LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC</span></code> environment variable, or by recompiling
libtiff with a custom value of the <code class="xref c c-macro docutils literal notranslate"><span class="pre">TIFF_LIBJPEG_LARGEST_MEM_ALLOC</span></code> macro.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jbig.c</span></code>: fix memory leak in error code path of <code class="xref c c-func docutils literal notranslate"><span class="pre">JBIGDecode()</span></code>.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2706">MapTools bugzilla #2706</a>.
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadDirEntryFloat()</span></code>, check that a
double value can fit in a float before casting. Patch by Nicolas RUFF</p></li>
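The range check this entry describes, as an added illustration that is not libtiff's own code: a DOUBLE directory-entry value is only narrowed to float when it lies within [-FLT_MAX, FLT_MAX] (NaN and infinities are representable as float and pass); the error-code names are assumed for this example.

```c
#include <float.h>
#include <math.h>

/* Result codes for the checked conversion (names assumed for this example). */
enum dir_entry_err {
    DIR_ENTRY_OK = 0,
    DIR_ENTRY_ERR_RANGE = 1
};

/*
 * Return 1 if a double can be stored in a float without overflowing.
 * NaN and +/-infinity are representable as float, so they pass. A finite
 * value outside [-FLT_MAX, FLT_MAX] has no float representation: the C
 * standard leaves such a cast undefined (IEC 60559 platforms yield
 * infinity), so it is rejected. Precision loss inside the range is fine.
 */
int double_fits_float(double v)
{
    if (isnan(v) || isinf(v))
        return 1;
    return v >= -(double)FLT_MAX && v <= (double)FLT_MAX;
}

/* Narrow a DOUBLE tag value to the caller's float only when it fits. */
enum dir_entry_err read_dir_entry_float_checked(double raw, float *out)
{
    if (!double_fits_float(raw))
        return DIR_ENTRY_ERR_RANGE;   /* reject instead of casting */
    *out = (float)raw;
    return DIR_ENTRY_OK;
}
```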
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tiffiop.h</span></code>, <code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>, <code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg_12.c</span></code>,
<code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: make <a class="reference internal" href="../functions/TIFFReadScanline.html#c.TIFFReadScanline" title="TIFFReadScanline"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadScanline()</span></code></a> work in
<code class="xref c c-macro docutils literal notranslate"><span class="pre">CHUNKY_STRIP_READ_SUPPORT</span></code> mode with JPEG streams with multiple scans.
Also make the maximum number of scans allowed configurable through the
<code class="docutils literal notranslate"><span class="pre">LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER</span></code> environment variable. Defaults to
100.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillTile()</span></code>: add a limitation to the number
of bytes read in case <code class="docutils literal notranslate"><span class="pre">td_stripbytecount[strip]</span></code> is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillStrip()</span></code> on 2017-05-10)</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: use <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFReadEncodedStripAndAllocBuffer()</span></code>.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2708">MapTools bugzilla #2708</a> and
<a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2433">OSS-Fuzz #2433</a>.
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>, tiffiop.h: add a <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFReadEncodedStripAndAllocBuffer()</span></code>
function, variant of <a class="reference internal" href="../functions/TIFFReadEncodedStrip.html#c.TIFFReadEncodedStrip" title="TIFFReadEncodedStrip"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadEncodedStrip()</span></code></a> that allocates the
decoded buffer only after a first successful <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillStrip()</span></code>. This avoids
excessive memory allocation on corrupted files.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirwrite.c</span></code>: in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFWriteDirectoryTagCheckedXXXX()</span></code>
functions associated with the LONG8/SLONG8 data types, replace the assertion that
the file is BigTIFF with a non-fatal error.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2712">MapTools bugzilla #2712</a>
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFStartTile()</span></code>: set tif_rawcc to
tif_rawdataloaded when it is set, as <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFStartStrip()</span></code> already does.
This issue was revealed by the change of 2017-06-30 in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillTile()</span></code>,
limiting the number of bytes read, but it could probably also have been hit
previously in CHUNKY_STRIP_READ_SUPPORT mode.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454">OSS-Fuzz #2454</a>
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_error.c,</span> <span class="pre">tif_warning.c</span></code>: correctly use va_list when both
old-style and new-style warning/error handlers are installed.
Patch by Paavo Helde (sent on the mailing list)</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: use <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFReadTileAndAllocBuffer()</span></code>.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470">OSS-Fuzz #2470</a>
Credit to OSS Fuzz.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>, tiffiop.h: add a <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFReadEncodedTileAndAllocBuffer()</span></code>
and <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFReadTileAndAllocBuffer()</span></code> variants of <a class="reference internal" href="../functions/TIFFReadEncodedTile.html#c.TIFFReadEncodedTile" title="TIFFReadEncodedTile"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadEncodedTile()</span></code></a> and
<a class="reference internal" href="../functions/TIFFReadTile.html#c.TIFFReadTile" title="TIFFReadTile"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadTile()</span></code></a> that allocate the decoded buffer only after a first
successful <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillTile()</span></code>. This avoids excessive memory allocation
on corrupted files.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_pixarlog.c</span></code>: avoid excessive memory allocation on decoding
when the RowsPerStrip tag is not defined (and thus td_rowsperstrip == UINT_MAX).
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2554">OSS-Fuzz #2554</a>
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_lzw.c</span></code>: fix 4.0.8 regression in the decoding of old-style LZW
compressed files.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_lzw.c</span></code>: fix potential out-of-buffer read on 1-byte LZW
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dir.c</span></code>: avoid potential null pointer dereference in
<code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFVGetField()</span></code> on corrupted TIFFTAG_NUMBEROFINKS tag instance.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2713">MapTools bugzilla #2713</a></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/tiff2pdf.c</span></code>: prevent heap buffer overflow write in “Raw”
mode on <code class="docutils literal notranslate"><span class="pre">PlanarConfig=Contig</span></code> input images.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2715">MapTools bugzilla #2715</a>
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillStrip()</span></code> / <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFillTile()</span></code>.
Complementary fix for <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2708">MapTools bugzilla #2708</a>
in the <code class="xref c c-func docutils literal notranslate"><span class="pre">isMapped()</span></code> case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFFetchStripThing()</span></code>, only grow the
arrays that hold <code class="docutils literal notranslate"><span class="pre">StripOffsets</span></code>/<code class="docutils literal notranslate"><span class="pre">StripByteCounts</span></code>, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
<code class="docutils literal notranslate"><span class="pre">LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT</span></code>.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350">OSS-Fuzz #2350</a>
Credit to OSS Fuzz</p></li>
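The strile-array sizing policy from this entry, combined with the earlier <code>TIFFFetchStripThing()</code> entry that limits the number of items read to the number of strips, as an added illustration that is not libtiff's own code: a tag that claims more values than there are strips is only read up to the strip count, a tag that is too short is grown to the strip count only while that count stays under the ceiling, and the ceiling can be tightened via <code>LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT</code>. The 1 million default and the variable name come from the entry; the function and enum names are assumed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Default ceiling from the release note: grow arrays up to 1 million striles. */
#define STRILE_ARRAY_MAX_RESIZE_COUNT_DEFAULT 1000000u

enum strile_policy {
    STRILE_OK = 0,           /* read *to_read entries into an array of *alloc_count */
    STRILE_ERR_TOO_MANY = 1  /* growing would exceed the ceiling: error out */
};

/*
 * Decide how many StripOffsets/StripByteCounts entries to read and allocate.
 *   tag_count  - number of values the directory entry claims to hold
 *   nstrips    - number of strips/tiles implied by the image geometry
 *   max_resize - ceiling, applied only when the array must be grown
 * Entries beyond nstrips are never read, so an oversized tag cannot drive
 * the allocation on its own; slots beyond *to_read are for the caller to
 * initialise.
 */
enum strile_policy strile_array_size(uint64_t tag_count, uint32_t nstrips,
                                     uint32_t max_resize,
                                     uint32_t *to_read, uint32_t *alloc_count)
{
    if (tag_count >= nstrips) {
        /* Tag holds at least as many values as needed: read only nstrips. */
        *to_read = nstrips;
        *alloc_count = nstrips;
        return STRILE_OK;
    }
    /* Tag is short: the array must be grown to nstrips, subject to the ceiling. */
    if (nstrips > max_resize)
        return STRILE_ERR_TOO_MANY;
    *to_read = (uint32_t)tag_count;
    *alloc_count = nstrips;
    return STRILE_OK;
}

/* Resolve the ceiling: the environment variable overrides the default when
 * it holds a well-formed decimal number that fits in 32 bits. */
uint32_t strile_max_resize_from_env(void)
{
    const char *s = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
    if (s != NULL && *s != '\0') {
        char *end = NULL;
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno == 0 && end != s && *end == '\0' && v <= UINT32_MAX)
            return (uint32_t)v;
    }
    return STRILE_ARRAY_MAX_RESIZE_COUNT_DEFAULT;
}
```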
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_read.c</span></code>: add protection against excessive memory
allocation attempts in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadDirEntryArray()</span></code> on short files.
Effective in the mmap’ed case, and in the non-mmap’ed case restricted
to 64-bit builds.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2675">MapTools bugzilla #2675</a></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_luv.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">LogLuvInitState()</span></code>: avoid excessive memory
allocation when <code class="docutils literal notranslate"><span class="pre">RowsPerStrip</span></code> tag is missing.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2683">OSS-Fuzz #2683</a>
Credit to OSS-Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: <code class="xref c c-func docutils literal notranslate"><span class="pre">gtTileContig()</span></code> and <code class="xref c c-func docutils literal notranslate"><span class="pre">gtTileSeparate()</span></code>:
properly break out of the loops on error when <code class="docutils literal notranslate"><span class="pre">stoponerr</span></code> is set, instead
of continuing to iterate in the row-based loop.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: fix fromskew computation when the number of
pixels to be skipped is not a multiple of the horizontal subsampling factor, and
also in some other cases. Impacts <code class="docutils literal notranslate"><span class="pre">putcontig8bitYCbCr44tile</span></code>,
<code class="docutils literal notranslate"><span class="pre">putcontig8bitYCbCr42tile</span></code>, <code class="docutils literal notranslate"><span class="pre">putcontig8bitYCbCr41tile</span></code>,
<code class="docutils literal notranslate"><span class="pre">putcontig8bitYCbCr21tile</span></code> and <code class="docutils literal notranslate"><span class="pre">putcontig8bitYCbCr12tile</span></code>.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2637">MapTools bugzilla #2637</a> (discovered by Agostino Sarubbo)
and <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2691">OSS-Fuzz #2691</a> (credit to OSS Fuzz)</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_luv.c</span></code>: further reduce memory requirements for temporary
buffer when <code class="docutils literal notranslate"><span class="pre">RowsPerStrip</span> <span class="pre">>=</span> <span class="pre">image_length</span></code> in <code class="xref c c-func docutils literal notranslate"><span class="pre">LogLuvInitState()</span></code> and
<code class="xref c c-func docutils literal notranslate"><span class="pre">LogL16InitState()</span></code>.
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2700">OSS-Fuzz #2700</a>
Credit to OSS Fuzz</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirwrite.c</span></code>: replace assertion related to not finding the
<code class="docutils literal notranslate"><span class="pre">SubIFD</span></code> tag by runtime check (in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFWriteDirectorySec()</span></code>)
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2727">MapTools bugzilla #2727</a>
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirwrite.c</span></code>: replace the assertion that the selected value of the
<code class="docutils literal notranslate"><span class="pre">SubIFD</span></code> tag fits in a <code class="xref c c-type docutils literal notranslate"><span class="pre">uint32</span></code> with a runtime check
(in <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFWriteDirectoryTagSubifd()</span></code>).
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2728">MapTools bugzilla #2728</a>
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>: accept reading the last strip of a JPEG compressed
file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since such a file is non-compliant.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tiffiop.h</span></code>, <code class="file docutils literal notranslate"><span class="pre">libtiff/tif_aux.c</span></code>: redirect the <code class="xref c c-func docutils literal notranslate"><span class="pre">SeekOK()</span></code> macro to a <code class="xref c c-func docutils literal notranslate"><span class="pre">_TIFFSeekOK()</span></code>
function that rejects offsets larger than <code class="xref c c-macro docutils literal notranslate"><span class="pre">INT64_MAX</span></code> before seeking, so that
the <code class="docutils literal notranslate"><span class="pre">-1</span></code> error return of <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFSeekFile()</span></code> can no longer be mistaken for a successful
seek to offset <code class="xref c c-macro docutils literal notranslate"><span class="pre">UINT64_MAX</span></code> (the same bit pattern as <code class="docutils literal notranslate"><span class="pre">-1</span></code>).
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2726">MapTools bugzilla #2726</a>
Adapted from a proposal by Nicolas Ruff.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_dirread.c</span></code>: add a <code class="xref c c-macro docutils literal notranslate"><span class="pre">NULL</span></code> check to avoid a likely false-positive
null-pointer dereference warning from the Clang Static Analyzer.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/libtiff.def</span></code>: add <a class="reference internal" href="../functions/TIFFReadRGBAStrip.html#c.TIFFReadRGBAStripExt" title="TIFFReadRGBAStripExt"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadRGBAStripExt()</span></code></a> and <a class="reference internal" href="../functions/TIFFReadRGBATile.html#c.TIFFReadRGBATileExt" title="TIFFReadRGBATileExt"><code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadRGBATileExt()</span></code></a>
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2735">MapTools bugzilla #2735</a></p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_jpeg.c</span></code>: add compatibility with libjpeg-turbo 1.5.2 that
honours <code class="docutils literal notranslate"><span class="pre">max_memory_to_use</span> <span class="pre">></span> <span class="pre">0</span></code>.
Cf <a class="reference external" href="https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162">https://github.com/libjpeg-turbo/libjpeg-turbo/issues/162</a>.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">libtiff/tif_getimage.c</span></code>: avoid floating point division by zero in
<code class="xref c c-func docutils literal notranslate"><span class="pre">initCIELabConversion()</span></code>
Fixes <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3733">OSS-Fuzz #3733</a>
Credit to OSS Fuzz</p></li>
</ul>
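<p>The <code class="xref c c-func docutils literal notranslate"><span class="pre">TIFFReadDirEntryArray()</span></code> short-file protection above is an instance of a general rule: a count that comes from the file must be bounded by the file before it is turned into an allocation. The following is an added example written for this page, not libtiff code; the function and status names are hypothetical stand-ins, and it assumes the file size is known up front (as it is in the mmap’ed case, or through a 64-bit file-size query in the non-mmap’ed case, which is why the entry restricts that case to 64-bit builds).</p>

```c
/*
 * Added example, not libtiff code: guard a directory-entry array allocation
 * by what the file can actually contain before calling malloc(), the pattern
 * behind the TIFFReadDirEntryArray() short-file protection. All names here
 * are hypothetical stand-ins; file_size is assumed known (as it is in the
 * mmap'ed case, or via a 64-bit file-size query in the non-mmap'ed case).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum dir_entry_status {
    DE_OK = 0,
    DE_COUNT_OVERFLOW,  /* count * elem_size would wrap */
    DE_BEYOND_EOF,      /* array would extend past the end of the file */
    DE_ALLOC_FAILED     /* malloc() refused a size that passed the checks */
};

/*
 * Decide whether `count` values of `elem_size` bytes starting at byte
 * `offset` can lie inside a file of `file_size` bytes. On success stores the
 * byte length in *out_len. Nothing is allocated, so a hostile count in a
 * truncated file costs no memory at all.
 */
enum dir_entry_status check_entry_array(uint64_t file_size, uint64_t offset,
                                        uint64_t count, uint32_t elem_size,
                                        uint64_t *out_len)
{
    if (elem_size == 0 || count > UINT64_MAX / elem_size)
        return DE_COUNT_OVERFLOW;
    uint64_t len = count * elem_size;
    /* Written as a subtraction so that offset + len cannot wrap either. */
    if (offset > file_size || len > file_size - offset)
        return DE_BEYOND_EOF;
    *out_len = len;
    return DE_OK;
}

/* Allocate only after the check passes; NULL on any rejection, with *st set. */
void *alloc_entry_array(uint64_t file_size, uint64_t offset, uint64_t count,
                        uint32_t elem_size, enum dir_entry_status *st)
{
    uint64_t len = 0;
    *st = check_entry_array(file_size, offset, count, elem_size, &len);
    if (*st != DE_OK)
        return NULL;
    if (len > (uint64_t)SIZE_MAX) {     /* only reachable on 32-bit hosts */
        *st = DE_ALLOC_FAILED;
        return NULL;
    }
    void *p = malloc(len ? (size_t)len : 1);
    if (p == NULL)
        *st = DE_ALLOC_FAILED;
    return p;
}

int main(void)
{
    enum dir_entry_status st;
    /* Constructed scenario: a 512-byte file whose directory entry claims
     * 0xFFFFFFFF eight-byte values at offset 8 (about 32 GiB). */
    void *p = alloc_entry_array(512, 8, 0xFFFFFFFFu, 8, &st);
    printf("hostile count: %s\n", p ? "allocated (bad)" : "rejected");
    free(p);
    p = alloc_entry_array(512, 8, 4, 8, &st);
    printf("sane count: %s\n", p ? "allocated 32 bytes" : "rejected");
    free(p);
    return 0;
}
```

<p>The two checks are deliberately ordered: the multiplication guard runs first so that <code class="docutils literal notranslate"><span class="pre">len</span></code> is trustworthy, and the end-of-file check is written as a subtraction from <code class="docutils literal notranslate"><span class="pre">file_size</span></code> rather than an addition to <code class="docutils literal notranslate"><span class="pre">offset</span></code>, which is the usual way a bounds check itself wraps around.</p>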
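<p>The <code class="xref c c-func docutils literal notranslate"><span class="pre">SeekOK()</span></code> change above fixes a sentinel collision: the seek routine reports failure as <code class="docutils literal notranslate"><span class="pre">-1</span></code>, which as an unsigned 64-bit value is exactly <code class="xref c c-macro docutils literal notranslate"><span class="pre">UINT64_MAX</span></code>, so a request to seek to that offset compares equal to its own error return. The following is an added example written for this page, not libtiff code: <code class="docutils literal notranslate"><span class="pre">seek_ok_unchecked()</span></code> mirrors the old macro and <code class="docutils literal notranslate"><span class="pre">seek_ok_checked()</span></code> the fixed behaviour; the names are hypothetical, the scratch-file helper is only there to drive a real <code class="docutils literal notranslate"><span class="pre">lseek()</span></code>, and a 64-bit <code class="docutils literal notranslate"><span class="pre">off_t</span></code> on a Unix-like host is assumed.</p>

```c
/*
 * Added example, not libtiff code: why SeekOK() must refuse offsets above
 * INT64_MAX. The unix seek proc returns (uint64)lseek(...), so lseek()'s
 * -1 error becomes UINT64_MAX, and a request to seek to UINT64_MAX then
 * "matches" its own error return. seek_ok_unchecked() mirrors the old macro,
 * seek_ok_checked() the fixed behaviour; all names are hypothetical and a
 * 64-bit off_t on a Unix-like host is assumed.
 */
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>

/* Stand-in for TIFFSeekFile(): the -1 error return collapses to UINT64_MAX. */
static uint64_t raw_seek(int fd, uint64_t off)
{
    return (uint64_t)lseek(fd, (off_t)off, SEEK_SET);
}

/* Old behaviour: "success" means the returned position equals the request,
 * which is also true when the request is UINT64_MAX and lseek() failed. */
int seek_ok_unchecked(int fd, uint64_t off)
{
    return raw_seek(fd, off) == off;
}

/* Fixed behaviour: anything not representable as a non-negative off_t is
 * refused before the system call, so -1 can no longer masquerade as success. */
int seek_ok_checked(int fd, uint64_t off)
{
    if (off > (uint64_t)INT64_MAX)
        return 0;
    return raw_seek(fd, off) == off;
}

/* Scratch regular file for the demonstration, unlinked as soon as it is
 * open. Real code should use mkstemp(); a fixed name is used only to keep
 * the example short. Returns a file descriptor or -1. */
int open_scratch_file(void)
{
    const char *path = "/tmp/seek_ok_demo.tmp";
    unlink(path);
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0)
        unlink(path);
    return fd;
}

int main(void)
{
    int fd = open_scratch_file();
    if (fd < 0) {
        perror("open");
        return 1;
    }
    printf("seek to 1024:       checked=%d\n", seek_ok_checked(fd, 1024));
    printf("seek to UINT64_MAX: unchecked=%d (the bug)  checked=%d\n",
           seek_ok_unchecked(fd, UINT64_MAX), seek_ok_checked(fd, UINT64_MAX));
    close(fd);
    return 0;
}
```

<p>The general lesson is that an in-band error value must be excluded from the set of legitimate inputs before the comparison, not after; here every offset above <code class="xref c c-macro docutils literal notranslate"><span class="pre">INT64_MAX</span></code> is unrepresentable as an <code class="docutils literal notranslate"><span class="pre">off_t</span></code> anyway, so nothing valid is lost by refusing it.</p>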
</section>
<section id="tools-changes">
<h2>Tools changes<a class="headerlink" href="#tools-changes" title="Permalink to this heading">¶</a></h2>
<ul class="simple">
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/tiff2pdf.c</span></code>: prevent heap buffer overflow write in “Raw”
mode on <code class="docutils literal notranslate"><span class="pre">PlanarConfig=Contig</span></code> input images.
Fixes <a class="reference external" href="http://bugzilla.maptools.org/show_bug.cgi?id=2715">MapTools bugzilla #2715</a>
Reported by team OWL337</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/tiffset.c</span></code>: fix setting a single value for the <code class="docutils literal notranslate"><span class="pre">ExtraSamples</span></code> tag
(and other tags with a variable number of values),
e.g. <code class="docutils literal notranslate"><span class="pre">tiffset</span> <span class="pre">-s</span> <span class="pre">ExtraSamples</span> <span class="pre">1</span> <span class="pre">X</span></code>. Previously this only worked
when setting 2 or more values, not just one.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/fax2tiff.c</span></code> (<code class="docutils literal notranslate"><span class="pre">_FAX_Client_Data</span></code>): pass <code class="docutils literal notranslate"><span class="pre">FAX_Client_Data</span></code> as the
client data. This client data is not used at all at the moment,
but it makes the most sense. The issue, that the value of
<code class="docutils literal notranslate"><span class="pre">client_data.fd</span></code> was passed where a pointer is expected, was reported
via email by Gerald Schade on Sun, 29 Oct 2017.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/tiff2pdf.c</span></code> (<code class="docutils literal notranslate"><span class="pre">t2p_sample_realize_palette</span></code>): Fix possible
arithmetic overflow in bounds checking code and eliminate
comparison between signed and unsigned type.</p></li>
<li><p><code class="file docutils literal notranslate"><span class="pre">tools/tiff2bw.c</span></code> (<code class="xref c c-func docutils literal notranslate"><span class="pre">main()</span></code>): Free memory allocated in the <strong class="program">tiff2bw</strong>
program. This is in response to the report associated with
<a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232">CVE-2017-16232</a> but does not solve the extremely high memory usage
with the associated POC file.</p></li>
</ul>
</section>
<section id="contributed-software-changes">
<h2>Contributed software changes<a class="headerlink" href="#contributed-software-changes" title="Permalink to this heading">¶</a></h2>
<p>None</p>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer" role="contentinfo">
© Copyright 1988-2022, LibTIFF contributors.
Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 7.0.1.
</div>
</body>
</html>