Changelog
tiff (4.0.7-2) unstable; urgency=high
* Backport security fixes:
- fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
division by zero,
- avoid uint32 underflow in cpDecodedStrips that can cause various
issues, such as buffer overflows in the library,
- fix heap-based buffer overflow on generation of PixarLog / LUV
compressed files, with ColorMap, TransferFunction attached and nasty
plays with bitspersample,
- fix ChopUpSingleUncompressedStrip() in reading outside of the
StripByCounts/StripOffsets arrays when using TIFFReadScanline()
(closes: #846837),
- make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
avoid a divide by zero, and potential other issues,
- fix readContigStripsIntoBuffer() in -i (ignore) mode so that the
output buffer is correctly incremented to avoid write outside bounds,
- add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
buffer,
- fix integer division by zero when BitsPerSample is missing
(closes: #846838),
- fix null pointer dereference in -r mode when the image has no
StripByteCount tag,
- avoid potential division by zero if BitsPerSamples tag is missing,
- limit the return number of inks to SamplesPerPixel in
TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
names doesn't go past the end of the buffer,
- avoid another potential division by zero if BitsPerSamples tag is
missing,
- fix uint32 underflow/overflow that can cause heap-based buffer overflow,
- replace assert( (bps % 8) == 0 ) by a non assert check.
* Remove thumbnail and rgb2ycbcr documentations, these tools no longer
present.
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 04 Dec 2016 12:24:44 +0000