Changelog
tiff (4.1.0+git201212-1) unstable; urgency=high
* Git snapshot, fixing the following security issues:
- TIFFSetupStrips: enforce 2GB limitation of
Strip/Tile Offsets/ByteCounts arrays,
- tiff2ps: fix heap buffer read overflow in PSDataColorContig() ,
- tiff2pdf: palette bound check in t2p_sample_realize_palette() ,
- tiffcrop: fix asan runtime error caused by integer promotion,
- raw2tiff: avoid divide by zero,
- tif_fax3.c: check buffer overflow in Fax4Decode() ,
- tif_fax3: better fix for CVE-2011-0192,
- TIFFReadCustomDirectory(): fix potential heap buffer overflow when
reading a custom directory, after a regular directory where a codec was
active,
- tif_fax3.h: check for buffer overflow in EXPAND2D before "calling"
CLEANUP_RUNS() ,
- contrib/win_dib/tiff2dib: fix uninitialized variable: lpBits,
- Fax3SetupState(): check consistency of rowbytes and rowpixels,
potential heap overflow in tiff2pdf,
- tiff2pdf: avoid divide by zero, use-after-free in t2p_writeproc()
function,
- tiffcp/tiff2pdf/tiff2ps: enforce maximum malloc size,
- tif_fax3: more buffer overflow checks in Fax3Decode2D() ,
- tiffset: check memory allocation, use of allocated memory without null
pointer check,
- tiffdump: avoid unaligned memory access,
- tiff2pdf: normalizePoint() macro to normalize the white point, avoid
divide by zero,
- tif_fax3: quit Fax3Decode2D() when a buffer overflow occurs,
- tiffcrop: enforce memory allocation limit,
- tiffinfo: fix dump of Tiled images, heap out of bounds read in
TIFFReadRawData() ,
- Fax3PreDecode(): reset curruns and refruns state variables,
heap-buffer-overflow in Fax3Decode2D() ,
- tif_fax3.h: extra buffer overflow checks, heap-buffer-overflow in
Fax3Decode2D() ,
- TIFFStartStrip(): avoid potential crash in WebP codec when using
scanline access on corrupted files,
- gtTileContig(): check Tile width for overflow,
- avoid buffer overflow while writing jpeg end of file marker,
- tiff2ps.c: fix buffer overread, heap-buffer-overflow in PSDataBW() ,
- fix potential overflow in gtStripContig() ,
- more overflow fixes for large width,
- enforce (configurable) memory limit in tiff2rgba,
- tiff2pdf: enforce memory limit for tiled pictures,
- tiffcrop: fix buffer overrun in extractContigSamples24bits() .
* Build with libdeflate support.
* Update libtiff5 symbols.
* Update debhelper level to 13 .
* Update Standards-Version to 4.5.1 .
-- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 13 Dec 2020 07:52:33 +0100