We don't want it to randomly pick up system libwebp on Linux.
If there is a use case for webp compression here it should use the
pkgsrc library.
Reported-by: "Dr. Thomas Orgis" <thomas.orgis@uni-hamburg.de>
Upstream changes are basically minor improvements and bugfixes.
Specifically upstream states that there are no ABI changes.
Multiple security bugs are fixed due to fuzzing; patches are dropped
because they were backported from upstream.
It has been a year since the previous release. This is the first
release made from the Git repository at
https://gitlab.com/libtiff/libtiff using a collaborative process.
Since the previous release, a number of security issues have been
fixed, and some significant new features have been added.
This release adds support for Zstd and WebP compression algorithms.
In their own way, each of these compression algorithms is highly
complimentary to TIFF.
Zstd provides improved compression and decompression speed vs zlib's
Deflate as well as a broader range of compression ratios. Zstd is
developed by Facebook and the implementation continues to be improved.
WebP is optimized for small/medium 8-bit images while offering
improved compression performance vs traditional JPEG. WebP works well
in strips or tiles to compress large images down to very small files,
while preserving a good looking image. WebP is developed by Google,
and its implementation continues to be improved.
Due to Adobe's TIFF tag registration interface going off-line, we have
had to assign our own tags for Zstd and WebP.
From 681748ec2f5ce88da5f9fa6831e1653e46af8a66 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH 1/1] JBIG: fix potential out-of-bounds write in JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.
Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
The last part (CHUNKY_STRIP_READ_SUPPORT) was adapted by myself to fit
the libtiff release.
Bump PKGREVISION.
Pkgsrc changes:
* Adapt PLIST, remove patches for now-integrated bugfixes.
Upstream changes:
* Many changes related to security & stability.
See the source's ChangeLog for the details.
Pkgsrc changes:
* Adapt PLIST, remove patches for now-integrated bugfixes.
As the release announcement says:
All of the changes are bug and security fixes.
Upstream changes:
CHANGES IN LIBTIFF:
* libtiff/tif_getimage.c, libtiff/tif_open.c: add parenthesis to
fix cppcheck clarifyCalculation warnings * libtiff/tif_predict.c,
libtiff/tif_print.c: fix printf unsigned vs signed formatting
(cppcheck invalidPrintfArgType_uint warnings)
* libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in
TIFFReadEncodedStrip() that caused an integer division by zero.
Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2596
* libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer
overflow on generation of PixarLog / LUV compressed files, with
ColorMap, TransferFunction attached and nasty plays with
bitspersample. The fix for LUV has not been tested, but suffers
from the same kind of issue of PixarLog. Reported by Agostino
Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604
* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips()
done for http://bugzilla.maptools.org/show_bug.cgi?id=2587 /
CVE-2016-9273 since the above change is a better fix that makes
it unnecessary.
* libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip()
to instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength,
rowsperstrip), instead of a logic based on the total size of
data. Which is faulty is the total size of data is not sufficient
to fill the whole image, and thus results in reading outside of
the StripByCounts/StripOffsets arrays when using TIFFReadScanline().
Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2608.
* libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of
failure in OJPEGPreDecode(). This will avoid a divide by zero,
and potential other issues. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2611
* libtiff/tif_write.c: fix misleading indentation as warned by GCC.
* libtiff/tif_fax3.h: revert change done on 2016-01-09 that made
Param member of TIFFFaxTabEnt structure a uint16 to reduce size
of the binary. It happens that the Hylafax software uses the
tables that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable,
TIFFFaxBlackTable), although they are not in a public libtiff
header. Raised by Lee Howard. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2636
* libtiff/tiffio.h, libtiff/tif_getimage.c: add TIFFReadRGBAStripExt()
and TIFFReadRGBATileExt() variants of the functions without ext,
with an extra argument to control the stop_on_error behaviour.
* libtiff/tif_getimage.c: fix potential memory leaks in error code
path of TIFFRGBAImageBegin(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2627
* libtiff/tif_jpeg.c: increase libjpeg max memory usable to 10 MB
instead of libjpeg 1MB default. This helps when creating files
with "big" tile, without using libjpeg temporary files. Related
to https://trac.osgeo.org/gdal/ticket/6757
* libtiff/tif_jpeg.c: avoid integer division by zero in
JPEGSetupEncode() when horizontal or vertical sampling is set
to 0. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2653
* libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedRational,
replace assertion by runtime check to error out if passed value
is strictly negative. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2535
* libtiff/tif_dirread.c: avoid division by floating point 0 in
TIFFReadDirEntryCheckedRational() and
TIFFReadDirEntryCheckedSrational(), and return 0 in that case
(instead of infinity as before presumably) Apparently some
sanitizers do not like those divisions by zero. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2644
* libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
various clampings of double to other data types to avoid undefined
behaviour if the output range isn't big enough to hold the input
value. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643http://bugzilla.maptools.org/show_bug.cgi?id=2642http://bugzilla.maptools.org/show_bug.cgi?id=2646http://bugzilla.maptools.org/show_bug.cgi?id=2647
* libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode()
to avoid undefined behaviour caused by invalid shift exponent.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
* libtiff/tif_read.c: avoid potential undefined behaviour on signed
integer addition in TIFFReadRawStrip1() in isMapped() case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650
* libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile
to avoid UndefinedBehaviorSanitizer warning. Patch by Nicolás
Peña. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658
* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to
zero initialize tif_rawdata. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2651
* libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()
* libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in Encode
functions instead of -1 when TIFFFlushData1() fails. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2130
* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesQTable,
OJPEGReadHeaderInfoSecTablesDcTable and
OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by
Nicolás Peña. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
* libtiff/tif_jpeg.c: only run JPEGFixupTagsSubsampling() if the
YCbCrSubsampling tag is not explicitly present. This helps a
bit to reduce the I/O amount when the tag is present (especially
on cloud hosted files).
* libtiff/tif_lzw.c: in LZWPostEncode(), increase, if necessary,
the code bit-width after flushing the remaining code and before
emitting the EOI code. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=1982
* libtiff/tif_pixarlog.c: fix memory leak in error code path of
PixarLogSetupDecode(). Patch by Nicolás Peña. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2665
* libtiff/tif_fax3.c, tif_predict.c, tif_getimage.c: fix GCC 7
-Wimplicit-fallthrough warnings.
* libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
mode (ie default) when there is both a StripOffsets and TileOffsets
tag, or a StripByteCounts and TileByteCounts Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2689
* libtiff/tif_ojpeg.c: fix potential memory leak in
OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable
and OJPEGReadHeaderInfoSecTablesAcTable Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2670
* libtiff/tif_fax3.c: avoid crash in Fax3Close() on empty file.
Patch by Alan Coopersmith + complement by myself. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2673
* libtiff/tif_read.c: TIFFFillStrip(): add limitation to the number
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation.
* libtiff/tif_zip.c, tif_pixarlog.c, tif_predict.c: fix memory
leak when the underlying codec (ZIP, PixarLog) succeeds its
setupdecode() method, but PredictorSetup fails. Credit to OSS-Fuzz
(locally run, on GDAL)
* libtiff/tif_read.c: TIFFFillStrip() and TIFFFillTile(): avoid
excessive memory allocation in case of shorten files. Only
effective on 64 bit builds and non-mapped cases. Credit to
OSS-Fuzz (locally run, on GDAL)
* libtiff/tif_read.c: TIFFFillStripPartial() / TIFFSeek(), avoid
potential integer overflows with read_ahead in CHUNKY_STRIP_READ_SUPPORT
mode. Should especially occur on 32 bit platforms.
* libtiff/tif_read.c: TIFFFillStripPartial(): avoid excessive
memory allocation in case of shorten files. Only effective on
64 bit builds. Credit to OSS-Fuzz (locally run, on GDAL)
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT
mode with tif_rawdataloaded when calling TIFFStartStrip() or
TIFFFillStripPartial(). This avoids reading beyond tif_rawdata
when bytecount > tif_rawdatasize. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1545.
Credit to OSS-Fuzz
* libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit() Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533 Credit
to OSS-Fuzz
* libtiff/tif_pixarlog.c, tif_luv.c: avoid potential int32 overflows
in multiply_ms() and add_ms(). Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1558 Credit
to OSS-Fuzz
* libtiff/tif_packbits.c: fix out-of-buffer read in PackBitsDecode()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1563
Credit to OSS-Fuzz
* libtiff/tif_luv.c: LogL16InitState(): avoid excessive memory
allocation when RowsPerStrip tag is missing. Credit to OSS-Fuzz
(locally run, on GDAL)
* libtiff/tif_lzw.c: update dec_bitsleft at beginning of LZWDecode(),
and update tif_rawcc at end of LZWDecode(). This is needed to
properly work with the latest chnges in tif_read.c in
CHUNKY_STRIP_READ_SUPPORT mode.
* libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
next_in and tif_rawcc with avail_in at beginning and end of
function, similarly to what is done in LZWDecode(). Likely needed
so that it works properly with latest chnges in tif_read.c in
CHUNKY_STRIP_READ_SUPPORT mode. But untested...
* libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation
of luma and refBlackWhite coefficients (just check they are not
NaN for now), to avoid potential float to int overflows. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 Credit
to OSS Fuzz
* libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of
double to float. Credit to Google Autofuzz project
* libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is
not zero to avoid division by zero. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 Credit
to OSS Fuzz
* libtiff/tif_read.c: _TIFFVSetField(): fix outside range cast of
double to float. Credit to Google Autofuzz project
* libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is
not zero to avoid division by zero. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1665 Credit
to OSS Fuzz
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation
for refBlackWhite coefficients values. To avoid invalid float->int32
conversion. Fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 Credit
to OSS Fuzz
CHANGES IN THE TOOLS:
* tools/fax2tiff.c (main): Applied patch by Jörg Ahrens to fix
passing client data for Win32 builds using tif_win32.c
(USE_WIN32_FILEIO defined) for file I/O. Patch was provided via
email on November 20, 2016.
* tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that
can cause various issues, such as buffer overflows in the library.
Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2598
* tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore)
mode so that the output buffer is correctly incremented to avoid
write outside bounds. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2620
* tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in
readSeparateStripsIntoBuffer() to avoid read outside of heap
allocated buffer. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2621
* tools/tiffcrop.c: fix integer division by zero when BitsPerSample
is missing. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2619
* tools/tiffinfo.c: fix null pointer dereference in -r mode when
the image has no StripByteCount tag. Reported by Agostino Sarubbo.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
tag is missing. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2597
* tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is
called, limit the return number of inks to SamplesPerPixel, so
that code that parses ink names doesn't go past the end of the
buffer. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2599
* tools/tiffcp.c: avoid potential division by zero is BitsPerSamples
tag is missing. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2607
* tools/tiffcp.c: fix uint32 underflow/overflow that can cause
heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2610
* tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert
check. Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2605
* tools/tiff2ps.c: fix 2 heap-based buffer overflows (in PSDataBW
and PSDataColorContig). Reported by Agostino Sarubbo. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
http://bugzilla.maptools.org/show_bug.cgi?id=2634.
* tools/tiff2pdf.c: prevent heap-based buffer overflow in -j mode
on a paletted image. Note: this fix errors out before the overflow
happens. There could probably be a better fix. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2635
* tools/tiff2pdf.c: fix wrong usage of memcpy() that can trigger
unspecified behaviour. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2638
* tools/tiff2pdf.c: avoid potential invalid memory read in
t2p_writeproc. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
* tools/tiff2pdf.c: avoid potential heap-based overflow in
t2p_readwrite_pdf_image_tile(). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2640
* tools/tiffcrop.c: remove extraneous TIFFClose() in error code
path, that caused double free. Related to
http://bugzilla.maptools.org/show_bug.cgi?id=2535
* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656
and http://bugzilla.maptools.org/show_bug.cgi?id=2657
* tools/raw2tiff.c: avoid integer division by zero. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2631
* tools/tiff2ps.c: call TIFFClose() in error code paths.
* tools/fax2tiff.c: emit appropriate message if the input file is
empty. Patch by Alan Coopersmith. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2672
* tools/tiff2bw.c: close TIFF handle in error code path. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2677
MAJOR CHANGES:
• The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr
are completely removed from the distribution. These tools were written in
the late 1980s and early 1990s for test and demonstration purposes. In some
cases the tools were never updated to support updates to the file format,
or the file formats are now rarely used. In all cases these tools increased
the libtiff security and maintenance exposure beyond the value offered by
the tool.
CHANGES IN LIBTIFF:
• libtiff/tif_dirread.c: in TIFFFetchNormalTag(), do not dereference NULL
pointer when values of tags with TIFF_SETGET_C16_ASCII /
TIFF_SETGET_C32_ASCII access are 0-byte arrays. Fixes http://
bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced by
previous fix done on 2016-11-11 for CVE-2016-9297). Reported by Henri Salo.
Assigned as CVE-2016-9448
• libtiff/tif_aux.c: fix crash in TIFFVGetFieldDefaulted() when requesting
Predictor tag and that the zip/lzw codec is not configured. Fixes http://
bugzilla.maptools.org/show_bug.cgi?id=2591
• libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of
tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null
terminated, to avoid potential read outside buffer in _TIFFPrintField().
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
• libtiff/tif_dirread.c: reject images with OJPEG compression that have no
TileOffsets/StripOffsets tag, when OJPEG compression is disabled. Prevent
null pointer dereference in TIFFReadRawStrip1() and other functions that
expect td_stripbytecount to be non NULL. Fixes http://bugzilla.maptools.org
/show_bug.cgi?id=2585
• libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
value when it is non-zero, instead of recomputing it. This is needed in
TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
array in tiffsplit (or other utilities using TIFFNumberOfStrips()). Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2587 (CVE-2016-9273)
• libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime
checks to avoid assertions in debug mode, or buffer overflows in release
mode. Can happen when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105 by Axel Souchet & Vishal Chauhan from
the MSRC Vulnerabilities & Mitigations
• libtiff/tif_dir.c: discard values of SMinSampleValue and SMaxSampleValue
when they have been read and the value of SamplesPerPixel is changed
afterwards (like when reading a OJPEG compressed image with a missing
SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing
SamplesPerPixel being 3). Otherwise when rewriting the directory (for
example with tiffset, we will expect 3 values whereas the array had been
allocated with just one), thus causing a out of bound read access. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127,
duplicate: CVE-2016-3658)
• libtiff/tif_dirwrite.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set for a
hack case in OJPEG case. Fixes http://bugzilla.maptools.org/show_bug.cgi?id
=2500 (CVE-2014-8127, duplicate: CVE-2016-3658)
• libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to read floating
point images.
• libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3). Fixes CVE-2016-3622 "Divide
By Zero in the tiff2rgba tool."
• libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
• libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure
if that could happen in practice outside of the odd behaviour of
t2p_seekproc() of tiff2pdf). The report points that a better fix could be
to check the return value of TIFFFlushData1() in places where it isn't done
currently, but it seems this patch is enough. Reported as MSVR 35095.
Discovered by Axel Souchet & Vishal Chauhan & Suha Can from the MSRC
Vulnerabilities & Mitigations team.
• libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode if more
input samples are provided than expected by PixarLogSetupEncode. Idea based
on libtiff-CVE-2016-3990.patch from libtiff-4.0.3-25.el7_2.src.rpm by
Nikola Forro, but with different and simpler check. (bugzilla #2544)
• libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
tmsize_t max value (reported by Mathias Svensson)
• libtiff/tif_read.c: make TIFFReadEncodedStrip() and TIFFReadEncodedTile()
directly use user provided buffer when no compression (and other
conditions) to save a memcpy()
• libtiff/tif_write.c: make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile
() directly use user provided buffer when no compression to save a memcpy
().
• libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid potential
invalid memory write on corrupted/unexpected images when using the
TIFFRGBAImageBegin() interface (reported by Clay Wood)
• libtiff/tif_pixarlog.c: fix potential buffer write overrun in
PixarLogDecode() on corrupted/unexpected images (reported by Mathias
Svensson) (CVE-2016-5875)
• libtiff/libtiff.def: Added _TIFFMultiply32 and _TIFFMultiply64 to
libtiff.def
• libtiff/tif_config.vc.h (HAVE_SNPRINTF): Add a '1' to the HAVE_SNPRINTF
definition.
• libtiff/tif_config.vc.h (HAVE_SNPRINTF): Applied patch by Edward Lam to
define HAVE_SNPRINTF for Visual Studio 2015.
• libtiff/tif_dirread.c: when compiled with DEFER_STRILE_LOAD, fix
regression, introduced on 2014-12-23, when reading a one-strip file without
a StripByteCounts tag. GDAL #6490
• libtiff/*: upstream typo fixes (mostly contributed by Kurt Schwehr) coming
from GDAL internal libtiff
• libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure a uint16
to reduce size of the binary.
• libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised by GCC 6
-Wmisleading-indentation
• libtiff/tif_pixarlog.c: avoid zlib error messages to pass a NULL string to
%s formatter, which is undefined behaviour in sprintf().
• libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif (bugzilla #
2508)
• libtiff/tif_luv.c: fix potential out-of-bound writes in decode functions in
non debug builds by replacing assert()s by regular if checks (bugzilla #
2522). Fix potential out-of-bound reads in case of short input data.
• libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage interface
in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV /
CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix
CVE-2015-8665 reported by limingxing and CVE-2015-8683 reported by zzf of
Alibaba.
• libtiff/tif_dirread.c: workaround false positive warning of Clang Static
Analyzer about null pointer dereference in TIFFCheckDirOffset().
• libtiff/tif_fax3.c: remove dead assignment in Fax3PutEOLgdal(). Found by
Clang Static Analyzer
• libtiff/tif_dirwrite.c: fix truncation to 32 bit of file offsets in
TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory
offsets on a even offset (affects BigTIFF). This was a regression of the
changeset of 2015-10-19.
• libtiff/tif_write.c: TIFFWriteEncodedStrip() and TIFFWriteEncodedTile()
should return -1 in case of failure of tif_encodestrip() as documented
• libtiff/tif_dumpmode.c: DumpModeEncode() should return 0 in case of failure
so that the above mentionned functions detect the error.
• libtiff/*.c: fix MSVC warnings related to cast shortening and assignment
within conditional expression
• libtiff/*.c: fix clang -Wshorten-64-to-32 warnings
• libtiff/tif_dirread.c: prevent reading ColorMap or TransferFunction if
BitsPerPixel > 24, so as to avoid huge memory allocation and file read
attempts
• libtiff/tif_dirread.c: remove duplicated assignment (reported by Clang
static analyzer)
• libtiff/tif_dir.c, libtiff/tif_dirinfo.c, libtiff/tif_compress.c, libtiff/
tif_jpeg_12.c: suppress warnings about 'no previous declaration/prototype'
• libtiff/tiffiop.h, libtiff/tif_dirwrite.c: suffix constants by U to fix
'warning: negative integer implicitly converted to unsigned type' warning
(part of -Wconversion)
• libtiff/tif_dir.c, libtiff/tif_dirread.c, libtiff/tif_getimage.c, libtiff/
tif_print.c: fix -Wshadow warnings (only in libtiff/)
CHANGES IN THE TOOLS:
• tools/Makefile.am: The libtiff tools bmp2tiff, gif2tiff, ras2tiff,
sgi2tiff, sgisv, and ycbcr are completely removed from the distribution.
The libtiff tools rgb2ycbcr and thumbnail are only built in the build tree
for testing. Old files are put in new 'archive' subdirectory of the source
repository, but not in distribution archives. These changes are made in
order to lessen the maintenance burden.
• tools/tiff2pdf.c: avoid undefined behaviour related to overlapping of
source and destination buffer in memcpy() call in t2p_sample_rgbaa_to_rgb()
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2577
• tools/tiff2pdf.c: fix potential integer overflows on 32 bit builds in
t2p_read_tiff_size() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=
2576
• tools/fax2tiff.c: fix segfault when specifying -r without argument. Patch
by Yuriy M. Kaminskiy. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=
2572
• tools/tiffinfo.c: fix out-of-bound read on some tiled images. (http://
bugzilla.maptools.org/show_bug.cgi?id=2517)
• tools/tiffcrop.c: fix multiple uint32 overflows in
writeBufferToSeparateStrips(), writeBufferToContigTiles() and
writeBufferToSeparateTiles() that could cause heap buffer overflows.
Reported by Henri Salo from Nixu Corporation. Fixes http://
bugzilla.maptools.org/show_bug.cgi?id=2592
• tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet &
Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on JPEG compressed
images. Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 /
CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the
file stream.
• tools/tiffcp.c: fix out-of-bounds write on tiled images with odd tile width
vs image width. Reported as MSVR 35103 by Axel Souchet and Vishal Chauhan
from the MSRC Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix read -largely- outsize of buffer in
t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG
compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR
35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
Mitigations team.
• tools/tiffcp.c: fix read of undefined variable in case of missing required
tags. Found on test case of MSVR 35100.
• tools/tiffcrop.c: fix read of undefined buffer in
readContigStripsIntoBuffer() due to uint16 overflow. Probably not a
security issue but I can be wrong. Reported as MSVR 35100 by Axel Souchet
from the MSRC Vulnerabilities & Mitigations team.
• tools/tiffcrop.c: fix various out-of-bounds write vulnerabilities in heap
or stack allocated buffers. Reported as MSVR 35093, MSVR 35096 and MSVR
35097. Discovered by Axel Souchet and Vishal Chauhan from the MSRC
Vulnerabilities & Mitigations team.
• tools/tiff2pdf.c: fix out-of-bounds write vulnerabilities in heap allocate
buffer in t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by
Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations
team.
• tools/tiff2bw.c: fix weight computation that could result of color value
overflow (no security implication). Fix bugzilla #2550. Patch by Frank
Freudenberg.
• tools/rgb2ycbcr.c: validate values of -v and -h parameters to avoid
potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
• tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From patch
libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by Nikola
Forro (bugzilla #2543)
• tools/tiff2rgba.c: Fix integer overflow in size of allocated buffer, when
-b mode is enabled, that could result in out-of-bounds write. Based
initially on patch tiff-CVE-2016-3945.patch from
libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
tests that rejected valid files. (bugzilla #2545)
• tools/tiffcrop.c: Avoid access outside of stack allocated array on a tiled
separate TIFF with more than 8 samples per pixel. Reported by Kaixiang
Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321 / CVE-2016-5323
, bugzilla #2558 / #2559)
• tools/tiffdump.c: fix a few misaligned 64-bit reads warned by -fsanitize
• tools/tiffdump.c (ReadDirectory): Remove uint32 cast to _TIFFmalloc()
argument which resulted in Coverity report. Added more mutiplication
overflow checks.
Problems found with existing digests:
Package fotoxx distfile fotoxx-14.03.1.tar.gz
ac2033f87de2c23941261f7c50160cddf872c110 [recorded]
118e98a8cc0414676b3c4d37b8df407c28a1407c [calculated]
Package ploticus-examples distfile ploticus-2.00/plnode200.tar.gz
34274a03d0c41fae5690633663e3d4114b9d7a6d [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package AfterShotPro: missing distfile AfterShotPro-1.1.0.30/AfterShotPro_i386.deb
Package pgraf: missing distfile pgraf-20010131.tar.gz
Package qvplay: missing distfile qvplay-0.95.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
MAJOR CHANGES:
Now builds with CMake 2.8.9 and newer (previously required
3.0.0)
CHANGES IN THE SOFTWARE CONFIGURATION:
CMakeLists.txt / CMake
Supports CMake 2.8.9 and later.
Add missing file which wasn't being distributed, causing
unit tests to fail.
Make shared/static library building configurable.
CMake reads all version information directly from configure.ac
to avoid duplication of values.
CMake builds are now included in 'distcheck' target.
Makefile.am
Autotools 'make distcheck' now tests the CMake-based build
if CMake is available.
CHANGES IN LIBTIFF:
Fixes to avoid undefined behaviour of signed types (C standard
compliance).
Fixes to avoid possible isses when casting to unsigned char.
Fixes to avoid undefined behaviour with shifts.
Fix generation of output with 16 bit or 32 bit integer, when
byte swapping is needed, in horizontal predictor (#2521).
Fix decoding when there is a single pixel to decode (unlikely
case...) and byte swapping is involved.
Add add explicit masking with 0xff before casting to uchar in
floating-point horizontal differencing and accumulation routines.
Eliminate requirement for and use of 64-bit constant values.
CHANGES IN THE TOOLS:
tiffgt
Silence glut API deprecation warnings on MacOS X.
fax2ps
Detect failure to write to temporary file.
Changelog:
2015-06-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff 4.0.4 released.
* configure.ac: Add a HAVE_FOO Automake conditional for each
add-on library.
* test/Makefile.am (JPEG_DEPENDENT_CHECK_PROG): raw_decode
requires JPEG support to compile. Use Automake conditional to
only include it when JPEG support is available.
* html/build.html: Try to improve the nmake-based VC++ build
description.
* libtiff/tiffconf.vc.h: Build fixes based on testing.
* libtiff/tif_config.vc.h: Build fixes based on testing.
* libtiff/libtiff.def: TIFFRasterScanline does not exist so remove
export for it.
2015-06-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_config.vc.h: Make adjustments to match the new
definitions that configure produces, including for WIN64. Still
needs to be tested.
* configure.ac: For 64-bit MinGW, fix SSIZE_FORMAT formatting
specifier. 64-bit MinGW supports 'long long' but support for
'lld' is not assured by the run-time DLLs and so GCC warns.
Add TIFF_SIZE_T and TIFF_SIZE_FORMAT to provide a type definition
and printf format specifier to deal with printing values of
'size_t' type. In particular, this was necessary for WIN64.
Added a configure test for if the system headers provide 'optarg'
(normal case) and block out the many explicit 'extern' statements
in the utilities. This was found to be necessary under Windows
when getopt is in a DLL and the symbols are already imported with
dllimport via standard header files.
* test/raw_decode.c (XMD_H): Avoid conflicting typedefs for INT32
and boolean in MinGW build due to including jpeglib.h.
* test/rewrite_tag.c (main): Fix problem with location of variable
declaration.
* libtiff/libtiff.def: Added exports for TIFFGetConfiguredCODECs,
TIFFReadRGBAImageOriented, TIFFSetCompressionScheme,
TIFFSwabArrayOfTriples, TIFFVGetFieldDefaulted, _TIFFCheckRealloc,
TIFFRasterScanline, TIFFSetErrorHandlerExt,
TIFFSetWarningHandlerExt, TIFFNumberOfDirectories,
TIFFCreateCustomDirectory, TIFFCreateEXIFDirectory,
TIFFWriteCustomDirectory, _TIFFRewriteField as recommended by
Roger Leigh and justified by use in libtiff tests, documentation,
and changelog notes. Also sorted symbol list and removed
duplicate entries.
2015-06-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_getimage.c: Fix four Coverity issues related to
unintended sign extension.
2015-06-16 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_unix.c: fix compilation with MSVC (fix by Jeff McKenna)
2015-06-14 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_unix.c: contribution from Vadim Zeitlin on
Bugzilla Bug #2510 fixes several harmless but still annoying
warnings
* configure: contribution from Ludolf Holzheid on Bugzilla
Bug #2498. Adds an option to select the file I/O style on
Windows hosts.
* libtiff/tif_getimage.c: contribution from Gary Cramblitt
on Bugzilla Bug #2409. Correct reading of certain tiled TIFFs.
* configure, configure.ac: contribution from Marcos H. Woehrmann
on Bugzilla Bug #2405. Correct shell equality operator.
* tools/tiffgt.c (raster_draw): contribution from Jay Berkenbilt
on Bugzilla Bug #2401. Appropriately call glFlush().
* tools/tiff2pdf.c: change ColorTransform from "0" to "1"
following Bugzilla Bug #2150.
2015-06-13 Lee Howard <faxguy@howardsilvan.com>
* libtiff/tif_lzw.c: contribution from Andy Cave - decode
files that contain consecutive CODE_CLEAR codes.
* tools/tiff2pdf.c: contribution from Antti S. Lankila on
Bugzilla Bug #2078. Suppress initial output of the header.
* tools/tiff2pdf.c: contribution from Yuriy M. Kaminskiy -
Take care in using the return value from snprintf().
* tools/tiffcrop.c: contribution from Eduardo Robles Elvira -
correctly copy the compression tag from the source TIFF.
* tools/tiff2ps.c: contribution from Eduardo Robles Elvira -
correct sizing and scaling problems with output document.
2015-06-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_jpeg.c (JPEGDecode): Split JPEGDecode() into two
clean implementations in order to avoid pre-processor hell. Only
one of the implementations is used in a given build.
2015-06-08 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_jpeg.c: Fix compilation in BITS_IN_JSAMPLE == 12
case
2015-06-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_write.c (TIFFWriteEncodedStrip): Fix Coverity 715975
"Division or modulo by zero".
(TIFFWriteEncodedTile): Fix Coverity 715976 and 715977 "Division
or modulo by zero".
(TIFFWriteRawStrip): Fix Coverity 715978 "Division or modulo by
zero".
(TIFFWriteScanline): Fix Coverity 715979 "Division or modulo by
zero".
* libtiff/tif_read.c (TIFFStartTile): Fix Coverity 715973 and
715974 "Division or modulo by zero".
2015-05-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_dir.c (TIFFNumberOfDirectories): Quiet Coverity
1134470 "Logically dead code" by making the roll-over check
explicit.
* libtiff/tif_luv.c (LogLuvDecodeTile): Fix Coverity 991227
"Division or modulo by zero".
(LogLuvDecodeStrip): Fix Coverity 991239 "Division or modulo by
zero".
(LogLuvEncodeStrip): Fix Coverity 991240 "Division or modulo by
zero".
(LogLuvEncodeTile): Fix Coverity 991241 "Division or modulo by
zero".
* libtiff/tif_dirread.c (TIFFReadDirEntryDoubleArray): Fix
Coverity 298626 "Logically dead code".
(TIFFReadDirEntryFloatArray): Fix Coverity 298627 "Logically dead
code".
(TIFFReadDirEntryIfd8Array): Fix Coverity 298628 "Logically dead
code".
(TIFFReadDirEntrySlong8Array): Fix Coverity 298629 "Logically dead
code"
* libtiff/tif_dir.c (TIFFNumberOfDirectories): Don't depend on ++
operator precedenc in evaluation. Might quench Coverity 1134470
"Logically dead code".
* libtiff/tif_jpeg.c (JPEGDecode): Fix Coverity 602597 "Operands
don't affect result". This change uses ifdefs to include
applicable code based on properties of libjpeg. Still needs to be
re-tested with 12-bit "6b" and "MK1".
2015-05-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* libtiff/tif_dirwrite.c (_TIFFRewriteField): Fix Coverity 1024310
"Resource leak".
* libtiff/tif_ojpeg.c (OJPEGReadHeaderInfoSecStreamDht): Fix
Coverity 601720 "Resource leak".
* libtiff/tif_jpeg.c (JPEGCleanup): Fix Coverity 298624
"Dereference before null check".
* libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Fix Coverity 603400
"Missing break in switch".
* contrib/addtiffo/tif_overview.c (TIFF_DownSample): Check buffer
size calculation for overflow.
* contrib/addtiffo/addtiffo.c (main): Possibly address Coverity
1024226 "Untrusted value as argument".
* tools/gif2tiff.c (readgifimage): Fix Coverity 1024222 "Untrusted
value as argument".
(checksignature): Fix Coverity 1024894 "Ignoring number of bytes
read".
(readextension): Fix Coverity 1024893 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024890 "Ignoring number of bytes
read".
(readraster): Fix Coverity 1024891 "Ignoring number of bytes
read".
(readgifimage): Fix Coverity 1024892 "Ignoring number of bytes
read".
* tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 1024181
"Structurally dead code".
* tools/raw2tiff.c (main): Fix Coverity 1024887 "Unchecked return
value from library".
(guessSize): Fix Coverity 1024888 "Unchecked return value from
library".
(guessSize): Fix Coverity 1214162 "Ignoring number of bytes read".
(guessSize): Fix Coverity 1024889 "Unchecked return value from
library".
* tools/tiff2pdf.c (t2p_readwrite_pdf_image): Fix Coverity 298621
"Resource leak".
(t2p_readwrite_pdf_image): Fix Coverity 1024181 "Structurally dead
code".
(t2p_write_pdf): Fix Coverity 1227690 "Unused value".
2015-05-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* contrib/iptcutil/iptcutil.c (formatIPTC): Fix Coverity 1024468
"Infinite loop".
(formatIPTC): Fix Coverity 1024727 "Truncated stdio return value".
(formatIPTC): Fix Coverity 1214240 "Untrusted loop bound".
2015-05-28 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* contrib/addtiffo/tif_ovrcache.c (TIFFCreateOvrCache): Fix
Coverity 298615 "Resource leak".
(TIFFGetOvrBlock): Fix Coverity 1024649 "Unintended sign
extension".
* tools/bmp2tiff.c (main): Fix Coverity 1024225 "Untrusted value
as argument".
(main): Fix Coverity 1024678 "Unchecked return value from
library".
(main): Fix Coverity 1024679 "Unchecked return value from
library".
(main): Fix Coverity 1214160 "Ignoring number of bytes read".
* contrib/addtiffo/tif_ovrcache.c (TIFFCreateOvrCache): Fix
Coverity 298615 "Resource leak".
* tools/tiffcp.c: Fix Coverity 1024306, 1024307, 1024308, 1024309
"Resource leak".
* tools/tiffsplit.c (cpTiles): Fix Coverity 1024304 "Resource
leak".
(cpStrips): Fix Coverity 1024305 "Resource leak".
2015-05-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* tools/ras2tiff.c: Fix Sun Raster header definition to be safe
for 64-bit systems. Add some header validations. Should fix many
Coverity issues.
(main): Fix Coverity 1301206: "Integer handling issues (BAD_SHIFT)".
(main): Quiet Coverity 1024223 "Untrusted value as argument".
* tools/tiffmedian.c (GetInputLine): Fix Coverity 1024795 "Nesting
level does not match indentation".
(get_histogram): Quiet Coverity 1024386 "Out-of-bounds read".
This was a benign mis-diagnosis but added code to enforce against
buffer overflow.
* tools/tiffcrop.c (ROTATE_ANY): Fix Coverity 1294542 "Logical
vs. bitwise operator".
(readContigStripsIntoBuffer): Fix Coverity 1024545 "Division or
modulo by zero".
(readContigTilesIntoBuffer): Fix Coverity 1024586 "Logically dead
code".
(writeSingleSection): Fix Coverity 1024796 "Nesting level does not
match indentation".
(writeCroppedImage): Fix Coverity 1024797 "Nesting level does not
match indentation".
(loadImage): Fix Coverity 1299741 "Dereference before null check".
(loadImage): Fix Coverity 1299740 "Out-of-bounds write".
2015-03-02 Even Rouault <even.rouault@spatialys.com>
* tools/tiffdither.c: check memory allocations to avoid writing to
NULL pointer. Also check multiplication overflow. Fixes#2501,
CVE-2014-8128. Derived from patch by Petr Gajdos.
and use-after-free problems in the "gif2tiff" and "tiff2pdf"
command line tools (the library is not affected)
(CVE-2013-4231, CVE-2013-4232, CVE-2013-4244)
bump PKGREV
MAJOR CHANGES:
None
CHANGES IN THE SOFTWARE CONFIGURATION:
Updated to use Automake 1.12.4. Avoids security problem with 'make distcheck' (CVE-2012-3386).
CHANGES IN LIBTIFF:
Various memory buffer access fixes.
Fix handling when writing RGBA jpeg compressed imagery (http://trac.osgeo.org/gdal/ticket/4732).
Fix to work properly with IJG JPEG 7+.
New functions TIFFFieldTag(), TIFFFieldName(), TIFFFieldDataType(), TIFFFieldPassCount(), TIFFFieldReadCount(), TIFFFieldWriteCount() to use as external accessors for the opaque type TIFFField.
Fix bug rewriting image tiles in a compressed file (http://trac.osgeo.org/gdal/ticket/4771).
Add TIFF/FX tag support in libtiff.
CHANGES IN THE TOOLS:
tiff2pdf: Fail when TIFFSetDirectory() fails. This prevents core dumps or perhaps even arbitrary code execution when processing a corrupt input file (CVE-2012-3401).
tiff2pdf: Fix two places where t2p_error didn't get set after a malloc failure. No crash risk AFAICS, but the program might not report exit code 1 as desired.
CHANGES IN THE CONTRIB AREA:
None
* tif_getimage.c: added support for _SEPARATED CMYK images.
* tif_getimage.c: Added support for greyscale + alpha.
* Added TIFFCreateCustomDirectory() and TIFFCreateEXIFDirectory()
functions.
* tif_print.c: Lots of fixes around printing corrupt or hostile input.
* Improve handling of corrupt ycbcrsubsampling values.
* tif_unix.c: use strerror to get meaningful error messages.
* tif_jpeg.c: fix serious bugs in JPEGDecodeRaw().
* tif_jpeg.c: Fix size overflow (zdi-can-1221,CVE-2012-1173).
