2016.10.28 18:50 "[Tiff] New release ? + remaining CVE tickets", by Even Rouault

2016.12.13 04:56 "[Tiff] one little ill-advised change in v4.0.7 broke functionality for HylaFAX", by Lee Howard

See:

http://bugzilla.maptools.org/show_bug.cgi?id=2636

---------------------------------------------------------

So, for a few weeks now a couple of folks on the HylaFAX mailing lists have complained that HylaFAX does not work for them after they upgrade to libtiff v4.0.7. After looking into it I have found the culprit...

*******************************************************************

Index: ChangeLog
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/ChangeLog,v
retrieving revision 1.1109
retrieving revision 1.1110
diff -u -r1.1109 -r1.1110

--- ChangeLog   3 Jan 2016 10:01:25 -0000    1.1109
+++ ChangeLog   9 Jan 2016 22:19:21 -0000    1.1110

@@ -1,3 +1,8 @@
+2016-01-09 Even Rouault <even.rouault at spatialys.com>
+

+    * libtiff/tif_fax3.h: make Param member of TIFFFaxTabEnt structure
+    a uint16 to reduce size of the binary.

+
  2016-01-03 Even Rouault <even.rouault at spatialys.com>

         * libtiff/tif_read.c, tif_dirread.c: fix indentation issues raised

Index: libtiff/tif_fax3.h

=================================================================== RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_fax3.h,v retrieving revision 1.9

retrieving revision 1.10
diff -u -r1.9 -r1.10

--- libtiff/tif_fax3.h  10 Mar 2011 20:23:07 -0000    1.9

+++ libtiff/tif_fax3.h  9 Jan 2016 22:19:21 -0000    1.10

@@ -1,4 +1,4 @@

-/* $Id: tif_fax3.h,v 1.9 2011-03-10 20:23:07 fwarmerdam Exp $ */ +/* $Id: tif_fax3.h,v 1.10 2016-01-09 22:19:21 erouault Exp $ */

  /*
   * Copyright (c) 1990-1997 Sam Leffler
@@ -84,7 +84,7 @@
  typedef struct { /* state table entry */

         unsigned char State;    /* see above */
         unsigned char Width;    /* width of code in bits */

-    uint32 Param;           /* unsigned 32-bit run length in bits */
+    uint16 Param;           /* unsigned 16-bit run length in bits */

  } TIFFFaxTabEnt;

  extern const TIFFFaxTabEnt TIFFFaxMainTable[];

*******************************************************************

I cannot see this change to reduce the size of the binary being discussed at all on the libtiff mailing list... and unfortunately I did not test libtiff CVS code in HylaFAX this year until now.

Anyway, the "Param" field here in TIFFFaxTabEnt corresponds to TIFFTAG_FAXRECVPARAMS which elsewhere in libtiff (like libtiff/tif_dirinfo.c) is known to be 32-bits long.

The consequence of this change is that any software that utilizes TIFFTAG_FAXRECVPARAMS (and HylaFAX does so quite heavily) will likely see their "params" data corrupted/lost... leading to all sorts of problems with image data operations.

Please reverse the attached patch.

--- libtiff/tif_fax3.h  10 Mar 2011 20:23:07 -0000      1.9
+++ libtiff/tif_fax3.h  9 Jan 2016 22:19:21 -0000       1.10

@@ -84,7 +84,7 @@
 typedef struct {                /* state table entry */

        unsigned char State;    /* see above */
        unsigned char Width;    /* width of code in bits */

-       uint32 Param;           /* unsigned 32-bit run length in bits */
+       uint16 Param;           /* unsigned 16-bit run length in bits */

 } TIFFFaxTabEnt;

 extern const TIFFFaxTabEnt TIFFFaxMainTable[];