Changes in TIFF v4.7.2
======================

.. table:: References
    :widths: auto

    ======================  ==========================================
    Current Version         v4.7.2 (:tag:`v4.7.2`)
    Previous Version        :doc:`v4.7.1 <v4.7.1>`
    Primary Download Site   `<https://download.osgeo.org/libtiff/>`_
    Home HTTP Site #1       `<https://libtiff.gitlab.io/libtiff/>`_
    Home HTTP Site #2       `<http://www.simplesystems.org/libtiff/>`_
    ======================  ==========================================

This document provides a summary of significant changes made to the
software between the *previous* and *current* versions (see
above). A fully-detailed change summary is provided by the :file:`ChangeLog` file
included in the release package and by the Git commit history.

Major changes
-------------

None

Software configuration changes
------------------------------

* cmake: Fix bundle identifiers to use reverse-DNS format

* cmake: Fix and improve Apple framework build support

* cmake: Use TurboJPEG CONFIG by default (:issue:`767`)

* cmake: changes related to 8-/12-bit modes

* cmake: Replace CMath::CMath with direct link to avoid export.

* Support for iOS-derived builds

* Simplify cmake byte order version check

* Add additional warnings, primarily floating precision conversions and integer
  arithmetic conversions

* configure.ac: Require bootstrap with at least Autoconf 2.71.

Library changes
---------------

New/improved functionalities:

* Add TIFFGetMaxCompressionRatio() and use it in _TIFFReadEncoded[Tile|Strip)AndAllocBuffer()
  (:issue:`781`)

API/ABI breaks:

* None

Bug fixes:

* Handle negative TIFFReadFile results before state updates (:issue:`854`)

* tif_dirread.c: fix copy-paste bug in ChopUpSingleUncompressedStrip

* tif_read.c: Fixed division by zero in TIFFStartStrip() (:issue:`777`)

* tif_dirwrite.c: add integer overflow checks to allocation size calculations

* tif_print.c: add integer overflow checks to allocation size calculations

* tif_write.c: fix OOB read and underflow in TIFFAppendToStrip copy loop

* DumpModeSeek: add bounds check to prevent OOB pointer advance

* TIFFGrowStrips: fix use-after-free on partial realloc failure.

* Fix NULL dereference in _TIFFReserveLargeEnoughWriteBuffer() by validating
  the strip bytecount array before accessing it.

* TIFFRGBAImage: avoid int overflows in put functions (:issue:`830`)

* tif_getimage: fix inconsistent fromskew handling in put16bitbwtile (:issue:`792`)

* tif_getimage: Widen pointer-offset arithmetic in tif_getimage

* putcontig8bitYCbCr44tile: fix wrong fromskew computation (:issue:`798`)

* putcontig8bitYCbCr42tile: Reject invalid YCbCr subsampling when image dimensions
  are smaller than the subsampling block to prevent out-of-bounds writes. (:issue:`753`)

* TIFFReadRGBAImage(): prevent integer overflow and later heap overflow (:issue:`787`)

* TIFFFillStrip/Tile(): avoid excessive memory allocation (:issue:`831`)

* TIFFLinkDirectory() checks for IFD loops (:issue:`788`)

* Check result of _TIFFCheckRealloc to prevent memory leaks and segmentation fault when reallocation fails.

* TIFFVTileSize64(): in YCbCr contig non upsampled mode, validate td_samplesperpixel==3 (:issue:`805`)

* TIFFReadDirEntryPersampleShort(): be tolerant to tags like SampleFormat not
  having 1 or SamplesPerPixel values (https://github.com/OSGeo/gdal/issues/13465)

* tif_getimage: reject tile widths that would overflow toskew (:issue:`808`)

* Fix integer overflow in _TIFFPartialReadStripArray on 32-bit.

* TIFFAppendToStrip(): add some checks to avoid null-pointer-dereferencing (:issue:`777`).

* _TIFFGetStrileOffsetOrByteCountValue(): fix potential crash on corrupted files
   when file opened in 'O' mode (https://issues.oss-fuzz.com/issues/471328917)

* TIFFReadDirectory(): re-set TIFF_LAZYSTRILELOAD if file opened in 'O' mode

* _TIFFMergeFields(): avoid NULL ptr dereference (:issue:`755`).

* Check td_stripbytecount_p and td_stripoffset_p for NULL pointer before (re-)writing to file.
   (:issue:`749`)

* JPEGDecodeRaw: initialize output buffer to avoid returning uninitialized memory
   (:issue:`892`)

* JPEG decompressor: initialize output buffer when JPEG image is smaller than
  strile dimension to avoid heap memory disclosure (:issue:`826`)

* JPEG: fix generation of tiled 12-bit JPEG compressed files with libjpeg-turbo 3.0.3
   (:issue:`773`)

* JPEGDecode(): fix memory leak in error code path
  (https://issues.oss-fuzz.com/issues/471945501)

* tif_jpeg: reject mismatched JPEG data precision to avoid write overflow

* Fix signed left-shift UB in LogLuv RANDITHER encoding (:issue:`850`)

* PixarLog: error out on invalid ABGR output buffer sizes.

* PixarLog: complete ABGR bounds check for multi-row strip decoding.

* PixarLog: fix heap-buffer-overflow in 8BITABGR decode with stride 3 (:issue:`824`)

* PixarLog: fix undoing horizontal differencing when SamplesPerPixel != 3 and 4 (:issue:`789`).

* PixarLog codec: fix potential integer overflow/out-of-bounds access (:issue:`797`)

* TIFFAdvanceDirectory(): avoid potential read heap-buffer-overflow in mmap code path on 32 bit builds
  (https://issues.oss-fuzz.com/issues/506737072)

* OJPEG: fix integer overflow in subsampling buffer allocation.

* OJPEG: fix nullptr deref when changing compression method from OJPEG to
  something else (:issue:`795`).

* OJPEG  fix potential integer overflow/out-of-bounds access (:issue:`796`).

* ojpeg: prevent EOF infinite loop (fixes commit 2a3d55b)

* tif_jbig.c don't discard validly decoded data if errors occur

* fix null pointer deference in :issue:`782`.

* fix stack-overflow in :issue:`784`.

Other changes:

* Change EXIF and GPS tag type from IFD8 to LONG8 per EXIF-specification (:issue:`739`).

* Harden integer size and offset calculations (:issue:`897`)

* TIFFComputeTile/TIFFComputeStrip: use overflow-checked multiplication

* Move widening casts inside multiplication scope.

* Lots of compiler warning fixes related to enabling more warning flags

* Align writing and reading of TIFF_LONG8 and TIFF_IFD8 tags (:issue:`773`)

* TIFFFillStrip(): prevent harmless unsigned integer overflow

Documentation
-------------

* Doc: TIFFFdOpen(): clarify role of filename parameter (:issue:`823`)

* Add libtiff/README_for_libtiff_developpers.md

Tools changes
-------------

New/improved functionality:

None

Bug fixes:

* tools: validate numeric command-line arguments (:issue:`799`)

* tiff2pdf: add overflow checks to RGBA/RGBAA sample count computation

* tiff2pdf: Fix integer overflow in RGBA raster allocation in tiff2pdf by
  validating size computation before _TIFFrealloc() (:issue:`804`)

* tiffcrop: fix integer overflow in extractImageSection.

* tiffcrop: fix byte carry for left/right composite bit offsets.

* tiffcrop: recompute composite crop dimensions before allocation.

* tiffcrop: fix uint32 overflows in writeImageSections and getCropOffsets
  (:issue:`834`, :issue:`835`, :issue:`836`)

* tiffcrop: size separated region buffers from actual dimensions

* tiffcrop: Fix heap-buffer-overflow in composite mode by allocating buffer based
  on final image layout instead of region-based bufftotal  (:issue:`803`)

* tiffcrop: fix undefined behaviour (:issue:`790`)

* tiffcrop: avoid dangling pointer in loadImage by clearing *read_ptr after free (:issue:`751`)

* tiffcrop: fix undefined behaviour in reverseSamples32bits() (:issue:`752`)

* Fix integer wraparound checks in raw2tiff/tiffcrop and add missing
  zero-divisor guards in tiff2rgba (:issue:`832`)

* tiffsplit: use 7-digit numbered output names.

* tiffsplit: fix global-buffer-overflow (:issue:`790`)

* tiffsplit: check filename length (:issue:`769`)

* tiffcmp: validate scanline buffer sizes in mixed planar comparison to prevent out-of-bounds reads (:issue:`802`)

* tiffmedian: fix use after free (:issue:`790`)

* tiffcp: avoid integer overflow in iskew and oskew (:issue:`770`)

* fax2tiff: avoid endless loop on corrupt input (:issue:`759`)

* tiffdump: Avoid unaligned memory access for tag field values.

* tiff2ps: Checking the range of double values in before converting to int32_t. (:issue:`679`)

Changes to contributed and unsupported tools
--------------------------------------------

* thumbnail: prevent integer overflow by capping row count at 256

* thumbnail: add/improve integer overflow check for image memory allocation.

* thumbnail: add error handling for missing strip and tile byte counts.

* thumbnail: fix Out-of-Bounds Write (:issue:`790`)

* rgb2ycbcr: fix integer overflow check for pixel count calculation.

* iptcutil: out-of-bound read fix (:issue:`750`)
