2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	libtiff 4.7.2 release

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'revert_mr_910' into 'master'
	Revert "_TIFFSetDefaultCompressionState(): reset postdecode callback"

	Closes #860

	See merge request libtiff/libtiff!915

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'mr_810_revert' into 'master'
	Revert "tif_jbig.c don't discard validly decoded data if errors occur"

	See merge request libtiff/libtiff!914

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'rst_formatting_fix' into 'master'
	v4.7.2.rst: formatting fix

	See merge request libtiff/libtiff!913

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	Revert "_TIFFSetDefaultCompressionState(): reset postdecode callback"
	This reverts commit b7a73279cc83e39a2d3425d69185281009f7554a.

	Fixes #860, but re-opens #795

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	Revert "tif_jbig.c don't discard validly decoded data if errors occur"
	This reverts commit fd4e85614c479b9cac7b4d961648cac6f15ad81f.

	This causes a null-ptr deref in jbigkit on some corrupted images. See https://gitlab.com/libtiff/libtiff/-/merge_requests/810#note_3500232812

2026-06-27  Even Rouault  <even.rouault@spatialys.com>

	v4.7.2.rst: formatting fix.

2026-06-25  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_859' into 'master'
	Revert "OJPEG: fix nullptr deref when changing compression method from OJPEG to something else"

	Closes #795

	See merge request libtiff/libtiff!910

2026-06-25  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'tif_jbig-benign_errors' into 'master'
	tif_jbig.c don't discard validly decoded data if errors occur

	See merge request libtiff/libtiff!810

2026-06-25  Lee Howard  <faxguy@howardsilvan.com>

	tif_jbig.c don't discard validly decoded data if errors occur.

2026-06-25  Even Rouault  <even.rouault@spatialys.com>

	_TIFFSetDefaultCompressionState(): reset postdecode callback.
	Fixes #795

	Revert "OJPEG: fix nullptr deref when changing compression method from OJPEG to something else"
	This reverts commit 04607e3ce091ac0579317f185ab2cc378c3f6d39.

2026-06-19  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'add_missing_export_symbols' into 'master'
	libtiff.def/libtiff.map: add semi-public/private symbols added recently

	Closes #857

	See merge request libtiff/libtiff!902

2026-06-19  Even Rouault  <even.rouault@spatialys.com>

	tiffdump.c: fix build error on Windows.

	libtiff/tiffiop.h: fix ftell() macro in HAVE_FSEEKO case.

	libtiff.def/libtiff.map: add semi-public/private symbols added recently.

2026-06-18  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-846-integer_overflow' into 'master'
	Harden integer size and offset calculations in libtiff, tools, and contrib

	See merge request libtiff/libtiff!897

2026-06-18  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-850-Luv32fromLuv48' into 'master'
	Fix signed left-shift UB in LogLuv RANDITHER encoding (#850)

	See merge request libtiff/libtiff!898

2026-06-18  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-854-TIFFReadAndRealloc' into 'master'
	Handle negative TIFFReadFile results before state updates (#854)

	See merge request libtiff/libtiff!901

2026-06-16  waugustus  <wangdw.augustus@qq.com>

	Handle negative TIFFReadFile results before state updates (#854)

	Harden integer size and offset calculations in libtiff, tools, and contrib

2026-06-12  waugustus  <wangdw.augustus@qq.com>

	Fix signed left-shift UB in LogLuv RANDITHER encoding (#850)

2026-06-10  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'patch-1' into 'master'
	oss-fuzz: fix broken build

	See merge request libtiff/libtiff!896

2026-06-10  david korczynski  <david@adalogics.com>

	oss-fuzz: fix broken build.

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'DumpModeDecode_signedness_warning' into 'master'
	DumpModeSeek(): fix -Wsign-compare on 32 bit platforms

	See merge request libtiff/libtiff!894

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	DumpModeSeek(): fix -Wsign-compare on 32 bit platforms.

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'formatting_fixes' into 'master'
	Formatting fixes (apply pre-commit run --all)

	See merge request libtiff/libtiff!893

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	Formatting fixes (apply pre-commit run --all)

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix/ojpeg-overflow-and-misc-fixes' into 'master'
	Fix integer overflows, copy-paste bug, and loop underflow

	See merge request libtiff/libtiff!891

2026-06-08  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'jpegdecoderaw-uninit-heap' into 'master'
	JPEGDecodeRaw: initialize output buffer to avoid returning uninitialized memory

	See merge request libtiff/libtiff!892

2026-06-06  evilgensec  <evil.gen.sec@gmail.com>

	JPEGDecodeRaw: initialize output buffer to avoid returning uninitialized memory
	JPEGDecodeRaw() (the YCbCr-subsampled "raw" decode path) writes at most
	sp->cinfo.d.image_height rows, and within each scanline only the
	clumps_per_line clumps derived from the JPEG codestream width. When a
	strip/tile is declared larger than the embedded JPEG SOF dimensions --
	which JPEGPreDecode() only warns about rather than rejecting -- the
	unwritten tail of the caller's buffer is left untouched and returned as
	decoded data.

	Callers such as TIFFReadEncodedStrip/TIFFReadEncodedTile (and the tools
	built on them: tiffinfo -d, tiff2rgba, plus downstream users like GDAL
	and tiff2pdf) hand in an uninitialized malloc'd buffer, so the contents
	of previously freed heap are disclosed to the consumer. The amount of
	leaked data scales with the declared strip/tile height.

	JPEGDecode() already zeroes its output buffer for this case, but
	JPEGDecodeRaw() does not. A conditional memset mirroring JPEGDecode()'s
	dimension test is not sufficient here: for subsampled data the per-clump
	write stride can leave part of the caller buffer untouched even for
	spec-compliant images, so the buffer is zeroed unconditionally before the
	decode loop.

2026-05-31  Anthony Hurtado  <amhurtado@protonmail.com>

	tiff2pdf.c: add overflow checks to RGBA/RGBAA sample count computation.
	The YCBCR-to-RGB conversion path uses TIFFSafeMultiply for the
	tiff_width * tiff_length computation, but the RGBA-to-RGB and
	RGBAA-to-RGB paths perform raw uint32_t multiplication. The same
	inconsistency exists in the tile path with tiles_tilewidth *
	tiles_tilelength.

	For crafted TIFF files with large dimensions, the unchecked
	multiplication overflows and passes a wrong sample count to
	t2p_sample_rgba_to_rgb / t2p_sample_rgbaa_to_rgb, causing
	out-of-bounds buffer access in those conversion functions.

	Add TIFFSafeMultiply overflow checks consistent with the YCBCR path,
	covering both the image path (tiff_width * tiff_length) and the tile
	path (tiles_tilewidth * tiles_tilelength).

2026-05-31  Anthony Hurtado  <amhurtado@protonmail.com>

	tiffcrop.c: fix integer overflow in extractImageSection.
	The computations img_width * spp * bps and sect_width * spp * bps are
	performed in uint32_t (img_width/sect_width are uint32_t, spp/bps are
	uint16_t promoted to int, but the product is truncated back to uint32_t
	when assigned). For images with large dimensions and high bit depth,
	these products can overflow, producing incorrect img_rowsize and
	full_bytes values that lead to out-of-bounds buffer access.

	Use uint64_t intermediates and check against UINT32_MAX before use.

2026-05-31  Anthony Hurtado  <amhurtado@protonmail.com>

	tif_write.c: fix OOB read and underflow in TIFFAppendToStrip copy loop.
	When TIFFAppendToStrip needs to relocate strip data to the end of the
	file, it copies in chunks of tempSize (up to 1 MB). On the final
	iteration, toCopy may be less than tempSize, but the loop unconditionally
	reads and writes tempSize bytes. This causes:

	1. OOB file read past the end of the original strip data
	2. uint64_t underflow when toCopy -= tempSize wraps, causing the loop
	   to run indefinitely

	Introduce a chunkSize variable that is min(toCopy, tempSize) to
	correctly handle the final partial iteration.

2026-05-31  Anthony Hurtado  <amhurtado@protonmail.com>

	tif_dirread.c: fix copy-paste bug in ChopUpSingleUncompressedStrip.
	Line 8024 assigns offset = TIFFGetStrileByteCount(tif, 0) but should
	use TIFFGetStrileOffset(tif, 0). The variable is used at lines
	8061-8063 to perform a file-size sanity check that prevents excessive
	memory allocation when chopping a single-strip TIFF into multiple
	strips.

	With the byte count instead of the offset, the sanity check compares
	the wrong value against the file size, allowing a crafted uncompressed
	single-strip TIFF with a small byte count but large nstrips to bypass
	the guard and trigger excessive allocation from TIFFReadDirectory().

2026-05-31  Anthony Hurtado  <amhurtado@protonmail.com>

	tif_ojpeg.c: fix integer overflow in subsampling buffer allocation.
	The computation of subsampling_convert_ybuflen (ylinelen * ylines),
	subsampling_convert_cbuflen (clinelen * clines), and their sum
	subsampling_convert_ycbcrbuflen is performed in uint32_t and can
	silently overflow for large strile_width values. The existing overflow
	check at line 1362 only guards the ylinelen addition, not the
	subsequent multiplications.

	When the product wraps to a small value, _TIFFcallocExt allocates an
	undersized buffer. Row pointers are then computed using the
	non-overflowed stride, pointing past the allocation. Libjpeg writes
	decompressed scanline data through these out-of-bounds pointers,
	causing heap buffer overflow.

	Use 64-bit intermediates for the multiplications and check against
	UINT32_MAX before truncating back to uint32_t. Return an error
	instead of proceeding with a corrupted allocation size.

2026-05-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-832-raw2tiff' into 'master'
	Fix integer wraparound checks in raw2tiff/tiffcrop and add missing zero-divisor guards in tiff2rgba (#832).

	See merge request libtiff/libtiff!885

2026-05-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-836-tiffcrop' into 'master'
	tiffcrop: Fix tiffcrop composite crop buffer sizing (#836)

	See merge request libtiff/libtiff!884

2026-05-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix/compute-tile-strip-overflow' into 'master'
	TIFFComputeTile/TIFFComputeStrip: use overflow-checked multiplication

	See merge request libtiff/libtiff!890

2026-05-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix/dumpmode-seek-oob' into 'master'
	DumpModeSeek: add bounds check to prevent OOB pointer advance

	See merge request libtiff/libtiff!888

2026-05-29  Anthony Hurtado  <amhurtado@protonmail.com>

	TIFFComputeTile/TIFFComputeStrip: use overflow-checked multiplication.
	TIFFComputeTile() computes xpt * ypt * zpt using raw uint32_t
	multiplication that can silently overflow for images with small tile
	dimensions and large image dimensions. The wrapped result is used as a
	tile index into the strip offset/bytecount arrays, causing out-of-bounds
	array access.

	TIFFComputeStrip() has the same issue with (uint32_t)sample *
	td_stripsperimage.

	Replace raw multiplication with _TIFFMultiply32() in both functions,
	consistent with their TIFFNumberOf* counterparts in the same files.
	_TIFFMultiply32() reports an error and returns 0 on overflow instead of
	silently wrapping. Added early return when overflow is detected (result
	is 0 but operands are non-zero) to prevent using a bogus index.

2026-05-29  Anthony Hurtado  <amhurtado@protonmail.com>

	DumpModeSeek: add bounds check to prevent OOB pointer advance.
	DumpModeSeek() advances tif_rawcp by nrows * td_scanlinesize without
	any bounds check against tif_rawcc (remaining buffer bytes). A crafted
	TIFF with COMPRESSION_NONE can trigger an arbitrary forward seek past
	the raw data buffer, causing subsequent DumpModeDecode() calls to read
	from out-of-bounds heap memory.

	Added pre-multiplication overflow check using TIFF_TMSIZE_T_MAX
	division (avoiding undefined behavior from signed overflow detection),
	then bounds check against tif_rawcc before advancing the pointer.

	Note the contrast with DumpModeDecode() in the same file, which
	correctly checks tif_rawcc < cc before any access.

2026-05-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix/growstrips-uaf' into 'master'
	TIFFGrowStrips: fix use-after-free on partial realloc failure

	See merge request libtiff/libtiff!889

2026-05-29  Anthony Hurtado  <amhurtado@protonmail.com>

	TIFFGrowStrips: fix use-after-free on partial realloc failure.
	TIFFGrowStrips() performs two realloc calls for td_stripoffset_p and
	td_stripbytecount_p. If the first realloc succeeds (potentially moving
	the allocation) but the second fails, the error path frees the new
	pointer while td->td_stripoffset_p still points to the old (now-freed)
	memory. When TIFFFreeDirectory() later frees td_stripoffset_p, it
	triggers a double-free of the dangling pointer.

	Fix by updating each struct member immediately after its successful
	realloc, before attempting the second realloc. If either realloc fails,
	the struct members point to valid memory (either the successfully
	reallocated block or the original unchanged block), preventing any
	dangling pointer.

2026-05-25  waugustus  <wangdw.augustus@qq.com>

	Address review feedback for overflow guard fixes.

2026-05-14  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-844-_TIFFReserveLargeEnoughWriteBuffer' into 'master'
	Fix NULL dereference in _TIFFReserveLargeEnoughWriteBuffer() by validating the strip bytecount array before accessing it (#844)

	See merge request libtiff/libtiff!886

2026-05-14  waugustus  <wangdw.augustus@qq.com>

	Fix NULL dereference in _TIFFReserveLargeEnoughWriteBuffer() by validating the strip bytecount array before accessing it.

	Fix integer wraparound checks in raw2tiff/tiffcrop and add missing zero-divisor guards in tiff2rgba (#832).

2026-05-11  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_834_835_836' into 'master'
	tiffcrop: fix uint32 overflows in writeImageSections and getCropOffsets

	Closes #834, #835, and #836

	See merge request libtiff/libtiff!879

2026-05-09  waugustus  <wangdw.augustus@qq.com>

	tiffcrop: fix byte carry for left/right composite bit offsets.

	tiffcrop: recompute composite crop dimensions before allocation.

2026-05-09  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-828-horizontalAccumulate8abgr' into 'master'
	pixarlog: complete ABGR bounds check for multi-row strip decoding

	See merge request libtiff/libtiff!883

2026-05-09  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_830' into 'master'
	TIFFRGBAImage: avoid int overflows in put functions

	Closes #830

	See merge request libtiff/libtiff!881

2026-05-07  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_831' into 'master'
	TIFFFillStrip/Tile(): avoid excessive memory allocation

	Closes #831

	See merge request libtiff/libtiff!880

2026-05-07  Even Rouault  <even.rouault@spatialys.com>

	TIFFFillStrip/Tile(): avoid excessive memory allocation.
	Closes #831

2026-05-07  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_823' into 'master'
	Doc: TIFFFdOpen(): clarify role of filename parameter

	Closes #823

	See merge request libtiff/libtiff!882

2026-05-07  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_788_Write_IFDLoop' into 'master'
	TIFFLinkDirectory() checks for IFD loops (fixes 788)

	Closes #788

	See merge request libtiff/libtiff!878

2026-05-07  Su Laus  <sulau@freenet.de>

	TIFFLinkDirectory() checks for IFD loops (fixes 788)

2026-05-07  waugustus  <wangdw.augustus@qq.com>

	pixarlog: error out on invalid ABGR output buffer sizes.

	pixarlog: complete ABGR bounds check for multi-row strip decoding.

2026-05-05  Niels Provos  <provos@gmail.com>

	tiffcrop: simplify safeAccumUInt32 overflow check.
	Use the canonical unsigned-overflow idiom (a > MAX - b) instead of a
	uint64_t cast, per maintainer suggestion.

2026-05-05  Even Rouault  <even.rouault@spatialys.com>

	Doc: TIFFFdOpen(): clarify role of filename parameter.
	Fixes #823

	TIFFRGBAImage: avoid int overflows in put functions.
	Fixes #830

2026-05-04  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'TIFFGetMaxCompressionRatio' into 'master'
	Add TIFFGetMaxCompressionRatio() and use it in _TIFFReadEncoded[Tile|Strip)AndAllocBuffer()

	Closes #781

	See merge request libtiff/libtiff!872

2026-05-03  Niels Provos  <provos@gmail.com>

	tiffcrop: fix uint32 overflows in writeImageSections and getCropOffsets.
	Three uint32 wraps in tiffcrop allowed crafted TIFFs to bypass
	loadImage()'s buffer-size guard:

	* writeImageSections:8301 computed sectsize via ceil((n+7)/8.0) (double),
	  which overcounts bytes-per-row by 1 vs. loadImage:7209's integer
	  (n+7)/8, then multiplied in uint32. Now uses uint64_t with the same
	  integer formula and rejects results exceeding UINT32_MAX-3.

	* getCropOffsets accumulates crop->combined_{width,length} in uint32
	  across zones for all four EDGE_* branches; sums >= 2^32 wrap and
	  under-size the crop_buff allocation in processCropSelections. A
	  safeAccumUInt32() helper now guards each accumulation.

	Fixes #834, #835, #836.

2026-04-29  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_826' into 'master'
	JPEG decompressor: initialize output buffer when JPEG image is smaller than...

	Closes #826

	See merge request libtiff/libtiff!877

2026-04-29  Even Rouault  <even.rouault@spatialys.com>

	JPEG decompressor: initialize output buffer when JPEG image is smaller than strile dimension to avoid heap memory disclosure
	Fixes #826

2026-04-28  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_ossfuzz_506737072' into 'master'
	TIFFAdvanceDirectory(): avoid potential read heap-buffer-overflow in mmap code...

	See merge request libtiff/libtiff!876

2026-04-28  Even Rouault  <even.rouault@spatialys.com>

	TIFFAdvanceDirectory(): avoid potential read heap-buffer-overflow in mmap code path on 32 bit builds
	Fixes https://issues.oss-fuzz.com/issues/506737072

	```
	==250==ERROR: AddressSanitizer: SEGV on unknown address 0x73402dbf (pc 0xf7cc6656 bp 0xff9cc408 sp 0xff9cbfb8 T0)
	==250==The signal is caused by a READ memory access.
		    0 0xf7cc6656 in libc.so.6
		    1 0x5763d373 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
		    2 0x57f675ba in gdal__TIFFmemcpy gdal/frmts/gtiff/libtiff/tif_vsi.c:174:2
		    3 0x57f631a9 in gdal_TIFFAdvanceDirectory gdal/frmts/gtiff/libtiff/tif_dir.c:1878:13
	```

	with
	```
	$ tiffdump test.tif
	test.tif:
	Magic: 0x4949 <little-endian> Version: 0x2a <ClassicTIFF>
	Directory 0: offset 8 (0x8) next 2147483647 (0x7fffffff)
	[...]
	```

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'cmake-macos-framework' into 'master'
	Build: Support for iOS-derived builds

	See merge request libtiff/libtiff!780

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	cmake: Fix bundle identifiers to use reverse-DNS format.
	PRODUCT_BUNDLE_IDENTIFIER and MACOSX_FRAMEWORK_IDENTIFIER must use
	reverse-DNS dot notation (com.gitlab.libtiff.libtiff_tiff), not
	URL-style slashes which are not valid in bundle ID strings.

2026-04-25  Treata11  <treata11@yahoo.com>

	cmake: Incorporate improvements from treata11/cmake-macos-framework.
	- .gitignore: add build* to ignore build directories
	- CMakeLists.txt: add framework build status message in configure summary
	- libtiff/CMakeLists.txt: refactor duplicate if(tiff-framework) blocks
	  into a set_framework_properties(target headers_var) macro, eliminating
	  repetition between the tiff and tiffxx targets
	- tools/CMakeLists.txt: extract install target list into libtiff_tools
	  variable for clarity

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	cmake: Fix and improve Apple framework build support.
	- Fix FRAMEWORK_VERSION to use conventional letter "A" instead of the
	  full version string, which incorrectly named the Versions/ directory
	- Remove FRAMEWORK/BUNDLE properties from fax2ps and other executables;
	  only shared libraries can be frameworks, and framework linking is
	  implicit for executables via target_link_libraries
	- Remove BUNDLE DESTINATION from tools install rule; CLI tools are not
	  app bundles
	- Add framework properties to tiffxx (C++ wrapper library), including
	  FRAMEWORK DESTINATION in its install rule
	- Move OPENGL_SUPPORT=OFF for embedded Apple platforms into the root
	  CMakeLists.txt, gated on CMAKE_SYSTEM_NAME rather than tiff-framework,
	  so it is driven by platform identity and applies before subdirectories
	  are processed
	- Default tiff-framework to ON for non-Darwin Apple platforms (iOS,
	  tvOS, watchOS, visionOS) where .dylib is not permitted by the App
	  Store; keep OFF on macOS where .dylib is the conventional format
	- Short-circuit HAVE_LD_VERSION_SCRIPT=FALSE on Apple unconditionally,
	  since ld64 does not support --version-script, avoiding a noisy probe

2026-04-25  Treata11  <treata11@yahoo.com>

	Build: Support for iOS-derived builds.

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'oss-fuzz' into 'master'
	Add fuzzer for libtiff write logic

	See merge request libtiff/libtiff!875

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Remove unused __TIFFSafeMultiply macro and MAX_SIZE constant.

2026-04-25  Arthur Chan  <arthur.chan@adalogics.com>

	Fix formatting and build script.

	Fix formatting accordingly.

	Create new fuzzer and integrate to libtiff.

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'fix-bufoverflow' into 'master'
	tiffcrop: avoid buffer overflow in combineSeparateTileSamplesBytes()

	See merge request libtiff/libtiff!848

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'tiffsplit-kostasl' into 'master'
	tiffsplit: use 7-digit numbered output names

	See merge request libtiff/libtiff!874

2026-04-25  Kostas Lagogiannis  <costaslag@gmail.com>

	tiffsplit: use 7-digit numbered output names.

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'issue-824-horizontalAccumulate8abgr' into 'master'
	pixarlog: fix heap-buffer-overflow in 8BITABGR decode with stride 3 (#824)

	See merge request libtiff/libtiff!873

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'fix/thumbnail-integer-overflow' into 'master'
	thumbnail: prevent integer overflow by capping row count at 256

	See merge request libtiff/libtiff!852

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'support_arm64_arm64ec' into 'master'
	Enable support for arm64EC

	See merge request libtiff/libtiff!830

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'cmake-turbojpeg' into 'master'
	cmake: Use TurboJPEG CONFIG by default

	Closes #767

	See merge request libtiff/libtiff!806

2026-04-25  Roger Leigh  <rleigh@codelibre.net>

	cmake: JPEG dual mode requires both functions.

	cmake: Update JPEG dual mode check to use correct library target.

	cmake: Update JPEG dual mode check to use check_symbol_exists.
	* The existing approach failed with clang due to it not using declared symbols

	cmake: Enable 8-/12-bit modes with TurboJPEG CONFIG.

	cmake: Use TurboJPEG CONFIG by default.

2026-04-24  waugustus  <wangdw.augustus@qq.com>

	pixarlog: add comment explaining 4-byte advance in ABGR decode.

2026-04-23  waugustus  <wangdw.augustus@qq.com>

	pixarlog: fix heap-buffer-overflow in 8BITABGR decode with stride 3 (#824)

2026-04-22  Even Rouault  <even.rouault@spatialys.com>

	Add libtiff/README_for_libtiff_developpers.md and reference it in various GetMaxCompressionRatio() functions

2026-04-22  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'issue-816-tiffcrop' into 'master'
	tiffcrop: size separated region buffers from actual dimensions (#816)

	See merge request libtiff/libtiff!871

2026-04-21  Even Rouault  <even.rouault@spatialys.com>

	Add TIFFGetMaxCompressionRatio() and use it in _TIFFReadEncoded[Tile|Strip)AndAllocBuffer()
	```rst

	.. c:function:: uint64_t TIFFGetMaxCompressionRatio(TIFF *tif);

	Description
	-----------

	:c:func:`TIFFGetMaxCompressionRatio` returns the maximum compression ratio
	for the current codec, which is typically achieved for a uncompressed buffer
	with all bytes at zero.

	This function can be used to determine if the compressed size of a strip or tile
	is realistic compared to the expected uncompressed size, to prevent some
	denial-of-service scenarios.

	Depending on the codec, it may take into account the strip or tile size,
	number of samples per pixel, etc.

	Some codecs don't implement that method, or only for a subset of configurations,
	and may return 0 when the maximum compression ratio is unknown.

	Return values
	-------------

	0 is returned if no maximum compression ratio is known.
	1 is returned when there is no compression.
	Values strictly bigger than 1 are returned when a maximum compression ratio is
	known.
	```

	Fixes #781

2026-04-21  waugustus  <wangdw.augustus@qq.com>

	tiffcrop: size separated region buffers from actual dimensions.

2026-04-21  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'reformat' into 'master'
	Update pre-commit clang-format to v22.1.3 and apply 'pre-commit run --all'

	See merge request libtiff/libtiff!870

2026-04-20  Even Rouault  <even.rouault@spatialys.com>

	Update pre-commit clang-format to v22.1.3 and apply 'pre-commit run --all'

2026-04-20  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'warning_fixes_armhf_32bit' into 'master'
	Fix warning fixes with arm-linux-gnueabihf-gcc-13

	See merge request libtiff/libtiff!868

2026-04-20  Even Rouault  <even.rouault@spatialys.com>

	Fix warning fixes with arm-linux-gnueabihf-gcc-13.
	Fixes
	```
	 /home/runner/work/gdal/gdal/frmts/gtiff/libtiff/tiffiop.h:296:68: error: comparison of integer expressions of different signedness: 'tmsize_t' {aka 'long int'} and 'long unsigned int' [-Werror=sign-compare]
	  296 | #define ReadOK(tif, buf, size) (TIFFReadFile((tif), (buf), (size)) == (size))
	      |                                                                    ^~
	/home/runner/work/gdal/gdal/frmts/gtiff/libtiff/tif_dirread.c:6141:14: note: in expansion of macro 'ReadOK'
	 6141 |         if (!ReadOK(tif, origdir, (tmsize_t)dircount16 * dirsize))
	      |              ^~~~~~
	/home/runner/work/gdal/gdal/frmts/gtiff/libtiff/tif_dirread.c:6270:29: error: comparison of integer expressions of different signedness: 'tmsize_t' {aka 'long int'} and 'long unsigned int' [-Werror=sign-compare]
	 6270 |         if ((m < off) || (m < (tmsize_t)dircount16 * dirsize) ||
	      |                             ^
	```

2026-04-20  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'warning-additions5' into 'master'
	Add extra warnings, with a focus upon the preprocessor

	See merge request libtiff/libtiff!805

2026-04-19  Roger Leigh  <rleigh@codelibre.net>

	tif_write: Make expression less ambiguous.

	tif_config: Don't check if macro defined when undefined.

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Run clang-format on all modified files.
	Suggested-by: Timothy Lyanguzov <theta682@gitlab.com>
	Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Use lowercase float literal suffixes.
	Replace all uppercase F float literal suffixes with the more conventional
	lowercase f across all source files for consistency.

	Suggested-by: Timothy Lyanguzov <theta682@gitlab.com>
	Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Simplify cmake byte order version check.
	The CMAKE_VERSION >= 3.20 guard is redundant since CMAKE_C_BYTE_ORDER
	is only defined by CMake 3.20+. If it's defined, the version is already
	sufficient.

	Suggested-by: Timothy Lyanguzov <theta682@gitlab.com>
	Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Add -Wtrampolines to extra-warnings.

	Add -Walloc-zero to extra-warnings.

	Add -Wstringop-overflow=4 to extra-warnings.

	Add -Warray-bounds=3 to extra-warnings.

	Add -Wvla to extra-warnings.

	Add -Wnested-externs to extra-warnings.

	Add -Wold-style-definition to extra-warnings.

	Add -Wundef to extra-warnings.

	cmake: Add extra broken-warnings.
	* Will promote to extra-warnings after testing

	cmake: Unset /W3 before setting /W4.

	tools: Use HAVE_UNISTD_H consistently.

	cmake: Suppress warnings in Windows system headers.

	tif_jpeg: Use HAVE_DECL_OPTARG consistently.

	tif_jpeg: Use JPEG_LIB_MK1_OR_12BIT consistently.

	port: Correct HAVE_GETOPT and HAVE_UNISTD_H usage.

	cmake: Modernise endianness checks.

	Correct WORDS_BIGENDIAN to always be defined to 1 or 0.

	Add extra MSVC warnings.

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Merge branch 'warning-additions4' into 'master'
	Add additional warnings, primarily floating precision conversions and integer arithmetic conversions

	See merge request libtiff/libtiff!804

2026-04-18  Roger Leigh  <rleigh@codelibre.net>

	Merge remote-tracking branch 'origin/master' into warning-additions4.

2026-04-12  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix-integer-overflows' into 'master'
	fix: add integer overflow checks to allocation size calculations

	See merge request libtiff/libtiff!862

2026-04-12  mohammadmseet-hue  <mohammadmseet@gmail.com>

	fix: add integer overflow checks to allocation size calculations.
	Several allocation sites compute buffer sizes using unchecked 32-bit
	multiplication of attacker-controlled TIFF tag values. When the product
	exceeds UINT32_MAX, the result wraps to a small value, causing undersized
	allocations followed by heap buffer overflows.

	Changes across 2 files (5 overflow sites):

	- tif_dirwrite.c: 4 unchecked count*sizeof() replaced with
	  _TIFFCheckMalloc
	- tif_print.c: 1 tv_size*value_count replaced with _TIFFCheckMalloc

	All 158 existing tests pass.

2026-04-11  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'fix_777_part1_division_by_zero_and_move_params_to_tif_dir' into 'master'
	tif_read.c: Fixed division by zero in TIFFStartStrip() by correctly initialising the parameters and checking for zero (fixes #777 first part)

	See merge request libtiff/libtiff!863

2026-04-10  Su_Laus  <sulau@freenet.de>

	Some editorials due to suggestions.

2026-04-09  Even Rouault  <even.rouault@spatialys.com>

	Merge branch 'master' into 'master'
	Check result of _TIFFCheckRealloc

	See merge request libtiff/libtiff!865

2026-04-08  Roger Leigh  <rleigh@codelibre.net>

	Widen pointer-offset arithmetic in tif_getimage.c.
	Cast `line` to `size_t` before multiplying by `w` in the horizontal
	flip loops, so the pointer offset computation happens at pointer
	width rather than uint32_t. Prevents overflow for large images
	where line * w exceeds UINT32_MAX.

2026-04-08  Roger Leigh  <rleigh@codelibre.net>

	Move widening casts inside arithmetic scope (additional cases)
	Extend the approach from 96ea0393 to additional cases: place widening
	casts on operands rather than wrapping the arithmetic result, so the
	computation happens at the wider type. This covers additions,
	subtractions, and multiplications used for memory sizes, buffer
	offsets, and function arguments.

	For cases where the moved cast creates a same-precedence ambiguity
	(e.g. in % or / expressions), add grouping parentheses to preserve
	the original semantics.

2026-04-07  Aymeric Esparre  <aymeric.esparre@gmail.com>

	Check result of _TIFFCheckRealloc to prevent memory leaks and segmentation fault when reallocation fails.

2026-04-06  Su_Laus  <sulau@freenet.de>

	tif_read.c: Fixed division by zero in TIFFStartStrip() by correctly initialising the parameters and checking for zero (resolves the first issue from #777)
	Move the tif-directory related parameters tif_scanlinesize, tif_tilesize, tif_row, tif_curstrip, tif_col, tif_curtile, tif_tilesize from the tif structure to the tif_dir structure.
	Initialise these parameters not only in TIFFClientOpenExt(), but also in TIFFDefaultDirectory() using the new function _TIFFResetTifDirAndInitStrileCounters().
	The partial initialisation of these parameters is removed from TIFFReadDirectory(), TIFFCreateDirectory(), TIFFCreateCustomDirectory() and TIFFUnlinkDirectory(), where TIFFDefaultDirectory() and thus _TIFFResetTifDirAndInitStrileCounters() is called.

	In TIFFStartStrip(), check for td_stripsperimage == 0 to avoid division by zero.

	This initialisation resolves the first issue from #777.

2026-04-05  Roger Leigh  <rleigh@codelibre.net>

	Move widening casts inside multiplication scope.
	Place widening casts where the multiplication is performed rather
	than wrapping the entire result. This ensures arithmetic happens
	at the wider type, reducing the chance of overflow.

	For sizeof patterns, cast the non-sizeof operand to (size_t)
	before multiplication: (tmsize_t)((size_t)count * sizeof(type)).
	For integer arithmetic, cast the variable directly:
	constant + (uint64_t)dircount * constant + constant.

2026-04-05  Roger Leigh  <rleigh@codelibre.net>

	Use dircount64 directly to avoid unnecessary narrowing and widening.
	Where dircount64 (uint64_t) is already validated and in scope, use it
	directly in multiplication instead of narrowing to uint16_t and casting
	back. Remove the now-unused dircount/dircount16 variables from the
	affected blocks.

	Add TIFF_FLOAT_EQ/TIFF_DOUBLE_EQ macros and use throughout.
	Define TIFF_FLOAT_EQ and TIFF_DOUBLE_EQ macros in tiffiop.h to
	centralise the fabs/fabsf-based float equality pattern used to
	suppress -Wfloat-equal warnings. Replace all inline occurrences
	across library, tools, and test files with the new macros.

	Use lowercase float literal suffixes.
	Replace all uppercase F float literal suffixes with the more conventional
	lowercase f across all source files for consistency.

2026-04-05  Roger Leigh  <rleigh@codelibre.net>

	Remove redundant (size_t) casts in tmsize_t allocation expressions.
	When the count operand is already unsigned (uint16_t, uint32_t,
	uint64_t), the intermediate (size_t) cast in expressions like
	(tmsize_t)((size_t)count * sizeof(T)) is redundant — the
	multiplication with sizeof (which returns size_t) already promotes
	the unsigned count via the usual arithmetic conversions.

	Simplify to (tmsize_t)(count * sizeof(T)) for all 40 occurrences
	where the count is unsigned. Retain the (size_t) cast for the 18
	occurrences where the count is signed (int, tmsize_t, int32_t).

2026-04-05  Roger Leigh  <rleigh@codelibre.net>

	Simplify typecasts using unsigned constant suffixes and better types.
	Use U-suffixed constants (1U, 255U, 12U, 20U) instead of explicit
	(uint32_t) casts on expressions. Change CMYK local variables from
	uint16_t/uint32_t to unsigned int to match the natural arithmetic
	type. Remove redundant intermediate casts: inner (int16_t) before
	shift in tif_luv.c, unnecessary (size_t) wrapping in tif_dirread.c,
	and redundant (double) on already-double variables in tiff2ps.c.

	tif_color: Use 1.0F instead of 1 in Code2V ternary and remove redundant cast
	Use a float literal for the fallback value so both branches of the
	ternary have the same type, and drop the now-unnecessary outer (float)
	cast.

	test: Fix -Wconversion warnings in test_transferfunction_write_read.c.
	Add explicit (size_t) and (tmsize_t) casts in buffer size calculations
	to prevent implicit integer conversion warnings when computing
	allocation sizes and memcmp lengths.

	test: Fix -Wdouble-promotion and operator precedence warnings in test_write_read_tags.c
	Add (double) casts on float arguments to printf and in float-to-double
	arithmetic. Fix operator precedence in (short)(i + 1) * 7 which casts
	before multiplying — should be (short)((i + 1) * 7).

	test: Fix -Wdouble-promotion warnings in rational_precision2double.c.
	Add explicit (double) casts on float arguments passed to variadic
	functions (printf, TIFFSetField) and in arithmetic expressions where
	float is implicitly promoted to double.

	test: Use check_tag.h include in tifftest.h instead of inline declarations
	Replace the inline function declarations with an include of check_tag.h
	which provides the canonical declarations for CheckShortField,
	CheckShortPairedField, and CheckLongField.

	test: Use tifftest.h include instead of extern declaration in long_tag.c
	Replace the bare extern declaration of CheckLongField with an include
	of tifftest.h, which provides all check function declarations via
