Blame SOURCES/libtiff-CVE-2014-8129.patch

460672
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
460672
index 8bf3ea7..f812fa2 100644
460672
--- a/libtiff/tif_dir.c
460672
+++ b/libtiff/tif_dir.c
460672
@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
460672
 	TIFFDirectory* td = &tif->tif_dir;
460672
 	int status = 1;
460672
 	uint32 v32, i, v;
460672
+    double dblval;
460672
 	char* s;
460672
 	const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
460672
 	uint32 standard_tag = tag;
460672
@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
460672
 			setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
460672
 		break;
460672
 	case TIFFTAG_XRESOLUTION:
460672
-		td->td_xresolution = (float) va_arg(ap, double);
460672
+        dblval = va_arg(ap, double);
460672
+        if( dblval < 0 )
460672
+            goto badvaluedouble;
460672
+		td->td_xresolution = (float) dblval;
460672
 		break;
460672
 	case TIFFTAG_YRESOLUTION:
460672
-		td->td_yresolution = (float) va_arg(ap, double);
460672
+        dblval = va_arg(ap, double);
460672
+        if( dblval < 0 )
460672
+            goto badvaluedouble;
460672
+		td->td_yresolution = (float) dblval;
460672
 		break;
460672
 	case TIFFTAG_PLANARCONFIG:
460672
 		v = (uint16) va_arg(ap, uint16_vap);
460672
@@ -693,6 +700,16 @@ badvalue32:
460672
 		va_end(ap);
460672
         }
460672
 	return (0);
460672
+badvaluedouble:
460672
+        {
460672
+		const TIFFField* fip=TIFFFieldWithTag(tif,tag);
460672
+        TIFFErrorExt(tif->tif_clientdata, module,
460672
+             "%s: Bad value %f for \"%s\" tag",
460672
+             tif->tif_name, dblval,
460672
+		     fip->field_name);
460672
+        va_end(ap);
460672
+        }
460672
+    return (0);
460672
 }
460672
 
460672
 /*
460672
diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
460672
index 524e127..81084ff 100644
460672
--- a/libtiff/tif_next.c
460672
+++ b/libtiff/tif_next.c
460672
@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
460672
 		default: {
460672
 			uint32 npixels = 0, grey;
460672
 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
460672
+            if( isTiled(tif) )
460672
+                imagewidth = tif->tif_dir.td_tilewidth;
460672
 
460672
 			/*
460672
 			 * The scanline is composed of a sequence of constant
460672
@@ -139,10 +141,28 @@ bad:
460672
 	return (0);
460672
 }
460672
 
460672
+static int
460672
+NeXTPreDecode(TIFF* tif, uint16 s)
460672
+{
460672
+	static const char module[] = "NeXTPreDecode";
460672
+	TIFFDirectory *td = &tif->tif_dir;
460672
+	(void)s;
460672
+
460672
+	if( td->td_bitspersample != 2 )
460672
+	{
460672
+		TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
460672
+					 td->td_bitspersample);
460672
+		return (0);
460672
+	}
460672
+	return (1);
460672
+}
460672
+
460672
+
460672
 int
460672
 TIFFInitNeXT(TIFF* tif, int scheme)
460672
 {
460672
 	(void) scheme;
460672
+	tif->tif_predecode = NeXTPreDecode;
460672
 	tif->tif_decoderow = NeXTDecode;  
460672
 	tif->tif_decodestrip = NeXTDecode;  
460672
 	tif->tif_decodetile = NeXTDecode;
460672
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
460672
index 26a1acb..2a64ec3 100644
460672
--- a/tools/tiff2pdf.c
460672
+++ b/tools/tiff2pdf.c
460672
@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
460672
 		if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
460672
 			&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
460672
 				TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
460672
+                if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
460672
+                {
460672
+                    TIFFError(
460672
+                        TIFF2PDF_MODULE, 
460672
+                        "Invalid tile count, %s", 
460672
+                        TIFFFileName(input));
460672
+                    t2p->t2p_error = T2P_ERR_ERROR;
460672
+                    return;
460672
+                }
460672
 				t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
460672
 		}
460672
 		if( t2p->tiff_tiles[i].tiles_tilecount > 0){
460672
@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
460672
 #endif
460672
 			break;
460672
 		case PHOTOMETRIC_CIELAB:
460672
+            if( t2p->tiff_samplesperpixel != 3){
460672
+                TIFFError(
460672
+                    TIFF2PDF_MODULE, 
460672
+                    "Unsupported samplesperpixel = %d for CIELAB", 
460672
+                    t2p->tiff_samplesperpixel);
460672
+                t2p->t2p_error = T2P_ERR_ERROR;
460672
+                return;
460672
+            }
460672
+            if( t2p->tiff_bitspersample != 8){
460672
+                TIFFError(
460672
+                    TIFF2PDF_MODULE, 
460672
+                    "Invalid bitspersample = %d for CIELAB", 
460672
+                    t2p->tiff_bitspersample);
460672
+                t2p->t2p_error = T2P_ERR_ERROR;
460672
+                return;
460672
+            }
460672
 			t2p->pdf_labrange[0]= -127;
460672
 			t2p->pdf_labrange[1]= 127;
460672
 			t2p->pdf_labrange[2]= -127;
460672
@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
460672
 			t2p->pdf_colorspace=T2P_CS_LAB;
460672
 			break;
460672
 		case PHOTOMETRIC_ITULAB:
460672
+            if( t2p->tiff_samplesperpixel != 3){
460672
+                TIFFError(
460672
+                    TIFF2PDF_MODULE, 
460672
+                    "Unsupported samplesperpixel = %d for ITULAB", 
460672
+                    t2p->tiff_samplesperpixel);
460672
+                t2p->t2p_error = T2P_ERR_ERROR;
460672
+                return;
460672
+            }
460672
+            if( t2p->tiff_bitspersample != 8){
460672
+                TIFFError(
460672
+                    TIFF2PDF_MODULE, 
460672
+                    "Invalid bitspersample = %d for ITULAB", 
460672
+                    t2p->tiff_bitspersample);
460672
+                t2p->t2p_error = T2P_ERR_ERROR;
460672
+                return;
460672
+            }
460672
 			t2p->pdf_labrange[0]=-85;
460672
 			t2p->pdf_labrange[1]=85;
460672
 			t2p->pdf_labrange[2]=-75;
460672
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
460672
index abeb4f6..ea4f7a1 100644
460672
--- a/tools/tiffcrop.c
460672
+++ b/tools/tiffcrop.c
460672
@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
460672
   tsize_t tilesize = TIFFTileSize(out);
460672
   unsigned char *tilebuf = NULL;
460672
 
460672
-  TIFFGetField(out, TIFFTAG_TILELENGTH, &tl;;
460672
-  TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
460672
-  TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps;;
460672
+  if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
460672
+      !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
460672
+      !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
460672
+      return 1;
460672
 
460672
   tile_buffsize = tilesize;
460672
   if (tilesize < (tsize_t)(tl * tile_rowsize))