diff --git a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
new file mode 100644
index 0000000..5486431
--- /dev/null
+++ b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
@@ -0,0 +1,43 @@
+From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 5 May 2022 14:38:04 +0200
+Subject: [PATCH] Back off the minimum required automake version to 1.11.
+
+There isn't anything in libtiff currently that actually requires 1.12,
+and changing this allows the package to be built on pre-F18 machines for
+easier testing. This patch can go away once we no longer care about
+testing on pre-F18.
+---
+ Makefile.am | 2 +-
+ test/Makefile.am | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 418a3b93..fa8bf4c0 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -25,7 +25,7 @@
+
+ docdir = $(LIBTIFF_DOCDIR)
+
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+
+ docfiles = \
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 2052487c..227f228f 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -23,7 +23,7 @@
+
+ # Process this file with automake to produce Makefile.in.
+
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+
+--
+2.34.1
+
diff --git a/SOURCES/0002-Fix-Makefile.patch b/SOURCES/0002-Fix-Makefile.patch
new file mode 100644
index 0000000..f252fff
--- /dev/null
+++ b/SOURCES/0002-Fix-Makefile.patch
@@ -0,0 +1,24 @@
+From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 5 May 2022 14:42:52 +0200
+Subject: [PATCH] Fix Makefile
+
+---
+ html/man/Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/html/man/Makefile.am b/html/man/Makefile.am
+index 3ed00d44..8a64925a 100644
+--- a/html/man/Makefile.am
++++ b/html/man/Makefile.am
+@@ -90,7 +90,6 @@ docfiles = \
+ tiffcrop.1.html \
+ tiffdither.1.html \
+ tiffdump.1.html \
+- tiffgt.1.html \
+ tiffinfo.1.html \
+ tiffmedian.1.html \
+ tiffset.1.html \
+--
+2.34.1
+
diff --git a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
new file mode 100644
index 0000000..933f6ea
--- /dev/null
+++ b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
@@ -0,0 +1,130 @@
+From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
+From: Nathan Baker <nathanb@lenovo-chrome.com>
+Date: Tue, 6 Feb 2018 10:13:57 -0500
+Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
+
+It is possible to craft a TIFF document where the IFD list is circular,
+leading to an infinite loop while traversing the chain. The libtiff
+directory reader has a failsafe that will break out of this loop after
+reading 65535 directory entries, but it will continue processing,
+consuming time and resources to process what is essentially a bogus TIFF
+document.
+
+This change fixes the above behavior by breaking out of processing when
+a TIFF document has >= 65535 directories and terminating with an error.
+
+(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
+---
+ contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
+ tools/tiff2pdf.c | 10 ++++++++++
+ tools/tiffcrop.c | 13 +++++++++++--
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
+index c61ffbb8..03b35733 100644
+--- a/contrib/addtiffo/tif_overview.c
++++ b/contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ # define MAX(a,b) ((a>b) ? a : b)
+ #endif
+
++#define TIFF_DIR_MAX 65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+ int (*)(double,void*), void * );
+
+@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+ {
+ toff_t nBaseDirOffset;
+ toff_t nOffset;
++ tdir_t iNumDir;
+
+ (void) bUseSubIFDs;
+
+@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+ return 0;
+
+ TIFFWriteDirectory( hTIFF );
+- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++ iNumDir = TIFFNumberOfDirectories(hTIFF);
++ if( iNumDir > TIFF_DIR_MAX )
++ {
++ TIFFErrorExt( TIFFClientdata(hTIFF),
++ "TIFF_WriteOverview",
++ "File `%s' has too many directories.\n",
++ TIFFFileName(hTIFF) );
++ exit(-1);
++ }
++ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+
+ nOffset = TIFFCurrentDirOffset( hTIFF );
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 454befbd..bdb91262 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+
+ #define PS_UNIT_SIZE 72.0F
+
++#define TIFF_DIR_MAX 65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+ T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
+@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ uint16 xuint16=0;
+
+ directorycount=TIFFNumberOfDirectories(input);
++ if(directorycount > TIFF_DIR_MAX) {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "TIFF contains too many directories, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ if(t2p->tiff_pages==NULL){
+ TIFFError(
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c69177e0..c60cb389 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define DUMP_TEXT 1
+ #define DUMP_RAW 2
+
++#define TIFF_DIR_MAX 65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+ uint32 tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+ pageNum = -1;
+ else
+ total_images = 0;
+- /* read multiple input files and write to output file(s) */
++ /* Read multiple input files and write to output file(s) */
+ while (optind < argc - 1)
+ {
+ in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+ return (-3);
+
+ /* If only one input file is specified, we can use directory count */
+- total_images = TIFFNumberOfDirectories(in);
++ total_images = TIFFNumberOfDirectories(in);
++ if (total_images > TIFF_DIR_MAX)
++ {
++ TIFFError (TIFFFileName(in), "File contains too many directories");
++ if (out != NULL)
++ (void) TIFFClose(out);
++ return (1);
++ }
+ if (image_count == 0)
+ {
+ dirnum = 0;
+--
+2.34.1
+
diff --git a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
new file mode 100644
index 0000000..0a3af0a
--- /dev/null
+++ b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
@@ -0,0 +1,173 @@
+From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sun, 8 Apr 2018 14:07:08 -0400
+Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
+ TIFFPrintDirectory
+
+The TIFFPrintDirectory function relies on the following assumptions,
+supposed to be guaranteed by the specification:
+
+(a) A Transfer Function field is only present if the TIFF file has
+ photometric type < 3.
+
+(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
+ has count SamplesPerPixel - (Color Channels) and contains
+ information about supplementary channels.
+
+While respect of (a) and (b) are essential for the well functioning of
+TIFFPrintDirectory, no checks are realized neither by the callee nor
+by TIFFPrintDirectory itself. Hence, following scenarios might happen
+and trigger the NULL pointer dereference:
+
+(1) TIFF File of photometric type 4 or more has illegal Transfer
+ Function field.
+
+(2) TIFF File has photometric type 3 or less and defines a
+ SamplesPerPixel field such that SamplesPerPixel > Color Channels
+ without defining all extra samples in the ExtraSamples fields.
+
+In this patch, we address both issues with respect of the following
+principles:
+
+(A) In the case of (1), the defined transfer table should be printed
+ safely even if it isn't 'legal'. This allows us to avoid expensive
+ checks in TIFFPrintDirectory. Also, it is quite possible that
+ an alternative photometric type would be developed (not part of the
+ standard) and would allow definition of Transfer Table. We want
+ libtiff to be able to handle this scenario out of the box.
+
+(B) In the case of (2), the transfer table should be printed at its
+ right size, that is if TIFF file has photometric type Palette
+ then the transfer table should have one row and not three, even
+ if two extra samples are declared.
+
+In order to fulfill (A) we simply add a new 'i < 3' end condition to
+the broken TIFFPrintDirectory loop. This makes sure that in any case
+where (b) would be respected but not (a), everything stays fine.
+
+(B) is fulfilled by the loop condition
+'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
+long as (b) is respected.
+
+Naturally, we also make sure (b) is respected. This is done in the
+TIFFReadDirectory function by making sure any non-color channel is
+counted in ExtraSamples.
+
+This commit addresses CVE-2018-7456.
+
+(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
+---
+ libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_print.c | 2 +-
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 5e62e813..80aaf8d1 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+
+@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ }
+ }
+
++/*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++ switch (photometric) {
++ case PHOTOMETRIC_PALETTE:
++ case PHOTOMETRIC_MINISWHITE:
++ case PHOTOMETRIC_MINISBLACK:
++ return 1;
++ case PHOTOMETRIC_YCBCR:
++ case PHOTOMETRIC_RGB:
++ case PHOTOMETRIC_CIELAB:
++ return 3;
++ case PHOTOMETRIC_SEPARATED:
++ case PHOTOMETRIC_MASK:
++ return 4;
++ case PHOTOMETRIC_LOGL:
++ case PHOTOMETRIC_LOGLUV:
++ case PHOTOMETRIC_CFA:
++ case PHOTOMETRIC_ITULAB:
++ case PHOTOMETRIC_ICCLAB:
++ default:
++ return 0;
++ }
++}
++
+ /*
+ * Read the next TIFF directory from a file and convert it to the internal
+ * format. We read directories sequentially.
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
+ int bitspersample_read = FALSE;
++ int color_channels;
+
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+ }
++
++ /*
++ * Make sure all non-color channels are extrasamples.
++ * If it's not the case, define them as such.
++ */
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++ uint16 old_extrasamples;
++ uint16 *new_sampleinfo;
++
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++ "Defining non-color channels as ExtraSamples.");
++
++ old_extrasamples = tif->tif_dir.td_extrasamples;
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++ // sampleinfo should contain information relative to these new extra samples
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++ if (!new_sampleinfo) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++ "temporary new sampleinfo array (%d 16 bit elements)",
++ tif->tif_dir.td_extrasamples);
++ goto bad;
++ }
++
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++ _TIFFfree(new_sampleinfo);
++ }
++
+ /*
+ * Verify Palette image has a Colormap.
+ */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 24d4b98a..10a588ea 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ uint16 i;
+ fprintf(fd, " %2ld: %5u",
+ l, td->td_transferfunction[0][l]);
+- for (i = 1; i < td->td_samplesperpixel; i++)
++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+ fprintf(fd, " %5u",
+ td->td_transferfunction[i][l]);
+ fputc('\n', fd);
+--
+2.34.1
+
diff --git a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
new file mode 100644
index 0000000..c76ee4a
--- /dev/null
+++ b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
@@ -0,0 +1,155 @@
+From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page. Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+
+(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
+---
+ libtiff/tif_dir.c | 3 +++
+ tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index f00f8080..c36a5f3f 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ *va_arg(ap, uint16**) = td->td_transferfunction[1];
+ *va_arg(ap, uint16**) = td->td_transferfunction[2];
++ } else {
++ *va_arg(ap, uint16**) = NULL;
++ *va_arg(ap, uint16**) = NULL;
+ }
+ break;
+ case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index bdb91262..ef5d6a01 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ uint16 pagen=0;
+ uint16 paged=0;
+ uint16 xuint16=0;
++ uint16 tiff_transferfunctioncount=0;
++ float* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ if(directorycount > TIFF_DIR_MAX) {
+@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ }
+ #endif
+ if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+- &(t2p->tiff_transferfunction[0]),
+- &(t2p->tiff_transferfunction[1]),
+- &(t2p->tiff_transferfunction[2]))) {
+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
+- t2p->tiff_transferfunctioncount = 3;
+- t2p->tiff_pages[i].page_extra += 4;
+- t2p->pdf_xrefcount += 4;
+- } else {
+- t2p->tiff_transferfunctioncount = 1;
+- t2p->tiff_pages[i].page_extra += 2;
+- t2p->pdf_xrefcount += 2;
+- }
+- if(t2p->pdf_minorversion < 2)
+- t2p->pdf_minorversion = 2;
++ &(tiff_transferfunction[0]),
++ &(tiff_transferfunction[1]),
++ &(tiff_transferfunction[2]))) {
++
++ if((tiff_transferfunction[1] != (float*) NULL) &&
++ (tiff_transferfunction[2] != (float*) NULL)
++ ) {
++ tiff_transferfunctioncount=3;
++ } else {
++ tiff_transferfunctioncount=1;
++ }
+ } else {
+- t2p->tiff_transferfunctioncount=0;
++ tiff_transferfunctioncount=0;
+ }
++
++ if (i > 0){
++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Different transfer function on page %d",
++ i);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ }
++
++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++ if(tiff_transferfunctioncount == 3){
++ t2p->tiff_pages[i].page_extra += 4;
++ t2p->pdf_xrefcount += 4;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ } else if (tiff_transferfunctioncount == 1){
++ t2p->tiff_pages[i].page_extra += 2;
++ t2p->pdf_xrefcount += 2;
++ if(t2p->pdf_minorversion < 2)
++ t2p->pdf_minorversion = 2;
++ }
++
+ if( TIFFGetField(
+ input,
+ TIFFTAG_ICCPROFILE,
+@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+ if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[1] !=
+- t2p->tiff_transferfunction[0])) {
++ (t2p->tiff_transferfunction[2] != (float*) NULL)
++ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
+ t2p->tiff_transferfunctioncount=1;
+--
+2.34.1
+
diff --git a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
new file mode 100644
index 0000000..80522ba
--- /dev/null
+++ b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
@@ -0,0 +1,61 @@
+From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:49:20 +1100
+Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
+ transfer table
+
+The standard says the transfer table contains unsigned 16 bit values,
+I have no idea why we refer to them as floats.
+
+(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
+---
+ tools/tiff2pdf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index ef5d6a01..bd23c9e5 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -239,7 +239,7 @@ typedef struct {
+ float tiff_whitechromaticities[2];
+ float tiff_primarychromaticities[6];
+ float tiff_referenceblackwhite[2];
+- float* tiff_transferfunction[3];
++ uint16* tiff_transferfunction[3];
+ int pdf_image_interpolate; /* 0 (default) : do not interpolate,
+ 1 : interpolate */
+ uint16 tiff_transferfunctioncount;
+@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ uint16 paged=0;
+ uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+- float* tiff_transferfunction[3];
++ uint16* tiff_transferfunction[3];
+
+ directorycount=TIFFNumberOfDirectories(input);
+ if(directorycount > TIFF_DIR_MAX) {
+@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+- if((tiff_transferfunction[1] != (float*) NULL) &&
+- (tiff_transferfunction[2] != (float*) NULL)
++ if((tiff_transferfunction[1] != (uint16*) NULL) &&
++ (tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ &(t2p->tiff_transferfunction[0]),
+ &(t2p->tiff_transferfunction[1]),
+ &(t2p->tiff_transferfunction[2]))) {
+- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+- (t2p->tiff_transferfunction[2] != (float*) NULL)
++ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
++ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+ ) {
+ t2p->tiff_transferfunctioncount=3;
+ } else {
+--
+2.34.1
+
diff --git a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
new file mode 100644
index 0000000..8c23d07
--- /dev/null
+++ b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
@@ -0,0 +1,37 @@
+From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
+ fix null pointer dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 10a588ea..b9b53a0f 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
+ (unsigned long) s,
+- (unsigned __int64) td->td_stripoffset[s],
+- (unsigned __int64) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ fprintf(fd, " %3lu: [%8llu, %8llu]\n",
+ (unsigned long) s,
+- (unsigned long long) td->td_stripoffset[s],
+- (unsigned long long) td->td_stripbytecount[s]);
++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ }
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
new file mode 100644
index 0000000..db6c0e5
--- /dev/null
+++ b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
@@ -0,0 +1,55 @@
+From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
+ index-out-of-bounds write. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+
+(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
+---
+ libtiff/tif_lzw.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index bc8f9c84..186ea3ca 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ char *tp;
+ unsigned char *bp;
+ int code, nbits;
++ int len;
+ long nextbits, nextdata, nbitsmask;
+ code_t *codep, *free_entp, *maxcodep, *oldcodep;
+
+@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ } while (--occ);
+ break;
+ }
+- assert(occ >= codep->length);
+- op += codep->length;
+- occ -= codep->length;
+- tp = op;
++ len = codep->length;
++ tp = op + len;
+ do {
+- *--tp = codep->value;
+- } while( (codep = codep->next) != NULL );
++ int t;
++ --tp;
++ t = codep->value;
++ codep = codep->next;
++ *tp = (char)t;
++ } while (codep && tp > op);
++ assert(occ >= len);
++ op += len;
++ occ -= len;
+ } else {
+ *op++ = (char)code;
+ occ--;
+--
+2.34.1
+
diff --git a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
new file mode 100644
index 0000000..58c6ff2
--- /dev/null
+++ b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
@@ -0,0 +1,32 @@
+From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
+
+(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
+---
+ libtiff/tif_dirwrite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c68d6d21..5d0a6699 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ }
+ break;
+ default:
+- assert(0); /* we should never get here */
+- break;
++ TIFFErrorExt(tif->tif_clientdata,module,
++ "Cannot write tag %d (%s)",
++ TIFFFieldTag(o),
++ o->field_name ? o->field_name : "unknown");
++ goto bad;
+ }
+ }
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
new file mode 100644
index 0000000..22fb539
--- /dev/null
+++ b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
@@ -0,0 +1,41 @@
+From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
+ multiply_ms()
+
+(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 91415e96..81ffa3db 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -72,15 +72,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
+--
+2.34.1
+
diff --git a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
new file mode 100644
index 0000000..5cbdde0
--- /dev/null
+++ b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
@@ -0,0 +1,110 @@
+From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 14 Oct 2018 16:38:29 +0200
+Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
+ JBIGDecode()
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+
+(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
+---
+ libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
+ libtiff/tif_read.c | 6 ++++++
+ 2 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 7a14dd9a..8136c77b 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ struct jbg_dec_state decoder;
+ int decodeStatus = 0;
+ unsigned char* pImage = NULL;
+- (void) size, (void) s;
++ unsigned long decodedSize;
++ (void) s;
+
+ if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+ {
+- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+ }
+
+ jbg_dec_init(&decoder);
+
+ #if defined(HAVE_JBG_NEWLEN)
+- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+ /*
+ * I do not check the return status of jbg_newlen because even if this
+ * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ */
+ #endif /* HAVE_JBG_NEWLEN */
+
+- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+- (size_t)tif->tif_rawdatasize, NULL);
++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++ (size_t)tif->tif_rawcc, NULL);
+ if (JBG_EOK != decodeStatus)
+ {
+ /*
+@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ return 0;
+ }
+
++ decodedSize = jbg_dec_getsize(&decoder);
++ if( (tmsize_t)decodedSize < size )
++ {
++ TIFFWarningExt(tif->tif_clientdata, "JBIG",
++ "Only decoded %lu bytes, whereas %lu requested",
++ decodedSize, (unsigned long)size);
++ }
++ else if( (tmsize_t)decodedSize > size )
++ {
++ TIFFErrorExt(tif->tif_clientdata, "JBIG",
++ "Decoded %lu bytes, whereas %lu were requested",
++ decodedSize, (unsigned long)size);
++ jbg_dec_free(&decoder);
++ return 0;
++ }
+ pImage = jbg_dec_getimage(&decoder, 0);
+- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++ _TIFFmemcpy(buffer, pImage, decodedSize);
+ jbg_dec_free(&decoder);
++
++ tif->tif_rawcp += tif->tif_rawcc;
++ tif->tif_rawcc = 0;
++
+ return 1;
+ }
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba985a7..04100f4d 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
+ return 0;
+ whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
+ || isMapped(tif);
++ if( td->td_compression == COMPRESSION_JBIG )
++ {
++ /* Ideally plugins should have a way to declare they don't support
++ * chunk strip */
++ whole_strip = 1;
++ }
+ #else
+ whole_strip = 1;
+ #endif
+--
+2.34.1
+
diff --git a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
new file mode 100644
index 0000000..18b6f0e
--- /dev/null
+++ b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
@@ -0,0 +1,122 @@
+From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 30 Oct 2018 18:50:27 +0100
+Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
+ case of out of memory situation. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
+
+(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
+---
+ libtiff/tiffiop.h | 1 +
+ tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
+ tools/tiffcrop.c | 5 -----
+ 3 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index daa291c0..08e5dc44 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #endif
+
+ #define streq(a,b) (strcmp(a,b) == 0)
++#define strneq(a,b,n) (strncmp(a,b,n) == 0)
+
+ #ifndef TRUE
+ #define TRUE 1
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index dad54afa..1f3bb2cd 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -40,9 +40,7 @@
+ #endif
+
+ #include "tiffio.h"
+-
+-#define streq(a,b) (strcmp((a),(b)) == 0)
+-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
++#include "tiffiop.h"
+
+ /* x% weighting -> fraction of full color */
+ #define PCT(x) (((x)*256+50)/100)
+@@ -223,6 +221,11 @@ main(int argc, char* argv[])
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ if( !outbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+
+@@ -246,6 +249,11 @@ main(int argc, char* argv[])
+ #undef CVT
+ }
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -256,6 +264,11 @@ main(int argc, char* argv[])
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -265,8 +278,16 @@ main(int argc, char* argv[])
+ }
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
++ {
++ tmsize_t inbufsize;
+ rowsize = TIFFScanlineSize(in);
+- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ for (s = 0; s < 3; s++)
+ if (TIFFReadScanline(in,
+@@ -278,6 +299,7 @@ main(int argc, char* argv[])
+ break;
+ }
+ break;
++ }
+ }
+ #undef pack
+ if (inbuf)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c60cb389..3862b1ca 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+
+ #define TIFF_UINT32_MAX 0xFFFFFFFFU
+
+-#ifndef streq
+-#define streq(a,b) (strcmp((a),(b)) == 0)
+-#endif
+-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
+-
+ #define TRUE 1
+ #define FALSE 0
+
+--
+2.34.1
+
diff --git a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
new file mode 100644
index 0000000..0eff22e
--- /dev/null
+++ b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
@@ -0,0 +1,43 @@
+From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Wed, 31 Oct 2018 11:50:48 +0100
+Subject: [PATCH] (bz1602597) Fix two resource leaks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Nikola Forró <nforro@redhat.com>
+(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
+---
+ tools/ppm2tiff.c | 2 ++
+ tools/tiff2pdf.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 81ffa3db..a02e865a 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -285,6 +285,8 @@ main(int argc, char* argv[])
+ if (TIFFWriteScanline(out, buf, row, 0) < 0)
+ break;
+ }
++ if (in != stdin)
++ fclose(in);
+ (void) TIFFClose(out);
+ if (buf)
+ _TIFFfree(buf);
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index bd23c9e5..ff7b9c22 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
+ "for t2p_readwrite_pdf_image_tile, %s",
+ (unsigned long) t2p->tiff_datasize,
+ TIFFFileName(input));
++ _TIFFfree(buffer);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return(0);
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
new file mode 100644
index 0000000..3a25723
--- /dev/null
+++ b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
@@ -0,0 +1,50 @@
+From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
+ no overflow
+
+fixes bug 2833
+
+(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
+---
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 489459a7..96f14728 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -43,6 +43,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include <ctype.h>
+
+@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ int status = 1;
+ uint32 imagew = TIFFRasterScanlineSize(in);
+ uint32 tilew = TIFFTileRowSize(in);
+- int iskew = imagew - tilew*spp;
++ int iskew;
+ tsize_t tilesize = TIFFTileSize(in);
+ tdata_t tilebuf;
+ uint8* bufp = (uint8*) buf;
+@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ uint32 row;
+ uint16 bps = 0, bytes_per_sample;
+
++ if (tilew && spp > (INT_MAX / tilew))
++ {
++ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++ return 0;
++ }
++ iskew = imagew - tilew*spp;
+ tilebuf = _TIFFmalloc(tilesize);
+ if (tilebuf == 0)
+ return 0;
+--
+2.34.1
+
diff --git a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
new file mode 100644
index 0000000..713178a
--- /dev/null
+++ b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
@@ -0,0 +1,426 @@
+From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 10 Aug 2019 18:25:03 +0200
+Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
+ and other implementation-defined behaviour (CVE-2019-14973)
+
+_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
+in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
+signed), which was especially easily triggered on 32-bit builds (with recent
+enough compilers that assume that signed multiplication cannot overflow, since
+this is undefined behaviour by the C standard). The original issue which lead to
+this fix was trigged from tif_fax3.c
+
+There were also unsafe (implementation defied), and broken in practice on 64bit
+builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
+(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
+at that time exploits, but are better to fix in a more bullet-proof way.
+Or similarly use of (int64)uint64_var <= 0.
+
+(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
+---
+ libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
+ libtiff/tif_getimage.c | 6 ++----
+ libtiff/tif_luv.c | 8 +------
+ libtiff/tif_pixarlog.c | 7 +-----
+ libtiff/tif_read.c | 38 +++++++++-----------------------
+ libtiff/tif_strip.c | 35 ++++--------------------------
+ libtiff/tif_tile.c | 27 +++--------------------
+ libtiff/tiffiop.h | 7 +++++-
+ 8 files changed, 71 insertions(+), 106 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 10b8d00c..38a98b67 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
+ return bytes;
+ }
+
++tmsize_t
++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
++{
++ if( first <= 0 || second <= 0 )
++ {
++ if( tif != NULL && where != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata, where,
++ "Invalid argument to _TIFFMultiplySSize() in %s", where);
++ }
++ return 0;
++ }
++
++ if( first > TIFF_TMSIZE_T_MAX / second )
++ {
++ if( tif != NULL && where != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata, where,
++ "Integer overflow in %s", where);
++ }
++ return 0;
++ }
++ return first * second;
++}
++
++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
++{
++ if( val > (uint64)TIFF_TMSIZE_T_MAX )
++ {
++ if( tif != NULL && module != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++ }
++ return 0;
++ }
++ return (tmsize_t)val;
++}
++
+ void*
+ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ tmsize_t nmemb, tmsize_t elem_size, const char* what)
+ {
+ void* cp = NULL;
+- tmsize_t bytes = nmemb * elem_size;
+-
++ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
+ /*
+- * XXX: Check for integer overflow.
++ * Check for integer overflow.
+ */
+- if (nmemb && elem_size && bytes / elem_size == nmemb)
+- cp = _TIFFrealloc(buffer, bytes);
++ if (count != 0)
++ {
++ cp = _TIFFrealloc(buffer, count);
++ }
+
+ if (cp == NULL) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index fc554cca..ec09feaf 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint32 leftmost_tw;
+
+ tilesize = TIFFTileSize(tif);
+- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
+ if (bufsize == 0) {
+- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+ return (0);
+ }
+
+@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint16 colorchannels;
+
+ stripsize = TIFFStripSize(tif);
+- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
+ if (bufsize == 0) {
+- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+ return (0);
+ }
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 4b25244b..c4cb73a3 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
+ return (SGILOGDATAFMT_UNKNOWN);
+ }
+
+-
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+- return 0;
+- return m1 * m2;
++ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+
+ static int
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 979858da..8e9eaa1d 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
+ return guess;
+ }
+
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+- return 0;
+- return m1 * m2;
++ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+
+ static tmsize_t
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 04100f4d..9a0e6e95 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -31,9 +31,6 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ #define THRESHOLD_MULTIPLIER 10
+ #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+
++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
++
+ /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
+ * Returns 1 in case of success, 0 otherwise. */
+ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
+@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ return ((tmsize_t)(-1));
+ }
+ bytecount = td->td_stripbytecount[strip];
+- if ((int64)bytecount <= 0) {
+-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%I64u: Invalid strip byte count, strip %lu",
+- (unsigned __int64) bytecount,
+- (unsigned long) strip);
+-#else
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%llu: Invalid strip byte count, strip %lu",
+- (unsigned long long) bytecount,
+- (unsigned long) strip);
+-#endif
+- return ((tmsize_t)(-1));
+- }
+- bytecountm = (tmsize_t)bytecount;
+- if ((uint64)bytecountm!=bytecount) {
+- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
++ if (bytecountm == 0) {
+ return ((tmsize_t)(-1));
+ }
+ if (size != (tmsize_t)(-1) && size < bytecountm)
+@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[strip];
+- if ((int64)bytecount <= 0) {
++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid strip byte count %I64u, strip %lu",
+@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+- if( (int64)newbytecount >= 0 )
++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
+ bytecount64 = td->td_stripbytecount[tile];
+ if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
+ bytecount64 = (uint64)size;
+- bytecountm = (tmsize_t)bytecount64;
+- if ((uint64)bytecountm!=bytecount64)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
++ if( bytecountm == 0 ) {
+ return ((tmsize_t)(-1));
+ }
+ return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
+@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[tile];
+- if ((int64)bytecount <= 0) {
++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid tile byte count, tile %lu",
+@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+- if( (int64)newbytecount >= 0 )
++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 6e9f2ef6..321ad6b9 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ static const char module[] = "TIFFVStripSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFVStripSize64(tif,nrows);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFStripSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFStripSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFScanlineSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFScanlineSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m) {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFRasterScanlineSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFRasterScanlineSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
+index 388e168a..7d057509 100644
+--- a/libtiff/tif_tile.c
++++ b/libtiff/tif_tile.c
+@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFTileRowSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFTileRowSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ static const char module[] = "TIFFVTileSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFVTileSize64(tif,nrows);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFTileSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFTileSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 08e5dc44..d4b86314 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #define FALSE 0
+ #endif
+
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ typedef struct client_info {
+ struct client_info *next;
+ void *data;
+@@ -260,7 +263,7 @@ struct tiff {
+ #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
+ #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+
+-/* Safe multiply which returns zero if there is an integer overflow */
++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
+ #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
+
+ extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
+ extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
+ extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
+ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
+
+--
+2.34.1
+
diff --git a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
new file mode 100644
index 0000000..4520181
--- /dev/null
+++ b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
@@ -0,0 +1,105 @@
+From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 15 Aug 2019 15:05:28 +0200
+Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
+ potentially causing write heap buffer overflow, especially on 32 bit builds.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
+ OSS Fuzz
+
+(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
+---
+ libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index ec09feaf..c6edd27c 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+ nrowsub = nrow;
+ if ((nrowsub%subsamplingver)!=0)
+ nrowsub+=subsamplingver-nrowsub%subsamplingver;
++ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
++ return 0;
++ }
+ if (_TIFFReadEncodedStripAndAllocBuffer(tif,
+ TIFFComputeStrip(tif,row+img->row_offset, 0),
+ (void**)(&buf),
+ maxstripsize,
+- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+ offset_row = row + img->row_offset;
++ temp = (row + img->row_offset)%rowsperstrip + nrow;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
++ return 0;
++ }
+ if( buf == NULL )
+ {
+ if (_TIFFReadEncodedStripAndAllocBuffer(
+ tif, TIFFComputeStrip(tif, offset_row, 0),
+ (void**) &buf, bufsize,
+- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ }
+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ p0, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
+- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p1, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
+- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p2, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ if (alpha)
+ {
+ if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
+- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ pa, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+--
+2.34.1
+
diff --git a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
new file mode 100644
index 0000000..a943dca
--- /dev/null
+++ b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
@@ -0,0 +1,89 @@
+From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
+ limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 4de96aec..e6de2209 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -70,8 +74,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)width, (unsigned long)height);
+ return 0;
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+ rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+
+ static char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -543,6 +563,7 @@ static char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+
+--
+2.34.1
+
diff --git a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
new file mode 100644
index 0000000..be5176b
--- /dev/null
+++ b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
@@ -0,0 +1,53 @@
+From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
+ overflow
+
+fixes #211
+
+(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c6edd27c..b1f7cc95 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+ */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+
+ flip = setorientation(img);
+ if (flip & FLIP_VERTICALLY) {
+- y = h - 1;
+- toskew = -(int32)(tw + w);
++ if ((tw + w) > INT_MAX) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = h - 1;
++ toskew = -(int32)(tw + w);
+ }
+ else {
+- y = 0;
+- toskew = -(int32)(tw - w);
++ if (tw > (INT_MAX + w)) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++ return (0);
++ }
++ y = 0;
++ toskew = -(int32)(tw - w);
+ }
+
+ /*
+--
+2.34.1
+
diff --git a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
new file mode 100644
index 0000000..7aff264
--- /dev/null
+++ b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
@@ -0,0 +1,41 @@
+From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
+ saving to JPEG YCbCr
+
+fixes #220
+
+(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index ff7b9c22..a5db1f64 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ (void) 0;
+ }
+- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++ } else
++#endif
++ {
++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++ }
+ }
+ if (k == 0) {
+ /* Assume we had overflow inside TIFFScanlineSize */
+--
+2.34.1
+
diff --git a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
new file mode 100644
index 0000000..eb61fab
--- /dev/null
+++ b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
@@ -0,0 +1,92 @@
+From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 23:08:25 +0100
+Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
+ 4
+
+too much bytes were processed, causing a heap buffer overrun
+ http://bugzilla.maptools.org/show_bug.cgi?id=2831
+the loop counter must be
+ for (col = 0; col < width; col += 8 / bps)
+
+Also the values were not properly calculated. It should be
+255-x, 15-x, 3-x for bps 8, 4, 2.
+
+But anyway it is easyer to invert all bits as 255-x = ~x, etc.
+(substracting from a binary number composed of all 1 is like inverting
+the bits)
+
+(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
+---
+ tools/tiffcrop.c | 37 ++++++-------------------------------
+ 1 file changed, 6 insertions(+), 31 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 3862b1ca..a6129148 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -9142,7 +9142,6 @@ static int
+ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
+ {
+ uint32 row, col;
+- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
+ unsigned char *src;
+ uint16 *src_uint16;
+ uint32 *src_uint32;
+@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+ for (row = 0; row < length; row++)
+ for (col = 0; col < width; col++)
+ {
+- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
++ *src_uint32 = ~(*src_uint32);
+ src_uint32++;
+ }
+ break;
+@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+ for (row = 0; row < length; row++)
+ for (col = 0; col < width; col++)
+ {
+- *src_uint16 = (uint16)0xFFFF - *src_uint16;
++ *src_uint16 = ~(*src_uint16);
+ src_uint16++;
+ }
+ break;
+- case 8: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- *src = (uint8)255 - *src;
+- src++;
+- }
+- break;
+- case 4: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
+- bytebuff2 = 16 - (*src & 15);
+- *src = bytebuff1 << 4 & bytebuff2;
+- src++;
+- }
+- break;
+- case 2: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col++)
+- {
+- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
+- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
+- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
+- bytebuff4 = 4 - (uint8)(*src & 3);
+- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
+- src++;
+- }
+- break;
++ case 8:
++ case 4:
++ case 2:
+ case 1: for (row = 0; row < length; row++)
+- for (col = 0; col < width; col += 8 /(spp * bps))
++ for (col = 0; col < width; col += 8 / bps)
+ {
+ *src = ~(*src);
+ src++;
+--
+2.34.1
+
diff --git a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
new file mode 100644
index 0000000..fb1652b
--- /dev/null
+++ b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
@@ -0,0 +1,30 @@
+From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #362)
+
+(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 80aaf8d1..1e6f1c2f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++ if( dir->tdir_count )
++ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
++ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+ _TIFFfree(data);
+ data=resizeddata;
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
new file mode 100644
index 0000000..ef22de3
--- /dev/null
+++ b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
@@ -0,0 +1,28 @@
+From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #362)
+
+(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1e6f1c2f..d68aecc5 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
+ goto bad;
+ }
+
+- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ if (old_extrasamples > 0)
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
new file mode 100644
index 0000000..49e4e9d
--- /dev/null
+++ b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
@@ -0,0 +1,39 @@
+From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
+ ASCII tags where count is required (fixes #355)
+
+(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
+---
+ tools/tiffset.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 894c9f1f..e4b0d49f 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -134,9 +134,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16)len, argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s\n",
+ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
+--
+2.34.1
+
diff --git a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
new file mode 100644
index 0000000..87eb654
--- /dev/null
+++ b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
@@ -0,0 +1,36 @@
+From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
+ with multiple IFD in memory-mapped mode and when bit reversal is needed
+ (fixes #385)
+
+(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 8136c77b..698428f0 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+ */
+ tif->tif_flags |= TIFF_NOBITREV;
+ tif->tif_flags &= ~TIFF_MAPPED;
++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
++ * value to be consistent with the state of a non-memory mapped file.
++ */
++ if (tif->tif_flags&TIFF_BUFFERMMAP) {
++ tif->tif_rawdata = NULL;
++ tif->tif_rawdatasize = 0;
++ tif->tif_flags &= ~TIFF_BUFFERMMAP;
++ tif->tif_flags |= TIFF_MYBUFFER;
++ }
+
+ /* Setup the function pointers for encode, decode, and cleanup. */
+ tif->tif_setupdecode = JBIGSetupDecode;
+--
+2.34.1
+
diff --git a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
new file mode 100644
index 0000000..af2e18d
--- /dev/null
+++ b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
@@ -0,0 +1,201 @@
+From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
+ overflow in extractImageSection
+
+(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
+---
+ tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
+ 1 file changed, 32 insertions(+), 52 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a6129148..83cf80ad 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ uint32 img_length;
+ #endif
+- uint32 j, shift1, shift2, trailing_bits;
++ uint32 j, shift1, trailing_bits;
+ uint32 row, first_row, last_row, first_col, last_col;
+ uint32 src_offset, dst_offset, row_offset, col_offset;
+- uint32 offset1, offset2, full_bytes;
++ uint32 offset1, full_bytes;
+ uint32 sect_width;
+ #ifdef DEVELMODE
+ uint32 sect_length;
+@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ int k;
+ unsigned char bitset;
+- static char *bitarray = NULL;
+ #endif
+
+ img_width = image->width;
+@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ dst_offset = 0;
+
+ #ifdef DEVELMODE
+- if (bitarray == NULL)
+- {
+- if ((bitarray = (char *)malloc(img_width)) == NULL)
+- {
+- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+- return (-1);
+- }
+- }
++ char bitarray[39];
+ #endif
+
+- /* rows, columns, width, length are expressed in pixels */
++ /* rows, columns, width, length are expressed in pixels
++ * first_row, last_row, .. are index into image array starting at 0 to width-1,
++ * last_col shall be also extracted. */
+ first_row = section->y1;
+ last_row = section->y2;
+ first_col = section->x1;
+@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+ sect_length = last_row - first_row + 1;
+ #endif
+- img_rowsize = ((img_width * bps + 7) / 8) * spp;
++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++ * samples rather than separate planes so the same logic works to extract regions
++ * regardless of the way the data are organized in the input file.
++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
++ */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * bps) % 8;
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
+@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if ((bps % 8) == 0)
+ {
+- col_offset = first_col * spp * bps / 8;
++ col_offset = (first_col * spp * bps) / 8;
+ for (row = first_row; row <= last_row; row++)
+ {
+- /* row_offset = row * img_width * spp * bps / 8; */
+ row_offset = row * img_rowsize;
+ src_offset = row_offset + col_offset;
+
+@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ }
+ else
+ { /* bps != 8 */
+- shift1 = spp * ((first_col * bps) % 8);
+- shift2 = spp * ((last_col * bps) % 8);
++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
+ for (row = first_row; row <= last_row; row++)
+ {
+ /* pull out the first byte */
+ row_offset = row * img_rowsize;
+- offset1 = row_offset + (first_col * bps / 8);
+- offset2 = row_offset + (last_col * bps / 8);
++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
+
+ #ifdef DEVELMODE
+ for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ sprintf(&bitarray[9], " ");
+ for (j = 10, k = 7; j < 18; j++, k--)
+ {
+- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+ sprintf(&bitarray[j], (bitset) ? "1" : "0");
+ }
+ bitarray[18] = '\0';
+- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
+- row, offset1, shift1, offset2, shift2);
++ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n",
++ row, offset1, shift1, offset1+full_bytes, trailing_bits);
+ #endif
+
+ bytebuff1 = bytebuff2 = 0;
+@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+
+ if (trailing_bits != 0)
+ {
+- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+ sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
+- offset2, dst_offset);
++ offset1 + full_bytes, dst_offset);
+ for (j = 30, k = 7; j < 38; j++, k--)
+ {
+ bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ for (j = 0; j <= full_bytes; j++)
+ {
++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+ sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+ }
+ #ifdef DEVELMODE
+@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+ dst_offset += full_bytes;
+
++ /* Copy the trailing_bits for the last byte in the destination buffer.
++ Could come from one ore two bytes of the source buffer. */
+ if (trailing_bits != 0)
+ {
+ #ifdef DEVELMODE
+- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
+-#endif
+- if (shift2 > shift1)
+- {
+- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+- sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 > Shift1\n");
++ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
+- }
+- else
+- {
+- if (shift2 < shift1)
+- {
+- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+- sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+- TIFFError ("", " Shift2 < Shift1\n");
+-#endif
+- }
+-#ifdef DEVELMODE
+- else
+- TIFFError ("", " Shift2 == Shift1\n");
+-#endif
+- }
++ /* More than necessary bits are already copied into last destination buffer,
++ * only masking of last byte in destination buffer is necessary.*/
++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+ }
+ #ifdef DEVELMODE
+ sprintf(&bitarray[28], " ");
+@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+ width = sections[i].x2 - sections[i].x1 + 1;
+ length = sections[i].y2 - sections[i].y1 + 1;
+ sectsize = (uint32)
+- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+ /* allocate a buffer if we don't have one already */
+ if (createImageSection(sectsize, sect_buff_ptr))
+ {
+--
+2.34.1
+
diff --git a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
new file mode 100644
index 0000000..769799f
--- /dev/null
+++ b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -0,0 +1,54 @@
+From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
+
+(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 96f14728..d5f1d248 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ tdata_t obuf;
+ tstrip_t strip = 0;
+ tsample_t s;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(stripsize);
+ if (obuf == NULL)
+ return (0);
+ _TIFFmemset(obuf, 0, stripsize);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ bytes_per_sample = bps/8;
+ for (s = 0; s < spp; s++) {
+ uint32 row;
+ for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+
+ cpContigBufToSeparateBuf(
+ obuf, (uint8*) buf + row*rowsize + s,
+- nrows, imagewidth, 0, 0, spp, 1);
++ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ TIFFError(TIFFFileName(out),
+ "Error, can't write strip %u",
+--
+2.34.1
+
diff --git a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
new file mode 100644
index 0000000..6ffaba8
--- /dev/null
+++ b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
@@ -0,0 +1,33 @@
+From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
+
+(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index c36a5f3f..f126f2aa 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ break;
+--
+2.34.1
+
diff --git a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
new file mode 100644
index 0000000..b76d47f
--- /dev/null
+++ b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
@@ -0,0 +1,30 @@
+From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #383)
+
+(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index d68aecc5..b72e6a3b 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ }
+ o[(uint32)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
+--
+2.34.1
+
diff --git a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
new file mode 100644
index 0000000..deb2812
--- /dev/null
+++ b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
@@ -0,0 +1,58 @@
+From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
+ string (fixes #400)
+
+(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index d5f1d248..fb98bd57 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -249,19 +249,34 @@ main(int argc, char* argv[])
+ deftilewidth = atoi(optarg);
+ break;
+ case 'B':
+- *mp++ = 'b'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'b'; *mp = '\0';
++ }
+ break;
+ case 'L':
+- *mp++ = 'l'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'l'; *mp = '\0';
++ }
+ break;
+ case 'M':
+- *mp++ = 'm'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'm'; *mp = '\0';
++ }
+ break;
+ case 'C':
+- *mp++ = 'c'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode) - 1))
++ {
++ *mp++ = 'c'; *mp = '\0';
++ }
+ break;
+ case '8':
+- *mp++ = '8'; *mp = '\0';
++ if (strlen(mode) < (sizeof(mode)-1))
++ {
++ *mp++ = '8'; *mp = '\0';
++ }
+ break;
+ case 'x':
+ pageInSeq = 1;
+--
+2.34.1
+
diff --git a/SOURCES/libtiff-CVE-2017-18013.patch b/SOURCES/libtiff-CVE-2017-18013.patch
deleted file mode 100644
index 77afc48..0000000
--- a/SOURCES/libtiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
- pointer dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 10a588e..b9b53a0 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
- (unsigned long) s,
-- (unsigned __int64) td->td_stripoffset[s],
-- (unsigned __int64) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- fprintf(fd, " %3lu: [%8llu, %8llu]\n",
- (unsigned long) s,
-- (unsigned long long) td->td_stripoffset[s],
-- (unsigned long long) td->td_stripbytecount[s]);
-+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- }
- }
---
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2017-9935.patch b/SOURCES/libtiff-CVE-2017-9935.patch
deleted file mode 100644
index 39327ff..0000000
--- a/SOURCES/libtiff-CVE-2017-9935.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page. Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c | 3 +++
- tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
- 2 files changed, 49 insertions(+), 23 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index f00f808..c36a5f3 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- *va_arg(ap, uint16**) = td->td_transferfunction[1];
- *va_arg(ap, uint16**) = td->td_transferfunction[2];
-+ } else {
-+ *va_arg(ap, uint16**) = NULL;
-+ *va_arg(ap, uint16**) = NULL;
- }
- break;
- case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index bdb9126..bd23c9e 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -239,7 +239,7 @@ typedef struct {
- float tiff_whitechromaticities[2];
- float tiff_primarychromaticities[6];
- float tiff_referenceblackwhite[2];
-- float* tiff_transferfunction[3];
-+ uint16* tiff_transferfunction[3];
- int pdf_image_interpolate; /* 0 (default) : do not interpolate,
- 1 : interpolate */
- uint16 tiff_transferfunctioncount;
-@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- uint16 pagen=0;
- uint16 paged=0;
- uint16 xuint16=0;
-+ uint16 tiff_transferfunctioncount=0;
-+ uint16* tiff_transferfunction[3];
-
- directorycount=TIFFNumberOfDirectories(input);
- if(directorycount > TIFF_DIR_MAX) {
-@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- }
- #endif
- if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
-- &(t2p->tiff_transferfunction[0]),
-- &(t2p->tiff_transferfunction[1]),
-- &(t2p->tiff_transferfunction[2]))) {
-- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[1] !=
-- t2p->tiff_transferfunction[0])) {
-- t2p->tiff_transferfunctioncount = 3;
-- t2p->tiff_pages[i].page_extra += 4;
-- t2p->pdf_xrefcount += 4;
-- } else {
-- t2p->tiff_transferfunctioncount = 1;
-- t2p->tiff_pages[i].page_extra += 2;
-- t2p->pdf_xrefcount += 2;
-- }
-- if(t2p->pdf_minorversion < 2)
-- t2p->pdf_minorversion = 2;
-+ &(tiff_transferfunction[0]),
-+ &(tiff_transferfunction[1]),
-+ &(tiff_transferfunction[2]))) {
-+
-+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
-+ (tiff_transferfunction[2] != (uint16*) NULL)
-+ ) {
-+ tiff_transferfunctioncount=3;
-+ } else {
-+ tiff_transferfunctioncount=1;
-+ }
- } else {
-- t2p->tiff_transferfunctioncount=0;
-+ tiff_transferfunctioncount=0;
- }
-+
-+ if (i > 0){
-+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "Different transfer function on page %d",
-+ i);
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
-+ }
-+
-+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+ if(tiff_transferfunctioncount == 3){
-+ t2p->tiff_pages[i].page_extra += 4;
-+ t2p->pdf_xrefcount += 4;
-+ if(t2p->pdf_minorversion < 2)
-+ t2p->pdf_minorversion = 2;
-+ } else if (tiff_transferfunctioncount == 1){
-+ t2p->tiff_pages[i].page_extra += 2;
-+ t2p->pdf_xrefcount += 2;
-+ if(t2p->pdf_minorversion < 2)
-+ t2p->pdf_minorversion = 2;
-+ }
-+
- if( TIFFGetField(
- input,
- TIFFTAG_ICCPROFILE,
-@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
-- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
-- (t2p->tiff_transferfunction[1] !=
-- t2p->tiff_transferfunction[0])) {
-+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
-+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
-+ ) {
- t2p->tiff_transferfunctioncount=3;
- } else {
- t2p->tiff_transferfunctioncount=1;
---
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-10963.patch b/SOURCES/libtiff-CVE-2018-10963.patch
deleted file mode 100644
index 039b7c1..0000000
--- a/SOURCES/libtiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index c68d6d2..5d0a669 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- }
- break;
- default:
-- assert(0); /* we should never get here */
-- break;
-+ TIFFErrorExt(tif->tif_clientdata,module,
-+ "Cannot write tag %d (%s)",
-+ TIFFFieldTag(o),
-+ o->field_name ? o->field_name : "unknown");
-+ goto bad;
- }
- }
- }
---
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch
deleted file mode 100644
index c7c3d30..0000000
--- a/SOURCES/libtiff-CVE-2018-12900.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 10:05:33 +0100
-Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
-
-fixes bug 2833
----
- tools/tiffcp.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 489459a..0c66229 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -43,6 +43,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
-
- #include <ctype.h>
-
-@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- int status = 1;
- uint32 imagew = TIFFRasterScanlineSize(in);
- uint32 tilew = TIFFTileRowSize(in);
-- int iskew = imagew - tilew*spp;
-+ int iskew;
- tsize_t tilesize = TIFFTileSize(in);
- tdata_t tilebuf;
- uint8* bufp = (uint8*) buf;
-@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- uint32 row;
- uint16 bps = 0, bytes_per_sample;
-
-+ if (tilew && spp > (INT_MAX / tilew))
-+ {
-+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
-+ return 0;
-+ }
-+ iskew = imagew - tilew*spp;
- tilebuf = _TIFFmalloc(tilesize);
- if (tilebuf == 0)
- return 0;
---
-2.21.0
-
diff --git a/SOURCES/libtiff-CVE-2018-17100.patch b/SOURCES/libtiff-CVE-2018-17100.patch
deleted file mode 100644
index 8ed6dca..0000000
--- a/SOURCES/libtiff-CVE-2018-17100.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
-From: Young_X <YangX92@hotmail.com>
-Date: Sat, 8 Sep 2018 14:46:27 +0800
-Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
-
----
- tools/ppm2tiff.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
-index 91415e9..81ffa3d 100644
---- a/tools/ppm2tiff.c
-+++ b/tools/ppm2tiff.c
-@@ -72,15 +72,16 @@ BadPPM(char* file)
- exit(-2);
- }
-
-+
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- tmsize_t bytes = m1 * m2;
--
-- if (m1 && bytes / m1 != m2)
-- bytes = 0;
--
-- return bytes;
-+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-+ return 0;
-+ return m1 * m2;
- }
-
- int
---
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-18557.patch b/SOURCES/libtiff-CVE-2018-18557.patch
deleted file mode 100644
index d2cd3c5..0000000
--- a/SOURCES/libtiff-CVE-2018-18557.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 14 Oct 2018 16:38:29 +0200
-Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
-
-JBIGDecode doesn't check if the user provided buffer is large enough
-to store the JBIG decoded image, which can potentially cause out-of-bounds
-write in the buffer.
-This issue was reported and analyzed by Thomas Dullien.
-
-Also fixes a (harmless) potential use of uninitialized memory when
-tif->tif_rawsize > tif->tif_rawcc
-
-And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
-that whole strip data is provided to JBIGDecode()
----
- libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
- libtiff/tif_read.c | 6 ++++++
- 2 files changed, 32 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 7a14dd9..8136c77 100644
---- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- struct jbg_dec_state decoder;
- int decodeStatus = 0;
- unsigned char* pImage = NULL;
-- (void) size, (void) s;
-+ unsigned long decodedSize;
-+ (void) s;
-
- if (isFillOrder(tif, tif->tif_dir.td_fillorder))
- {
-- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
-+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
- }
-
- jbg_dec_init(&decoder);
-
- #if defined(HAVE_JBG_NEWLEN)
-- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
-+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
- /*
- * I do not check the return status of jbg_newlen because even if this
- * function fails it does not necessarily mean that decoding the image
-@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- */
- #endif /* HAVE_JBG_NEWLEN */
-
-- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
-- (size_t)tif->tif_rawdatasize, NULL);
-+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
-+ (size_t)tif->tif_rawcc, NULL);
- if (JBG_EOK != decodeStatus)
- {
- /*
-@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- return 0;
- }
-
-+ decodedSize = jbg_dec_getsize(&decoder);
-+ if( (tmsize_t)decodedSize < size )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata, "JBIG",
-+ "Only decoded %lu bytes, whereas %lu requested",
-+ decodedSize, (unsigned long)size);
-+ }
-+ else if( (tmsize_t)decodedSize > size )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, "JBIG",
-+ "Decoded %lu bytes, whereas %lu were requested",
-+ decodedSize, (unsigned long)size);
-+ jbg_dec_free(&decoder);
-+ return 0;
-+ }
- pImage = jbg_dec_getimage(&decoder, 0);
-- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
-+ _TIFFmemcpy(buffer, pImage, decodedSize);
- jbg_dec_free(&decoder);
-+
-+ tif->tif_rawcp += tif->tif_rawcc;
-+ tif->tif_rawcc = 0;
-+
- return 1;
- }
-
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 2ba985a..04100f4 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
- return 0;
- whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
- || isMapped(tif);
-+ if( td->td_compression == COMPRESSION_JBIG )
-+ {
-+ /* Ideally plugins should have a way to declare they don't support
-+ * chunk strip */
-+ whole_strip = 1;
-+ }
- #else
- whole_strip = 1;
- #endif
---
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-18661.patch b/SOURCES/libtiff-CVE-2018-18661.patch
deleted file mode 100644
index 9a7430b..0000000
--- a/SOURCES/libtiff-CVE-2018-18661.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 30 Oct 2018 18:50:27 +0100
-Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
- memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
- CVE-2018-18661
-
----
- libtiff/tiffiop.h | 1 +
- tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
- tools/tiffcrop.c | 5 -----
- 3 files changed, 27 insertions(+), 9 deletions(-)
-
-diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
-index daa291c..08e5dc4 100644
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #endif
-
- #define streq(a,b) (strcmp(a,b) == 0)
-+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
-
- #ifndef TRUE
- #define TRUE 1
-diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
-index dad54af..1f3bb2c 100644
---- a/tools/tiff2bw.c
-+++ b/tools/tiff2bw.c
-@@ -40,9 +40,7 @@
- #endif
-
- #include "tiffio.h"
--
--#define streq(a,b) (strcmp((a),(b)) == 0)
--#define strneq(a,b,n) (strncmp(a,b,n) == 0)
-+#include "tiffiop.h"
-
- /* x% weighting -> fraction of full color */
- #define PCT(x) (((x)*256+50)/100)
-@@ -223,6 +221,11 @@ main(int argc, char* argv[])
- TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+ if( !outbuf )
-+ {
-+ fprintf(stderr, "Out of memory\n");
-+ goto tiff2bw_error;
-+ }
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
- TIFFDefaultStripSize(out, rowsperstrip));
-
-@@ -246,6 +249,11 @@ main(int argc, char* argv[])
- #undef CVT
- }
- inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-+ if( !inbuf )
-+ {
-+ fprintf(stderr, "Out of memory\n");
-+ goto tiff2bw_error;
-+ }
- for (row = 0; row < h; row++) {
- if (TIFFReadScanline(in, inbuf, row, 0) < 0)
- break;
-@@ -256,6 +264,11 @@ main(int argc, char* argv[])
- break;
- case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
- inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-+ if( !inbuf )
-+ {
-+ fprintf(stderr, "Out of memory\n");
-+ goto tiff2bw_error;
-+ }
- for (row = 0; row < h; row++) {
- if (TIFFReadScanline(in, inbuf, row, 0) < 0)
- break;
-@@ -265,8 +278,16 @@ main(int argc, char* argv[])
- }
- break;
- case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
-+ {
-+ tmsize_t inbufsize;
- rowsize = TIFFScanlineSize(in);
-- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
-+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
-+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
-+ if( !inbuf )
-+ {
-+ fprintf(stderr, "Out of memory\n");
-+ goto tiff2bw_error;
-+ }
- for (row = 0; row < h; row++) {
- for (s = 0; s < 3; s++)
- if (TIFFReadScanline(in,
-@@ -278,6 +299,7 @@ main(int argc, char* argv[])
- break;
- }
- break;
-+ }
- }
- #undef pack
- if (inbuf)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index c60cb38..3862b1c 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
-
- #define TIFF_UINT32_MAX 0xFFFFFFFFU
-
--#ifndef streq
--#define streq(a,b) (strcmp((a),(b)) == 0)
--#endif
--#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
--
- #define TRUE 1
- #define FALSE 0
-
---
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-5784.patch b/SOURCES/libtiff-CVE-2018-5784.patch
deleted file mode 100644
index 5f26e5d..0000000
--- a/SOURCES/libtiff-CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
-Date: Fri, 23 Mar 2018 15:35:39 +0100
-Subject: [PATCH] Fix for bug 2772
-
-It is possible to craft a TIFF document where the IFD list is circular,
-leading to an infinite loop while traversing the chain. The libtiff
-directory reader has a failsafe that will break out of this loop after
-reading 65535 directory entries, but it will continue processing,
-consuming time and resources to process what is essentially a bogus TIFF
-document.
-
-This change fixes the above behavior by breaking out of processing when
-a TIFF document has >= 65535 directories and terminating with an error.
----
- contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
- tools/tiff2pdf.c | 10 ++++++++++
- tools/tiffcrop.c | 13 +++++++++++--
- 3 files changed, 34 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
-index c61ffbb..03b3573 100644
---- a/contrib/addtiffo/tif_overview.c
-+++ b/contrib/addtiffo/tif_overview.c
-@@ -65,6 +65,8 @@
- # define MAX(a,b) ((a>b) ? a : b)
- #endif
-
-+#define TIFF_DIR_MAX 65534
-+
- void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
- int (*)(double,void*), void * );
-
-@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- {
- toff_t nBaseDirOffset;
- toff_t nOffset;
-+ tdir_t iNumDir;
-
- (void) bUseSubIFDs;
-
-@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- return 0;
-
- TIFFWriteDirectory( hTIFF );
-- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
-+ iNumDir = TIFFNumberOfDirectories(hTIFF);
-+ if( iNumDir > TIFF_DIR_MAX )
-+ {
-+ TIFFErrorExt( TIFFClientdata(hTIFF),
-+ "TIFF_WriteOverview",
-+ "File `%s' has too many directories.\n",
-+ TIFFFileName(hTIFF) );
-+ exit(-1);
-+ }
-+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
-
- nOffset = TIFFCurrentDirOffset( hTIFF );
-
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index 454befb..bdb9126 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
-
- #define PS_UNIT_SIZE 72.0F
-
-+#define TIFF_DIR_MAX 65534
-+
- /* This type is of PDF color spaces. */
- typedef enum {
- T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
-@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- uint16 xuint16=0;
-
- directorycount=TIFFNumberOfDirectories(input);
-+ if(directorycount > TIFF_DIR_MAX) {
-+ TIFFError(
-+ TIFF2PDF_MODULE,
-+ "TIFF contains too many directories, %s",
-+ TIFFFileName(input));
-+ t2p->t2p_error = T2P_ERR_ERROR;
-+ return;
-+ }
- t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
- if(t2p->tiff_pages==NULL){
- TIFFError(
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index c69177e..c60cb38 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
- #define DUMP_TEXT 1
- #define DUMP_RAW 2
-
-+#define TIFF_DIR_MAX 65534
-+
- /* Offsets into buffer for margins and fixed width and length segments */
- struct offset {
- uint32 tmargin;
-@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
- pageNum = -1;
- else
- total_images = 0;
-- /* read multiple input files and write to output file(s) */
-+ /* Read multiple input files and write to output file(s) */
- while (optind < argc - 1)
- {
- in = TIFFOpen (argv[optind], "r");
-@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
- return (-3);
-
- /* If only one input file is specified, we can use directory count */
-- total_images = TIFFNumberOfDirectories(in);
-+ total_images = TIFFNumberOfDirectories(in);
-+ if (total_images > TIFF_DIR_MAX)
-+ {
-+ TIFFError (TIFFFileName(in), "File contains too many directories");
-+ if (out != NULL)
-+ (void) TIFFClose(out);
-+ return (1);
-+ }
- if (image_count == 0)
- {
- dirnum = 0;
---
-2.13.6
-
diff --git a/SOURCES/libtiff-CVE-2018-7456.patch b/SOURCES/libtiff-CVE-2018-7456.patch
deleted file mode 100644
index 65a8947..0000000
--- a/SOURCES/libtiff-CVE-2018-7456.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
-Date: Tue, 17 Apr 2018 18:42:09 +0200
-Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
-
-The TIFFPrintDirectory function relies on the following assumptions,
-supposed to be guaranteed by the specification:
-
-(a) A Transfer Function field is only present if the TIFF file has
- photometric type < 3.
-
-(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
- has count SamplesPerPixel - (Color Channels) and contains
- information about supplementary channels.
-
-While respect of (a) and (b) are essential for the well functioning of
-TIFFPrintDirectory, no checks are realized neither by the callee nor
-by TIFFPrintDirectory itself. Hence, following scenarios might happen
-and trigger the NULL pointer dereference:
-
-(1) TIFF File of photometric type 4 or more has illegal Transfer
- Function field.
-
-(2) TIFF File has photometric type 3 or less and defines a
- SamplesPerPixel field such that SamplesPerPixel > Color Channels
- without defining all extra samples in the ExtraSamples fields.
-
-In this patch, we address both issues with respect of the following
-principles:
-
-(A) In the case of (1), the defined transfer table should be printed
- safely even if it isn't 'legal'. This allows us to avoid expensive
- checks in TIFFPrintDirectory. Also, it is quite possible that
- an alternative photometric type would be developed (not part of the
- standard) and would allow definition of Transfer Table. We want
- libtiff to be able to handle this scenario out of the box.
-
-(B) In the case of (2), the transfer table should be printed at its
- right size, that is if TIFF file has photometric type Palette
- then the transfer table should have one row and not three, even
- if two extra samples are declared.
-
-In order to fulfill (A) we simply add a new 'i < 3' end condition to
-the broken TIFFPrintDirectory loop. This makes sure that in any case
-where (b) would be respected but not (a), everything stays fine.
-
-(B) is fulfilled by the loop condition
-'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
-long as (b) is respected.
-
-Naturally, we also make sure (b) is respected. This is done in the
-TIFFReadDirectory function by making sure any non-color channel is
-counted in ExtraSamples.
-
-This commit addresses CVE-2018-7456.
----
- libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
- libtiff/tif_print.c | 2 +-
- 2 files changed, 63 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 5e62e81..80aaf8d 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
- static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
- static void ChopUpSingleUncompressedStrip(TIFF*);
- static uint64 TIFFReadUInt64(const uint8 *value);
-+static int _TIFFGetMaxColorChannels(uint16 photometric);
-
- static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
-
-@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
- }
- }
-
-+/*
-+ * Return the maximum number of color channels specified for a given photometric
-+ * type. 0 is returned if photometric type isn't supported or no default value
-+ * is defined by the specification.
-+ */
-+static int _TIFFGetMaxColorChannels( uint16 photometric )
-+{
-+ switch (photometric) {
-+ case PHOTOMETRIC_PALETTE:
-+ case PHOTOMETRIC_MINISWHITE:
-+ case PHOTOMETRIC_MINISBLACK:
-+ return 1;
-+ case PHOTOMETRIC_YCBCR:
-+ case PHOTOMETRIC_RGB:
-+ case PHOTOMETRIC_CIELAB:
-+ return 3;
-+ case PHOTOMETRIC_SEPARATED:
-+ case PHOTOMETRIC_MASK:
-+ return 4;
-+ case PHOTOMETRIC_LOGL:
-+ case PHOTOMETRIC_LOGLUV:
-+ case PHOTOMETRIC_CFA:
-+ case PHOTOMETRIC_ITULAB:
-+ case PHOTOMETRIC_ICCLAB:
-+ default:
-+ return 0;
-+ }
-+}
-+
- /*
- * Read the next TIFF directory from a file and convert it to the internal
- * format. We read directories sequentially.
-@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
- uint32 fii=FAILED_FII;
- toff_t nextdiroff;
- int bitspersample_read = FALSE;
-+ int color_channels;
-
- tif->tif_diroff=tif->tif_nextdiroff;
- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
-@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
- }
- }
- }
-+
-+ /*
-+ * Make sure all non-color channels are extrasamples.
-+ * If it's not the case, define them as such.
-+ */
-+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
-+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
-+ uint16 old_extrasamples;
-+ uint16 *new_sampleinfo;
-+
-+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
-+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
-+ "Defining non-color channels as ExtraSamples.");
-+
-+ old_extrasamples = tif->tif_dir.td_extrasamples;
-+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
-+
-+ // sampleinfo should contain information relative to these new extra samples
-+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
-+ if (!new_sampleinfo) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
-+ "temporary new sampleinfo array (%d 16 bit elements)",
-+ tif->tif_dir.td_extrasamples);
-+ goto bad;
-+ }
-+
-+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
-+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
-+ _TIFFfree(new_sampleinfo);
-+ }
-+
- /*
- * Verify Palette image has a Colormap.
- */
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 24d4b98..10a588e 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- uint16 i;
- fprintf(fd, " %2ld: %5u",
- l, td->td_transferfunction[0][l]);
-- for (i = 1; i < td->td_samplesperpixel; i++)
-+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
- fprintf(fd, " %5u",
- td->td_transferfunction[i][l]);
- fputc('\n', fd);
---
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-8905.patch b/SOURCES/libtiff-CVE-2018-8905.patch
deleted file mode 100644
index be6bee4..0000000
--- a/SOURCES/libtiff-CVE-2018-8905.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
- write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
- CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index bc8f9c8..186ea3c 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- char *tp;
- unsigned char *bp;
- int code, nbits;
-+ int len;
- long nextbits, nextdata, nbitsmask;
- code_t *codep, *free_entp, *maxcodep, *oldcodep;
-
-@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- } while (--occ);
- break;
- }
-- assert(occ >= codep->length);
-- op += codep->length;
-- occ -= codep->length;
-- tp = op;
-+ len = codep->length;
-+ tp = op + len;
- do {
-- *--tp = codep->value;
-- } while( (codep = codep->next) != NULL );
-+ int t;
-+ --tp;
-+ t = codep->value;
-+ codep = codep->next;
-+ *tp = (char)t;
-+ } while (codep && tp > op);
-+ assert(occ >= len);
-+ op += len;
-+ occ -= len;
- } else {
- *op++ = (char)code;
- occ--;
---
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2019-14973.patch b/SOURCES/libtiff-CVE-2019-14973.patch
deleted file mode 100644
index f98ea1e..0000000
--- a/SOURCES/libtiff-CVE-2019-14973.patch
+++ /dev/null
@@ -1,424 +0,0 @@
-From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 10 Aug 2019 18:25:03 +0200
-Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
- implementation-defined behaviour (CVE-2019-14973)
-
-_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
-in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
-signed), which was especially easily triggered on 32-bit builds (with recent
-enough compilers that assume that signed multiplication cannot overflow, since
-this is undefined behaviour by the C standard). The original issue which lead to
-this fix was trigged from tif_fax3.c
-
-There were also unsafe (implementation defied), and broken in practice on 64bit
-builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
-(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
-at that time exploits, but are better to fix in a more bullet-proof way.
-Or similarly use of (int64)uint64_var <= 0.
----
- libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
- libtiff/tif_getimage.c | 6 ++----
- libtiff/tif_luv.c | 8 +------
- libtiff/tif_pixarlog.c | 7 +-----
- libtiff/tif_read.c | 38 +++++++++-----------------------
- libtiff/tif_strip.c | 35 ++++--------------------------
- libtiff/tif_tile.c | 27 +++--------------------
- libtiff/tiffiop.h | 7 +++++-
- 8 files changed, 71 insertions(+), 106 deletions(-)
-
-diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
-index 10b8d00..38a98b6 100644
---- a/libtiff/tif_aux.c
-+++ b/libtiff/tif_aux.c
-@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
- return bytes;
- }
-
-+tmsize_t
-+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
-+{
-+ if( first <= 0 || second <= 0 )
-+ {
-+ if( tif != NULL && where != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, where,
-+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
-+ }
-+ return 0;
-+ }
-+
-+ if( first > TIFF_TMSIZE_T_MAX / second )
-+ {
-+ if( tif != NULL && where != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, where,
-+ "Integer overflow in %s", where);
-+ }
-+ return 0;
-+ }
-+ return first * second;
-+}
-+
-+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
-+{
-+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
-+ {
-+ if( tif != NULL && module != NULL )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+ }
-+ return 0;
-+ }
-+ return (tmsize_t)val;
-+}
-+
- void*
- _TIFFCheckRealloc(TIFF* tif, void* buffer,
- tmsize_t nmemb, tmsize_t elem_size, const char* what)
- {
- void* cp = NULL;
-- tmsize_t bytes = nmemb * elem_size;
--
-+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
- /*
-- * XXX: Check for integer overflow.
-+ * Check for integer overflow.
- */
-- if (nmemb && elem_size && bytes / elem_size == nmemb)
-- cp = _TIFFrealloc(buffer, bytes);
-+ if (count != 0)
-+ {
-+ cp = _TIFFrealloc(buffer, count);
-+ }
-
- if (cp == NULL) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index fc554cc..ec09fea 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint32 leftmost_tw;
-
- tilesize = TIFFTileSize(tif);
-- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
-+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
- if (bufsize == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
- return (0);
- }
-
-@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- uint16 colorchannels;
-
- stripsize = TIFFStripSize(tif);
-- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
-+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
- if (bufsize == 0) {
-- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
- return (0);
- }
-
-diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
-index 4b25244..c4cb73a 100644
---- a/libtiff/tif_luv.c
-+++ b/libtiff/tif_luv.c
-@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
- return (SGILOGDATAFMT_UNKNOWN);
- }
-
--
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-- return 0;
-- return m1 * m2;
-+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
-
- static int
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 979858d..8e9eaa1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
- return guess;
- }
-
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
-- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-- return 0;
-- return m1 * m2;
-+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
-
- static tmsize_t
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 04100f4..9a0e6e9 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -31,9 +31,6 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- int TIFFFillStrip(TIFF* tif, uint32 strip);
- int TIFFFillTile(TIFF* tif, uint32 tile);
- static int TIFFStartStrip(TIFF* tif, uint32 strip);
-@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
- #define THRESHOLD_MULTIPLIER 10
- #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
-
-+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
-+
- /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
- * Returns 1 in case of success, 0 otherwise. */
- static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
-@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- return ((tmsize_t)(-1));
- }
- bytecount = td->td_stripbytecount[strip];
-- if ((int64)bytecount <= 0) {
--#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%I64u: Invalid strip byte count, strip %lu",
-- (unsigned __int64) bytecount,
-- (unsigned long) strip);
--#else
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%llu: Invalid strip byte count, strip %lu",
-- (unsigned long long) bytecount,
-- (unsigned long) strip);
--#endif
-- return ((tmsize_t)(-1));
-- }
-- bytecountm = (tmsize_t)bytecount;
-- if ((uint64)bytecountm!=bytecount) {
-- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
-+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
-+ if (bytecountm == 0) {
- return ((tmsize_t)(-1));
- }
- if (size != (tmsize_t)(-1) && size < bytecountm)
-@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[strip];
-- if ((int64)bytecount <= 0) {
-+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "Invalid strip byte count %I64u, strip %lu",
-@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- (bytecount - 4096) / 10 > (uint64)stripsize )
- {
- uint64 newbytecount = (uint64)stripsize * 10 + 4096;
-- if( (int64)newbytecount >= 0 )
-+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFWarningExt(tif->tif_clientdata, module,
-@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
- bytecount64 = td->td_stripbytecount[tile];
- if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
- bytecount64 = (uint64)size;
-- bytecountm = (tmsize_t)bytecount64;
-- if ((uint64)bytecountm!=bytecount64)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
-+ if( bytecountm == 0 ) {
- return ((tmsize_t)(-1));
- }
- return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
-@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- {
- uint64 bytecount = td->td_stripbytecount[tile];
-- if ((int64)bytecount <= 0) {
-+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "%I64u: Invalid tile byte count, tile %lu",
-@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- (bytecount - 4096) / 10 > (uint64)stripsize )
- {
- uint64 newbytecount = (uint64)stripsize * 10 + 4096;
-- if( (int64)newbytecount >= 0 )
-+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFWarningExt(tif->tif_clientdata, module,
-diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
-index 6e9f2ef..321ad6b 100644
---- a/libtiff/tif_strip.c
-+++ b/libtiff/tif_strip.c
-@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
- {
- static const char module[] = "TIFFVStripSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFVStripSize64(tif,nrows);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
- {
- static const char module[] = "TIFFStripSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFStripSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
- {
- static const char module[] = "TIFFScanlineSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFScanlineSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m) {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
- {
- static const char module[] = "TIFFRasterScanlineSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFRasterScanlineSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /* vim: set ts=8 sts=8 sw=8 noet: */
-diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
-index 388e168..7d05750 100644
---- a/libtiff/tif_tile.c
-+++ b/libtiff/tif_tile.c
-@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
- {
- static const char module[] = "TIFFTileRowSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFTileRowSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
- {
- static const char module[] = "TIFFVTileSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFVTileSize64(tif,nrows);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
- {
- static const char module[] = "TIFFTileSize";
- uint64 m;
-- tmsize_t n;
- m=TIFFTileSize64(tif);
-- n=(tmsize_t)m;
-- if ((uint64)n!=m)
-- {
-- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-- n=0;
-- }
-- return(n);
-+ return _TIFFCastUInt64ToSSize(tif, m, module);
- }
-
- /*
-diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
-index 08e5dc4..d4b8631 100644
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #define FALSE 0
- #endif
-
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- typedef struct client_info {
- struct client_info *next;
- void *data;
-@@ -260,7 +263,7 @@ struct tiff {
- #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
- #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
-
--/* Safe multiply which returns zero if there is an integer overflow */
-+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
- #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
-
- #define TIFFmax(A,B) ((A)>(B)?(A):(B))
-@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
-
- extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
- extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
-+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
-+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
- extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
- extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
-
---
-2.21.0
-
diff --git a/SOURCES/libtiff-CVE-2019-17546.patch b/SOURCES/libtiff-CVE-2019-17546.patch
deleted file mode 100644
index b802ce6..0000000
--- a/SOURCES/libtiff-CVE-2019-17546.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 15 Aug 2019 15:05:28 +0200
-Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
- write heap buffer overflow, especially on 32 bit builds. Fixes
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
- Fuzz
-
----
- libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index ec09fea..c6edd27 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- fromskew = (w < imagewidth ? imagewidth - w : 0);
- for (row = 0; row < h; row += nrow)
- {
-+ uint32 temp;
- rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- nrow = (row + rowstoread > h ? h - row : rowstoread);
- nrowsub = nrow;
- if ((nrowsub%subsamplingver)!=0)
- nrowsub+=subsamplingver-nrowsub%subsamplingver;
-+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
-+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
-+ return 0;
-+ }
- if (_TIFFReadEncodedStripAndAllocBuffer(tif,
- TIFFComputeStrip(tif,row+img->row_offset, 0),
- (void**)(&buf),
- maxstripsize,
-- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
-+ temp * scanline)==(tmsize_t)(-1)
- && (buf == NULL || img->stoponerr))
- {
- ret = 0;
-@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- fromskew = (w < imagewidth ? imagewidth - w : 0);
- for (row = 0; row < h; row += nrow)
- {
-+ uint32 temp;
- rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- nrow = (row + rowstoread > h ? h - row : rowstoread);
- offset_row = row + img->row_offset;
-+ temp = (row + img->row_offset)%rowsperstrip + nrow;
-+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
-+ return 0;
-+ }
- if( buf == NULL )
- {
- if (_TIFFReadEncodedStripAndAllocBuffer(
- tif, TIFFComputeStrip(tif, offset_row, 0),
- (void**) &buf, bufsize,
-- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+ temp * scanline)==(tmsize_t)(-1)
- && (buf == NULL || img->stoponerr))
- {
- ret = 0;
-@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- }
- }
- else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
-- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+ p0, temp * scanline)==(tmsize_t)(-1)
- && img->stoponerr)
- {
- ret = 0;
-@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- }
- if (colorchannels > 1
- && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
-- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+ p1, temp * scanline) == (tmsize_t)(-1)
- && img->stoponerr)
- {
- ret = 0;
-@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- }
- if (colorchannels > 1
- && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
-- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+ p2, temp * scanline) == (tmsize_t)(-1)
- && img->stoponerr)
- {
- ret = 0;
-@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- if (alpha)
- {
- if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
-- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+ pa, temp * scanline)==(tmsize_t)(-1)
- && img->stoponerr)
- {
- ret = 0;
---
-2.21.1
-
diff --git a/SOURCES/libtiff-CVE-2020-19131.patch b/SOURCES/libtiff-CVE-2020-19131.patch
deleted file mode 100644
index 6db20cc..0000000
--- a/SOURCES/libtiff-CVE-2020-19131.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 23:08:25 +0100
-Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
-
-too much bytes were processed, causing a heap buffer overrun
- http://bugzilla.maptools.org/show_bug.cgi?id=2831
-the loop counter must be
- for (col = 0; col < width; col += 8 / bps)
-
-Also the values were not properly calculated. It should be
-255-x, 15-x, 3-x for bps 8, 4, 2.
-
-But anyway it is easyer to invert all bits as 255-x = ~x, etc.
-(substracting from a binary number composed of all 1 is like inverting
-the bits)
----
- tools/tiffcrop.c | 37 ++++++-------------------------------
- 1 file changed, 6 insertions(+), 31 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 3862b1c..a612914 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -9142,7 +9142,6 @@ static int
- invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
- {
- uint32 row, col;
-- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
- unsigned char *src;
- uint16 *src_uint16;
- uint32 *src_uint32;
-@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
- for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
-- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
-+ *src_uint32 = ~(*src_uint32);
- src_uint32++;
- }
- break;
-@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
- for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
-- *src_uint16 = (uint16)0xFFFF - *src_uint16;
-+ *src_uint16 = ~(*src_uint16);
- src_uint16++;
- }
- break;
-- case 8: for (row = 0; row < length; row++)
-- for (col = 0; col < width; col++)
-- {
-- *src = (uint8)255 - *src;
-- src++;
-- }
-- break;
-- case 4: for (row = 0; row < length; row++)
-- for (col = 0; col < width; col++)
-- {
-- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
-- bytebuff2 = 16 - (*src & 15);
-- *src = bytebuff1 << 4 & bytebuff2;
-- src++;
-- }
-- break;
-- case 2: for (row = 0; row < length; row++)
-- for (col = 0; col < width; col++)
-- {
-- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
-- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
-- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
-- bytebuff4 = 4 - (uint8)(*src & 3);
-- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
-- src++;
-- }
-- break;
-+ case 8:
-+ case 4:
-+ case 2:
- case 1: for (row = 0; row < length; row++)
-- for (col = 0; col < width; col += 8 /(spp * bps))
-+ for (col = 0; col < width; col += 8 / bps)
- {
- *src = ~(*src);
- src++;
---
-2.32.0
-
diff --git a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
deleted file mode 100644
index 83c7ae7..0000000
--- a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Sun, 15 Nov 2020 17:02:51 +0100
-Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
-
-fixes #207
-fixes #209
----
- tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
- 1 file changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index 4de96ae..e6de220 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
- int process_by_block = 0; /* default is whole image at once */
- int no_alpha = 0;
- int bigtiff_output = 0;
-+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
-+/* malloc size limit (in bytes)
-+ * disabled when set to 0 */
-+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
-
-
- static int tiffcvt(TIFF* in, TIFF* out);
-@@ -70,8 +74,11 @@ main(int argc, char* argv[])
- extern char *optarg;
- #endif
-
-- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
-+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
- switch (c) {
-+ case 'M':
-+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
-+ break;
- case 'b':
- process_by_block = 1;
- break;
-@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
- (unsigned long)width, (unsigned long)height);
- return 0;
- }
-+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
-+ TIFFError(TIFFFileName(in),
-+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
-+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
-+ return 0;
-+ }
-
- rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
- TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
-@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
- TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
- CopyField(TIFFTAG_DOCUMENTNAME, stringv);
-
-+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
-+ {
-+ TIFFError(TIFFFileName(in),
-+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
-+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
-+ return 0;
-+ }
- if( process_by_block && TIFFIsTiled( in ) )
- return( cvt_by_tile( in, out ) );
- else if( process_by_block )
-@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
- }
-
- static char* stuff[] = {
-- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
-+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
- "where comp is one of the following compression algorithms:",
- " jpeg\t\tJPEG encoding",
- " zip\t\tZip/Deflate encoding",
-@@ -543,6 +563,7 @@ static char* stuff[] = {
- " -b (progress by block rather than as a whole image)",
- " -n don't emit alpha component.",
- " -8 write BigTIFF file instead of ClassicTIFF",
-+ " -M set the memory allocation limit in MiB. 0 to disable limit",
- NULL
- };
-
---
-2.31.1
-
diff --git a/SOURCES/libtiff-CVE-2020-35523.patch b/SOURCES/libtiff-CVE-2020-35523.patch
deleted file mode 100644
index 0f2ca43..0000000
--- a/SOURCES/libtiff-CVE-2020-35523.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Tue, 10 Nov 2020 01:54:30 +0100
-Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
-
-fixes #211
----
- libtiff/tif_getimage.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index c6edd27..b1f7cc9 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -31,6 +31,7 @@
- */
- #include "tiffiop.h"
- #include <stdio.h>
-+#include <limits.h>
-
- static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
- static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
-@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-
- flip = setorientation(img);
- if (flip & FLIP_VERTICALLY) {
-- y = h - 1;
-- toskew = -(int32)(tw + w);
-+ if ((tw + w) > INT_MAX) {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
-+ return (0);
-+ }
-+ y = h - 1;
-+ toskew = -(int32)(tw + w);
- }
- else {
-- y = 0;
-- toskew = -(int32)(tw - w);
-+ if (tw > (INT_MAX + w)) {
-+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
-+ return (0);
-+ }
-+ y = 0;
-+ toskew = -(int32)(tw - w);
- }
-
- /*
---
-2.31.1
-
diff --git a/SOURCES/libtiff-CVE-2020-35524.patch b/SOURCES/libtiff-CVE-2020-35524.patch
deleted file mode 100644
index 3dda4e2..0000000
--- a/SOURCES/libtiff-CVE-2020-35524.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Sat, 14 Nov 2020 12:53:01 +0000
-Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
- JPEG YCbCr
-
-fixes #220
----
- tools/tiff2pdf.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index a15a3ef..db380ec 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
- #endif
- (void) 0;
- }
-- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
-- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
-- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
-+#ifdef JPEG_SUPPORT
-+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
-+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
-+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
-+ } else
-+#endif
-+ {
-+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
-+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
-+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
-+ }
- }
- if (k == 0) {
- /* Assume we had overflow inside TIFFScanlineSize */
---
-2.31.1
-
diff --git a/SOURCES/libtiff-am-version.patch b/SOURCES/libtiff-am-version.patch
deleted file mode 100644
index c94c2e0..0000000
--- a/SOURCES/libtiff-am-version.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Back off the minimum required automake version to 1.11. There isn't
-anything in libtiff currently that actually requires 1.12, and changing
-this allows the package to be built on pre-F18 machines for easier testing.
-
-This patch can go away once we no longer care about testing on pre-F18.
-
-
-diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
---- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
-+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
-@@ -25,7 +25,7 @@
-
- docdir = $(LIBTIFF_DOCDIR)
-
--AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
-+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
- ACLOCAL_AMFLAGS = -I m4
-
- docfiles = \
-diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
---- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
-+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
-@@ -23,7 +23,7 @@
-
- # Process this file with automake to produce Makefile.in.
-
--AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
-+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
-
- LIBTIFF = $(top_builddir)/libtiff/libtiff.la
-
diff --git a/SOURCES/libtiff-coverity.patch b/SOURCES/libtiff-coverity.patch
deleted file mode 100644
index 04a445a..0000000
--- a/SOURCES/libtiff-coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
-index 81ffa3d..a02e865 100644
---- a/tools/ppm2tiff.c
-+++ b/tools/ppm2tiff.c
-@@ -285,6 +285,8 @@ main(int argc, char* argv[])
- if (TIFFWriteScanline(out, buf, row, 0) < 0)
- break;
- }
-+ if (in != stdin)
-+ fclose(in);
- (void) TIFFClose(out);
- if (buf)
- _TIFFfree(buf);
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index bd23c9e..a15a3ef 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
- "for t2p_readwrite_pdf_image_tile, %s",
- (unsigned long) t2p->tiff_datasize,
- TIFFFileName(input));
-+ _TIFFfree(buffer);
- t2p->t2p_error = T2P_ERR_ERROR;
- return(0);
- }
-@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
- {
- uint32 i;
-
-- /* For the 3 first samples, there is overlapping between souce and
-- destination, so use memmove().
-- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
-- for(i = 0; i < 3 && i < samplecount; i++)
-- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
-+ /* For the 3 first samples, there is overlapping between souce and
-+ destination, so use memmove().
-+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
-+ for(i = 0; i < 3 && i < samplecount; i++)
-+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
- for(; i < samplecount; i++)
- memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
-
diff --git a/SOURCES/libtiff-make-check.patch b/SOURCES/libtiff-make-check.patch
deleted file mode 100644
index e79dc94..0000000
--- a/SOURCES/libtiff-make-check.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/html/man/Makefile.am b/html/man/Makefile.am
-index 587296c..696005e 100644
---- a/html/man/Makefile.am
-+++ b/html/man/Makefile.am
-@@ -92,7 +92,6 @@ docfiles = \
- tiffcrop.1.html \
- tiffdither.1.html \
- tiffdump.1.html \
-- tiffgt.1.html \
- tiffinfo.1.html \
- tiffmedian.1.html \
- tiffset.1.html \
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 5ea5d20..5e51860 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,32 +1,46 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
-Release: 21%{?dist}
+Release: 23%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
-Patch0: libtiff-am-version.patch
-Patch1: libtiff-make-check.patch
-Patch2: libtiff-CVE-2018-5784.patch
-Patch3: libtiff-CVE-2018-7456.patch
-Patch4: libtiff-CVE-2017-9935.patch
-Patch5: libtiff-CVE-2017-18013.patch
-Patch6: libtiff-CVE-2018-8905.patch
-Patch7: libtiff-CVE-2018-10963.patch
-Patch8: libtiff-CVE-2018-17100.patch
-Patch9: libtiff-coverity.patch
-Patch10: libtiff-CVE-2018-18557.patch
-Patch11: libtiff-CVE-2018-18661.patch
-Patch12: libtiff-CVE-2018-12900.patch
-Patch13: libtiff-CVE-2019-14973.patch
-Patch14: libtiff-CVE-2019-17546.patch
-Patch15: libtiff-CVE-2020-35521_CVE-2020-35522.patch
-Patch16: libtiff-CVE-2020-35523.patch
-Patch17: libtiff-CVE-2020-35524.patch
-Patch18: libtiff-CVE-2020-19131.patch
+
+# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
+# Patches were generated by: git format-patch -N ...
+Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
+Patch0002: 0002-Fix-Makefile.patch
+Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
+Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
+Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
+Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
+Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
+Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
+Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
+Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
+Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
+Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
+Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
+Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
+Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
+Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
+Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
+Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
+Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
+Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
+Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
+Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
+Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
+Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
+Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
+Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
+Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
+Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
+Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
+
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -76,27 +90,7 @@ This package contains command-line programs for manipulating TIFF format
image files using the libtiff library.
%prep
-%setup -q -n tiff-%{version}
-
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
+%autosetup -p1 -n tiff-%{version}
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -200,6 +194,11 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
+* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
+- Fix various CVEs
+- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
+ CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
+
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
- Fix CVE-2020-19131 (#2006535)