diff --git a/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
new file mode 100644
index 0000000..5486431
--- /dev/null
+++ b/SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
@@ -0,0 +1,43 @@
+From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 5 May 2022 14:38:04 +0200
+Subject: [PATCH] Back off the minimum required automake version to 1.11.
+
+There isn't anything in libtiff currently that actually requires 1.12,
+and changing this allows the package to be built on pre-F18 machines for
+easier testing. This patch can go away once we no longer care about
+testing on pre-F18.
+---
+ Makefile.am      | 2 +-
+ test/Makefile.am | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 418a3b93..fa8bf4c0 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -25,7 +25,7 @@
+ 
+ docdir = $(LIBTIFF_DOCDIR)
+ 
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+ 
+ docfiles = \
+diff --git a/test/Makefile.am b/test/Makefile.am
+index 2052487c..227f228f 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -23,7 +23,7 @@
+ 
+ # Process this file with automake to produce Makefile.in.
+ 
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+ 
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0002-Fix-Makefile.patch b/SOURCES/0002-Fix-Makefile.patch
new file mode 100644
index 0000000..f252fff
--- /dev/null
+++ b/SOURCES/0002-Fix-Makefile.patch
@@ -0,0 +1,24 @@
+From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
+Date: Thu, 5 May 2022 14:42:52 +0200
+Subject: [PATCH] Fix Makefile
+
+---
+ html/man/Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/html/man/Makefile.am b/html/man/Makefile.am
+index 3ed00d44..8a64925a 100644
+--- a/html/man/Makefile.am
++++ b/html/man/Makefile.am
+@@ -90,7 +90,6 @@ docfiles = \
+ 	tiffcrop.1.html \
+ 	tiffdither.1.html \
+ 	tiffdump.1.html \
+-	tiffgt.1.html \
+ 	tiffinfo.1.html \
+ 	tiffmedian.1.html \
+ 	tiffset.1.html \
+-- 
+2.34.1
+
diff --git a/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
new file mode 100644
index 0000000..933f6ea
--- /dev/null
+++ b/SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
@@ -0,0 +1,130 @@
+From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
+From: Nathan Baker <nathanb@lenovo-chrome.com>
+Date: Tue, 6 Feb 2018 10:13:57 -0500
+Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
+
+It is possible to craft a TIFF document where the IFD list is circular,
+leading to an infinite loop while traversing the chain. The libtiff
+directory reader has a failsafe that will break out of this loop after
+reading 65535 directory entries, but it will continue processing,
+consuming time and resources to process what is essentially a bogus TIFF
+document.
+
+This change fixes the above behavior by breaking out of processing when
+a TIFF document has >= 65535 directories and terminating with an error.
+
+(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
+---
+ contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
+ tools/tiff2pdf.c                | 10 ++++++++++
+ tools/tiffcrop.c                | 13 +++++++++++--
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
+index c61ffbb8..03b35733 100644
+--- a/contrib/addtiffo/tif_overview.c
++++ b/contrib/addtiffo/tif_overview.c
+@@ -65,6 +65,8 @@
+ #  define MAX(a,b)      ((a>b) ? a : b)
+ #endif
+ 
++#define TIFF_DIR_MAX  65534
++
+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
+                          int (*)(double,void*), void * );
+ 
+@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+ {
+     toff_t	nBaseDirOffset;
+     toff_t	nOffset;
++    tdir_t	iNumDir;
+ 
+     (void) bUseSubIFDs;
+ 
+@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
+         return 0;
+ 
+     TIFFWriteDirectory( hTIFF );
+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
++    iNumDir = TIFFNumberOfDirectories(hTIFF);
++    if( iNumDir > TIFF_DIR_MAX )
++    {
++        TIFFErrorExt( TIFFClientdata(hTIFF),
++                      "TIFF_WriteOverview",
++                      "File `%s' has too many directories.\n",
++                      TIFFFileName(hTIFF) );
++        exit(-1);
++    }
++    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
+ 
+     nOffset = TIFFCurrentDirOffset( hTIFF );
+ 
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 454befbd..bdb91262 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
+ 
+ #define PS_UNIT_SIZE	72.0F
+ 
++#define TIFF_DIR_MAX    65534
++
+ /* This type is of PDF color spaces. */
+ typedef enum {
+ 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */
+@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 xuint16=0;
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
++	if(directorycount > TIFF_DIR_MAX) {
++		TIFFError(
++			TIFF2PDF_MODULE,
++			"TIFF contains too many directories, %s",
++			TIFFFileName(input));
++		t2p->t2p_error = T2P_ERR_ERROR;
++		return;
++	}
+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
+ 	if(t2p->tiff_pages==NULL){
+ 		TIFFError(
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c69177e0..c60cb389 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ #define DUMP_TEXT   1
+ #define DUMP_RAW    2
+ 
++#define TIFF_DIR_MAX  65534
++
+ /* Offsets into buffer for margins and fixed width and length segments */
+ struct offset {
+   uint32  tmargin;
+@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
+     pageNum = -1;
+   else
+     total_images = 0;
+-  /* read multiple input files and write to output file(s) */
++  /* Read multiple input files and write to output file(s) */
+   while (optind < argc - 1)
+     {
+     in = TIFFOpen (argv[optind], "r");
+@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
+       return (-3);
+ 
+     /* If only one input file is specified, we can use directory count */
+-    total_images = TIFFNumberOfDirectories(in); 
++    total_images = TIFFNumberOfDirectories(in);
++    if (total_images > TIFF_DIR_MAX)
++      {
++      TIFFError (TIFFFileName(in), "File contains too many directories");
++      if (out != NULL)
++        (void) TIFFClose(out);
++      return (1);
++      }
+     if (image_count == 0)
+       {
+       dirnum = 0;
+-- 
+2.34.1
+
diff --git a/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
new file mode 100644
index 0000000..0a3af0a
--- /dev/null
+++ b/SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
@@ -0,0 +1,173 @@
+From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sun, 8 Apr 2018 14:07:08 -0400
+Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
+ TIFFPrintDirectory
+
+The TIFFPrintDirectory function relies on the following assumptions,
+supposed to be guaranteed by the specification:
+
+(a) A Transfer Function field is only present if the TIFF file has
+    photometric type < 3.
+
+(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
+    has count SamplesPerPixel - (Color Channels) and contains
+    information about supplementary channels.
+
+While respect of (a) and (b) are essential for the well functioning of
+TIFFPrintDirectory, no checks are realized neither by the callee nor
+by TIFFPrintDirectory itself. Hence, following scenarios might happen
+and trigger the NULL pointer dereference:
+
+(1) TIFF File of photometric type 4 or more has illegal Transfer
+    Function field.
+
+(2) TIFF File has photometric type 3 or less and defines a
+    SamplesPerPixel field such that SamplesPerPixel > Color Channels
+    without defining all extra samples in the ExtraSamples fields.
+
+In this patch, we address both issues with respect of the following
+principles:
+
+(A) In the case of (1), the defined transfer table should be printed
+    safely even if it isn't 'legal'. This allows us to avoid expensive
+    checks in TIFFPrintDirectory. Also, it is quite possible that
+    an alternative photometric type would be developed (not part of the
+    standard) and would allow definition of Transfer Table. We want
+    libtiff to be able to handle this scenario out of the box.
+
+(B) In the case of (2), the transfer table should be printed at its
+    right size, that is if TIFF file has photometric type Palette
+    then the transfer table should have one row and not three, even
+    if two extra samples are declared.
+
+In order to fulfill (A) we simply add a new 'i < 3' end condition to
+the broken TIFFPrintDirectory loop. This makes sure that in any case
+where (b) would be respected but not (a), everything stays fine.
+
+(B) is fulfilled by the loop condition
+'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
+long as (b) is respected.
+
+Naturally, we also make sure (b) is respected. This is done in the
+TIFFReadDirectory function by making sure any non-color channel is
+counted in ExtraSamples.
+
+This commit addresses CVE-2018-7456.
+
+(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
+---
+ libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_print.c   |  2 +-
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 5e62e813..80aaf8d1 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ 	}
+ }
+ 
++/*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++    switch (photometric) {
++	case PHOTOMETRIC_PALETTE:
++	case PHOTOMETRIC_MINISWHITE:
++	case PHOTOMETRIC_MINISBLACK:
++            return 1;
++	case PHOTOMETRIC_YCBCR:
++	case PHOTOMETRIC_RGB:
++	case PHOTOMETRIC_CIELAB:
++            return 3;
++	case PHOTOMETRIC_SEPARATED:
++	case PHOTOMETRIC_MASK:
++            return 4;
++	case PHOTOMETRIC_LOGL:
++	case PHOTOMETRIC_LOGLUV:
++	case PHOTOMETRIC_CFA:
++	case PHOTOMETRIC_ITULAB:
++	case PHOTOMETRIC_ICCLAB:
++	default:
++            return 0;
++    }
++}
++
+ /*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
+ 	uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
++        int color_channels;
+ 
+ 	tif->tif_diroff=tif->tif_nextdiroff;
+ 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
+ 			}
+ 		}
+ 	}
++
++	/*
++	 * Make sure all non-color channels are extrasamples.
++	 * If it's not the case, define them as such.
++	 */
++        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++                uint16 old_extrasamples;
++                uint16 *new_sampleinfo;
++
++                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++                    "Defining non-color channels as ExtraSamples.");
++
++                old_extrasamples = tif->tif_dir.td_extrasamples;
++                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++                // sampleinfo should contain information relative to these new extra samples
++                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++                if (!new_sampleinfo) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++                                "temporary new sampleinfo array (%d 16 bit elements)",
++                                tif->tif_dir.td_extrasamples);
++                    goto bad;
++                }
++
++                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++                _TIFFfree(new_sampleinfo);
++        }
++
+ 	/*
+ 	 * Verify Palette image has a Colormap.
+ 	 */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 24d4b98a..10a588ea 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ 				uint16 i;
+ 				fprintf(fd, "    %2ld: %5u",
+ 				    l, td->td_transferfunction[0][l]);
+-				for (i = 1; i < td->td_samplesperpixel; i++)
++				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+ 					fprintf(fd, " %5u",
+ 					    td->td_transferfunction[i][l]);
+ 				fputc('\n', fd);
+-- 
+2.34.1
+
diff --git a/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
new file mode 100644
index 0000000..c76ee4a
--- /dev/null
+++ b/SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
@@ -0,0 +1,155 @@
+From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:46:47 +1100
+Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
+
+Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
+
+This vulnerability - at least for the supplied test case - is because we
+assume that a tiff will only have one transfer function that is the same
+for all pages. This is not required by the TIFF standards.
+
+We than read the transfer function for every page.  Depending on the
+transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
+We allocate this memory after we read in the transfer function for the
+page.
+
+For the first exploit - POC1, this file has 3 pages. For the first page
+we allocate 2 extra extra XREF entries. Then for the next page 2 more
+entries. Then for the last page the transfer function changes and we
+allocate 4 more entries.
+
+When we read the file into memory, we assume we have 4 bytes extra for
+each and every page (as per the last transfer function we read). Which
+is not correct, we only have 2 bytes extra for the first 2 pages. As a
+result, we end up writing past the end of the buffer.
+
+There are also some related issues that this also fixes. For example,
+TIFFGetField can return uninitalized pointer values, and the logic to
+detect a N=3 vs N=1 transfer function seemed rather strange.
+
+It is also strange that we declare the transfer functions to be of type
+float, when the standard says they are unsigned 16 bit values. This is
+fixed in another patch.
+
+This patch will check to ensure that the N value for every transfer
+function is the same for every page. If this changes, we abort with an
+error. In theory, we should perhaps check that the transfer function
+itself is identical for every page, however we don't do that due to the
+confusion of the type of the data in the transfer function.
+
+(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
+---
+ libtiff/tif_dir.c |  3 +++
+ tools/tiff2pdf.c  | 65 ++++++++++++++++++++++++++++++++---------------
+ 2 files changed, 47 insertions(+), 21 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index f00f8080..c36a5f3f 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
+ 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
+ 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
++			} else {
++				*va_arg(ap, uint16**) = NULL;
++				*va_arg(ap, uint16**) = NULL;
+ 			}
+ 			break;
+ 		case TIFFTAG_REFERENCEBLACKWHITE:
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index bdb91262..ef5d6a01 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 pagen=0;
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
++	uint16 tiff_transferfunctioncount=0;
++	float* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	if(directorycount > TIFF_DIR_MAX) {
+@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                 }
+ #endif
+ 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
+-                                 &(t2p->tiff_transferfunction[0]),
+-                                 &(t2p->tiff_transferfunction[1]),
+-                                 &(t2p->tiff_transferfunction[2]))) {
+-			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                           (t2p->tiff_transferfunction[1] !=
+-                            t2p->tiff_transferfunction[0])) {
+-				t2p->tiff_transferfunctioncount = 3;
+-				t2p->tiff_pages[i].page_extra += 4;
+-				t2p->pdf_xrefcount += 4;
+-			} else {
+-				t2p->tiff_transferfunctioncount = 1;
+-				t2p->tiff_pages[i].page_extra += 2;
+-				t2p->pdf_xrefcount += 2;
+-			}
+-			if(t2p->pdf_minorversion < 2)
+-				t2p->pdf_minorversion = 2;
++                                 &(tiff_transferfunction[0]),
++                                 &(tiff_transferfunction[1]),
++                                 &(tiff_transferfunction[2]))) {
++
++                        if((tiff_transferfunction[1] != (float*) NULL) &&
++                           (tiff_transferfunction[2] != (float*) NULL)
++                          ) {
++                            tiff_transferfunctioncount=3;
++                        } else {
++                            tiff_transferfunctioncount=1;
++                        }
+                 } else {
+-			t2p->tiff_transferfunctioncount=0;
++			tiff_transferfunctioncount=0;
+ 		}
++
++                if (i > 0){
++                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
++                        TIFFError(
++                            TIFF2PDF_MODULE,
++                            "Different transfer function on page %d",
++                            i);
++                        t2p->t2p_error = T2P_ERR_ERROR;
++                        return;
++                    }
++                }
++
++                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
++                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
++                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
++                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
++                if(tiff_transferfunctioncount == 3){
++                        t2p->tiff_pages[i].page_extra += 4;
++                        t2p->pdf_xrefcount += 4;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                } else if (tiff_transferfunctioncount == 1){
++                        t2p->tiff_pages[i].page_extra += 2;
++                        t2p->pdf_xrefcount += 2;
++                        if(t2p->pdf_minorversion < 2)
++                                t2p->pdf_minorversion = 2;
++                }
++
+ 		if( TIFFGetField(
+ 			input, 
+ 			TIFFTAG_ICCPROFILE, 
+@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+ 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[1] !=
+-                    t2p->tiff_transferfunction[0])) {
++                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++                  ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+ 			t2p->tiff_transferfunctioncount=1;
+-- 
+2.34.1
+
diff --git a/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
new file mode 100644
index 0000000..80522ba
--- /dev/null
+++ b/SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
@@ -0,0 +1,61 @@
+From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
+From: Brian May <brian@linuxpenguins.xyz>
+Date: Thu, 7 Dec 2017 07:49:20 +1100
+Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
+ transfer table
+
+The standard says the transfer table contains unsigned 16 bit values,
+I have no idea why we refer to them as floats.
+
+(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
+---
+ tools/tiff2pdf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index ef5d6a01..bd23c9e5 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -239,7 +239,7 @@ typedef struct {
+ 	float tiff_whitechromaticities[2];
+ 	float tiff_primarychromaticities[6];
+ 	float tiff_referenceblackwhite[2];
+-	float* tiff_transferfunction[3];
++	uint16* tiff_transferfunction[3];
+ 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
+ 					   1 : interpolate */
+ 	uint16 tiff_transferfunctioncount;
+@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 	uint16 paged=0;
+ 	uint16 xuint16=0;
+ 	uint16 tiff_transferfunctioncount=0;
+-	float* tiff_transferfunction[3];
++	uint16* tiff_transferfunction[3];
+ 
+ 	directorycount=TIFFNumberOfDirectories(input);
+ 	if(directorycount > TIFF_DIR_MAX) {
+@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+                                  &(tiff_transferfunction[1]),
+                                  &(tiff_transferfunction[2]))) {
+ 
+-                        if((tiff_transferfunction[1] != (float*) NULL) &&
+-                           (tiff_transferfunction[2] != (float*) NULL)
++                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
++                           (tiff_transferfunction[2] != (uint16*) NULL)
+                           ) {
+                             tiff_transferfunctioncount=3;
+                         } else {
+@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			 &(t2p->tiff_transferfunction[0]),
+ 			 &(t2p->tiff_transferfunction[1]),
+ 			 &(t2p->tiff_transferfunction[2]))) {
+-		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
+-                   (t2p->tiff_transferfunction[2] != (float*) NULL)
++		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
++                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
+                   ) {
+ 			t2p->tiff_transferfunctioncount=3;
+ 		} else {
+-- 
+2.34.1
+
diff --git a/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
new file mode 100644
index 0000000..8c23d07
--- /dev/null
+++ b/SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
@@ -0,0 +1,37 @@
+From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 31 Dec 2017 15:09:41 +0100
+Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
+ fix null pointer dereference on corrupted file. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2770
+
+(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
+---
+ libtiff/tif_print.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 10a588ea..b9b53a0f 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
+ 			    (unsigned long) s,
+-			    (unsigned __int64) td->td_stripoffset[s],
+-			    (unsigned __int64) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
+ #else
+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
+ 			    (unsigned long) s,
+-			    (unsigned long long) td->td_stripoffset[s],
+-			    (unsigned long long) td->td_stripbytecount[s]);
++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
+ #endif
+ 	}
+ }
+-- 
+2.34.1
+
diff --git a/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
new file mode 100644
index 0000000..db6c0e5
--- /dev/null
+++ b/SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
@@ -0,0 +1,55 @@
+From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
+ index-out-of-bounds write. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+
+(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
+---
+ libtiff/tif_lzw.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index bc8f9c84..186ea3ca 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 	char *tp;
+ 	unsigned char *bp;
+ 	int code, nbits;
++	int len;
+ 	long nextbits, nextdata, nbitsmask;
+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ 
+@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 				}  while (--occ);
+ 				break;
+ 			}
+-			assert(occ >= codep->length);
+-			op += codep->length;
+-			occ -= codep->length;
+-			tp = op;
++			len = codep->length;
++			tp = op + len;
+ 			do {
+-				*--tp = codep->value;
+-			} while( (codep = codep->next) != NULL );
++				int t;
++				--tp;
++				t = codep->value;
++				codep = codep->next;
++				*tp = (char)t;
++			} while (codep && tp > op);
++			assert(occ >= len);
++			op += len;
++			occ -= len;
+ 		} else {
+ 			*op++ = (char)code;
+ 			occ--;
+-- 
+2.34.1
+
diff --git a/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
new file mode 100644
index 0000000..58c6ff2
--- /dev/null
+++ b/SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
@@ -0,0 +1,32 @@
+From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
+
+(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
+---
+ libtiff/tif_dirwrite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index c68d6d21..5d0a6699 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 								}
+ 								break;
+ 							default:
+-								assert(0);   /* we should never get here */
+-								break;
++								TIFFErrorExt(tif->tif_clientdata,module,
++								            "Cannot write tag %d (%s)",
++								            TIFFFieldTag(o),
++                                                                            o->field_name ? o->field_name : "unknown");
++								goto bad;
+ 						}
+ 					}
+ 				}
+-- 
+2.34.1
+
diff --git a/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
new file mode 100644
index 0000000..22fb539
--- /dev/null
+++ b/SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
@@ -0,0 +1,41 @@
+From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
+From: Young_X <YangX92@hotmail.com>
+Date: Sat, 8 Sep 2018 14:46:27 +0800
+Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
+ multiply_ms()
+
+(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 91415e96..81ffa3db 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -72,15 +72,16 @@ BadPPM(char* file)
+ 	exit(-2);
+ }
+ 
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-	tmsize_t bytes = m1 * m2;
+-
+-	if (m1 && bytes / m1 != m2)
+-		bytes = 0;
+-
+-	return bytes;
++        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++            return 0;
++        return m1 * m2;
+ }
+ 
+ int
+-- 
+2.34.1
+
diff --git a/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
new file mode 100644
index 0000000..5cbdde0
--- /dev/null
+++ b/SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
@@ -0,0 +1,110 @@
+From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 14 Oct 2018 16:38:29 +0200
+Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
+ JBIGDecode()
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+
+(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
+---
+ libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
+ libtiff/tif_read.c |  6 ++++++
+ 2 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 7a14dd9a..8136c77b 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ 	struct jbg_dec_state decoder;
+ 	int decodeStatus = 0;
+ 	unsigned char* pImage = NULL;
+-	(void) size, (void) s;
++	unsigned long decodedSize;
++	(void) s;
+ 
+ 	if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+ 	{
+-		TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++		TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+ 	}
+ 
+ 	jbg_dec_init(&decoder);
+ 
+ #if defined(HAVE_JBG_NEWLEN)
+-	jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++	jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+ 	/*
+ 	 * I do not check the return status of jbg_newlen because even if this
+ 	 * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ 	 */
+ #endif /* HAVE_JBG_NEWLEN */
+ 
+-	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+-				  (size_t)tif->tif_rawdatasize, NULL);
++	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++				  (size_t)tif->tif_rawcc, NULL);
+ 	if (JBG_EOK != decodeStatus)
+ 	{
+ 		/*
+@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ 		return 0;
+ 	}
+ 
++	decodedSize = jbg_dec_getsize(&decoder);
++	if( (tmsize_t)decodedSize < size )
++	{
++	    TIFFWarningExt(tif->tif_clientdata, "JBIG",
++	                   "Only decoded %lu bytes, whereas %lu requested",
++	                   decodedSize, (unsigned long)size);
++	}
++	else if( (tmsize_t)decodedSize > size )
++	{
++	    TIFFErrorExt(tif->tif_clientdata, "JBIG",
++	                 "Decoded %lu bytes, whereas %lu were requested",
++	                 decodedSize, (unsigned long)size);
++	    jbg_dec_free(&decoder);
++	    return 0;
++	}
+ 	pImage = jbg_dec_getimage(&decoder, 0);
+-	_TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++	_TIFFmemcpy(buffer, pImage, decodedSize);
+ 	jbg_dec_free(&decoder);
++
++        tif->tif_rawcp += tif->tif_rawcc;
++        tif->tif_rawcc = 0;
++
+ 	return 1;
+ }
+ 
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba985a7..04100f4d 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
+             return 0;
+         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
+                 || isMapped(tif);
++        if( td->td_compression == COMPRESSION_JBIG )
++        {
++            /* Ideally plugins should have a way to declare they don't support
++             * chunk strip */
++            whole_strip = 1;
++        }
+ #else
+         whole_strip = 1;
+ #endif
+-- 
+2.34.1
+
diff --git a/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
new file mode 100644
index 0000000..18b6f0e
--- /dev/null
+++ b/SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
@@ -0,0 +1,122 @@
+From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 30 Oct 2018 18:50:27 +0100
+Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
+ case of out of memory situation. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
+
+(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
+---
+ libtiff/tiffiop.h |  1 +
+ tools/tiff2bw.c   | 30 ++++++++++++++++++++++++++----
+ tools/tiffcrop.c  |  5 -----
+ 3 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index daa291c0..08e5dc44 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #endif
+ 
+ #define    streq(a,b)      (strcmp(a,b) == 0)
++#define    strneq(a,b,n)   (strncmp(a,b,n) == 0)
+ 
+ #ifndef TRUE
+ #define	TRUE	1
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index dad54afa..1f3bb2cd 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -40,9 +40,7 @@
+ #endif
+ 
+ #include "tiffio.h"
+-
+-#define	streq(a,b)	(strcmp((a),(b)) == 0)
+-#define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
++#include "tiffiop.h"
+ 
+ /* x% weighting -> fraction of full color */
+ #define	PCT(x)	(((x)*256+50)/100)
+@@ -223,6 +221,11 @@ main(int argc, char* argv[])
+ 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ 	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ 	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++        if( !outbuf )
++        {
++            fprintf(stderr, "Out of memory\n");
++            goto tiff2bw_error;
++        }
+ 	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ 	    TIFFDefaultStripSize(out, rowsperstrip));
+ 
+@@ -246,6 +249,11 @@ main(int argc, char* argv[])
+ #undef CVT
+ 		}
+ 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++                if( !inbuf )
++                {
++                    fprintf(stderr, "Out of memory\n");
++                    goto tiff2bw_error;
++                }
+ 		for (row = 0; row < h; row++) {
+ 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ 				break;
+@@ -256,6 +264,11 @@ main(int argc, char* argv[])
+ 		break;
+ 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
+ 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++                if( !inbuf )
++                {
++                    fprintf(stderr, "Out of memory\n");
++                    goto tiff2bw_error;
++                }
+ 		for (row = 0; row < h; row++) {
+ 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ 				break;
+@@ -265,8 +278,16 @@ main(int argc, char* argv[])
+ 		}
+ 		break;
+ 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
++        {
++                tmsize_t inbufsize;
+ 		rowsize = TIFFScanlineSize(in);
+-		inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
++                inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
++		inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
++                if( !inbuf )
++                {
++                    fprintf(stderr, "Out of memory\n");
++                    goto tiff2bw_error;
++                }
+ 		for (row = 0; row < h; row++) {
+ 			for (s = 0; s < 3; s++)
+ 				if (TIFFReadScanline(in,
+@@ -278,6 +299,7 @@ main(int argc, char* argv[])
+ 				break;
+ 		}
+ 		break;
++        }
+ 	}
+ #undef pack
+         if (inbuf)
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index c60cb389..3862b1ca 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
+ 
+ #define TIFF_UINT32_MAX     0xFFFFFFFFU
+ 
+-#ifndef streq
+-#define	streq(a,b)	(strcmp((a),(b)) == 0)
+-#endif
+-#define	strneq(a,b,n)	(strncmp((a),(b),(n)) == 0)
+-
+ #define	TRUE	1
+ #define	FALSE	0
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
new file mode 100644
index 0000000..0eff22e
--- /dev/null
+++ b/SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
@@ -0,0 +1,43 @@
+From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Wed, 31 Oct 2018 11:50:48 +0100
+Subject: [PATCH] (bz1602597) Fix two resource leaks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Nikola Forró <nforro@redhat.com>
+(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
+---
+ tools/ppm2tiff.c | 2 ++
+ tools/tiff2pdf.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 81ffa3db..a02e865a 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -285,6 +285,8 @@ main(int argc, char* argv[])
+ 		if (TIFFWriteScanline(out, buf, row, 0) < 0)
+ 			break;
+ 	}
++	if (in != stdin)
++		fclose(in);
+ 	(void) TIFFClose(out);
+ 	if (buf)
+ 		_TIFFfree(buf);
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index bd23c9e5..ff7b9c22 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
+                                         "for t2p_readwrite_pdf_image_tile, %s", 
+ 					(unsigned long) t2p->tiff_datasize, 
+ 					TIFFFileName(input));
++				_TIFFfree(buffer);
+ 				t2p->t2p_error = T2P_ERR_ERROR;
+ 				return(0);
+ 			}
+-- 
+2.34.1
+
diff --git a/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
new file mode 100644
index 0000000..3a25723
--- /dev/null
+++ b/SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
@@ -0,0 +1,50 @@
+From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 10:05:33 +0100
+Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
+ no overflow
+
+fixes bug 2833
+
+(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
+---
+ tools/tiffcp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 489459a7..96f14728 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -43,6 +43,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ #include <ctype.h>
+ 
+@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	int status = 1;
+ 	uint32 imagew = TIFFRasterScanlineSize(in);
+ 	uint32 tilew = TIFFTileRowSize(in);
+-	int iskew  = imagew - tilew*spp;
++	int iskew;
+ 	tsize_t tilesize = TIFFTileSize(in);
+ 	tdata_t tilebuf;
+ 	uint8* bufp = (uint8*) buf;
+@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ 	uint32 row;
+ 	uint16 bps = 0, bytes_per_sample;
+ 
++	if (tilew && spp > (INT_MAX / tilew))
++	{
++		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
++		return 0;
++	}
++	iskew = imagew - tilew*spp;
+ 	tilebuf = _TIFFmalloc(tilesize);
+ 	if (tilebuf == 0)
+ 		return 0;
+-- 
+2.34.1
+
diff --git a/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
new file mode 100644
index 0000000..713178a
--- /dev/null
+++ b/SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
@@ -0,0 +1,426 @@
+From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 10 Aug 2019 18:25:03 +0200
+Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
+ and other implementation-defined behaviour (CVE-2019-14973)
+
+_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
+in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
+signed), which was especially easily triggered on 32-bit builds (with recent
+enough compilers that assume that signed multiplication cannot overflow, since
+this is undefined behaviour by the C standard). The original issue which lead to
+this fix was trigged from tif_fax3.c
+
+There were also unsafe (implementation defied), and broken in practice on 64bit
+builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
+(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
+at that time exploits, but are better to fix in a more bullet-proof way.
+Or similarly use of (int64)uint64_var <= 0.
+
+(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
+---
+ libtiff/tif_aux.c      | 49 +++++++++++++++++++++++++++++++++++++-----
+ libtiff/tif_getimage.c |  6 ++----
+ libtiff/tif_luv.c      |  8 +------
+ libtiff/tif_pixarlog.c |  7 +-----
+ libtiff/tif_read.c     | 38 +++++++++-----------------------
+ libtiff/tif_strip.c    | 35 ++++--------------------------
+ libtiff/tif_tile.c     | 27 +++--------------------
+ libtiff/tiffiop.h      |  7 +++++-
+ 8 files changed, 71 insertions(+), 106 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 10b8d00c..38a98b67 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
+ 	return bytes;
+ }
+ 
++tmsize_t
++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
++{
++    if( first <= 0 || second <= 0 )
++    {
++        if( tif != NULL && where != NULL )
++        {
++            TIFFErrorExt(tif->tif_clientdata, where,
++                        "Invalid argument to _TIFFMultiplySSize() in %s", where);
++        }
++        return 0;
++    }
++
++    if( first > TIFF_TMSIZE_T_MAX / second )
++    {
++        if( tif != NULL && where != NULL )
++        {
++            TIFFErrorExt(tif->tif_clientdata, where,
++                        "Integer overflow in %s", where);
++        }
++        return 0;
++    }
++    return first * second;
++}
++
++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
++{
++    if( val > (uint64)TIFF_TMSIZE_T_MAX )
++    {
++        if( tif != NULL && module != NULL )
++        {
++            TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++        }
++        return 0;
++    }
++    return (tmsize_t)val;
++}
++
+ void*
+ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ 		  tmsize_t nmemb, tmsize_t elem_size, const char* what)
+ {
+ 	void* cp = NULL;
+-	tmsize_t bytes = nmemb * elem_size;
+-
++        tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
+ 	/*
+-	 * XXX: Check for integer overflow.
++	 * Check for integer overflow.
+ 	 */
+-	if (nmemb && elem_size && bytes / elem_size == nmemb)
+-		cp = _TIFFrealloc(buffer, bytes);
++	if (count != 0)
++	{
++		cp = _TIFFrealloc(buffer, count);
++	}
+ 
+ 	if (cp == NULL) {
+ 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index fc554cca..ec09feaf 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 	uint32 leftmost_tw;
+ 
+ 	tilesize = TIFFTileSize(tif);  
+-	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
++	bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
+ 	if (bufsize == 0) {
+-		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+ 		return (0);
+ 	}
+ 
+@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+         uint16 colorchannels;
+ 
+ 	stripsize = TIFFStripSize(tif);  
+-	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
++	bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
+ 	if (bufsize == 0) {
+-		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+ 		return (0);
+ 	}
+ 
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 4b25244b..c4cb73a3 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
+ 	return (SGILOGDATAFMT_UNKNOWN);
+ }
+ 
+-
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+-            return 0;
+-        return m1 * m2;
++        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+ 
+ static int
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 979858da..8e9eaa1d 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
+ 	return guess;
+ }
+ 
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+-        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+-            return 0;
+-        return m1 * m2;
++        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+ 
+ static tmsize_t
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 04100f4d..9a0e6e95 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -31,9 +31,6 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ #define THRESHOLD_MULTIPLIER 10
+ #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+ 
++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
++
+ /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
+  * Returns 1 in case of success, 0 otherwise. */
+ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
+@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ 		return ((tmsize_t)(-1));
+ 	}
+ 	bytecount = td->td_stripbytecount[strip];
+-	if ((int64)bytecount <= 0) {
+-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+-		TIFFErrorExt(tif->tif_clientdata, module,
+-			     "%I64u: Invalid strip byte count, strip %lu",
+-			     (unsigned __int64) bytecount,
+-			     (unsigned long) strip);
+-#else
+-		TIFFErrorExt(tif->tif_clientdata, module,
+-			     "%llu: Invalid strip byte count, strip %lu",
+-			     (unsigned long long) bytecount,
+-			     (unsigned long) strip);
+-#endif
+-		return ((tmsize_t)(-1));
+-	}
+-	bytecountm = (tmsize_t)bytecount;
+-	if ((uint64)bytecountm!=bytecount) {
+-		TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
++        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
++	if (bytecountm == 0) {
+ 		return ((tmsize_t)(-1));
+ 	}
+ 	if (size != (tmsize_t)(-1) && size < bytecountm)
+@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ 	{
+ 		uint64 bytecount = td->td_stripbytecount[strip];
+-		if ((int64)bytecount <= 0) {
++		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+ 				"Invalid strip byte count %I64u, strip %lu",
+@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
+ 			{
+ 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+-				if( (int64)newbytecount >= 0 )
++				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ 				{
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 					TIFFWarningExt(tif->tif_clientdata, module,
+@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
+ 	bytecount64 = td->td_stripbytecount[tile];
+ 	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
+ 		bytecount64 = (uint64)size;
+-	bytecountm = (tmsize_t)bytecount64;
+-	if ((uint64)bytecountm!=bytecount64)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++	bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
++        if( bytecountm == 0 ) {
+ 		return ((tmsize_t)(-1));
+ 	}
+ 	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
+@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ 	{
+ 		uint64 bytecount = td->td_stripbytecount[tile];
+-		if ((int64)bytecount <= 0) {
++		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+ 				"%I64u: Invalid tile byte count, tile %lu",
+@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
+ 			{
+ 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+-				if( (int64)newbytecount >= 0 )
++				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ 				{
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 					TIFFWarningExt(tif->tif_clientdata, module,
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 6e9f2ef6..321ad6b9 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ 	static const char module[] = "TIFFVStripSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFVStripSize64(tif,nrows);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-		n=0;
+-	}
+-	return(n);
++        return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
+ {
+ 	static const char module[] = "TIFFStripSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFStripSize64(tif);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
+ {
+ 	static const char module[] = "TIFFScanlineSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFScanlineSize64(tif);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m) {
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
+ {
+ 	static const char module[] = "TIFFRasterScanlineSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFRasterScanlineSize64(tif);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
+index 388e168a..7d057509 100644
+--- a/libtiff/tif_tile.c
++++ b/libtiff/tif_tile.c
+@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
+ {
+ 	static const char module[] = "TIFFTileRowSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFTileRowSize64(tif);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ 	static const char module[] = "TIFFVTileSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFVTileSize64(tif,nrows);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
+ {
+ 	static const char module[] = "TIFFTileSize";
+ 	uint64 m;
+-	tmsize_t n;
+ 	m=TIFFTileSize64(tif);
+-	n=(tmsize_t)m;
+-	if ((uint64)n!=m)
+-	{
+-		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+-		n=0;
+-	}
+-	return(n);
++	return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+ 
+ /*
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 08e5dc44..d4b86314 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #define	FALSE	0
+ #endif
+ 
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ typedef struct client_info {
+     struct client_info *next;
+     void *data;
+@@ -260,7 +263,7 @@ struct tiff {
+ #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
+ #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+ 
+-/* Safe multiply which returns zero if there is an integer overflow */
++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
+ #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+ 
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
+ 
+ extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
+ extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
+ extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
+ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
new file mode 100644
index 0000000..4520181
--- /dev/null
+++ b/SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
@@ -0,0 +1,105 @@
+From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 15 Aug 2019 15:05:28 +0200
+Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
+ potentially causing write heap buffer overflow, especially on 32 bit builds.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
+ OSS Fuzz
+
+(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
+---
+ libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index ec09feaf..c6edd27c 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 	fromskew = (w < imagewidth ? imagewidth - w : 0);
+ 	for (row = 0; row < h; row += nrow)
+ 	{
++		uint32 temp;
+ 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ 		nrow = (row + rowstoread > h ? h - row : rowstoread);
+ 		nrowsub = nrow;
+ 		if ((nrowsub%subsamplingver)!=0)
+ 			nrowsub+=subsamplingver-nrowsub%subsamplingver;
++		temp = (row + img->row_offset)%rowsperstrip + nrowsub;
++		if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++		{
++			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
++			return 0;
++		}
+ 		if (_TIFFReadEncodedStripAndAllocBuffer(tif,
+ 		    TIFFComputeStrip(tif,row+img->row_offset, 0),
+ 		    (void**)(&buf),
+                     maxstripsize,
+-		    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
++		    temp * scanline)==(tmsize_t)(-1)
+ 		    && (buf == NULL || img->stoponerr))
+ 		{
+ 			ret = 0;
+@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 	fromskew = (w < imagewidth ? imagewidth - w : 0);
+ 	for (row = 0; row < h; row += nrow)
+ 	{
++                uint32 temp;
+ 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ 		nrow = (row + rowstoread > h ? h - row : rowstoread);
+ 		offset_row = row + img->row_offset;
++                temp = (row + img->row_offset)%rowsperstrip + nrow;
++                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++                {
++                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
++                        return 0;
++                }
+                 if( buf == NULL )
+                 {
+                     if (_TIFFReadEncodedStripAndAllocBuffer(
+                             tif, TIFFComputeStrip(tif, offset_row, 0),
+                             (void**) &buf, bufsize,
+-                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++                            temp * scanline)==(tmsize_t)(-1)
+                         && (buf == NULL || img->stoponerr))
+                     {
+                             ret = 0;
+@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+                     }
+                 }
+ 		else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+-		    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++		    p0, temp * scanline)==(tmsize_t)(-1)
+ 		    && img->stoponerr)
+ 		{
+ 			ret = 0;
+@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 		}
+ 		if (colorchannels > 1 
+                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
+-                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++                                            p1, temp * scanline) == (tmsize_t)(-1)
+ 		    && img->stoponerr)
+ 		{
+ 			ret = 0;
+@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 		}
+ 		if (colorchannels > 1 
+                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
+-                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++                                            p2, temp * scanline) == (tmsize_t)(-1)
+ 		    && img->stoponerr)
+ 		{
+ 			ret = 0;
+@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 		if (alpha)
+ 		{
+ 			if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
+-			    pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++			    pa, temp * scanline)==(tmsize_t)(-1)
+ 			    && img->stoponerr)
+ 			{
+ 				ret = 0;
+-- 
+2.34.1
+
diff --git a/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
new file mode 100644
index 0000000..a943dca
--- /dev/null
+++ b/SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
@@ -0,0 +1,89 @@
+From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
+ limit in tiff2rgba
+
+fixes #207
+fixes #209
+
+(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
+---
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 4de96aec..e6de2209 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -70,8 +74,11 @@ main(int argc, char* argv[])
+ 	extern char *optarg;
+ #endif
+ 
+-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++	while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
+ 		switch (c) {
++			case 'M':
++				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++				break;
+ 			case 'b':
+ 				process_by_block = 1;
+ 				break;
+@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ 		  (unsigned long)width, (unsigned long)height);
+         return 0;
+     }
++    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++	TIFFError(TIFFFileName(in),
++		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++        return 0;
++    }
+ 
+     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
+     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
+@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
++	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++	{
++		TIFFError(TIFFFileName(in),
++			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++		return 0;
++	}
+         if( process_by_block && TIFFIsTiled( in ) )
+             return( cvt_by_tile( in, out ) );
+         else if( process_by_block )
+@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static char* stuff[] = {
+-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+     "where comp is one of the following compression algorithms:",
+     " jpeg\t\tJPEG encoding",
+     " zip\t\tZip/Deflate encoding",
+@@ -543,6 +563,7 @@ static char* stuff[] = {
+     " -b (progress by block rather than as a whole image)",
+     " -n don't emit alpha component.",
+     " -8 write BigTIFF file instead of ClassicTIFF",
++    " -M set the memory allocation limit in MiB. 0 to disable limit",
+     NULL
+ };
+ 
+-- 
+2.34.1
+
diff --git a/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
new file mode 100644
index 0000000..be5176b
--- /dev/null
+++ b/SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
@@ -0,0 +1,53 @@
+From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
+ overflow
+
+fixes #211
+
+(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c6edd27c..b1f7cc95 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -31,6 +31,7 @@
+  */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+ 
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 
+     flip = setorientation(img);
+     if (flip & FLIP_VERTICALLY) {
+-	    y = h - 1;
+-	    toskew = -(int32)(tw + w);
++        if ((tw + w) > INT_MAX) {
++            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++            return (0);
++        }
++        y = h - 1;
++        toskew = -(int32)(tw + w);
+     }
+     else {
+-	    y = 0;
+-	    toskew = -(int32)(tw - w);
++        if (tw > (INT_MAX + w)) {
++            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++            return (0);
++        }
++        y = 0;
++        toskew = -(int32)(tw - w);
+     }
+      
+     /*
+-- 
+2.34.1
+
diff --git a/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
new file mode 100644
index 0000000..7aff264
--- /dev/null
+++ b/SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
@@ -0,0 +1,41 @@
+From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
+ saving to JPEG YCbCr
+
+fixes #220
+
+(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index ff7b9c22..a5db1f64 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
+ #endif
+ 		(void) 0;
+ 	}
+-	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+-	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++	   && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++		k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++	} else
++#endif
++	{
++		k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++		if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++			k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++		}
+ 	}
+ 	if (k == 0) {
+ 		/* Assume we had overflow inside TIFFScanlineSize */
+-- 
+2.34.1
+
diff --git a/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
new file mode 100644
index 0000000..eb61fab
--- /dev/null
+++ b/SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
@@ -0,0 +1,92 @@
+From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Mon, 11 Feb 2019 23:08:25 +0100
+Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
+ 4
+
+too much bytes were processed, causing a heap buffer overrun
+    http://bugzilla.maptools.org/show_bug.cgi?id=2831
+the loop counter must be
+    for (col = 0; col < width; col += 8 / bps)
+
+Also the values were not properly calculated. It should be
+255-x, 15-x, 3-x for bps 8, 4, 2.
+
+But anyway it is easyer to invert all bits as 255-x = ~x, etc.
+(substracting from a binary number composed of all 1 is like inverting
+the bits)
+
+(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
+---
+ tools/tiffcrop.c | 37 ++++++-------------------------------
+ 1 file changed, 6 insertions(+), 31 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 3862b1ca..a6129148 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -9142,7 +9142,6 @@ static int
+ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
+   {
+   uint32   row, col;
+-  unsigned char  bytebuff1, bytebuff2, bytebuff3, bytebuff4;
+   unsigned char *src;
+   uint16        *src_uint16;
+   uint32        *src_uint32;
+@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+              for (row = 0; row < length; row++)
+                for (col = 0; col < width; col++)
+                  {
+-		 *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
++		 *src_uint32 = ~(*src_uint32);
+                   src_uint32++;
+                  }
+             break;
+@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
+              for (row = 0; row < length; row++)
+                for (col = 0; col < width; col++)
+                  {
+-		 *src_uint16 = (uint16)0xFFFF - *src_uint16;
++		 *src_uint16 = ~(*src_uint16);
+                   src_uint16++;
+                  }
+             break;
+-    case 8: for (row = 0; row < length; row++)
+-              for (col = 0; col < width; col++)
+-                {
+-		*src = (uint8)255 - *src;
+-                 src++;
+-                }
+-            break;
+-    case 4: for (row = 0; row < length; row++)
+-              for (col = 0; col < width; col++)
+-                {
+-		bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
+-		bytebuff2 = 16 - (*src & 15);
+-		*src = bytebuff1 << 4 & bytebuff2;
+-                src++;
+-                }
+-            break;
+-    case 2: for (row = 0; row < length; row++)
+-              for (col = 0; col < width; col++)
+-                {
+-		bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
+-		bytebuff2 = 4 - (uint8)(*src & 48  >> 4);
+-		bytebuff3 = 4 - (uint8)(*src & 12  >> 2);
+-		bytebuff4 = 4 - (uint8)(*src & 3);
+-		*src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
+-                src++;
+-                }
+-            break;
++    case 8:
++    case 4:
++    case 2:
+     case 1: for (row = 0; row < length; row++)
+-              for (col = 0; col < width; col += 8 /(spp * bps))
++              for (col = 0; col < width; col += 8 / bps)
+                 {
+                 *src = ~(*src);
+                 src++;
+-- 
+2.34.1
+
diff --git a/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
new file mode 100644
index 0000000..fb1652b
--- /dev/null
+++ b/SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
@@ -0,0 +1,30 @@
+From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 6 Feb 2022 13:08:38 +0100
+Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #362)
+
+(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
+---
+ libtiff/tif_dirread.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 80aaf8d1..1e6f1c2f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
+ 			_TIFFfree(data);
+ 			return(0);
+ 		}
+-                _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+-                _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
++		if( dir->tdir_count )
++			_TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
++		_TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+ 		_TIFFfree(data);
+ 		data=resizeddata;
+ 	}
+-- 
+2.34.1
+
diff --git a/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
new file mode 100644
index 0000000..ef22de3
--- /dev/null
+++ b/SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
@@ -0,0 +1,28 @@
+From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 5 Feb 2022 20:36:41 +0100
+Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #362)
+
+(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
+---
+ libtiff/tif_dirread.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 1e6f1c2f..d68aecc5 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
+                     goto bad;
+                 }
+ 
+-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                if (old_extrasamples > 0)
++                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+                 _TIFFfree(new_sampleinfo);
+         }
+-- 
+2.34.1
+
diff --git a/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
new file mode 100644
index 0000000..49e4e9d
--- /dev/null
+++ b/SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
@@ -0,0 +1,39 @@
+From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
+ ASCII tags where count is required (fixes #355)
+
+(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
+---
+ tools/tiffset.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffset.c b/tools/tiffset.c
+index 894c9f1f..e4b0d49f 100644
+--- a/tools/tiffset.c
++++ b/tools/tiffset.c
+@@ -134,9 +134,19 @@ main(int argc, char* argv[])
+ 
+             arg_index++;
+             if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+-                if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
++                if(TIFFFieldPassCount( fip )) {
++                    size_t len;
++                    len = strlen(argv[arg_index]) + 1;
++                    if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
++                            (uint16)len, argv[arg_index]) != 1)
+                     fprintf( stderr, "Failed to set %s=%s\n",
+                              TIFFFieldName(fip), argv[arg_index] );
++                } else {
++                    if (TIFFSetField(tiff, TIFFFieldTag(fip),
++                            argv[arg_index]) != 1)
++                        fprintf( stderr, "Failed to set %s=%s\n",
++                            TIFFFieldName(fip), argv[arg_index] );
++                }
+             } else if (TIFFFieldWriteCount(fip) > 0
+ 		       || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+                 int     ret = 1;
+-- 
+2.34.1
+
diff --git a/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
new file mode 100644
index 0000000..87eb654
--- /dev/null
+++ b/SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
@@ -0,0 +1,36 @@
+From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 24 Feb 2022 22:26:02 +0100
+Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
+ with multiple IFD in memory-mapped mode and when bit reversal is needed
+ (fixes #385)
+
+(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
+---
+ libtiff/tif_jbig.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 8136c77b..698428f0 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
+ 	 */
+ 	tif->tif_flags |= TIFF_NOBITREV;
+ 	tif->tif_flags &= ~TIFF_MAPPED;
++	/* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
++	 * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
++	 * value to be consistent with the state of a non-memory mapped file.
++	 */
++	if (tif->tif_flags&TIFF_BUFFERMMAP) {
++		tif->tif_rawdata = NULL;
++		tif->tif_rawdatasize = 0;
++		tif->tif_flags &= ~TIFF_BUFFERMMAP;
++		tif->tif_flags |= TIFF_MYBUFFER;
++	}
+ 
+ 	/* Setup the function pointers for encode, decode, and cleanup. */
+ 	tif->tif_setupdecode = JBIGSetupDecode;
+-- 
+2.34.1
+
diff --git a/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
new file mode 100644
index 0000000..af2e18d
--- /dev/null
+++ b/SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
@@ -0,0 +1,201 @@
+From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 8 Mar 2022 17:02:44 +0000
+Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
+ overflow in extractImageSection
+
+(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
+---
+ tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
+ 1 file changed, 32 insertions(+), 52 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a6129148..83cf80ad 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   uint32    img_length;
+ #endif
+-  uint32    j, shift1, shift2, trailing_bits;
++  uint32    j, shift1, trailing_bits;
+   uint32    row, first_row, last_row, first_col, last_col;
+   uint32    src_offset, dst_offset, row_offset, col_offset;
+-  uint32    offset1, offset2, full_bytes;
++  uint32    offset1, full_bytes;
+   uint32    sect_width;
+ #ifdef DEVELMODE
+   uint32    sect_length;
+@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   int      k;
+   unsigned char bitset;
+-  static char *bitarray = NULL;
+ #endif
+ 
+   img_width = image->width;
+@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+   dst_offset = 0;
+ 
+ #ifdef DEVELMODE
+-  if (bitarray == NULL)
+-    {
+-    if ((bitarray = (char *)malloc(img_width)) == NULL)
+-      {
+-      TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
+-      return (-1);
+-      }
+-    }
++  char bitarray[39];
+ #endif
+ 
+-  /* rows, columns, width, length are expressed in pixels */
++  /* rows, columns, width, length are expressed in pixels
++   * first_row, last_row, .. are index into image array starting at 0 to width-1,
++   * last_col shall be also extracted.  */
+   first_row = section->y1;
+   last_row  = section->y2;
+   first_col = section->x1;
+@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+   sect_length = last_row - first_row + 1;
+ #endif
+-  img_rowsize = ((img_width * bps + 7) / 8) * spp;
++    /* The read function loadImage() used copy separate plane data into a buffer as interleaved
++     * samples rather than separate planes so the same logic works to extract regions
++     * regardless of the way the data are organized in the input file.
++     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
++     */
++    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+   full_bytes = (sect_width * spp * bps) / 8;   /* number of COMPLETE bytes per row in section */
+-  trailing_bits = (sect_width * bps) % 8;
++    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
+@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ 
+   if ((bps % 8) == 0)
+     {
+-    col_offset = first_col * spp * bps / 8;
++    col_offset = (first_col * spp * bps) / 8;
+     for (row = first_row; row <= last_row; row++)
+       {
+-      /* row_offset = row * img_width * spp * bps / 8; */
+       row_offset = row * img_rowsize;
+       src_offset = row_offset + col_offset;
+ 
+@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+     }
+   else
+     { /* bps != 8 */
+-    shift1  = spp * ((first_col * bps) % 8);
+-    shift2  = spp * ((last_col * bps) % 8);
++    shift1 = ((first_col * spp * bps) % 8);           /* shift1 = bits to skip in the first byte of source buffer*/
+     for (row = first_row; row <= last_row; row++)
+       {
+       /* pull out the first byte */
+       row_offset = row * img_rowsize;
+-      offset1 = row_offset + (first_col * bps / 8);
+-      offset2 = row_offset + (last_col * bps / 8);
++      offset1 = row_offset + ((first_col * spp * bps) / 8);   /* offset1 = offset into source of byte with first bits to be extracted */
+ 
+ #ifdef DEVELMODE
+       for (j = 0, k = 7; j < 8; j++, k--)
+@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+       sprintf(&bitarray[9], " ");
+       for (j = 10, k = 7; j < 18; j++, k--)
+         {
+-        bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
++        bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
+         sprintf(&bitarray[j], (bitset) ? "1" : "0");
+         }
+       bitarray[18] = '\0';
+-      TIFFError ("", "Row: %3d Offset1: %d,  Shift1: %d,    Offset2: %d,  Shift2:  %d\n", 
+-                 row, offset1, shift1, offset2, shift2); 
++      TIFFError ("", "Row: %3d Offset1: %d,  Shift1: %d,    Offset2: %d,  Trailing_bits:  %d\n",
++                 row, offset1, shift1, offset1+full_bytes, trailing_bits);
+ #endif
+ 
+       bytebuff1 = bytebuff2 = 0;
+@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ 
+         if (trailing_bits != 0)
+           {
+-	  bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
++      /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++	  bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+           sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+ 	  TIFFError ("", "        Trailing bits src offset:  %8d, Dst offset: %8d\n", 
+-                              offset2, dst_offset); 
++          offset1 + full_bytes, dst_offset);
+           for (j = 30, k = 7; j < 38; j++, k--)
+             {
+             bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
+@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+         for (j = 0; j <= full_bytes; j++) 
+           {
++          /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
++          /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ 	  bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+-	  bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
++          bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+           }
+ #ifdef DEVELMODE
+@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #endif
+         dst_offset += full_bytes;
+ 
++        /* Copy the trailing_bits for the last byte in the destination buffer. 
++           Could come from one ore two bytes of the source buffer. */
+         if (trailing_bits != 0)
+           {
+ #ifdef DEVELMODE
+-	    TIFFError ("", "        Trailing bits   src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); 
+-#endif
+-	  if (shift2 > shift1)
+-            {
+-	    bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
+-            bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
+-            sect_buff[dst_offset] = bytebuff2;
+-#ifdef DEVELMODE
+-	    TIFFError ("", "        Shift2 > Shift1\n"); 
++          TIFFError("", "        Trailing bits %4d   src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
+ #endif
+-            }
+-          else
+-            {
+-	    if (shift2 < shift1)
+-              {
+-              bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
+-	      sect_buff[dst_offset] &= bytebuff2;
+-#ifdef DEVELMODE
+-	      TIFFError ("", "        Shift2 < Shift1\n"); 
+-#endif
+-              }
+-#ifdef DEVELMODE
+-            else
+-	      TIFFError ("", "        Shift2 == Shift1\n"); 
+-#endif
+-            }
++          /* More than necessary bits are already copied into last destination buffer, 
++           * only masking of last byte in destination buffer is necessary.*/ 
++          sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
+ 	  }
+ #ifdef DEVELMODE
+ 	  sprintf(&bitarray[28], " ");
+@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
+     width  = sections[i].x2 - sections[i].x1 + 1;
+     length = sections[i].y2 - sections[i].y1 + 1;
+     sectsize = (uint32)
+-	    ceil((width * image->bps + 7) / (double)8) * image->spp * length;
++	    ceil((width * image->bps * image->spp + 7) / (double)8) * length;
+     /* allocate a buffer if we don't have one already */
+     if (createImageSection(sectsize, sect_buff_ptr))
+       {
+-- 
+2.34.1
+
diff --git a/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
new file mode 100644
index 0000000..769799f
--- /dev/null
+++ b/SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
@@ -0,0 +1,54 @@
+From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
+
+(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 96f14728..d5f1d248 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ 	tdata_t obuf;
+ 	tstrip_t strip = 0;
+ 	tsample_t s;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	obuf = _TIFFmalloc(stripsize);
+ 	if (obuf == NULL)
+ 		return (0);
+ 	_TIFFmemset(obuf, 0, stripsize);
+ 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++	if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++            _TIFFfree(obuf);
++            return 0;
++        }
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            _TIFFfree(obuf);
++            return 0;
++        }
++	bytes_per_sample = bps/8;
+ 	for (s = 0; s < spp; s++) {
+ 		uint32 row;
+ 		for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ 
+ 			cpContigBufToSeparateBuf(
+ 			    obuf, (uint8*) buf + row*rowsize + s,
+-			    nrows, imagewidth, 0, 0, spp, 1);
++			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ 				TIFFError(TIFFFileName(out),
+ 				    "Error, can't write strip %u",
+-- 
+2.34.1
+
diff --git a/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
new file mode 100644
index 0000000..6ffaba8
--- /dev/null
+++ b/SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
@@ -0,0 +1,33 @@
+From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
+
+(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index c36a5f3f..f126f2aa 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		break;
+ 	case TIFFTAG_XRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ 		break;
+-- 
+2.34.1
+
diff --git a/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
new file mode 100644
index 0000000..b76d47f
--- /dev/null
+++ b/SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
@@ -0,0 +1,30 @@
+From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
+ with a null source pointer and size of zero (fixes #383)
+
+(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index d68aecc5..b72e6a3b 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ 								_TIFFfree(data);
+ 							return(0);
+ 						}
+-						_TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++						if (dp->tdir_count > 0 )
++						{
++							_TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++						}
+ 						o[(uint32)dp->tdir_count]=0;
+ 						if (data!=0)
+ 							_TIFFfree(data);
+-- 
+2.34.1
+
diff --git a/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
new file mode 100644
index 0000000..deb2812
--- /dev/null
+++ b/SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
@@ -0,0 +1,58 @@
+From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 2 Apr 2022 22:33:31 +0200
+Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
+ string (fixes #400)
+
+(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
+---
+ tools/tiffcp.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index d5f1d248..fb98bd57 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -249,19 +249,34 @@ main(int argc, char* argv[])
+ 			deftilewidth = atoi(optarg);
+ 			break;
+ 		case 'B':
+-			*mp++ = 'b'; *mp = '\0';
++			if (strlen(mode) < (sizeof(mode) - 1))
++			{
++				*mp++ = 'b'; *mp = '\0';
++			}
+ 			break;
+ 		case 'L':
+-			*mp++ = 'l'; *mp = '\0';
++			if (strlen(mode) < (sizeof(mode) - 1))
++			{
++				*mp++ = 'l'; *mp = '\0';
++			}
+ 			break;
+ 		case 'M':
+-			*mp++ = 'm'; *mp = '\0';
++			if (strlen(mode) < (sizeof(mode) - 1))
++			{
++				*mp++ = 'm'; *mp = '\0';
++			}
+ 			break;
+ 		case 'C':
+-			*mp++ = 'c'; *mp = '\0';
++			if (strlen(mode) < (sizeof(mode) - 1))
++			{
++				*mp++ = 'c'; *mp = '\0';
++			}
+ 			break;
+ 		case '8':
+-			*mp++ = '8'; *mp = '\0';
++			if (strlen(mode) < (sizeof(mode)-1))
++			{
++				*mp++ = '8'; *mp = '\0';
++			}
+ 			break;
+ 		case 'x':
+ 			pageInSeq = 1;
+-- 
+2.34.1
+
diff --git a/SOURCES/libtiff-CVE-2017-18013.patch b/SOURCES/libtiff-CVE-2017-18013.patch
deleted file mode 100644
index 77afc48..0000000
--- a/SOURCES/libtiff-CVE-2017-18013.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
- pointer dereference on corrupted file. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 10a588e..b9b53a0 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
- 			    (unsigned long) s,
--			    (unsigned __int64) td->td_stripoffset[s],
--			    (unsigned __int64) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
- 			    (unsigned long) s,
--			    (unsigned long long) td->td_stripoffset[s],
--			    (unsigned long long) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- 	}
- }
--- 
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2017-9935.patch b/SOURCES/libtiff-CVE-2017-9935.patch
deleted file mode 100644
index 39327ff..0000000
--- a/SOURCES/libtiff-CVE-2017-9935.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page.  Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c |  3 +++
- tools/tiff2pdf.c  | 69 +++++++++++++++++++++++++++++++----------------
- 2 files changed, 49 insertions(+), 23 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index f00f808..c36a5f3 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
-+			} else {
-+				*va_arg(ap, uint16**) = NULL;
-+				*va_arg(ap, uint16**) = NULL;
- 			}
- 			break;
- 		case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index bdb9126..bd23c9e 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -239,7 +239,7 @@ typedef struct {
- 	float tiff_whitechromaticities[2];
- 	float tiff_primarychromaticities[6];
- 	float tiff_referenceblackwhite[2];
--	float* tiff_transferfunction[3];
-+	uint16* tiff_transferfunction[3];
- 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
- 					   1 : interpolate */
- 	uint16 tiff_transferfunctioncount;
-@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 pagen=0;
- 	uint16 paged=0;
- 	uint16 xuint16=0;
-+	uint16 tiff_transferfunctioncount=0;
-+	uint16* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
- 	if(directorycount > TIFF_DIR_MAX) {
-@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--				t2p->tiff_transferfunctioncount = 3;
--				t2p->tiff_pages[i].page_extra += 4;
--				t2p->pdf_xrefcount += 4;
--			} else {
--				t2p->tiff_transferfunctioncount = 1;
--				t2p->tiff_pages[i].page_extra += 2;
--				t2p->pdf_xrefcount += 2;
--			}
--			if(t2p->pdf_minorversion < 2)
--				t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
-+                           (tiff_transferfunction[2] != (uint16*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--			t2p->tiff_transferfunctioncount=0;
-+			tiff_transferfunctioncount=0;
- 		}
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
- 		if( TIFFGetField(
- 			input, 
- 			TIFFTAG_ICCPROFILE, 
-@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			 &(t2p->tiff_transferfunction[0]),
- 			 &(t2p->tiff_transferfunction[1]),
- 			 &(t2p->tiff_transferfunction[2]))) {
--		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
-+                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
-+                  ) {
- 			t2p->tiff_transferfunctioncount=3;
- 		} else {
- 			t2p->tiff_transferfunctioncount=1;
--- 
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-10963.patch b/SOURCES/libtiff-CVE-2018-10963.patch
deleted file mode 100644
index 039b7c1..0000000
--- a/SOURCES/libtiff-CVE-2018-10963.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index c68d6d2..5d0a669 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- 								}
- 								break;
- 							default:
--								assert(0);   /* we should never get here */
--								break;
-+								TIFFErrorExt(tif->tif_clientdata,module,
-+								            "Cannot write tag %d (%s)",
-+								            TIFFFieldTag(o),
-+                                                                            o->field_name ? o->field_name : "unknown");
-+								goto bad;
- 						}
- 					}
- 				}
--- 
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch
deleted file mode 100644
index c7c3d30..0000000
--- a/SOURCES/libtiff-CVE-2018-12900.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 10:05:33 +0100
-Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
-
-fixes bug 2833
----
- tools/tiffcp.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index 489459a..0c66229 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -43,6 +43,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- 
- #include <ctype.h>
- 
-@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	int status = 1;
- 	uint32 imagew = TIFFRasterScanlineSize(in);
- 	uint32 tilew = TIFFTileRowSize(in);
--	int iskew  = imagew - tilew*spp;
-+	int iskew;
- 	tsize_t tilesize = TIFFTileSize(in);
- 	tdata_t tilebuf;
- 	uint8* bufp = (uint8*) buf;
-@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
- 	uint32 row;
- 	uint16 bps = 0, bytes_per_sample;
- 
-+	if (tilew && spp > (INT_MAX / tilew))
-+	{
-+		TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
-+		return 0;
-+	}
-+	iskew = imagew - tilew*spp;
- 	tilebuf = _TIFFmalloc(tilesize);
- 	if (tilebuf == 0)
- 		return 0;
--- 
-2.21.0
-
diff --git a/SOURCES/libtiff-CVE-2018-17100.patch b/SOURCES/libtiff-CVE-2018-17100.patch
deleted file mode 100644
index 8ed6dca..0000000
--- a/SOURCES/libtiff-CVE-2018-17100.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
-From: Young_X <YangX92@hotmail.com>
-Date: Sat, 8 Sep 2018 14:46:27 +0800
-Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
-
----
- tools/ppm2tiff.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
-index 91415e9..81ffa3d 100644
---- a/tools/ppm2tiff.c
-+++ b/tools/ppm2tiff.c
-@@ -72,15 +72,16 @@ BadPPM(char* file)
- 	exit(-2);
- }
- 
-+
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
--	tmsize_t bytes = m1 * m2;
--
--	if (m1 && bytes / m1 != m2)
--		bytes = 0;
--
--	return bytes;
-+        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
-+            return 0;
-+        return m1 * m2;
- }
- 
- int
--- 
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-18557.patch b/SOURCES/libtiff-CVE-2018-18557.patch
deleted file mode 100644
index d2cd3c5..0000000
--- a/SOURCES/libtiff-CVE-2018-18557.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 14 Oct 2018 16:38:29 +0200
-Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
-
-JBIGDecode doesn't check if the user provided buffer is large enough
-to store the JBIG decoded image, which can potentially cause out-of-bounds
-write in the buffer.
-This issue was reported and analyzed by Thomas Dullien.
-
-Also fixes a (harmless) potential use of uninitialized memory when
-tif->tif_rawsize > tif->tif_rawcc
-
-And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
-that whole strip data is provided to JBIGDecode()
----
- libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
- libtiff/tif_read.c |  6 ++++++
- 2 files changed, 32 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
-index 7a14dd9..8136c77 100644
---- a/libtiff/tif_jbig.c
-+++ b/libtiff/tif_jbig.c
-@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- 	struct jbg_dec_state decoder;
- 	int decodeStatus = 0;
- 	unsigned char* pImage = NULL;
--	(void) size, (void) s;
-+	unsigned long decodedSize;
-+	(void) s;
- 
- 	if (isFillOrder(tif, tif->tif_dir.td_fillorder))
- 	{
--		TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
-+		TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
- 	}
- 
- 	jbg_dec_init(&decoder);
- 
- #if defined(HAVE_JBG_NEWLEN)
--	jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
-+	jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
- 	/*
- 	 * I do not check the return status of jbg_newlen because even if this
- 	 * function fails it does not necessarily mean that decoding the image
-@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- 	 */
- #endif /* HAVE_JBG_NEWLEN */
- 
--	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
--				  (size_t)tif->tif_rawdatasize, NULL);
-+	decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
-+				  (size_t)tif->tif_rawcc, NULL);
- 	if (JBG_EOK != decodeStatus)
- 	{
- 		/*
-@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
- 		return 0;
- 	}
- 
-+	decodedSize = jbg_dec_getsize(&decoder);
-+	if( (tmsize_t)decodedSize < size )
-+	{
-+	    TIFFWarningExt(tif->tif_clientdata, "JBIG",
-+	                   "Only decoded %lu bytes, whereas %lu requested",
-+	                   decodedSize, (unsigned long)size);
-+	}
-+	else if( (tmsize_t)decodedSize > size )
-+	{
-+	    TIFFErrorExt(tif->tif_clientdata, "JBIG",
-+	                 "Decoded %lu bytes, whereas %lu were requested",
-+	                 decodedSize, (unsigned long)size);
-+	    jbg_dec_free(&decoder);
-+	    return 0;
-+	}
- 	pImage = jbg_dec_getimage(&decoder, 0);
--	_TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
-+	_TIFFmemcpy(buffer, pImage, decodedSize);
- 	jbg_dec_free(&decoder);
-+
-+        tif->tif_rawcp += tif->tif_rawcc;
-+        tif->tif_rawcc = 0;
-+
- 	return 1;
- }
- 
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 2ba985a..04100f4 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
-             return 0;
-         whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
-                 || isMapped(tif);
-+        if( td->td_compression == COMPRESSION_JBIG )
-+        {
-+            /* Ideally plugins should have a way to declare they don't support
-+             * chunk strip */
-+            whole_strip = 1;
-+        }
- #else
-         whole_strip = 1;
- #endif
--- 
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-18661.patch b/SOURCES/libtiff-CVE-2018-18661.patch
deleted file mode 100644
index 9a7430b..0000000
--- a/SOURCES/libtiff-CVE-2018-18661.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 30 Oct 2018 18:50:27 +0100
-Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
- memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
- CVE-2018-18661
-
----
- libtiff/tiffiop.h |  1 +
- tools/tiff2bw.c   | 30 ++++++++++++++++++++++++++----
- tools/tiffcrop.c  |  5 -----
- 3 files changed, 27 insertions(+), 9 deletions(-)
-
-diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
-index daa291c..08e5dc4 100644
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #endif
- 
- #define    streq(a,b)      (strcmp(a,b) == 0)
-+#define    strneq(a,b,n)   (strncmp(a,b,n) == 0)
- 
- #ifndef TRUE
- #define	TRUE	1
-diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
-index dad54af..1f3bb2c 100644
---- a/tools/tiff2bw.c
-+++ b/tools/tiff2bw.c
-@@ -40,9 +40,7 @@
- #endif
- 
- #include "tiffio.h"
--
--#define	streq(a,b)	(strcmp((a),(b)) == 0)
--#define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
-+#include "tiffiop.h"
- 
- /* x% weighting -> fraction of full color */
- #define	PCT(x)	(((x)*256+50)/100)
-@@ -223,6 +221,11 @@ main(int argc, char* argv[])
- 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- 	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- 	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+        if( !outbuf )
-+        {
-+            fprintf(stderr, "Out of memory\n");
-+            goto tiff2bw_error;
-+        }
- 	TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
- 	    TIFFDefaultStripSize(out, rowsperstrip));
- 
-@@ -246,6 +249,11 @@ main(int argc, char* argv[])
- #undef CVT
- 		}
- 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-+                if( !inbuf )
-+                {
-+                    fprintf(stderr, "Out of memory\n");
-+                    goto tiff2bw_error;
-+                }
- 		for (row = 0; row < h; row++) {
- 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
- 				break;
-@@ -256,6 +264,11 @@ main(int argc, char* argv[])
- 		break;
- 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
- 		inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
-+                if( !inbuf )
-+                {
-+                    fprintf(stderr, "Out of memory\n");
-+                    goto tiff2bw_error;
-+                }
- 		for (row = 0; row < h; row++) {
- 			if (TIFFReadScanline(in, inbuf, row, 0) < 0)
- 				break;
-@@ -265,8 +278,16 @@ main(int argc, char* argv[])
- 		}
- 		break;
- 	case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
-+        {
-+                tmsize_t inbufsize;
- 		rowsize = TIFFScanlineSize(in);
--		inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
-+                inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
-+		inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
-+                if( !inbuf )
-+                {
-+                    fprintf(stderr, "Out of memory\n");
-+                    goto tiff2bw_error;
-+                }
- 		for (row = 0; row < h; row++) {
- 			for (s = 0; s < 3; s++)
- 				if (TIFFReadScanline(in,
-@@ -278,6 +299,7 @@ main(int argc, char* argv[])
- 				break;
- 		}
- 		break;
-+        }
- 	}
- #undef pack
-         if (inbuf)
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index c60cb38..3862b1c 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
- 
- #define TIFF_UINT32_MAX     0xFFFFFFFFU
- 
--#ifndef streq
--#define	streq(a,b)	(strcmp((a),(b)) == 0)
--#endif
--#define	strneq(a,b,n)	(strncmp((a),(b),(n)) == 0)
--
- #define	TRUE	1
- #define	FALSE	0
- 
--- 
-2.17.2
-
diff --git a/SOURCES/libtiff-CVE-2018-5784.patch b/SOURCES/libtiff-CVE-2018-5784.patch
deleted file mode 100644
index 5f26e5d..0000000
--- a/SOURCES/libtiff-CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
-Date: Fri, 23 Mar 2018 15:35:39 +0100
-Subject: [PATCH] Fix for bug 2772
-
-It is possible to craft a TIFF document where the IFD list is circular,
-leading to an infinite loop while traversing the chain. The libtiff
-directory reader has a failsafe that will break out of this loop after
-reading 65535 directory entries, but it will continue processing,
-consuming time and resources to process what is essentially a bogus TIFF
-document.
-
-This change fixes the above behavior by breaking out of processing when
-a TIFF document has >= 65535 directories and terminating with an error.
----
- contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
- tools/tiff2pdf.c                | 10 ++++++++++
- tools/tiffcrop.c                | 13 +++++++++++--
- 3 files changed, 34 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
-index c61ffbb..03b3573 100644
---- a/contrib/addtiffo/tif_overview.c
-+++ b/contrib/addtiffo/tif_overview.c
-@@ -65,6 +65,8 @@
- #  define MAX(a,b)      ((a>b) ? a : b)
- #endif
- 
-+#define TIFF_DIR_MAX  65534
-+
- void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
-                          int (*)(double,void*), void * );
- 
-@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- {
-     toff_t	nBaseDirOffset;
-     toff_t	nOffset;
-+    tdir_t	iNumDir;
- 
-     (void) bUseSubIFDs;
- 
-@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
-         return 0;
- 
-     TIFFWriteDirectory( hTIFF );
--    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
-+    iNumDir = TIFFNumberOfDirectories(hTIFF);
-+    if( iNumDir > TIFF_DIR_MAX )
-+    {
-+        TIFFErrorExt( TIFFClientdata(hTIFF),
-+                      "TIFF_WriteOverview",
-+                      "File `%s' has too many directories.\n",
-+                      TIFFFileName(hTIFF) );
-+        exit(-1);
-+    }
-+    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
- 
-     nOffset = TIFFCurrentDirOffset( hTIFF );
- 
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index 454befb..bdb9126 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
- 
- #define PS_UNIT_SIZE	72.0F
- 
-+#define TIFF_DIR_MAX    65534
-+
- /* This type is of PDF color spaces. */
- typedef enum {
- 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */
-@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 xuint16=0;
- 
- 	directorycount=TIFFNumberOfDirectories(input);
-+	if(directorycount > TIFF_DIR_MAX) {
-+		TIFFError(
-+			TIFF2PDF_MODULE,
-+			"TIFF contains too many directories, %s",
-+			TIFFFileName(input));
-+		t2p->t2p_error = T2P_ERR_ERROR;
-+		return;
-+	}
- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
- 	if(t2p->tiff_pages==NULL){
- 		TIFFError(
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index c69177e..c60cb38 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
- #define DUMP_TEXT   1
- #define DUMP_RAW    2
- 
-+#define TIFF_DIR_MAX  65534
-+
- /* Offsets into buffer for margins and fixed width and length segments */
- struct offset {
-   uint32  tmargin;
-@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
-     pageNum = -1;
-   else
-     total_images = 0;
--  /* read multiple input files and write to output file(s) */
-+  /* Read multiple input files and write to output file(s) */
-   while (optind < argc - 1)
-     {
-     in = TIFFOpen (argv[optind], "r");
-@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
-       return (-3);
- 
-     /* If only one input file is specified, we can use directory count */
--    total_images = TIFFNumberOfDirectories(in); 
-+    total_images = TIFFNumberOfDirectories(in);
-+    if (total_images > TIFF_DIR_MAX)
-+      {
-+      TIFFError (TIFFFileName(in), "File contains too many directories");
-+      if (out != NULL)
-+        (void) TIFFClose(out);
-+      return (1);
-+      }
-     if (image_count == 0)
-       {
-       dirnum = 0;
--- 
-2.13.6
-
diff --git a/SOURCES/libtiff-CVE-2018-7456.patch b/SOURCES/libtiff-CVE-2018-7456.patch
deleted file mode 100644
index 65a8947..0000000
--- a/SOURCES/libtiff-CVE-2018-7456.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
-Date: Tue, 17 Apr 2018 18:42:09 +0200
-Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
-
-The TIFFPrintDirectory function relies on the following assumptions,
-supposed to be guaranteed by the specification:
-
-(a) A Transfer Function field is only present if the TIFF file has
-    photometric type < 3.
-
-(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
-    has count SamplesPerPixel - (Color Channels) and contains
-    information about supplementary channels.
-
-While respect of (a) and (b) are essential for the well functioning of
-TIFFPrintDirectory, no checks are realized neither by the callee nor
-by TIFFPrintDirectory itself. Hence, following scenarios might happen
-and trigger the NULL pointer dereference:
-
-(1) TIFF File of photometric type 4 or more has illegal Transfer
-    Function field.
-
-(2) TIFF File has photometric type 3 or less and defines a
-    SamplesPerPixel field such that SamplesPerPixel > Color Channels
-    without defining all extra samples in the ExtraSamples fields.
-
-In this patch, we address both issues with respect of the following
-principles:
-
-(A) In the case of (1), the defined transfer table should be printed
-    safely even if it isn't 'legal'. This allows us to avoid expensive
-    checks in TIFFPrintDirectory. Also, it is quite possible that
-    an alternative photometric type would be developed (not part of the
-    standard) and would allow definition of Transfer Table. We want
-    libtiff to be able to handle this scenario out of the box.
-
-(B) In the case of (2), the transfer table should be printed at its
-    right size, that is if TIFF file has photometric type Palette
-    then the transfer table should have one row and not three, even
-    if two extra samples are declared.
-
-In order to fulfill (A) we simply add a new 'i < 3' end condition to
-the broken TIFFPrintDirectory loop. This makes sure that in any case
-where (b) would be respected but not (a), everything stays fine.
-
-(B) is fulfilled by the loop condition
-'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
-long as (b) is respected.
-
-Naturally, we also make sure (b) is respected. This is done in the
-TIFFReadDirectory function by making sure any non-color channel is
-counted in ExtraSamples.
-
-This commit addresses CVE-2018-7456.
----
- libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
- libtiff/tif_print.c   |  2 +-
- 2 files changed, 63 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 5e62e81..80aaf8d 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
- static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
- static void ChopUpSingleUncompressedStrip(TIFF*);
- static uint64 TIFFReadUInt64(const uint8 *value);
-+static int _TIFFGetMaxColorChannels(uint16 photometric);
- 
- static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
- 
-@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
- 	}
- }
- 
-+/*
-+ * Return the maximum number of color channels specified for a given photometric
-+ * type. 0 is returned if photometric type isn't supported or no default value
-+ * is defined by the specification.
-+ */
-+static int _TIFFGetMaxColorChannels( uint16 photometric )
-+{
-+    switch (photometric) {
-+	case PHOTOMETRIC_PALETTE:
-+	case PHOTOMETRIC_MINISWHITE:
-+	case PHOTOMETRIC_MINISBLACK:
-+            return 1;
-+	case PHOTOMETRIC_YCBCR:
-+	case PHOTOMETRIC_RGB:
-+	case PHOTOMETRIC_CIELAB:
-+            return 3;
-+	case PHOTOMETRIC_SEPARATED:
-+	case PHOTOMETRIC_MASK:
-+            return 4;
-+	case PHOTOMETRIC_LOGL:
-+	case PHOTOMETRIC_LOGLUV:
-+	case PHOTOMETRIC_CFA:
-+	case PHOTOMETRIC_ITULAB:
-+	case PHOTOMETRIC_ICCLAB:
-+	default:
-+            return 0;
-+    }
-+}
-+
- /*
-  * Read the next TIFF directory from a file and convert it to the internal
-  * format. We read directories sequentially.
-@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
- 	uint32 fii=FAILED_FII;
-         toff_t nextdiroff;
-     int bitspersample_read = FALSE;
-+        int color_channels;
- 
- 	tif->tif_diroff=tif->tif_nextdiroff;
- 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
-@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
- 			}
- 		}
- 	}
-+
-+	/*
-+	 * Make sure all non-color channels are extrasamples.
-+	 * If it's not the case, define them as such.
-+	 */
-+        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
-+        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
-+                uint16 old_extrasamples;
-+                uint16 *new_sampleinfo;
-+
-+                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
-+                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
-+                    "Defining non-color channels as ExtraSamples.");
-+
-+                old_extrasamples = tif->tif_dir.td_extrasamples;
-+                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
-+
-+                // sampleinfo should contain information relative to these new extra samples
-+                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
-+                if (!new_sampleinfo) {
-+                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
-+                                "temporary new sampleinfo array (%d 16 bit elements)",
-+                                tif->tif_dir.td_extrasamples);
-+                    goto bad;
-+                }
-+
-+                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
-+                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
-+                _TIFFfree(new_sampleinfo);
-+        }
-+
- 	/*
- 	 * Verify Palette image has a Colormap.
- 	 */
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 24d4b98..10a588e 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- 				uint16 i;
- 				fprintf(fd, "    %2ld: %5u",
- 				    l, td->td_transferfunction[0][l]);
--				for (i = 1; i < td->td_samplesperpixel; i++)
-+				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
- 					fprintf(fd, " %5u",
- 					    td->td_transferfunction[i][l]);
- 				fputc('\n', fd);
--- 
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2018-8905.patch b/SOURCES/libtiff-CVE-2018-8905.patch
deleted file mode 100644
index be6bee4..0000000
--- a/SOURCES/libtiff-CVE-2018-8905.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
- write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
- CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index bc8f9c8..186ea3c 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	char *tp;
- 	unsigned char *bp;
- 	int code, nbits;
-+	int len;
- 	long nextbits, nextdata, nbitsmask;
- 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
- 
-@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 				}  while (--occ);
- 				break;
- 			}
--			assert(occ >= codep->length);
--			op += codep->length;
--			occ -= codep->length;
--			tp = op;
-+			len = codep->length;
-+			tp = op + len;
- 			do {
--				*--tp = codep->value;
--			} while( (codep = codep->next) != NULL );
-+				int t;
-+				--tp;
-+				t = codep->value;
-+				codep = codep->next;
-+				*tp = (char)t;
-+			} while (codep && tp > op);
-+			assert(occ >= len);
-+			op += len;
-+			occ -= len;
- 		} else {
- 			*op++ = (char)code;
- 			occ--;
--- 
-2.17.0
-
diff --git a/SOURCES/libtiff-CVE-2019-14973.patch b/SOURCES/libtiff-CVE-2019-14973.patch
deleted file mode 100644
index f98ea1e..0000000
--- a/SOURCES/libtiff-CVE-2019-14973.patch
+++ /dev/null
@@ -1,424 +0,0 @@
-From 218c3753fba788c78a9b5e515e884043f6e2ba28 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 10 Aug 2019 18:25:03 +0200
-Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
- implementation-defined behaviour (CVE-2019-14973)
-
-_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
-in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
-signed), which was especially easily triggered on 32-bit builds (with recent
-enough compilers that assume that signed multiplication cannot overflow, since
-this is undefined behaviour by the C standard). The original issue which lead to
-this fix was trigged from tif_fax3.c
-
-There were also unsafe (implementation defied), and broken in practice on 64bit
-builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
-(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
-at that time exploits, but are better to fix in a more bullet-proof way.
-Or similarly use of (int64)uint64_var <= 0.
----
- libtiff/tif_aux.c      | 49 +++++++++++++++++++++++++++++++++++++-----
- libtiff/tif_getimage.c |  6 ++----
- libtiff/tif_luv.c      |  8 +------
- libtiff/tif_pixarlog.c |  7 +-----
- libtiff/tif_read.c     | 38 +++++++++-----------------------
- libtiff/tif_strip.c    | 35 ++++--------------------------
- libtiff/tif_tile.c     | 27 +++--------------------
- libtiff/tiffiop.h      |  7 +++++-
- 8 files changed, 71 insertions(+), 106 deletions(-)
-
-diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
-index 10b8d00..38a98b6 100644
---- a/libtiff/tif_aux.c
-+++ b/libtiff/tif_aux.c
-@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
- 	return bytes;
- }
- 
-+tmsize_t
-+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
-+{
-+    if( first <= 0 || second <= 0 )
-+    {
-+        if( tif != NULL && where != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata, where,
-+                        "Invalid argument to _TIFFMultiplySSize() in %s", where);
-+        }
-+        return 0;
-+    }
-+
-+    if( first > TIFF_TMSIZE_T_MAX / second )
-+    {
-+        if( tif != NULL && where != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata, where,
-+                        "Integer overflow in %s", where);
-+        }
-+        return 0;
-+    }
-+    return first * second;
-+}
-+
-+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
-+{
-+    if( val > (uint64)TIFF_TMSIZE_T_MAX )
-+    {
-+        if( tif != NULL && module != NULL )
-+        {
-+            TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+        }
-+        return 0;
-+    }
-+    return (tmsize_t)val;
-+}
-+
- void*
- _TIFFCheckRealloc(TIFF* tif, void* buffer,
- 		  tmsize_t nmemb, tmsize_t elem_size, const char* what)
- {
- 	void* cp = NULL;
--	tmsize_t bytes = nmemb * elem_size;
--
-+        tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
- 	/*
--	 * XXX: Check for integer overflow.
-+	 * Check for integer overflow.
- 	 */
--	if (nmemb && elem_size && bytes / elem_size == nmemb)
--		cp = _TIFFrealloc(buffer, bytes);
-+	if (count != 0)
-+	{
-+		cp = _TIFFrealloc(buffer, count);
-+	}
- 
- 	if (cp == NULL) {
- 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index fc554cc..ec09fea 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	uint32 leftmost_tw;
- 
- 	tilesize = TIFFTileSize(tif);  
--	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
-+	bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
- 	if (bufsize == 0) {
--		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
- 		return (0);
- 	}
- 
-@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-         uint16 colorchannels;
- 
- 	stripsize = TIFFStripSize(tif);  
--	bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
-+	bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
- 	if (bufsize == 0) {
--		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
- 		return (0);
- 	}
- 
-diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
-index 4b25244..c4cb73a 100644
---- a/libtiff/tif_luv.c
-+++ b/libtiff/tif_luv.c
-@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
- 	return (SGILOGDATAFMT_UNKNOWN);
- }
- 
--
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
--        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
--            return 0;
--        return m1 * m2;
-+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
- 
- static int
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 979858d..8e9eaa1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
- 	return guess;
- }
- 
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- static tmsize_t
- multiply_ms(tmsize_t m1, tmsize_t m2)
- {
--        if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
--            return 0;
--        return m1 * m2;
-+        return _TIFFMultiplySSize(NULL, m1, m2, NULL);
- }
- 
- static tmsize_t
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 04100f4..9a0e6e9 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -31,9 +31,6 @@
- #include "tiffiop.h"
- #include <stdio.h>
- 
--#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
--#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
--
- int TIFFFillStrip(TIFF* tif, uint32 strip);
- int TIFFFillTile(TIFF* tif, uint32 tile);
- static int TIFFStartStrip(TIFF* tif, uint32 strip);
-@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
- #define THRESHOLD_MULTIPLIER 10
- #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
- 
-+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
-+
- /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
-  * Returns 1 in case of success, 0 otherwise. */
- static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
-@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- 		return ((tmsize_t)(-1));
- 	}
- 	bytecount = td->td_stripbytecount[strip];
--	if ((int64)bytecount <= 0) {
--#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
--		TIFFErrorExt(tif->tif_clientdata, module,
--			     "%I64u: Invalid strip byte count, strip %lu",
--			     (unsigned __int64) bytecount,
--			     (unsigned long) strip);
--#else
--		TIFFErrorExt(tif->tif_clientdata, module,
--			     "%llu: Invalid strip byte count, strip %lu",
--			     (unsigned long long) bytecount,
--			     (unsigned long) strip);
--#endif
--		return ((tmsize_t)(-1));
--	}
--	bytecountm = (tmsize_t)bytecount;
--	if ((uint64)bytecountm!=bytecount) {
--		TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
-+        bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
-+	if (bytecountm == 0) {
- 		return ((tmsize_t)(-1));
- 	}
- 	if (size != (tmsize_t)(-1) && size < bytecountm)
-@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[strip];
--		if ((int64)bytecount <= 0) {
-+		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"Invalid strip byte count %I64u, strip %lu",
-@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
- 			{
- 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
--				if( (int64)newbytecount >= 0 )
-+				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- 				{
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 					TIFFWarningExt(tif->tif_clientdata, module,
-@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
- 	bytecount64 = td->td_stripbytecount[tile];
- 	if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
- 		bytecount64 = (uint64)size;
--	bytecountm = (tmsize_t)bytecount64;
--	if ((uint64)bytecountm!=bytecount64)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
-+	bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
-+        if( bytecountm == 0 ) {
- 		return ((tmsize_t)(-1));
- 	}
- 	return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
-@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[tile];
--		if ((int64)bytecount <= 0) {
-+		if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"%I64u: Invalid tile byte count, tile %lu",
-@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- 			    (bytecount - 4096) / 10 > (uint64)stripsize  )
- 			{
- 				uint64 newbytecount = (uint64)stripsize * 10 + 4096;
--				if( (int64)newbytecount >= 0 )
-+				if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
- 				{
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 					TIFFWarningExt(tif->tif_clientdata, module,
-diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
-index 6e9f2ef..321ad6b 100644
---- a/libtiff/tif_strip.c
-+++ b/libtiff/tif_strip.c
-@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
- {
- 	static const char module[] = "TIFFVStripSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFVStripSize64(tif,nrows);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+        return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFStripSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFStripSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFScanlineSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFScanlineSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m) {
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFRasterScanlineSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFRasterScanlineSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /* vim: set ts=8 sts=8 sw=8 noet: */
-diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
-index 388e168..7d05750 100644
---- a/libtiff/tif_tile.c
-+++ b/libtiff/tif_tile.c
-@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFTileRowSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFTileRowSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
- {
- 	static const char module[] = "TIFFVTileSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFVTileSize64(tif,nrows);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
- {
- 	static const char module[] = "TIFFTileSize";
- 	uint64 m;
--	tmsize_t n;
- 	m=TIFFTileSize64(tif);
--	n=(tmsize_t)m;
--	if ((uint64)n!=m)
--	{
--		TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
--		n=0;
--	}
--	return(n);
-+	return _TIFFCastUInt64ToSSize(tif, m, module);
- }
- 
- /*
-diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
-index 08e5dc4..d4b8631 100644
---- a/libtiff/tiffiop.h
-+++ b/libtiff/tiffiop.h
-@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
- #define	FALSE	0
- #endif
- 
-+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-+
- typedef struct client_info {
-     struct client_info *next;
-     void *data;
-@@ -260,7 +263,7 @@ struct tiff {
- #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
- #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
- 
--/* Safe multiply which returns zero if there is an integer overflow */
-+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
- #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
- 
- #define TIFFmax(A,B) ((A)>(B)?(A):(B))
-@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
- 
- extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
- extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
-+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
-+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
- extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
- extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
- 
--- 
-2.21.0
-
diff --git a/SOURCES/libtiff-CVE-2019-17546.patch b/SOURCES/libtiff-CVE-2019-17546.patch
deleted file mode 100644
index b802ce6..0000000
--- a/SOURCES/libtiff-CVE-2019-17546.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 3d451e3f95cbb67dd771a986991b5b6107140c4e Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 15 Aug 2019 15:05:28 +0200
-Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
- write heap buffer overflow, especially on 32 bit builds. Fixes
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
- Fuzz
-
----
- libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index ec09fea..c6edd27 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	fromskew = (w < imagewidth ? imagewidth - w : 0);
- 	for (row = 0; row < h; row += nrow)
- 	{
-+		uint32 temp;
- 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- 		nrow = (row + rowstoread > h ? h - row : rowstoread);
- 		nrowsub = nrow;
- 		if ((nrowsub%subsamplingver)!=0)
- 			nrowsub+=subsamplingver-nrowsub%subsamplingver;
-+		temp = (row + img->row_offset)%rowsperstrip + nrowsub;
-+		if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+		{
-+			TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
-+			return 0;
-+		}
- 		if (_TIFFReadEncodedStripAndAllocBuffer(tif,
- 		    TIFFComputeStrip(tif,row+img->row_offset, 0),
- 		    (void**)(&buf),
-                     maxstripsize,
--		    ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
-+		    temp * scanline)==(tmsize_t)(-1)
- 		    && (buf == NULL || img->stoponerr))
- 		{
- 			ret = 0;
-@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 	fromskew = (w < imagewidth ? imagewidth - w : 0);
- 	for (row = 0; row < h; row += nrow)
- 	{
-+                uint32 temp;
- 		rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
- 		nrow = (row + rowstoread > h ? h - row : rowstoread);
- 		offset_row = row + img->row_offset;
-+                temp = (row + img->row_offset)%rowsperstrip + nrow;
-+                if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
-+                {
-+                        TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
-+                        return 0;
-+                }
-                 if( buf == NULL )
-                 {
-                     if (_TIFFReadEncodedStripAndAllocBuffer(
-                             tif, TIFFComputeStrip(tif, offset_row, 0),
-                             (void**) &buf, bufsize,
--                            ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+                            temp * scanline)==(tmsize_t)(-1)
-                         && (buf == NULL || img->stoponerr))
-                     {
-                             ret = 0;
-@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
-                     }
-                 }
- 		else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
--		    p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+		    p0, temp * scanline)==(tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		}
- 		if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
--                                            p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p1, temp * scanline) == (tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		}
- 		if (colorchannels > 1 
-                     && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
--                                            p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
-+                                            p2, temp * scanline) == (tmsize_t)(-1)
- 		    && img->stoponerr)
- 		{
- 			ret = 0;
-@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 		if (alpha)
- 		{
- 			if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
--			    pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
-+			    pa, temp * scanline)==(tmsize_t)(-1)
- 			    && img->stoponerr)
- 			{
- 				ret = 0;
--- 
-2.21.1
-
diff --git a/SOURCES/libtiff-CVE-2020-19131.patch b/SOURCES/libtiff-CVE-2020-19131.patch
deleted file mode 100644
index 6db20cc..0000000
--- a/SOURCES/libtiff-CVE-2020-19131.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From b64713005e6110c36265750435cfa641d3a9281f Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Mon, 11 Feb 2019 23:08:25 +0100
-Subject: [PATCH] tiffcrop.c: fix invertImage() for bps 2 and 4
-
-too much bytes were processed, causing a heap buffer overrun
-    http://bugzilla.maptools.org/show_bug.cgi?id=2831
-the loop counter must be
-    for (col = 0; col < width; col += 8 / bps)
-
-Also the values were not properly calculated. It should be
-255-x, 15-x, 3-x for bps 8, 4, 2.
-
-But anyway it is easyer to invert all bits as 255-x = ~x, etc.
-(substracting from a binary number composed of all 1 is like inverting
-the bits)
----
- tools/tiffcrop.c | 37 ++++++-------------------------------
- 1 file changed, 6 insertions(+), 31 deletions(-)
-
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 3862b1c..a612914 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -9142,7 +9142,6 @@ static int
- invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
-   {
-   uint32   row, col;
--  unsigned char  bytebuff1, bytebuff2, bytebuff3, bytebuff4;
-   unsigned char *src;
-   uint16        *src_uint16;
-   uint32        *src_uint32;
-@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
-              for (row = 0; row < length; row++)
-                for (col = 0; col < width; col++)
-                  {
--		 *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
-+		 *src_uint32 = ~(*src_uint32);
-                   src_uint32++;
-                  }
-             break;
-@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
-              for (row = 0; row < length; row++)
-                for (col = 0; col < width; col++)
-                  {
--		 *src_uint16 = (uint16)0xFFFF - *src_uint16;
-+		 *src_uint16 = ~(*src_uint16);
-                   src_uint16++;
-                  }
-             break;
--    case 8: for (row = 0; row < length; row++)
--              for (col = 0; col < width; col++)
--                {
--		*src = (uint8)255 - *src;
--                 src++;
--                }
--            break;
--    case 4: for (row = 0; row < length; row++)
--              for (col = 0; col < width; col++)
--                {
--		bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
--		bytebuff2 = 16 - (*src & 15);
--		*src = bytebuff1 << 4 & bytebuff2;
--                src++;
--                }
--            break;
--    case 2: for (row = 0; row < length; row++)
--              for (col = 0; col < width; col++)
--                {
--		bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
--		bytebuff2 = 4 - (uint8)(*src & 48  >> 4);
--		bytebuff3 = 4 - (uint8)(*src & 12  >> 2);
--		bytebuff4 = 4 - (uint8)(*src & 3);
--		*src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
--                src++;
--                }
--            break;
-+    case 8:
-+    case 4:
-+    case 2:
-     case 1: for (row = 0; row < length; row++)
--              for (col = 0; col < width; col += 8 /(spp * bps))
-+              for (col = 0; col < width; col += 8 / bps)
-                 {
-                 *src = ~(*src);
-                 src++;
--- 
-2.32.0
-
diff --git a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch b/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
deleted file mode 100644
index 83c7ae7..0000000
--- a/SOURCES/libtiff-CVE-2020-35521_CVE-2020-35522.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 1205e9800a359b4bb4f35b2a7ff5821986e74f19 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Sun, 15 Nov 2020 17:02:51 +0100
-Subject: [PATCH 1/3] enforce (configurable) memory limit in tiff2rgba
-
-fixes #207
-fixes #209
----
- tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
- 1 file changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index 4de96ae..e6de220 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
- int process_by_block = 0; /* default is whole image at once */
- int no_alpha = 0;
- int bigtiff_output = 0;
-+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
-+/* malloc size limit (in bytes)
-+ * disabled when set to 0 */
-+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
- 
- 
- static int tiffcvt(TIFF* in, TIFF* out);
-@@ -70,8 +74,11 @@ main(int argc, char* argv[])
- 	extern char *optarg;
- #endif
- 
--	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
-+	while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
- 		switch (c) {
-+			case 'M':
-+				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
-+				break;
- 			case 'b':
- 				process_by_block = 1;
- 				break;
-@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
- 		  (unsigned long)width, (unsigned long)height);
-         return 0;
-     }
-+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
-+	TIFFError(TIFFFileName(in),
-+		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
-+		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
-+        return 0;
-+    }
- 
-     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
-     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
-@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
- 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
- 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
- 
-+	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
-+	{
-+		TIFFError(TIFFFileName(in),
-+			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
-+			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);
-+		return 0;
-+	}
-         if( process_by_block && TIFFIsTiled( in ) )
-             return( cvt_by_tile( in, out ) );
-         else if( process_by_block )
-@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
- }
- 
- static char* stuff[] = {
--    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
-+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
-     "where comp is one of the following compression algorithms:",
-     " jpeg\t\tJPEG encoding",
-     " zip\t\tZip/Deflate encoding",
-@@ -543,6 +563,7 @@ static char* stuff[] = {
-     " -b (progress by block rather than as a whole image)",
-     " -n don't emit alpha component.",
-     " -8 write BigTIFF file instead of ClassicTIFF",
-+    " -M set the memory allocation limit in MiB. 0 to disable limit",
-     NULL
- };
- 
--- 
-2.31.1
-
diff --git a/SOURCES/libtiff-CVE-2020-35523.patch b/SOURCES/libtiff-CVE-2020-35523.patch
deleted file mode 100644
index 0f2ca43..0000000
--- a/SOURCES/libtiff-CVE-2020-35523.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 058e0d9c5822a912fe75ab3bd2d24b3350f4e44d Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Tue, 10 Nov 2020 01:54:30 +0100
-Subject: [PATCH 2/3] gtTileContig(): check Tile width for overflow
-
-fixes #211
----
- libtiff/tif_getimage.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index c6edd27..b1f7cc9 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -31,6 +31,7 @@
-  */
- #include "tiffiop.h"
- #include <stdio.h>
-+#include <limits.h>
- 
- static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
- static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
-@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
- 
-     flip = setorientation(img);
-     if (flip & FLIP_VERTICALLY) {
--	    y = h - 1;
--	    toskew = -(int32)(tw + w);
-+        if ((tw + w) > INT_MAX) {
-+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
-+            return (0);
-+        }
-+        y = h - 1;
-+        toskew = -(int32)(tw + w);
-     }
-     else {
--	    y = 0;
--	    toskew = -(int32)(tw - w);
-+        if (tw > (INT_MAX + w)) {
-+            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
-+            return (0);
-+        }
-+        y = 0;
-+        toskew = -(int32)(tw - w);
-     }
-      
-     /*
--- 
-2.31.1
-
diff --git a/SOURCES/libtiff-CVE-2020-35524.patch b/SOURCES/libtiff-CVE-2020-35524.patch
deleted file mode 100644
index 3dda4e2..0000000
--- a/SOURCES/libtiff-CVE-2020-35524.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From f74e26a36dd32050774f1c4a9256147fb25ae595 Mon Sep 17 00:00:00 2001
-From: Thomas Bernard <miniupnp@free.fr>
-Date: Sat, 14 Nov 2020 12:53:01 +0000
-Subject: [PATCH 3/3] tiff2pdf.c: properly calculate datasize when saving to
- JPEG YCbCr
-
-fixes #220
----
- tools/tiff2pdf.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index a15a3ef..db380ec 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
- #endif
- 		(void) 0;
- 	}
--	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
--	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
--		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
-+#ifdef JPEG_SUPPORT
-+	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
-+	   && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
-+		k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
-+	} else
-+#endif
-+	{
-+		k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
-+		if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
-+			k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
-+		}
- 	}
- 	if (k == 0) {
- 		/* Assume we had overflow inside TIFFScanlineSize */
--- 
-2.31.1
-
diff --git a/SOURCES/libtiff-am-version.patch b/SOURCES/libtiff-am-version.patch
deleted file mode 100644
index c94c2e0..0000000
--- a/SOURCES/libtiff-am-version.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Back off the minimum required automake version to 1.11.  There isn't
-anything in libtiff currently that actually requires 1.12, and changing
-this allows the package to be built on pre-F18 machines for easier testing.
-
-This patch can go away once we no longer care about testing on pre-F18.
-
-
-diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
---- tiff-4.0.3.orig/Makefile.am	2012-09-20 09:22:47.000000000 -0400
-+++ tiff-4.0.3/Makefile.am	2012-10-30 11:33:30.312823564 -0400
-@@ -25,7 +25,7 @@
- 
- docdir = $(LIBTIFF_DOCDIR)
- 
--AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
-+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
- ACLOCAL_AMFLAGS = -I m4
- 
- docfiles = \
-diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
---- tiff-4.0.3.orig/test/Makefile.am	2012-09-20 09:22:28.000000000 -0400
-+++ tiff-4.0.3/test/Makefile.am	2012-10-30 11:33:17.109696812 -0400
-@@ -23,7 +23,7 @@
- 
- # Process this file with automake to produce Makefile.in.
- 
--AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
-+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
- 
- LIBTIFF = $(top_builddir)/libtiff/libtiff.la
- 
diff --git a/SOURCES/libtiff-coverity.patch b/SOURCES/libtiff-coverity.patch
deleted file mode 100644
index 04a445a..0000000
--- a/SOURCES/libtiff-coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
-index 81ffa3d..a02e865 100644
---- a/tools/ppm2tiff.c
-+++ b/tools/ppm2tiff.c
-@@ -285,6 +285,8 @@ main(int argc, char* argv[])
- 		if (TIFFWriteScanline(out, buf, row, 0) < 0)
- 			break;
- 	}
-+	if (in != stdin)
-+		fclose(in);
- 	(void) TIFFClose(out);
- 	if (buf)
- 		_TIFFfree(buf);
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index bd23c9e..a15a3ef 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
-                                         "for t2p_readwrite_pdf_image_tile, %s", 
- 					(unsigned long) t2p->tiff_datasize, 
- 					TIFFFileName(input));
-+				_TIFFfree(buffer);
- 				t2p->t2p_error = T2P_ERR_ERROR;
- 				return(0);
- 			}
-@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
- {
- 	uint32 i;
- 	
--    /* For the 3 first samples, there is overlapping between souce and
--       destination, so use memmove().
--       See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
--    for(i = 0; i < 3 && i < samplecount; i++)
--        memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
-+	/* For the 3 first samples, there is overlapping between souce and
-+	   destination, so use memmove().
-+	   See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
-+	for(i = 0; i < 3 && i < samplecount; i++)
-+		memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
- 	for(; i < samplecount; i++)
- 		memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
- 
diff --git a/SOURCES/libtiff-make-check.patch b/SOURCES/libtiff-make-check.patch
deleted file mode 100644
index e79dc94..0000000
--- a/SOURCES/libtiff-make-check.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/html/man/Makefile.am b/html/man/Makefile.am
-index 587296c..696005e 100644
---- a/html/man/Makefile.am
-+++ b/html/man/Makefile.am
-@@ -92,7 +92,6 @@ docfiles = \
- 	tiffcrop.1.html \
- 	tiffdither.1.html \
- 	tiffdump.1.html \
--	tiffgt.1.html \
- 	tiffinfo.1.html \
- 	tiffmedian.1.html \
- 	tiffset.1.html \
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 5ea5d20..5e51860 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,32 +1,46 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       21%{?dist}
+Release:       23%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
 
 Source:        ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
 
-Patch0:        libtiff-am-version.patch
-Patch1:        libtiff-make-check.patch
-Patch2:        libtiff-CVE-2018-5784.patch
-Patch3:        libtiff-CVE-2018-7456.patch
-Patch4:        libtiff-CVE-2017-9935.patch
-Patch5:        libtiff-CVE-2017-18013.patch
-Patch6:        libtiff-CVE-2018-8905.patch
-Patch7:        libtiff-CVE-2018-10963.patch
-Patch8:        libtiff-CVE-2018-17100.patch
-Patch9:        libtiff-coverity.patch
-Patch10:       libtiff-CVE-2018-18557.patch
-Patch11:       libtiff-CVE-2018-18661.patch
-Patch12:       libtiff-CVE-2018-12900.patch
-Patch13:       libtiff-CVE-2019-14973.patch
-Patch14:       libtiff-CVE-2019-17546.patch
-Patch15:       libtiff-CVE-2020-35521_CVE-2020-35522.patch
-Patch16:       libtiff-CVE-2020-35523.patch
-Patch17:       libtiff-CVE-2020-35524.patch
-Patch18:       libtiff-CVE-2020-19131.patch
+
+# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
+# Patches were generated by: git format-patch -N ...
+Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
+Patch0002: 0002-Fix-Makefile.patch
+Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
+Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
+Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
+Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
+Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
+Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
+Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
+Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
+Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
+Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
+Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
+Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
+Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
+Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
+Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
+Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
+Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
+Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
+Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
+Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
+Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
+Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
+Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
+Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
+Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
+Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
+Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
+
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@@ -76,27 +90,7 @@ This package contains command-line programs for manipulating TIFF format
 image files using the libtiff library.
 
 %prep
-%setup -q -n tiff-%{version}
-
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
+%autosetup -p1 -n tiff-%{version}
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -200,6 +194,11 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
+- Fix various CVEs
+- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
+  CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
+
 * Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
 - Fix CVE-2020-19131 (#2006535)