diff --git a/SOURCES/libtiff-CVE-2014-8127.patch b/SOURCES/libtiff-CVE-2014-8127.patch
new file mode 100644
index 0000000..d426710
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8127.patch
@@ -0,0 +1,169 @@
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 19a26e2..6667228 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
+ if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
+ goto bad;
+ }
++ /*
++ * SamplesPerPixel value has changed, adjust SMinSampleValue
++ * and SMaxSampleValue arrays if necessary
++ */
++ {
++ uint32 saved_flags;
++ saved_flags = tif->tif_flags;
++ tif->tif_flags &= ~TIFF_PERSAMPLE;
++ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
++ {
++ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
++ {
++ tif->tif_flags = saved_flags;
++ goto bad;
++ }
++ }
++ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
++ {
++ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
++ {
++ tif->tif_flags = saved_flags;
++ goto bad;
++ }
++ }
++ tif->tif_flags = saved_flags;
++ }
+ }
+ }
+ /*
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index fa20609..fa68d1c 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ {
+ if (!isTiled(tif))
+ {
+- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+- goto bad;
++ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
++ if (tif->tif_dir.td_stripoffset)
++ {
++ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
++ goto bad;
++ }
+ }
+ else
+ {
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba822a..dfc5b07 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ return ((tmsize_t)(-1));
+ }
+ bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid strip byte count, strip %lu",
+@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[tile];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid tile byte count, tile %lu",
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index b5ed30b..376f4e6 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -401,6 +401,24 @@ main(int argc, char* argv[])
+ return 0;
+ }
+
++ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
++ {
++ TIFFError(infilename,
++ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
++ info_hdr.iBitCount);
++ close(fd);
++ return 0;
++ }
++
++ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
++ {
++ TIFFError(infilename,
++ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
++ info_hdr.iBitCount);
++ close(fd);
++ return 0;
++ }
++
+ width = info_hdr.iWidth;
+ length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 8608aad..426bbc0 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -372,7 +372,8 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..06edf93 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -257,7 +257,8 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
+@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
+ rowsize = TIFFScanlineSize(in);
+ rastersize = sh * rowsize;
+ fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
+- raster = (unsigned char*)_TIFFmalloc(rastersize);
++ raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
+ if (!raster) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate space for raster buffer.");
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index c5dcb7c..02605df 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -171,6 +171,11 @@ main(int argc, char* argv[])
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
++ argv[optind], samplesperpixel);
++ return (-1);
++ }
+ TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
+ if (bitspersample != 8) {
+ fprintf(stderr,
diff --git a/SOURCES/libtiff-CVE-2014-8129.patch b/SOURCES/libtiff-CVE-2014-8129.patch
new file mode 100644
index 0000000..9cd7bd9
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8129.patch
@@ -0,0 +1,174 @@
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 8bf3ea7..f812fa2 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
++ double dblval;
+ char* s;
+ const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
+ uint32 standard_tag = tag;
+@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
+ break;
+ case TIFFTAG_XRESOLUTION:
+- td->td_xresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_xresolution = (float) dblval;
+ break;
+ case TIFFTAG_YRESOLUTION:
+- td->td_yresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_yresolution = (float) dblval;
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -693,6 +700,16 @@ badvalue32:
+ va_end(ap);
+ }
+ return (0);
++badvaluedouble:
++ {
++ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Bad value %f for \"%s\" tag",
++ tif->tif_name, dblval,
++ fip->field_name);
++ va_end(ap);
++ }
++ return (0);
+ }
+
+ /*
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..81084ff 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ default: {
+ uint32 npixels = 0, grey;
+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
++ if( isTiled(tif) )
++ imagewidth = tif->tif_dir.td_tilewidth;
+
+ /*
+ * The scanline is composed of a sequence of constant
+@@ -139,10 +141,28 @@ bad:
+ return (0);
+ }
+
++static int
++NeXTPreDecode(TIFF* tif, uint16 s)
++{
++ static const char module[] = "NeXTPreDecode";
++ TIFFDirectory *td = &tif->tif_dir;
++ (void)s;
++
++ if( td->td_bitspersample != 2 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
++ td->td_bitspersample);
++ return (0);
++ }
++ return (1);
++}
++
++
+ int
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
++ tif->tif_predecode = NeXTPreDecode;
+ tif->tif_decoderow = NeXTDecode;
+ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 26a1acb..2a64ec3 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid tile count, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
+ }
+ if( t2p->tiff_tiles[i].tiles_tilecount > 0){
+@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ #endif
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for CIELAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for CIELAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]= -127;
+ t2p->pdf_labrange[1]= 127;
+ t2p->pdf_labrange[2]= -127;
+@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ t2p->pdf_colorspace=T2P_CS_LAB;
+ break;
+ case PHOTOMETRIC_ITULAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for ITULAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for ITULAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]=-85;
+ t2p->pdf_labrange[1]=85;
+ t2p->pdf_labrange[2]=-75;
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index abeb4f6..ea4f7a1 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tsize_t tilesize = TIFFTileSize(out);
+ unsigned char *tilebuf = NULL;
+
+- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
++ return 1;
+
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
diff --git a/SOURCES/libtiff-CVE-2014-8130.patch b/SOURCES/libtiff-CVE-2014-8130.patch
new file mode 100644
index 0000000..d6683c3
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8130.patch
@@ -0,0 +1,26 @@
+diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
+index 1387558..0a3a4a8 100644
+--- a/libtiff/tif_unix.c
++++ b/libtiff/tif_unix.c
+@@ -257,6 +257,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if ( s == 0 )
++ return ((void *) NULL);
+ return (malloc((size_t) s));
+ }
+
+diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
+index 2cf1de9..612a00d 100644
+--- a/libtiff/tif_win32.c
++++ b/libtiff/tif_win32.c
+@@ -329,6 +329,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if ( s == 0 )
++ return ((tdata_t) NULL);
+ return (malloc((size_t) s));
+ }
+
diff --git a/SOURCES/libtiff-CVE-2014-9330.patch b/SOURCES/libtiff-CVE-2014-9330.patch
new file mode 100644
index 0000000..cfc83cc
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9330.patch
@@ -0,0 +1,34 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index c66a8d2..b5ed30b 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -403,6 +403,14 @@ main(int argc, char* argv[])
+
+ width = info_hdr.iWidth;
+ length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
++ if( width <= 0 || length <= 0 )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
++
+
+ switch (info_hdr.iBitCount)
+ {
+@@ -593,6 +601,14 @@ main(int argc, char* argv[])
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+ uncompr_size = width * length;
++ /* Detect int overflow */
++ if( uncompr_size / width != length )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2014-9655.patch b/SOURCES/libtiff-CVE-2014-9655.patch
new file mode 100644
index 0000000..033c627
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9655.patch
@@ -0,0 +1,108 @@
+From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 15:50:56 +0200
+Subject: [PATCH 1/8] Fix CVE-2014-9655
+
+---
+ libtiff/tif_getimage.c | 20 ++++++++++++++------
+ libtiff/tif_next.c | 4 +++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a85273c..1c1cf9e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ int32 fromskew, toskew;
+ int ret = 1, flip;
+
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++ if( subsamplingver == 0 ) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
++ return (0);
++ }
++
+ buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
+@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++
+ scanline = TIFFScanlineSize(tif);
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+
+ (void) y;
+ fromskew = (fromskew * 10) / 4;
+- if ((h & 3) == 0 && (w & 1) == 0) {
++ if ((w & 3) == 0 && (h & 1) == 0) {
+ for (; h >= 2; h -= 2) {
+ x = w>>2;
+ do {
+@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ /* XXX adjust fromskew */
+ do {
+ x = w>>2;
+- do {
++ while(x>0) {
+ int32 Cb = pp[4];
+ int32 Cr = pp[5];
+
+@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+
+ cp += 4;
+ pp += 6;
+- } while (--x);
++ x--;
++ }
+
+ if( (w&3) != 0 )
+ {
+@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ fromskew = (fromskew * 4) / 2;
+ do {
+ x = w>>1;
+- do {
++ while(x>0) {
+ int32 Cb = pp[2];
+ int32 Cr = pp[3];
+
+@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+
+ cp += 2;
+ pp += 4;
+- } while (--x);
++ x --;
++ }
+
+ if( (w&1) != 0 )
+ {
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..92ef6ee 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ return (0);
+ }
+- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ n = *bp++, cc--;
+ switch (n) {
+ case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * The scanline has a literal span that begins at some
+ * offset.
+ */
++ if( cc < 4 )
++ goto bad;
+ off = (bp[0] * 256) + bp[1];
+ n = (bp[2] * 256) + bp[3];
+ if (cc < 4+n || off+n > scanline)
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2015-1547_8784.patch b/SOURCES/libtiff-CVE-2015-1547_8784.patch
new file mode 100644
index 0000000..03d9b32
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-1547_8784.patch
@@ -0,0 +1,52 @@
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index b014685..13c0848 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -37,7 +37,7 @@
+ case 0: op[0] = (unsigned char) ((v) << 6); break; \
+ case 1: op[0] |= (v) << 4; break; \
+ case 2: op[0] |= (v) << 2; break; \
+- case 3: *op++ |= (v); break; \
++ case 3: *op++ |= (v); op_offset++; break; \
+ } \
+ }
+
+@@ -107,6 +107,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
+
++ tmsize_t op_offset = 0;
++
+ /*
+ * The scanline is composed of a sequence of constant
+ * color ``runs''. We shift into ``run mode'' and
+@@ -120,10 +122,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * bounds, potentially resulting in a security
+ * issue.
+ */
+- while (n-- > 0 && npixels < imagewidth)
++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ SETPIXEL(op, grey);
+ if (npixels >= imagewidth)
+ break;
++ if (op_offset >= scanline ) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++ (long) tif->tif_row);
++ return (0);
++ }
+ if (cc == 0)
+ goto bad;
+ n = *bp++, cc--;
+@@ -162,9 +169,9 @@ NeXTPreDecode(TIFF* tif, uint16 s)
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
+- tif->tif_predecode = NeXTPreDecode;
+- tif->tif_decoderow = NeXTDecode;
+- tif->tif_decodestrip = NeXTDecode;
++ tif->tif_predecode = NeXTPreDecode;
++ tif->tif_decoderow = NeXTDecode;
++ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
+ return (1);
+ }
diff --git a/SOURCES/libtiff-CVE-2015-7554.patch b/SOURCES/libtiff-CVE-2015-7554.patch
new file mode 100644
index 0000000..cc76047
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-7554.patch
@@ -0,0 +1,23 @@
+diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c
+--- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200
++++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100
+@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
+ }
+ }
++ uint32 count = 0;
+ CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+- CopyField(TIFFTAG_PREDICTOR, shortv);
++ CopyField2(TIFFTAG_PREDICTOR, count, shortv);
+ CopyField(TIFFTAG_THRESHHOLDING, shortv);
+ CopyField(TIFFTAG_FILLORDER, shortv);
+ CopyField(TIFFTAG_ORIENTATION, shortv);
+@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out)
+ CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
+ CopyField(TIFFTAG_XRESOLUTION, floatv);
+ CopyField(TIFFTAG_YRESOLUTION, floatv);
+- CopyField(TIFFTAG_GROUP3OPTIONS, longv);
++ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
+ CopyField(TIFFTAG_GROUP4OPTIONS, longv);
+ CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
+ CopyField(TIFFTAG_PLANARCONFIG, shortv);
diff --git a/SOURCES/libtiff-CVE-2015-8668.patch b/SOURCES/libtiff-CVE-2015-8668.patch
new file mode 100644
index 0000000..436326e
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8668.patch
@@ -0,0 +1,41 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index 376f4e6..c747c13 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -614,19 +614,27 @@ main(int argc, char* argv[])
+ || info_hdr.iCompression == BMPC_RLE4 ) {
+ uint32 i, j, k, runlength;
+ uint32 compr_size, uncompr_size;
++ uint32 bits = 0;
+ unsigned char *comprbuf;
+ unsigned char *uncomprbuf;
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+- uncompr_size = width * length;
+- /* Detect int overflow */
+- if( uncompr_size / width != length )
+- {
+- TIFFError(infilename,
+- "Invalid dimensions of BMP file" );
+- close(fd);
+- return -1;
+- }
++
++ bits = info_hdr.iBitCount;
++
++ if (bits > 8) // bit depth is > 8bit, adjust size
++ {
++ uncompr_size = width * length * (bits / 8);
++ /* Detect int overflow */
++ if (uncompr_size / width / (bits / 8) != length) {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file");
++ close(fd);
++ return -1;
++ }
++ }
++ else
++ uncompr_size = width * length;
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2015-8683_8665.patch b/SOURCES/libtiff-CVE-2015-8683_8665.patch
new file mode 100644
index 0000000..13647d0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8683_8665.patch
@@ -0,0 +1,98 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 1633325..018351b 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -182,8 +182,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+@@ -241,6 +258,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
+
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
++
+ /* Initialize to normal values */
+ img->row_offset = 0;
+ img->col_offset = 0;
+@@ -2453,29 +2473,33 @@ PickContigCase(TIFFRGBAImage* img)
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ if (BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img) &&
+ BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBcontig16bittile;
+@@ -2484,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2580,7 +2604,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;
diff --git a/SOURCES/libtiff-CVE-2015-8781.patch b/SOURCES/libtiff-CVE-2015-8781.patch
new file mode 100644
index 0000000..f56aa90
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8781.patch
@@ -0,0 +1,159 @@
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index eba6c08..ebbd692 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ tp = (int16*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (int16*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 2*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
+- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ if ( cc < 2 )
++ break;
++ rc = *bp++ + (2-128);
+ b = (int16)(*bp++ << shft);
+ cc -= 2;
+ while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (int16)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32 *)op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32 *) sp->tbuf;
+ }
+ /* copy to array of uint32 */
+ bp = (unsigned char*) tif->tif_rawcp;
+ cc = tif->tif_rawcc;
+- for (i = 0; i < npixels && cc > 0; i++) {
++ for (i = 0; i < npixels && cc >= 3; i++) {
+ tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ bp += 3;
+ cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 4*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
++ if ( cc < 2 )
++ break;
+ rc = *bp++ + (2-128);
+ b = (uint32)*bp++ << shft;
+- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ cc -= 2;
+ while (rc-- && i < npixels)
+ tp[i++] |= b;
+ } else { /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (uint32)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogL16Encode";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (int16*) bp;
+ else {
+ tp = (int16*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
+@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogLuvEncode24";
+ LogLuvState* sp = EncoderState(tif);
+ tmsize_t i;
+ tmsize_t npixels;
+@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* write out encoded pixels */
+@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogLuvEncode32";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
diff --git a/SOURCES/libtiff-CVE-2016-3632.patch b/SOURCES/libtiff-CVE-2016-3632.patch
new file mode 100644
index 0000000..bb0bc07
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3632.patch
@@ -0,0 +1,26 @@
+From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:04:34 +0200
+Subject: [PATCH 4/8] Fix CVE-2016-3632
+
+---
+ tools/thumbnail.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..75e7009 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -253,7 +253,8 @@ static struct cpTag {
+ { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
+ { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
+ { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
+- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
++ // disable BADFAXLINES, CVE-2016-3632
++ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3945.patch b/SOURCES/libtiff-CVE-2016-3945.patch
new file mode 100644
index 0000000..cb496a0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3945.patch
@@ -0,0 +1,92 @@
+From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:05:49 +0200
+Subject: [PATCH 5/8] Fix CVE-2016-3945
+
+---
+ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 737167c..5228966 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ uint32 row, col;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (width != (tile_width / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (wrk_linesize != tile_width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ uint32 row;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (wrk_linesize != width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3990.patch b/SOURCES/libtiff-CVE-2016-3990.patch
new file mode 100644
index 0000000..c5a9e8b
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3990.patch
@@ -0,0 +1,63 @@
+From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:44:22 +0200
+Subject: [PATCH 6/8] Fix CVE-2016-3990
+
+---
+ libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 2793b22..c9f056e 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,6 +462,7 @@ typedef struct {
+ int state;
+ int user_datafmt;
+ int quality;
++ tsize_t tbuf_size;
+ #define PLSTATE_INIT 1
+
+ TIFFVSetMethod vgetparent; /* super-class method */
+@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif)
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ sp->tbuf_size = tbuf_size;
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ }
+
+ llen = sp->stride * td->td_imagewidth;
+-
++ if (llen > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++ exit (0);
++ }
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
++ if (up > sp->tbuf+sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++ exit (0);
++ }
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalDifferenceF((float *)bp, llen,
+@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ if (sp->stream.avail_in > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name);
++ return (0);
++ }
+
+ do {
+ if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) {
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3991.patch b/SOURCES/libtiff-CVE-2016-3991.patch
new file mode 100644
index 0000000..0ca667d
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3991.patch
@@ -0,0 +1,111 @@
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ea4f7a1..f04e2eb 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ }
+
+ tile_buffsize = tilesize;
++ if (tilesize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++ exit(-1);
++ }
+
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
+@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
+- }
++ if (tl != (tile_buffsize / tile_rowsize))
++ {
++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
+ if (tilebuf == 0)
+@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
+
++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++ {
++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++ exit(-1);
++ }
++
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
+@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
++ if (tl != tile_buffsize / tile_rowsize)
++ {
++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
+@@ -5931,12 +5952,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+
+ tile_rowsize = TIFFTileRowSize(in);
++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++ exit(-1);
++ }
+ buffsize = tlsize * ntiles;
++ if (tlsize != (buffsize / ntiles))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+
+-
+ if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+ {
+ buffsize = ntiles * tl * tile_rowsize;
++ if (ntiles != (buffsize / tl / tile_rowsize))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++
+ #ifdef DEBUG2
+ TIFFError("loadImage",
+ "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+@@ -5955,8 +5991,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ stsize = TIFFStripSize(in);
+ nstrips = TIFFNumberOfStrips(in);
++ if (nstrips == 0 || stsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++ exit(-1);
++ }
++
+ buffsize = stsize * nstrips;
+-
++ if (stsize != (buffsize / nstrips))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++ uint32 buffsize_check;
++ buffsize_check = ((length * width * spp * bps) + 7);
++ if (length != ((buffsize_check - 7) / width / spp / bps))
++ {
++ TIFFError("loadImage", "Integer overflow detected.");
++ exit(-1);
++ }
+ if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+ {
+ buffsize = ((length * width * spp * bps) + 7) / 8;
diff --git a/SOURCES/libtiff-CVE-2016-5320.patch b/SOURCES/libtiff-CVE-2016-5320.patch
new file mode 100644
index 0000000..fc05ed6
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-5320.patch
@@ -0,0 +1,45 @@
+From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:54:49 +0200
+Subject: [PATCH 8/8] Fix CVE-2016-5320
+
+---
+ libtiff/tif_pixarlog.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index c9f056e..c961529 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,7 +462,7 @@ typedef struct {
+ int state;
+ int user_datafmt;
+ int quality;
+- tsize_t tbuf_size;
++ tmsize_t tbuf_size;
+ #define PLSTATE_INIT 1
+
+ TIFFVSetMethod vgetparent; /* super-class method */
+@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++ sp->tbuf_size = tbuf_size;
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");
++ return (0);
++ }
+ do {
+ int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
+--
+2.7.4
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 9892c94..141e1ee 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.3
-Release: 14%{?dist}
+Release: 25%{?dist}
License: libtiff
Group: System Environment/Libraries
@@ -22,6 +22,21 @@ Patch9: libtiff-CVE-2013-4231.patch
Patch10: libtiff-CVE-2013-4232.patch
Patch11: libtiff-CVE-2013-4244.patch
Patch12: libtiff-CVE-2013-4243.patch
+Patch13: libtiff-CVE-2014-9330.patch
+Patch14: libtiff-CVE-2014-8127.patch
+Patch15: libtiff-CVE-2014-8129.patch
+Patch16: libtiff-CVE-2014-8130.patch
+Patch17: libtiff-CVE-2014-9655.patch
+Patch18: libtiff-CVE-2015-1547_8784.patch
+Patch19: libtiff-CVE-2015-7554.patch
+Patch20: libtiff-CVE-2015-8683_8665.patch
+Patch21: libtiff-CVE-2015-8668.patch
+Patch22: libtiff-CVE-2015-8781.patch
+Patch23: libtiff-CVE-2016-3632.patch
+Patch24: libtiff-CVE-2016-3945.patch
+Patch25: libtiff-CVE-2016-3990.patch
+Patch26: libtiff-CVE-2016-3991.patch
+Patch27: libtiff-CVE-2016-5320.patch
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@@ -85,6 +100,21 @@ image files using the libtiff library.
%patch10 -p1
%patch11 -p1
%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@@ -189,6 +219,68 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
+* Wed Jul 27 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-25
+- Add patches for CVEs:
+ CVE-2015-7554, CVE-2015-8683, CVE-2015-8665,
+ CVE-2015-8781, CVE-2015-8782, CVE-2015-8783,
+ CVE-2015-8784
+- Related: #1299920
+
+* Tue Jul 26 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-24
+- Update patches for CVEs:
+ CVE-2014-8127, CVE-2014-8130
+- Related: #1299920
+
+* Tue Jul 26 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-23
+- Update patches:
+ CVE-2014-9330, CVE-2014-8127, CVE-2014-8129
+ CVE-2014-8130
+- Related: #1299920
+
+* Tue Jul 19 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-22
+- Update patch for CVE-2015-8668
+- Related: #1299920
+
+* Mon Jul 11 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-21
+- Remove patches for CVEs:
+ CVE-2014-8127, CVE-2014-8129, CVE-2014-8130,
+ CVE-2014-9330, CVE-2015-7554, CVE-2015-8665,
+ CVE-2015-8683, CVE-2015-8781, CVE-2015-8784
+- Add patches for CVEs:
+ CVE-2016-3632, CVE-2016-3945, CVE-2016-3990,
+ CVE-2016-3991, CVE-2016-5320
+- Update patches for CVEs:
+ CVE-2014-9655, CVE-2015-1547, CVE-2015-8668
+- Related: #1299920
+
+* Tue Apr 19 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-20
+- CVE-2014-8127 should contain only two fixes
+- Related: #1299920
+
+* Fri Apr 15 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-19
+- Revert previous patch CVE-2014-8127
+- Related: #1299920
+
+* Thu Mar 31 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-18
+- Fix patch CVE-2014-8127. Wrongly applied
+- Related: #1299920
+
+* Tue Mar 15 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-17
+- Fix patch CVE-2015-8668. Wrongly applied by me
+- Related: #1299920
+
+* Tue Mar 08 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-16
+- Fixed patches on preview CVEs
+- Related: #1299920
+
+* Wed Feb 03 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-15
+- This resolves several CVEs
+- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130
+- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781
+- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683
+- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668
+- Resolves: #1299920
+
* Thu Feb 13 2014 Petr Hracek <phracek@redhat.com> - 4.0.3-14
- Resolves: #996827 CVE-2013-4243 libtiff various flaws