diff --git a/SOURCES/libtiff-CVE-2014-8127.patch b/SOURCES/libtiff-CVE-2014-8127.patch
new file mode 100644
index 0000000..d426710
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8127.patch
@@ -0,0 +1,169 @@
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 19a26e2..6667228 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
+ 				if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
+ 					goto bad;
+ 			}
++			/*
++			 * SamplesPerPixel value has changed, adjust SMinSampleValue
++			 * and SMaxSampleValue arrays if necessary
++			 */
++			{
++				uint32 saved_flags;
++				saved_flags = tif->tif_flags;
++				tif->tif_flags &= ~TIFF_PERSAMPLE;
++				if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
++				{
++					if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
++					{
++						tif->tif_flags = saved_flags;
++						goto bad;
++					}
++				}
++				if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
++				{
++					if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
++					{
++						tif->tif_flags = saved_flags;
++						goto bad;
++					}
++				}
++				tif->tif_flags = saved_flags;
++			}
+ 		}
+ 	}
+ 	/*
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index fa20609..fa68d1c 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 			{
+ 				if (!isTiled(tif))
+ 				{
+-					if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+-						goto bad;
++					/* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
++					if (tif->tif_dir.td_stripoffset)
++					{
++						if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
++							goto bad;
++					}
+ 				}
+ 				else
+ 				{
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba822a..dfc5b07 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ 		return ((tmsize_t)(-1));
+ 	}
+ 	bytecount = td->td_stripbytecount[strip];
+-	if (bytecount <= 0) {
++	if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 		TIFFErrorExt(tif->tif_clientdata, module,
+ 			     "%I64u: Invalid strip byte count, strip %lu",
+@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ 	{
+ 		uint64 bytecount = td->td_stripbytecount[strip];
+-		if (bytecount <= 0) {
++		if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+ 				"Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ 	{
+ 		uint64 bytecount = td->td_stripbytecount[tile];
+-		if (bytecount <= 0) {
++		if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+ 				"%I64u: Invalid tile byte count, tile %lu",
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index b5ed30b..376f4e6 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -401,6 +401,24 @@ main(int argc, char* argv[])
+ 		    return 0;
+ 		}
+ 
++        if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
++        {
++            TIFFError(infilename,
++              "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
++              info_hdr.iBitCount);
++            close(fd);
++            return 0;
++        }
++ 
++        if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
++        {
++            TIFFError(infilename,
++              "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
++              info_hdr.iBitCount);
++            close(fd);
++            return 0;
++        }
++
+ 		width = info_hdr.iWidth;
+ 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+         if( width <= 0 || length <= 0 )
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 8608aad..426bbc0 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -372,7 +372,8 @@ static struct cpTag {
+     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
+     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
+     { TIFFTAG_INKSET,			1, TIFF_SHORT },
+-    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
++    // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++    //{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },
+     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
+     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
+     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..06edf93 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -257,7 +257,8 @@ static struct cpTag {
+     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
+     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
+     { TIFFTAG_INKSET,			1, TIFF_SHORT },
+-    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
++    // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++    //{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },
+     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
+     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
+     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
+@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
+     rowsize = TIFFScanlineSize(in);
+     rastersize = sh * rowsize;
+     fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
+-    raster = (unsigned char*)_TIFFmalloc(rastersize);
++    raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
+     if (!raster) {
+ 	    TIFFError(TIFFFileName(in),
+ 		      "Can't allocate space for raster buffer.");
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index c5dcb7c..02605df 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -171,6 +171,11 @@ main(int argc, char* argv[])
+ 		    argv[optind], samplesperpixel);
+ 		return (-1);
+ 	}
++	if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
++		fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
++		    argv[optind], samplesperpixel);
++		return (-1);
++	}
+ 	TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
+ 	if (bitspersample != 8) {
+ 		fprintf(stderr,
diff --git a/SOURCES/libtiff-CVE-2014-8129.patch b/SOURCES/libtiff-CVE-2014-8129.patch
new file mode 100644
index 0000000..9cd7bd9
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8129.patch
@@ -0,0 +1,174 @@
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 8bf3ea7..f812fa2 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 	TIFFDirectory* td = &tif->tif_dir;
+ 	int status = 1;
+ 	uint32 v32, i, v;
++    double dblval;
+ 	char* s;
+ 	const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
+ 	uint32 standard_tag = tag;
+@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 			setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
+ 		break;
+ 	case TIFFTAG_XRESOLUTION:
+-		td->td_xresolution = (float) va_arg(ap, double);
++        dblval = va_arg(ap, double);
++        if( dblval < 0 )
++            goto badvaluedouble;
++		td->td_xresolution = (float) dblval;
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+-		td->td_yresolution = (float) va_arg(ap, double);
++        dblval = va_arg(ap, double);
++        if( dblval < 0 )
++            goto badvaluedouble;
++		td->td_yresolution = (float) dblval;
+ 		break;
+ 	case TIFFTAG_PLANARCONFIG:
+ 		v = (uint16) va_arg(ap, uint16_vap);
+@@ -693,6 +700,16 @@ badvalue32:
+ 		va_end(ap);
+         }
+ 	return (0);
++badvaluedouble:
++        {
++		const TIFFField* fip=TIFFFieldWithTag(tif,tag);
++        TIFFErrorExt(tif->tif_clientdata, module,
++             "%s: Bad value %f for \"%s\" tag",
++             tif->tif_name, dblval,
++		     fip->field_name);
++        va_end(ap);
++        }
++    return (0);
+ }
+ 
+ /*
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..81084ff 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 		default: {
+ 			uint32 npixels = 0, grey;
+ 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
++            if( isTiled(tif) )
++                imagewidth = tif->tif_dir.td_tilewidth;
+ 
+ 			/*
+ 			 * The scanline is composed of a sequence of constant
+@@ -139,10 +141,28 @@ bad:
+ 	return (0);
+ }
+ 
++static int
++NeXTPreDecode(TIFF* tif, uint16 s)
++{
++	static const char module[] = "NeXTPreDecode";
++	TIFFDirectory *td = &tif->tif_dir;
++	(void)s;
++
++	if( td->td_bitspersample != 2 )
++	{
++		TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
++					 td->td_bitspersample);
++		return (0);
++	}
++	return (1);
++}
++
++
+ int
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ 	(void) scheme;
++	tif->tif_predecode = NeXTPreDecode;
+ 	tif->tif_decoderow = NeXTDecode;  
+ 	tif->tif_decodestrip = NeXTDecode;  
+ 	tif->tif_decodetile = NeXTDecode;
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 26a1acb..2a64ec3 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ 		if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ 			&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
+ 				TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++                if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
++                {
++                    TIFFError(
++                        TIFF2PDF_MODULE, 
++                        "Invalid tile count, %s", 
++                        TIFFFileName(input));
++                    t2p->t2p_error = T2P_ERR_ERROR;
++                    return;
++                }
+ 				t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
+ 		}
+ 		if( t2p->tiff_tiles[i].tiles_tilecount > 0){
+@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ #endif
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
++            if( t2p->tiff_samplesperpixel != 3){
++                TIFFError(
++                    TIFF2PDF_MODULE, 
++                    "Unsupported samplesperpixel = %d for CIELAB", 
++                    t2p->tiff_samplesperpixel);
++                t2p->t2p_error = T2P_ERR_ERROR;
++                return;
++            }
++            if( t2p->tiff_bitspersample != 8){
++                TIFFError(
++                    TIFF2PDF_MODULE, 
++                    "Invalid bitspersample = %d for CIELAB", 
++                    t2p->tiff_bitspersample);
++                t2p->t2p_error = T2P_ERR_ERROR;
++                return;
++            }
+ 			t2p->pdf_labrange[0]= -127;
+ 			t2p->pdf_labrange[1]= 127;
+ 			t2p->pdf_labrange[2]= -127;
+@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ 			t2p->pdf_colorspace=T2P_CS_LAB;
+ 			break;
+ 		case PHOTOMETRIC_ITULAB:
++            if( t2p->tiff_samplesperpixel != 3){
++                TIFFError(
++                    TIFF2PDF_MODULE, 
++                    "Unsupported samplesperpixel = %d for ITULAB", 
++                    t2p->tiff_samplesperpixel);
++                t2p->t2p_error = T2P_ERR_ERROR;
++                return;
++            }
++            if( t2p->tiff_bitspersample != 8){
++                TIFFError(
++                    TIFF2PDF_MODULE, 
++                    "Invalid bitspersample = %d for ITULAB", 
++                    t2p->tiff_bitspersample);
++                t2p->t2p_error = T2P_ERR_ERROR;
++                return;
++            }
+ 			t2p->pdf_labrange[0]=-85;
+ 			t2p->pdf_labrange[1]=85;
+ 			t2p->pdf_labrange[2]=-75;
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index abeb4f6..ea4f7a1 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+   tsize_t tilesize = TIFFTileSize(out);
+   unsigned char *tilebuf = NULL;
+ 
+-  TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+-  TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+-  TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++  if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
++      !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
++      !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
++      return 1;
+ 
+   tile_buffsize = tilesize;
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
diff --git a/SOURCES/libtiff-CVE-2014-8130.patch b/SOURCES/libtiff-CVE-2014-8130.patch
new file mode 100644
index 0000000..d6683c3
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8130.patch
@@ -0,0 +1,26 @@
+diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
+index 1387558..0a3a4a8 100644
+--- a/libtiff/tif_unix.c
++++ b/libtiff/tif_unix.c
+@@ -257,6 +257,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++    if ( s == 0 )
++        return ((void *) NULL);
+ 	return (malloc((size_t) s));
+ }
+ 
+diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
+index 2cf1de9..612a00d 100644
+--- a/libtiff/tif_win32.c
++++ b/libtiff/tif_win32.c
+@@ -329,6 +329,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++    if ( s == 0 )
++        return ((tdata_t) NULL);
+ 	return (malloc((size_t) s));
+ }
+ 
diff --git a/SOURCES/libtiff-CVE-2014-9330.patch b/SOURCES/libtiff-CVE-2014-9330.patch
new file mode 100644
index 0000000..cfc83cc
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9330.patch
@@ -0,0 +1,34 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index c66a8d2..b5ed30b 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -403,6 +403,14 @@ main(int argc, char* argv[])
+ 
+ 		width = info_hdr.iWidth;
+ 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
++        if( width <= 0 || length <= 0 )
++        {
++            TIFFError(infilename,
++                  "Invalid dimensions of BMP file" );
++            close(fd);
++            return -1;
++        }
++ 
+ 
+ 		switch (info_hdr.iBitCount)
+ 		{
+@@ -593,6 +601,14 @@ main(int argc, char* argv[])
+ 
+ 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
+ 			uncompr_size = width * length;
++            /* Detect int overflow */
++            if( uncompr_size / width != length )
++            {
++                TIFFError(infilename,
++                    "Invalid dimensions of BMP file" );
++                close(fd);
++                return -1;
++            }
+ 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ 			if (!comprbuf) {
+ 				TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2014-9655.patch b/SOURCES/libtiff-CVE-2014-9655.patch
new file mode 100644
index 0000000..033c627
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9655.patch
@@ -0,0 +1,108 @@
+From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 15:50:56 +0200
+Subject: [PATCH 1/8] Fix CVE-2014-9655
+
+---
+ libtiff/tif_getimage.c | 20 ++++++++++++++------
+ libtiff/tif_next.c     |  4 +++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a85273c..1c1cf9e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 	int32 fromskew, toskew;
+ 	int ret = 1, flip;
+ 
++	TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++	if( subsamplingver == 0 ) {
++		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
++		return (0);
++	}
++
+ 	buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
+ 	if (buf == 0) {
+ 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
+@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 	}
+ 
+ 	TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+-	TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++
+ 	scanline = TIFFScanlineSize(tif);
+ 	fromskew = (w < imagewidth ? imagewidth - w : 0);
+ 	for (row = 0; row < h; row += nrow)
+@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ 
+     (void) y;
+     fromskew = (fromskew * 10) / 4;
+-    if ((h & 3) == 0 && (w & 1) == 0) {
++    if ((w & 3) == 0 && (h & 1) == 0) {
+         for (; h >= 2; h -= 2) {
+             x = w>>2;
+             do {
+@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+     /* XXX adjust fromskew */
+     do {
+ 	x = w>>2;
+-	do {
++	while(x>0) {
+ 	    int32 Cb = pp[4];
+ 	    int32 Cr = pp[5];
+ 
+@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ 
+ 	    cp += 4;
+ 	    pp += 6;
+-	} while (--x);
++		x--;
++	}
+ 
+         if( (w&3) != 0 )
+         {
+@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ 	fromskew = (fromskew * 4) / 2;
+ 	do {
+ 		x = w>>1;
+-		do {
++		while(x>0) {
+ 			int32 Cb = pp[2];
+ 			int32 Cr = pp[3];
+ 
+@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ 
+ 			cp += 2;
+ 			pp += 4;
+-		} while (--x);
++			x --;
++		}
+ 
+ 		if( (w&1) != 0 )
+ 		{
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..92ef6ee 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ 		return (0);
+ 	}
+-	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ 		n = *bp++, cc--;
+ 		switch (n) {
+ 		case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 			 * The scanline has a literal span that begins at some
+ 			 * offset.
+ 			 */
++			if( cc < 4 )
++				goto bad;
+ 			off = (bp[0] * 256) + bp[1];
+ 			n = (bp[2] * 256) + bp[3];
+ 			if (cc < 4+n || off+n > scanline)
+-- 
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2015-1547_8784.patch b/SOURCES/libtiff-CVE-2015-1547_8784.patch
new file mode 100644
index 0000000..03d9b32
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-1547_8784.patch
@@ -0,0 +1,52 @@
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index b014685..13c0848 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -37,7 +37,7 @@
+ 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
+ 	case 1:	op[0] |= (v) << 4; break;	\
+ 	case 2:	op[0] |= (v) << 2; break;	\
+-	case 3:	*op++ |= (v);	   break;	\
++	case 3:	*op++ |= (v); op_offset++;   break;	\
+ 	}					\
+ }
+ 
+@@ -107,6 +107,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+             if( isTiled(tif) )
+                 imagewidth = tif->tif_dir.td_tilewidth;
+ 
++            tmsize_t op_offset = 0;
++
+ 			/*
+ 			 * The scanline is composed of a sequence of constant
+ 			 * color ``runs''.  We shift into ``run mode'' and
+@@ -120,10 +122,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ 				 * bounds, potentially resulting in a security
+ 				 * issue.
+ 				 */
+-				while (n-- > 0 && npixels < imagewidth)
++				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ 					SETPIXEL(op, grey);
+ 				if (npixels >= imagewidth)
+ 					break;
++                if (op_offset >= scanline ) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++                            (long) tif->tif_row);
++                    return (0);
++                }
+ 				if (cc == 0)
+ 					goto bad;
+ 				n = *bp++, cc--;
+@@ -162,9 +169,9 @@ NeXTPreDecode(TIFF* tif, uint16 s)
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ 	(void) scheme;
+-	tif->tif_predecode = NeXTPreDecode;
+-	tif->tif_decoderow = NeXTDecode;  
+-	tif->tif_decodestrip = NeXTDecode;  
++	tif->tif_predecode = NeXTPreDecode;
++	tif->tif_decoderow = NeXTDecode;
++	tif->tif_decodestrip = NeXTDecode;
+ 	tif->tif_decodetile = NeXTDecode;
+ 	return (1);
+ }
diff --git a/SOURCES/libtiff-CVE-2015-7554.patch b/SOURCES/libtiff-CVE-2015-7554.patch
new file mode 100644
index 0000000..cc76047
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-7554.patch
@@ -0,0 +1,23 @@
+diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c
+--- tiff-4.0.4/tools/tiffsplit.c	2015-05-28 15:10:26.000000000 +0200
++++ tiff-4.0.4_patch/tools/tiffsplit.c	2016-02-12 19:15:30.532005041 +0100
+@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out)
+ 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
+ 		}
+ 	}
++	uint32 count = 0;
+         CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+-	CopyField(TIFFTAG_PREDICTOR, shortv);
++	CopyField2(TIFFTAG_PREDICTOR, count, shortv);
+ 	CopyField(TIFFTAG_THRESHHOLDING, shortv);
+ 	CopyField(TIFFTAG_FILLORDER, shortv);
+ 	CopyField(TIFFTAG_ORIENTATION, shortv);
+@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out)
+ 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
+ 	CopyField(TIFFTAG_XRESOLUTION, floatv);
+ 	CopyField(TIFFTAG_YRESOLUTION, floatv);
+-	CopyField(TIFFTAG_GROUP3OPTIONS, longv);
++	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
+ 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);
+ 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
+ 	CopyField(TIFFTAG_PLANARCONFIG, shortv);
diff --git a/SOURCES/libtiff-CVE-2015-8668.patch b/SOURCES/libtiff-CVE-2015-8668.patch
new file mode 100644
index 0000000..436326e
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8668.patch
@@ -0,0 +1,41 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index 376f4e6..c747c13 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -614,19 +614,27 @@ main(int argc, char* argv[])
+ 			    || info_hdr.iCompression == BMPC_RLE4 ) {
+ 			uint32		i, j, k, runlength;
+ 			uint32		compr_size, uncompr_size;
++			uint32      bits = 0;
+ 			unsigned char   *comprbuf;
+ 			unsigned char   *uncomprbuf;
+ 
+ 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
+-			uncompr_size = width * length;
+-            /* Detect int overflow */
+-            if( uncompr_size / width != length )
+-            {
+-                TIFFError(infilename,
+-                    "Invalid dimensions of BMP file" );
+-                close(fd);
+-                return -1;
+-            }
++
++			bits = info_hdr.iBitCount;
++
++			if (bits > 8) // bit depth is > 8bit, adjust size
++			{
++				uncompr_size = width * length * (bits / 8);
++				/* Detect int overflow */
++				if (uncompr_size / width / (bits / 8) != length) {
++					TIFFError(infilename,
++							   "Invalid dimensions of BMP file");
++					close(fd);
++					return -1;
++				}
++			}
++			else
++				uncompr_size = width * length;
+ 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ 			if (!comprbuf) {
+ 				TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2015-8683_8665.patch b/SOURCES/libtiff-CVE-2015-8683_8665.patch
new file mode 100644
index 0000000..13647d0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8683_8665.patch
@@ -0,0 +1,98 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 1633325..018351b 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -182,8 +182,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ 				    "Planarconfiguration", td->td_planarconfig);
+ 				return (0);
+ 			}
++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
++            {
++                 sprintf(emsg,
++                        "Sorry, can not handle image with %s=%d, %s=%d",
++                        "Samples/pixel", td->td_samplesperpixel,
++                        "colorchannels", colorchannels);
++                 return 0;
++             }
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
++             {
++                 sprintf(emsg,
++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++                         "Samples/pixel", td->td_samplesperpixel,
++                         "colorchannels", colorchannels,
++                         "Bits/sample", td->td_bitspersample);
++                 return 0;
++             }
+ 			break;
+ 		default:
+ 			sprintf(emsg, "Sorry, can not handle image with %s=%d",
+@@ -241,6 +258,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
+ 	uint16 *red_orig, *green_orig, *blue_orig;
+ 	int n_color;
+ 
++	if( !TIFFRGBAImageOK(tif, emsg) )
++		return 0;
++
+ 	/* Initialize to normal values */
+ 	img->row_offset = 0;
+ 	img->col_offset = 0;
+@@ -2453,29 +2473,33 @@ PickContigCase(TIFFRGBAImage* img)
+ 		case PHOTOMETRIC_RGB:
+ 			switch (img->bitspersample) {
+ 				case 8:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >= 4)
+ 						img->put.contig = putRGBAAcontig8bittile;
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >= 4)
+ 					{
+ 						if (BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig8bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >= 3 )
+ 						img->put.contig = putRGBcontig8bittile;
+ 					break;
+ 				case 16:
+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++						img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBAAcontig16bittile;
+ 					}
+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++							 img->samplesperpixel >=4 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img) &&
+ 						    BuildMapUaToAa(img))
+ 							img->put.contig = putRGBUAcontig16bittile;
+ 					}
+-					else
++					else if( img->samplesperpixel >=3 )
+ 					{
+ 						if (BuildMapBitdepth16To8(img))
+ 							img->put.contig = putRGBcontig16bittile;
+@@ -2484,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img)
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_SEPARATED:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel >=4 && buildMap(img)) {
+ 				if (img->bitspersample == 8) {
+ 					if (!img->Map)
+ 						img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2580,7 +2604,7 @@ PickContigCase(TIFFRGBAImage* img)
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_CIELAB:
+-			if (buildMap(img)) {
++			if (img->samplesperpixel == 3 && buildMap(img)) {
+ 				if (img->bitspersample == 8)
+ 					img->put.contig = initCIELabConversion(img);
+ 				break;
diff --git a/SOURCES/libtiff-CVE-2015-8781.patch b/SOURCES/libtiff-CVE-2015-8781.patch
new file mode 100644
index 0000000..f56aa90
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8781.patch
@@ -0,0 +1,159 @@
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index eba6c08..ebbd692 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ 		tp = (int16*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		tp = (int16*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 2*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
+-				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++                if ( cc < 2 )
++                    break;
++				rc = *bp++ + (2-128);
+ 				b = (int16)(*bp++ << shft);
+ 				cc -= 2;
+ 				while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (int16)*bp++ << shft;
+ 			}
++        }
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32 *)op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		tp = (uint32 *) sp->tbuf;
+ 	}
+ 	/* copy to array of uint32 */
+ 	bp = (unsigned char*) tif->tif_rawcp;
+ 	cc = tif->tif_rawcc;
+-	for (i = 0; i < npixels && cc > 0; i++) {
++	for (i = 0; i < npixels && cc >= 3; i++) {
+ 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ 		bp += 3;
+ 		cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ 		tp = (uint32*) op;
+ 	else {
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		tp = (uint32*) sp->tbuf;
+ 	}
+ 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 	cc = tif->tif_rawcc;
+ 	/* get each byte string */
+ 	for (shft = 4*8; (shft -= 8) >= 0; ) {
+-		for (i = 0; i < npixels && cc > 0; )
++		for (i = 0; i < npixels && cc > 0; ) {
+ 			if (*bp >= 128) {		/* run */
++                if ( cc < 2 )
++                    break;
+ 				rc = *bp++ + (2-128);
+ 				b = (uint32)*bp++ << shft;
+-				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++				cc -= 2;
+ 				while (rc-- && i < npixels)
+ 					tp[i++] |= b;
+ 			} else {			/* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 				while (--cc && rc-- && i < npixels)
+ 					tp[i++] |= (uint32)*bp++ << shft;
+ 			}
++        }
+ 		if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
+@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++    static const char module [] = "LogL16Encode";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 		tp = (int16*) bp;
+ 	else {
+ 		tp = (int16*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */
+@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++    static const char module [] = "LogLuvEncode24";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	tmsize_t i;
+ 	tmsize_t npixels;
+@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* write out encoded pixels */
+@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++    static const char module [] = "LogLuvEncode32";
+ 	LogLuvState* sp = EncoderState(tif);
+ 	int shft;
+ 	tmsize_t i;
+@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 		tp = (uint32*) bp;
+ 	else {
+ 		tp = (uint32*) sp->tbuf;
+-		assert(sp->tbuflen >= npixels);
++		if(sp->tbuflen < npixels) {
++            TIFFErrorExt(tif->tif_clientdata, module,
++                    "Translation buffer too short");
++            return (0);
++        }
+ 		(*sp->tfunc)(sp, bp, npixels);
+ 	}
+ 	/* compress each byte string */
diff --git a/SOURCES/libtiff-CVE-2016-3632.patch b/SOURCES/libtiff-CVE-2016-3632.patch
new file mode 100644
index 0000000..bb0bc07
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3632.patch
@@ -0,0 +1,26 @@
+From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:04:34 +0200
+Subject: [PATCH 4/8] Fix CVE-2016-3632
+
+---
+ tools/thumbnail.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..75e7009 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -253,7 +253,8 @@ static struct cpTag {
+     { TIFFTAG_WHITEPOINT,		2, TIFF_RATIONAL },
+     { TIFFTAG_PRIMARYCHROMATICITIES,	(uint16) -1,TIFF_RATIONAL },
+     { TIFFTAG_HALFTONEHINTS,		2, TIFF_SHORT },
+-    { TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
++    // disable BADFAXLINES, CVE-2016-3632
++    //{ TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
+     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
+     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
+     { TIFFTAG_INKSET,			1, TIFF_SHORT },
+-- 
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3945.patch b/SOURCES/libtiff-CVE-2016-3945.patch
new file mode 100644
index 0000000..cb496a0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3945.patch
@@ -0,0 +1,92 @@
+From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:05:49 +0200
+Subject: [PATCH 5/8] Fix CVE-2016-3945
+
+---
+ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 737167c..5228966 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     uint32  row, col;
+     uint32  *wrk_line;
+     int	    ok = 1;
++    uint32  rastersize, wrk_linesize;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+     /*
+      * Allocate tile buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++    rastersize = tile_width * tile_height * sizeof (uint32);
++    if (width != (tile_width / tile_height) / sizeof( uint32))
++    {
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++	exit(-1);
++    }
++    raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+      * Allocate a scanline buffer for swapping during the vertical
+      * mirroring pass.
+      */
+-    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++    wrk_linesize = tile_width * sizeof (uint32);
++    if (wrk_linesize != tile_width / sizeof (uint32))
++    {
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++	exit(-1);
++    }
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+         ok = 0;
+@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     uint32  row;
+     uint32  *wrk_line;
+     int	    ok = 1;
++    uint32  rastersize, wrk_linesize;
+ 
+     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+     /*
+      * Allocate strip buffer
+      */
+-    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++    rastersize = width * rowsperstrip * sizeof (uint32);
++    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++    {
++	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++	exit(-1);
++    }
++    raster = (uint32*)_TIFFmalloc(rastersize);
+     if (raster == 0) {
+         TIFFError(TIFFFileName(in), "No space for raster buffer");
+         return (0);
+@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+      * Allocate a scanline buffer for swapping during the vertical
+      * mirroring pass.
+      */
+-    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++    wrk_linesize = width * sizeof (uint32);
++    if (wrk_linesize != width / sizeof (uint32))
++    {
++        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++	exit(-1);
++    }
++    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+     if (!wrk_line) {
+         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+         ok = 0;
+-- 
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3990.patch b/SOURCES/libtiff-CVE-2016-3990.patch
new file mode 100644
index 0000000..c5a9e8b
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3990.patch
@@ -0,0 +1,63 @@
+From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:44:22 +0200
+Subject: [PATCH 6/8] Fix CVE-2016-3990
+
+---
+ libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 2793b22..c9f056e 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,6 +462,7 @@ typedef	struct {
+ 	int			state;
+ 	int			user_datafmt;
+ 	int			quality;
++	tsize_t			tbuf_size;
+ #define PLSTATE_INIT 1
+ 
+ 	TIFFVSetMethod		vgetparent;	/* super-class method */
+@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif)
+ 	    td->td_samplesperpixel : 1);
+ 	tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ 				      td->td_rowsperstrip), sizeof(uint16));
++	sp->tbuf_size = tbuf_size;
+ 	if (tbuf_size == 0)
+ 		return (0);  /* TODO: this is an error return without error report through TIFFErrorExt */
+ 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 	}
+ 
+ 	llen = sp->stride * td->td_imagewidth;
+-
++	if (llen > sp->tbuf_size)	
++	{
++		TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++		exit (0);
++	}
+ 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
++		if (up > sp->tbuf+sp->tbuf_size)
++		{
++			TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++			exit (0);
++		}
+ 		switch (sp->user_datafmt)  {
+ 		case PIXARLOGDATAFMT_FLOAT:
+ 			horizontalDifferenceF((float *)bp, llen, 
+@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ 			     "ZLib cannot deal with buffers this size");
+ 		return (0);
+ 	}
++	if (sp->stream.avail_in > sp->tbuf_size)
++	{
++		TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name);
++		return (0);
++	}
+ 
+ 	do {
+ 		if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) {
+-- 
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3991.patch b/SOURCES/libtiff-CVE-2016-3991.patch
new file mode 100644
index 0000000..0ca667d
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3991.patch
@@ -0,0 +1,111 @@
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ea4f7a1..f04e2eb 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+     }
+ 
+   tile_buffsize = tilesize;
++  if (tilesize == 0 || tile_rowsize == 0)
++  {
++     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++     exit(-1);
++  }
+ 
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
+     {
+@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+               tilesize, tl * tile_rowsize);
+ #endif
+     tile_buffsize = tl * tile_rowsize;
+-    } 
++    if (tl != (tile_buffsize / tile_rowsize))
++    {
++    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++        exit(-1);
++    }
++    }
+ 
+   tilebuf = _TIFFmalloc(tile_buffsize);
+   if (tilebuf == 0)
+@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+       return 1;
+ 
++  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++  {
++    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++    exit(-1);
++  }
++  
+   tile_buffsize = tilesize;
+   if (tilesize < (tsize_t)(tl * tile_rowsize))
+     {
+@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+               tilesize, tl * tile_rowsize);
+ #endif
+     tile_buffsize = tl * tile_rowsize;
++    if (tl != tile_buffsize / tile_rowsize)
++    {
++	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
+     }
+ 
+   tilebuf = _TIFFmalloc(tile_buffsize);
+@@ -5931,12 +5952,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+ 
+     tile_rowsize  = TIFFTileRowSize(in);      
++    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++    {
++	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++	exit(-1);
++    }
+     buffsize = tlsize * ntiles;
++    if (tlsize != (buffsize / ntiles))
++    {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
+ 
+-        
+     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+       {
+       buffsize = ntiles * tl * tile_rowsize;
++      if (ntiles != (buffsize / tl / tile_rowsize))
++      {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++      }
++      
+ #ifdef DEBUG2
+       TIFFError("loadImage",
+ 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+@@ -5955,8 +5991,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+     stsize = TIFFStripSize(in);
+     nstrips = TIFFNumberOfStrips(in);
++    if (nstrips == 0 || stsize == 0)
++    {
++	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++	exit(-1);
++    }
++
+     buffsize = stsize * nstrips;
+-    
++    if (stsize != (buffsize / nstrips))
++    {
++	TIFFError("loadImage", "Integer overflow when calculating buffer size");
++	exit(-1);
++    }
++    uint32 buffsize_check;
++    buffsize_check = ((length * width * spp * bps) + 7);
++    if (length != ((buffsize_check - 7) / width / spp / bps))
++    {
++	TIFFError("loadImage", "Integer overflow detected.");
++	exit(-1);
++    }
+     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+       {
+       buffsize =  ((length * width * spp * bps) + 7) / 8;
diff --git a/SOURCES/libtiff-CVE-2016-5320.patch b/SOURCES/libtiff-CVE-2016-5320.patch
new file mode 100644
index 0000000..fc05ed6
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-5320.patch
@@ -0,0 +1,45 @@
+From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:54:49 +0200
+Subject: [PATCH 8/8] Fix CVE-2016-5320
+
+---
+ libtiff/tif_pixarlog.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index c9f056e..c961529 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,7 +462,7 @@ typedef	struct {
+ 	int			state;
+ 	int			user_datafmt;
+ 	int			quality;
+-	tsize_t			tbuf_size;
++	tmsize_t	tbuf_size;
+ #define PLSTATE_INIT 1
+ 
+ 	TIFFVSetMethod		vgetparent;	/* super-class method */
+@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)
+ 	if (tbuf_size == 0)
+ 		return (0);   /* TODO: this is an error return without error report through TIFFErrorExt */
+ 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++	sp->tbuf_size = tbuf_size;
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ 		return (0);
+ 	}
++	if (sp->stream.avail_out > sp->tbuf_size)
++	{
++		TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");
++		return (0);
++	}
+ 	do {
+ 		int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ 		if (state == Z_STREAM_END) {
+-- 
+2.7.4
+
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
index 9892c94..141e1ee 100644
--- a/SPECS/libtiff.spec
+++ b/SPECS/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.3
-Release: 14%{?dist}
+Release: 25%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -22,6 +22,21 @@ Patch9: libtiff-CVE-2013-4231.patch
 Patch10: libtiff-CVE-2013-4232.patch
 Patch11: libtiff-CVE-2013-4244.patch
 Patch12: libtiff-CVE-2013-4243.patch
+Patch13: libtiff-CVE-2014-9330.patch
+Patch14: libtiff-CVE-2014-8127.patch
+Patch15: libtiff-CVE-2014-8129.patch
+Patch16: libtiff-CVE-2014-8130.patch
+Patch17: libtiff-CVE-2014-9655.patch
+Patch18: libtiff-CVE-2015-1547_8784.patch
+Patch19: libtiff-CVE-2015-7554.patch
+Patch20: libtiff-CVE-2015-8683_8665.patch
+Patch21: libtiff-CVE-2015-8668.patch
+Patch22: libtiff-CVE-2015-8781.patch
+Patch23: libtiff-CVE-2016-3632.patch
+Patch24: libtiff-CVE-2016-3945.patch
+Patch25: libtiff-CVE-2016-3990.patch
+Patch26: libtiff-CVE-2016-3991.patch
+Patch27: libtiff-CVE-2016-5320.patch
 
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig
@@ -85,6 +100,21 @@ image files using the libtiff library.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -189,6 +219,68 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Wed Jul 27 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-25
+- Add patches for CVEs:
+  CVE-2015-7554, CVE-2015-8683, CVE-2015-8665,
+  CVE-2015-8781, CVE-2015-8782, CVE-2015-8783,
+  CVE-2015-8784
+- Related: #1299920
+
+* Tue Jul 26 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-24
+- Update patches for CVEs:
+  CVE-2014-8127, CVE-2014-8130
+- Related: #1299920
+
+* Tue Jul 26 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-23
+- Update patches:
+  CVE-2014-9330, CVE-2014-8127, CVE-2014-8129
+  CVE-2014-8130
+- Related: #1299920
+
+* Tue Jul 19 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-22
+- Update patch for CVE-2015-8668
+- Related: #1299920
+
+* Mon Jul 11 2016 Nikola Forr贸 <nforro@redhat.com> - 4.0.3-21
+- Remove patches for CVEs:
+  CVE-2014-8127, CVE-2014-8129, CVE-2014-8130,
+  CVE-2014-9330, CVE-2015-7554, CVE-2015-8665,
+  CVE-2015-8683, CVE-2015-8781, CVE-2015-8784
+- Add patches for CVEs:
+  CVE-2016-3632, CVE-2016-3945, CVE-2016-3990,
+  CVE-2016-3991, CVE-2016-5320
+- Update patches for CVEs:
+  CVE-2014-9655, CVE-2015-1547, CVE-2015-8668
+- Related: #1299920
+
+* Tue Apr 19 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-20
+- CVE-2014-8127 should contain only two fixes
+- Related: #1299920
+
+* Fri Apr 15 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-19
+- Revert previous patch CVE-2014-8127
+- Related: #1299920
+
+* Thu Mar 31 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-18
+- Fix patch CVE-2014-8127. Wrongly applied
+- Related: #1299920
+
+* Tue Mar 15 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-17
+- Fix patch CVE-2015-8668. Wrongly applied by me
+- Related: #1299920
+
+* Tue Mar 08 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-16
+- Fixed patches on preview CVEs
+- Related: #1299920
+
+* Wed Feb 03 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-15
+- This resolves several CVEs
+- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130
+- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781
+- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683
+- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668
+- Resolves: #1299920
+
 * Thu Feb 13 2014 Petr Hracek <phracek@redhat.com> - 4.0.3-14
 - Resolves: #996827 CVE-2013-4243 libtiff various flaws