diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..03c7f11
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tiff-4.0.3.tar.gz
diff --git a/.libtiff.metadata b/.libtiff.metadata
new file mode 100644
index 0000000..344cab8
--- /dev/null
+++ b/.libtiff.metadata
@@ -0,0 +1 @@
+652e97b78f1444237a82cbcfe014310e776eb6f0 SOURCES/tiff-4.0.3.tar.gz
diff --git a/SOURCES/libtiff-CVE-2012-4447.patch b/SOURCES/libtiff-CVE-2012-4447.patch
new file mode 100644
index 0000000..ebf9a00
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2012-4447.patch
@@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ return bytes;
+ }
+
++static tmsize_t
++add_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/SOURCES/libtiff-CVE-2012-4564.patch b/SOURCES/libtiff-CVE-2012-4564.patch
new file mode 100644
index 0000000..3d7946c
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2012-4564.patch
@@ -0,0 +1,86 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
+--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
+@@ -72,6 +72,17 @@
+ exit(-2);
+ }
+
++static tmsize_t
++multiply_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+ uint32 rowsperstrip = (uint32) -1;
+ double resolution = -1;
+ unsigned char *buf = NULL;
+- tsize_t linebytes = 0;
++ tmsize_t linebytes = 0;
+ uint16 spp = 1;
+ uint16 bpp = 8;
+ TIFF *out;
+@@ -89,6 +100,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tmsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -230,15 +243,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/SOURCES/libtiff-CVE-2013-1960.patch b/SOURCES/libtiff-CVE-2013-1960.patch
new file mode 100644
index 0000000..1c8dfb7
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-1960.patch
@@ -0,0 +1,145 @@
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
diff --git a/SOURCES/libtiff-CVE-2013-1961.patch b/SOURCES/libtiff-CVE-2013-1961.patch
new file mode 100644
index 0000000..0ea9b52
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-1961.patch
@@ -0,0 +1,759 @@
+diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
+--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400
++++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400
+@@ -512,9 +512,9 @@
+ Arg args[1];
+
+ if (tfMultiPage)
+- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
+ else
+- strcpy(buffer, fileName);
++ snprintf(buffer, sizeof(buffer), "%s", fileName);
+ XtSetArg(args[0], XtNlabel, buffer);
+ XtSetValues(labelWidget, args, 1);
+ }
+diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c
+--- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500
++++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400
+@@ -108,7 +108,8 @@
+ const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
+ char compression_code[20];
+
+- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
++ snprintf(compression_code, sizeof(compression_code), "%d",
++ tif->tif_dir.td_compression );
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s compression support is not configured",
+ c ? c->name : compression_code );
+diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c
+--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400
+@@ -711,7 +711,7 @@
+ * note that this name is a special sign to TIFFClose() and
+ * _TIFFSetupFields() to free the field
+ */
+- sprintf(fld->field_name, "Tag %d", (int) tag);
++ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
+
+ return fld;
+ }
+diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c
+--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400
++++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400
+@@ -332,7 +332,8 @@
+ TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+ { char buf[2048];
+ char *cp = strrchr(TIFFFileName(in), '/');
+- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
++ cp ? cp+1 : TIFFFileName(in));
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
+ }
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c
+--- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400
++++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400
+@@ -205,7 +205,7 @@
+ }
+ }
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
+- sprintf(thing, "B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400
+@@ -3609,7 +3609,9 @@
+ char buffer[16];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
++ t2p->pdf_majorversion&0xff,
++ t2p->pdf_minorversion&0xff);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
+
+@@ -3623,10 +3625,10 @@
+ tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%lu", (unsigned long)number);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen );
+ written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
+
+@@ -3665,13 +3667,13 @@
+ written += t2pWriteFile(output, (tdata_t) "/", 1);
+ for (i=0;i<namelen;i++){
+ if ( ((unsigned char)name[i]) < 0x21){
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ nextchar=1;
+ }
+ if ( ((unsigned char)name[i]) > 0x7E){
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ nextchar=1;
+@@ -3679,57 +3681,57 @@
+ if (nextchar==0){
+ switch (name[i]){
+ case 0x23:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x25:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x28:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x29:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x2F:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x3C:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x3E:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x5B:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x5D:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x7B:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x7D:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+@@ -3844,14 +3846,14 @@
+ tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
+ if(len!=0){
+ written += t2p_write_pdf_stream_length(len, output);
+ } else {
+- buflen=sprintf(buffer, "%lu", (unsigned long)number);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ }
+@@ -3892,10 +3894,10 @@
+ tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%lu", (unsigned long)len);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n", 1);
+
+@@ -3909,7 +3911,7 @@
+ tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
+ {
+ tsize_t written = 0;
+- char buffer[16];
++ char buffer[32];
+ int buflen = 0;
+
+ written += t2pWriteFile(output,
+@@ -3948,7 +3950,6 @@
+ written += t2p_write_pdf_string(t2p->pdf_datetime, output);
+ }
+ written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
+- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
+ snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
+ written += t2p_write_pdf_string(buffer, output);
+ written += t2pWriteFile(output, (tdata_t) "\n", 1);
+@@ -4089,7 +4090,7 @@
+ {
+ tsize_t written=0;
+ tdir_t i=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ int page=0;
+@@ -4097,7 +4098,7 @@
+ (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
+ page = t2p->pdf_pages+1;
+ for (i=0;i<t2p->tiff_pagecount;i++){
+- buflen=sprintf(buffer, "%d", page);
++ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+ if ( ((i+1)%8)==0 ) {
+@@ -4112,8 +4113,7 @@
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
+
+@@ -4128,28 +4128,28 @@
+
+ unsigned int i=0;
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[256];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "] \n", 3);
+ written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
+- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
+@@ -4157,15 +4157,13 @@
+ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
+ for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
+ written += t2pWriteFile(output, (tdata_t) "/Im", 3);
+- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "_", 1);
+- buflen = sprintf(buffer, "%u", i+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4177,12 +4175,10 @@
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
+ written += t2pWriteFile(output, (tdata_t) "/Im", 3);
+- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4191,9 +4187,7 @@
+ if(t2p->tiff_transferfunctioncount != 0) {
+ written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
+ t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object + 3));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4566,7 +4560,7 @@
+ if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
+ for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
+ box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
+- buflen=sprintf(buffer,
++ buflen=snprintf(buffer, sizeof(buffer),
+ "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
+ t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
+ box.mat[0],
+@@ -4581,7 +4575,7 @@
+ }
+ } else {
+ box=t2p->pdf_imagebox;
+- buflen=sprintf(buffer,
++ buflen=snprintf(buffer, sizeof(buffer),
+ "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
+ t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
+ box.mat[0],
+@@ -4606,59 +4600,48 @@
+ TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
+ written += t2pWriteFile(output,
+ (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
+ 42);
+- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ if(tile != 0){
+ written += t2pWriteFile(output, (tdata_t) "_", 1);
+- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+ written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+ if(tile==0){
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
+ } else {
+ if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
+ } else {
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+ if(tile==0){
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
+ } else {
+ if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
+ } else {
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
+ written += t2p_write_pdf_xobject_cs(t2p, output);
+@@ -4702,11 +4685,10 @@
+ t2p->pdf_colorspace ^= T2P_CS_PALETTE;
+ written += t2p_write_pdf_xobject_cs(t2p, output);
+ t2p->pdf_colorspace |= T2P_CS_PALETTE;
+- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
+ return(written);
+@@ -4740,10 +4722,10 @@
+ X_W /= Y_W;
+ Z_W /= Y_W;
+ Y_W = 1.0F;
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
+- buflen=sprintf(buffer, "[%d %d %d %d] \n",
++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
+ t2p->pdf_labrange[0],
+ t2p->pdf_labrange[1],
+ t2p->pdf_labrange[2],
+@@ -4759,26 +4741,26 @@
+ tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
+ if(t2p->tiff_transferfunctioncount == 1){
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "[ ", 2);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 2));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 3));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4800,7 +4782,7 @@
+ written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
+ written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
+ written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
+- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
+ written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
+@@ -4827,7 +4809,7 @@
+ tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[128];
++ char buffer[256];
+ int buflen=0;
+
+ float X_W=0.0;
+@@ -4895,16 +4877,16 @@
+ written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
+ if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
+ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
+ }
+ if(t2p->pdf_colorspace & T2P_CS_CALRGB){
+ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
+ X_R, Y_R, Z_R,
+ X_G, Y_G, Z_G,
+ X_B, Y_B, Z_B);
+@@ -4923,11 +4905,11 @@
+ tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
+
+@@ -4937,11 +4919,11 @@
+ tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "/N ", 3);
+- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
+ t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
+@@ -5006,7 +4988,7 @@
+ tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ if(t2p->pdf_compression==T2P_COMPRESS_NONE){
+@@ -5021,41 +5003,33 @@
+ written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
+ if(tile==0){
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_width);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_length);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+ if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+@@ -5082,21 +5056,17 @@
+ if(t2p->pdf_compressionquality%100){
+ written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
+ written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen = sprintf(buffer, "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_width);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
+ }
+@@ -5116,16 +5086,16 @@
+ tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[21];
++ char buffer[64];
+ int buflen=0;
+ uint32 i=0;
+
+ written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
+- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
+ for (i=0;i<t2p->pdf_xrefcount;i++){
+- sprintf(buffer, "%.10lu 00000 n \n",
++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
+ (unsigned long)t2p->pdf_xrefoffsets[i]);
+ written += t2pWriteFile(output, (tdata_t) buffer, 20);
+ }
+@@ -5149,17 +5119,14 @@
+ snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
+
+ written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
+- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
+ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
+ sizeof(t2p->pdf_fileid) - 1);
+@@ -5167,9 +5134,8 @@
+ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
+ sizeof(t2p->pdf_fileid) - 1);
+ written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
+
+ return(written);
+diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c
+--- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400
++++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400
+@@ -1781,8 +1781,8 @@
+ imageOp = "imagemask";
+
+ (void)strcpy(im_x, "0");
+- (void)sprintf(im_y, "%lu", (long) h);
+- (void)sprintf(im_h, "%lu", (long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
+ tile_width = w;
+ tile_height = h;
+ if (TIFFIsTiled(tif)) {
+@@ -1803,7 +1803,7 @@
+ }
+ if (tile_height < h) {
+ fputs("/im_y 0 def\n", fd);
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ } else {
+ repeat_count = tf_numberstrips;
+@@ -1815,7 +1815,7 @@
+ fprintf(fd, "/im_h %lu def\n",
+ (unsigned long) tile_height);
+ (void)strcpy(im_h, "im_h");
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ }
+
+diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c
+--- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500
++++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400
+@@ -2077,7 +2077,7 @@
+ return 1;
+ }
+
+- sprintf (filenum, "-%03d%s", findex, export_ext);
++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
+ filenum[14] = '\0';
+ strncat (exportname, filenum, 15);
+ }
+@@ -2230,8 +2230,8 @@
+
+ /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
++ dump.infilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+@@ -2249,8 +2249,8 @@
+
+ /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
++ dump.outfilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c
+--- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500
++++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400
+@@ -260,7 +260,7 @@
+ TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
+ else
+ CopyField(TIFFTAG_FILLORDER, shortv);
+- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+ CopyField(TIFFTAG_ORIENTATION, shortv);
diff --git a/SOURCES/libtiff-CVE-2013-4231.patch b/SOURCES/libtiff-CVE-2013-4231.patch
new file mode 100644
index 0000000..8ae1e12
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-4231.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 17f7a19..375b152 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -333,6 +333,10 @@ readraster(void)
+ int status = 1;
+
+ datasize = getc(infile);
++
++ if (datasize > 12)
++ return 0;
++
+ clear = 1 << datasize;
+ eoi = clear + 1;
+ avail = clear + 2;
diff --git a/SOURCES/libtiff-CVE-2013-4232.patch b/SOURCES/libtiff-CVE-2013-4232.patch
new file mode 100644
index 0000000..5e8612c
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-4232.patch
@@ -0,0 +1,12 @@
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 92a1a3d..26a1acb 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/SOURCES/libtiff-CVE-2013-4243.patch b/SOURCES/libtiff-CVE-2013-4243.patch
new file mode 100644
index 0000000..3ffc207
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-4243.patch
@@ -0,0 +1,37 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 2731273..1e9b4b9 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -406,6 +410,10 @@ process(register int code, unsigned char** fill)
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+@@ -436,6 +444,10 @@ process(register int code, unsigned char** fill)
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
diff --git a/SOURCES/libtiff-CVE-2013-4244.patch b/SOURCES/libtiff-CVE-2013-4244.patch
new file mode 100644
index 0000000..792e076
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2013-4244.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 375b152..2731273 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill)
+ }
+
+ if (oldcode == -1) {
++ if (code >= clear) {
++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
diff --git a/SOURCES/libtiff-CVE-2014-8127.patch b/SOURCES/libtiff-CVE-2014-8127.patch
new file mode 100644
index 0000000..d426710
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8127.patch
@@ -0,0 +1,169 @@
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 19a26e2..6667228 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
+ if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
+ goto bad;
+ }
++ /*
++ * SamplesPerPixel value has changed, adjust SMinSampleValue
++ * and SMaxSampleValue arrays if necessary
++ */
++ {
++ uint32 saved_flags;
++ saved_flags = tif->tif_flags;
++ tif->tif_flags &= ~TIFF_PERSAMPLE;
++ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
++ {
++ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
++ {
++ tif->tif_flags = saved_flags;
++ goto bad;
++ }
++ }
++ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
++ {
++ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
++ {
++ tif->tif_flags = saved_flags;
++ goto bad;
++ }
++ }
++ tif->tif_flags = saved_flags;
++ }
+ }
+ }
+ /*
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index fa20609..fa68d1c 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ {
+ if (!isTiled(tif))
+ {
+- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+- goto bad;
++ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
++ if (tif->tif_dir.td_stripoffset)
++ {
++ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
++ goto bad;
++ }
+ }
+ else
+ {
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 2ba822a..dfc5b07 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ return ((tmsize_t)(-1));
+ }
+ bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid strip byte count, strip %lu",
+@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[strip];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[tile];
+- if (bytecount <= 0) {
++ if ((int64)bytecount <= 0) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid tile byte count, tile %lu",
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index b5ed30b..376f4e6 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -401,6 +401,24 @@ main(int argc, char* argv[])
+ return 0;
+ }
+
++ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
++ {
++ TIFFError(infilename,
++ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
++ info_hdr.iBitCount);
++ close(fd);
++ return 0;
++ }
++
++ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
++ {
++ TIFFError(infilename,
++ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
++ info_hdr.iBitCount);
++ close(fd);
++ return 0;
++ }
++
+ width = info_hdr.iWidth;
+ length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
+ if( width <= 0 || length <= 0 )
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 8608aad..426bbc0 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -372,7 +372,8 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..06edf93 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -257,7 +257,8 @@ static struct cpTag {
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
++ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
++ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ { TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
+ { TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
+ { TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
+@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
+ rowsize = TIFFScanlineSize(in);
+ rastersize = sh * rowsize;
+ fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
+- raster = (unsigned char*)_TIFFmalloc(rastersize);
++ raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
+ if (!raster) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate space for raster buffer.");
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index c5dcb7c..02605df 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -171,6 +171,11 @@ main(int argc, char* argv[])
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
++ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
++ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
++ argv[optind], samplesperpixel);
++ return (-1);
++ }
+ TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
+ if (bitspersample != 8) {
+ fprintf(stderr,
diff --git a/SOURCES/libtiff-CVE-2014-8129.patch b/SOURCES/libtiff-CVE-2014-8129.patch
new file mode 100644
index 0000000..9cd7bd9
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8129.patch
@@ -0,0 +1,174 @@
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 8bf3ea7..f812fa2 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
++ double dblval;
+ char* s;
+ const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
+ uint32 standard_tag = tag;
+@@ -283,10 +284,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
+ break;
+ case TIFFTAG_XRESOLUTION:
+- td->td_xresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_xresolution = (float) dblval;
+ break;
+ case TIFFTAG_YRESOLUTION:
+- td->td_yresolution = (float) va_arg(ap, double);
++ dblval = va_arg(ap, double);
++ if( dblval < 0 )
++ goto badvaluedouble;
++ td->td_yresolution = (float) dblval;
+ break;
+ case TIFFTAG_PLANARCONFIG:
+ v = (uint16) va_arg(ap, uint16_vap);
+@@ -693,6 +700,16 @@ badvalue32:
+ va_end(ap);
+ }
+ return (0);
++badvaluedouble:
++ {
++ const TIFFField* fip=TIFFFieldWithTag(tif,tag);
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Bad value %f for \"%s\" tag",
++ tif->tif_name, dblval,
++ fip->field_name);
++ va_end(ap);
++ }
++ return (0);
+ }
+
+ /*
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..81084ff 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ default: {
+ uint32 npixels = 0, grey;
+ uint32 imagewidth = tif->tif_dir.td_imagewidth;
++ if( isTiled(tif) )
++ imagewidth = tif->tif_dir.td_tilewidth;
+
+ /*
+ * The scanline is composed of a sequence of constant
+@@ -139,10 +141,28 @@ bad:
+ return (0);
+ }
+
++static int
++NeXTPreDecode(TIFF* tif, uint16 s)
++{
++ static const char module[] = "NeXTPreDecode";
++ TIFFDirectory *td = &tif->tif_dir;
++ (void)s;
++
++ if( td->td_bitspersample != 2 )
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
++ td->td_bitspersample);
++ return (0);
++ }
++ return (1);
++}
++
++
+ int
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
++ tif->tif_predecode = NeXTPreDecode;
+ tif->tif_decoderow = NeXTDecode;
+ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 26a1acb..2a64ec3 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -1165,6 +1165,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
+ if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
+ && (xuint16 == PLANARCONFIG_SEPARATE ) ){
+ TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
++ if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
++ {
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid tile count, %s",
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
+ }
+ if( t2p->tiff_tiles[i].tiles_tilecount > 0){
+@@ -1545,6 +1554,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ #endif
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for CIELAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for CIELAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]= -127;
+ t2p->pdf_labrange[1]= 127;
+ t2p->pdf_labrange[2]= -127;
+@@ -1560,6 +1585,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
+ t2p->pdf_colorspace=T2P_CS_LAB;
+ break;
+ case PHOTOMETRIC_ITULAB:
++ if( t2p->tiff_samplesperpixel != 3){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Unsupported samplesperpixel = %d for ITULAB",
++ t2p->tiff_samplesperpixel);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
++ if( t2p->tiff_bitspersample != 8){
++ TIFFError(
++ TIFF2PDF_MODULE,
++ "Invalid bitspersample = %d for ITULAB",
++ t2p->tiff_bitspersample);
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->pdf_labrange[0]=-85;
+ t2p->pdf_labrange[1]=85;
+ t2p->pdf_labrange[2]=-75;
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index abeb4f6..ea4f7a1 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tsize_t tilesize = TIFFTileSize(out);
+ unsigned char *tilebuf = NULL;
+
+- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
+- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
+- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
++ !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
++ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
++ return 1;
+
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
diff --git a/SOURCES/libtiff-CVE-2014-8130.patch b/SOURCES/libtiff-CVE-2014-8130.patch
new file mode 100644
index 0000000..d6683c3
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-8130.patch
@@ -0,0 +1,26 @@
+diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
+index 1387558..0a3a4a8 100644
+--- a/libtiff/tif_unix.c
++++ b/libtiff/tif_unix.c
+@@ -257,6 +257,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if ( s == 0 )
++ return ((void *) NULL);
+ return (malloc((size_t) s));
+ }
+
+diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
+index 2cf1de9..612a00d 100644
+--- a/libtiff/tif_win32.c
++++ b/libtiff/tif_win32.c
+@@ -329,6 +329,8 @@ TIFFOpenW(const wchar_t* name, const char* mode)
+ void*
+ _TIFFmalloc(tmsize_t s)
+ {
++ if ( s == 0 )
++ return ((tdata_t) NULL);
+ return (malloc((size_t) s));
+ }
+
diff --git a/SOURCES/libtiff-CVE-2014-9330.patch b/SOURCES/libtiff-CVE-2014-9330.patch
new file mode 100644
index 0000000..cfc83cc
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9330.patch
@@ -0,0 +1,34 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index c66a8d2..b5ed30b 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -403,6 +403,14 @@ main(int argc, char* argv[])
+
+ width = info_hdr.iWidth;
+ length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
++ if( width <= 0 || length <= 0 )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
++
+
+ switch (info_hdr.iBitCount)
+ {
+@@ -593,6 +601,14 @@ main(int argc, char* argv[])
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+ uncompr_size = width * length;
++ /* Detect int overflow */
++ if( uncompr_size / width != length )
++ {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file" );
++ close(fd);
++ return -1;
++ }
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2014-9655.patch b/SOURCES/libtiff-CVE-2014-9655.patch
new file mode 100644
index 0000000..033c627
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2014-9655.patch
@@ -0,0 +1,108 @@
+From a777efdb86da87073511e56e8fc4ef63fc111b5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 15:50:56 +0200
+Subject: [PATCH 1/8] Fix CVE-2014-9655
+
+---
+ libtiff/tif_getimage.c | 20 ++++++++++++++------
+ libtiff/tif_next.c | 4 +++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a85273c..1c1cf9e 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -842,6 +842,12 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ int32 fromskew, toskew;
+ int ret = 1, flip;
+
++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++ if( subsamplingver == 0 ) {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Invalid vertical YCbCr subsampling");
++ return (0);
++ }
++
+ buf = (unsigned char*) _TIFFmalloc(TIFFStripSize(tif));
+ if (buf == 0) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for strip buffer");
+@@ -859,7 +865,7 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+
+ TIFFGetFieldDefaulted(tif, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+- TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, &subsamplinghor, &subsamplingver);
++
+ scanline = TIFFScanlineSize(tif);
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+@@ -1852,7 +1858,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+
+ (void) y;
+ fromskew = (fromskew * 10) / 4;
+- if ((h & 3) == 0 && (w & 1) == 0) {
++ if ((w & 3) == 0 && (h & 1) == 0) {
+ for (; h >= 2; h -= 2) {
+ x = w>>2;
+ do {
+@@ -1929,7 +1935,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+ /* XXX adjust fromskew */
+ do {
+ x = w>>2;
+- do {
++ while(x>0) {
+ int32 Cb = pp[4];
+ int32 Cr = pp[5];
+
+@@ -1940,7 +1946,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
+
+ cp += 4;
+ pp += 6;
+- } while (--x);
++ x--;
++ }
+
+ if( (w&3) != 0 )
+ {
+@@ -2031,7 +2038,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+ fromskew = (fromskew * 4) / 2;
+ do {
+ x = w>>1;
+- do {
++ while(x>0) {
+ int32 Cb = pp[2];
+ int32 Cr = pp[3];
+
+@@ -2040,7 +2047,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
+
+ cp += 2;
+ pp += 4;
+- } while (--x);
++ x --;
++ }
+
+ if( (w&1) != 0 )
+ {
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index 524e127..92ef6ee 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
+ return (0);
+ }
+- for (row = buf; occ > 0; occ -= scanline, row += scanline) {
++ for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
+ n = *bp++, cc--;
+ switch (n) {
+ case LITERALROW:
+@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * The scanline has a literal span that begins at some
+ * offset.
+ */
++ if( cc < 4 )
++ goto bad;
+ off = (bp[0] * 256) + bp[1];
+ n = (bp[2] * 256) + bp[3];
+ if (cc < 4+n || off+n > scanline)
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2015-1547_8784.patch b/SOURCES/libtiff-CVE-2015-1547_8784.patch
new file mode 100644
index 0000000..03d9b32
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-1547_8784.patch
@@ -0,0 +1,52 @@
+diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
+index b014685..13c0848 100644
+--- a/libtiff/tif_next.c
++++ b/libtiff/tif_next.c
+@@ -37,7 +37,7 @@
+ case 0: op[0] = (unsigned char) ((v) << 6); break; \
+ case 1: op[0] |= (v) << 4; break; \
+ case 2: op[0] |= (v) << 2; break; \
+- case 3: *op++ |= (v); break; \
++ case 3: *op++ |= (v); op_offset++; break; \
+ } \
+ }
+
+@@ -107,6 +107,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ if( isTiled(tif) )
+ imagewidth = tif->tif_dir.td_tilewidth;
+
++ tmsize_t op_offset = 0;
++
+ /*
+ * The scanline is composed of a sequence of constant
+ * color ``runs''. We shift into ``run mode'' and
+@@ -120,10 +122,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
+ * bounds, potentially resulting in a security
+ * issue.
+ */
+- while (n-- > 0 && npixels < imagewidth)
++ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
+ SETPIXEL(op, grey);
+ if (npixels >= imagewidth)
+ break;
++ if (op_offset >= scanline ) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
++ (long) tif->tif_row);
++ return (0);
++ }
+ if (cc == 0)
+ goto bad;
+ n = *bp++, cc--;
+@@ -162,9 +169,9 @@ NeXTPreDecode(TIFF* tif, uint16 s)
+ TIFFInitNeXT(TIFF* tif, int scheme)
+ {
+ (void) scheme;
+- tif->tif_predecode = NeXTPreDecode;
+- tif->tif_decoderow = NeXTDecode;
+- tif->tif_decodestrip = NeXTDecode;
++ tif->tif_predecode = NeXTPreDecode;
++ tif->tif_decoderow = NeXTDecode;
++ tif->tif_decodestrip = NeXTDecode;
+ tif->tif_decodetile = NeXTDecode;
+ return (1);
+ }
diff --git a/SOURCES/libtiff-CVE-2015-7554.patch b/SOURCES/libtiff-CVE-2015-7554.patch
new file mode 100644
index 0000000..cc76047
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-7554.patch
@@ -0,0 +1,23 @@
+diff -pur tiff-4.0.4/tools/tiffsplit.c tiff-4.0.4_patch/tools/tiffsplit.c
+--- tiff-4.0.4/tools/tiffsplit.c 2015-05-28 15:10:26.000000000 +0200
++++ tiff-4.0.4_patch/tools/tiffsplit.c 2016-02-12 19:15:30.532005041 +0100
+@@ -179,8 +179,9 @@ tiffcp(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
+ }
+ }
++ uint32 count = 0;
+ CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+- CopyField(TIFFTAG_PREDICTOR, shortv);
++ CopyField2(TIFFTAG_PREDICTOR, count, shortv);
+ CopyField(TIFFTAG_THRESHHOLDING, shortv);
+ CopyField(TIFFTAG_FILLORDER, shortv);
+ CopyField(TIFFTAG_ORIENTATION, shortv);
+@@ -188,7 +189,7 @@ tiffcp(TIFF* in, TIFF* out)
+ CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
+ CopyField(TIFFTAG_XRESOLUTION, floatv);
+ CopyField(TIFFTAG_YRESOLUTION, floatv);
+- CopyField(TIFFTAG_GROUP3OPTIONS, longv);
++ CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
+ CopyField(TIFFTAG_GROUP4OPTIONS, longv);
+ CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
+ CopyField(TIFFTAG_PLANARCONFIG, shortv);
diff --git a/SOURCES/libtiff-CVE-2015-8668.patch b/SOURCES/libtiff-CVE-2015-8668.patch
new file mode 100644
index 0000000..436326e
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8668.patch
@@ -0,0 +1,41 @@
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index 376f4e6..c747c13 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -614,19 +614,27 @@ main(int argc, char* argv[])
+ || info_hdr.iCompression == BMPC_RLE4 ) {
+ uint32 i, j, k, runlength;
+ uint32 compr_size, uncompr_size;
++ uint32 bits = 0;
+ unsigned char *comprbuf;
+ unsigned char *uncomprbuf;
+
+ compr_size = file_hdr.iSize - file_hdr.iOffBits;
+- uncompr_size = width * length;
+- /* Detect int overflow */
+- if( uncompr_size / width != length )
+- {
+- TIFFError(infilename,
+- "Invalid dimensions of BMP file" );
+- close(fd);
+- return -1;
+- }
++
++ bits = info_hdr.iBitCount;
++
++ if (bits > 8) // bit depth is > 8bit, adjust size
++ {
++ uncompr_size = width * length * (bits / 8);
++ /* Detect int overflow */
++ if (uncompr_size / width / (bits / 8) != length) {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file");
++ close(fd);
++ return -1;
++ }
++ }
++ else
++ uncompr_size = width * length;
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
diff --git a/SOURCES/libtiff-CVE-2015-8683_8665.patch b/SOURCES/libtiff-CVE-2015-8683_8665.patch
new file mode 100644
index 0000000..13647d0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8683_8665.patch
@@ -0,0 +1,98 @@
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 1633325..018351b 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -182,8 +182,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
+ "Planarconfiguration", td->td_planarconfig);
+ return (0);
+ }
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels);
++ return 0;
++ }
+ break;
+ case PHOTOMETRIC_CIELAB:
++ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
++ {
++ sprintf(emsg,
++ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
++ "Samples/pixel", td->td_samplesperpixel,
++ "colorchannels", colorchannels,
++ "Bits/sample", td->td_bitspersample);
++ return 0;
++ }
+ break;
+ default:
+ sprintf(emsg, "Sorry, can not handle image with %s=%d",
+@@ -241,6 +258,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
+ uint16 *red_orig, *green_orig, *blue_orig;
+ int n_color;
+
++ if( !TIFFRGBAImageOK(tif, emsg) )
++ return 0;
++
+ /* Initialize to normal values */
+ img->row_offset = 0;
+ img->col_offset = 0;
+@@ -2453,29 +2473,33 @@ PickContigCase(TIFFRGBAImage* img)
+ case PHOTOMETRIC_RGB:
+ switch (img->bitspersample) {
+ case 8:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >= 4)
+ img->put.contig = putRGBAAcontig8bittile;
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >= 4)
+ {
+ if (BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig8bittile;
+ }
+- else
++ else if( img->samplesperpixel >= 3 )
+ img->put.contig = putRGBcontig8bittile;
+ break;
+ case 16:
+- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
++ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBAAcontig16bittile;
+ }
+- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
++ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
++ img->samplesperpixel >=4 )
+ {
+ if (BuildMapBitdepth16To8(img) &&
+ BuildMapUaToAa(img))
+ img->put.contig = putRGBUAcontig16bittile;
+ }
+- else
++ else if( img->samplesperpixel >=3 )
+ {
+ if (BuildMapBitdepth16To8(img))
+ img->put.contig = putRGBcontig16bittile;
+@@ -2484,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_SEPARATED:
+- if (buildMap(img)) {
++ if (img->samplesperpixel >=4 && buildMap(img)) {
+ if (img->bitspersample == 8) {
+ if (!img->Map)
+ img->put.contig = putRGBcontig8bitCMYKtile;
+@@ -2580,7 +2604,7 @@ PickContigCase(TIFFRGBAImage* img)
+ }
+ break;
+ case PHOTOMETRIC_CIELAB:
+- if (buildMap(img)) {
++ if (img->samplesperpixel == 3 && buildMap(img)) {
+ if (img->bitspersample == 8)
+ img->put.contig = initCIELabConversion(img);
+ break;
diff --git a/SOURCES/libtiff-CVE-2015-8781.patch b/SOURCES/libtiff-CVE-2015-8781.patch
new file mode 100644
index 0000000..f56aa90
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8781.patch
@@ -0,0 +1,159 @@
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index eba6c08..ebbd692 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
+ tp = (int16*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (int16*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 2*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
+- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ if ( cc < 2 )
++ break;
++ rc = *bp++ + (2-128);
+ b = (int16)(*bp++ << shft);
+ cc -= 2;
+ while (rc-- && i < npixels)
+@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (int16)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32 *)op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32 *) sp->tbuf;
+ }
+ /* copy to array of uint32 */
+ bp = (unsigned char*) tif->tif_rawcp;
+ cc = tif->tif_rawcc;
+- for (i = 0; i < npixels && cc > 0; i++) {
++ for (i = 0; i < npixels && cc >= 3; i++) {
+ tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
+ bp += 3;
+ cc -= 3;
+@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ if (sp->user_datafmt == SGILOGDATAFMT_RAW)
+ tp = (uint32*) op;
+ else {
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ tp = (uint32*) sp->tbuf;
+ }
+ _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
+@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ cc = tif->tif_rawcc;
+ /* get each byte string */
+ for (shft = 4*8; (shft -= 8) >= 0; ) {
+- for (i = 0; i < npixels && cc > 0; )
++ for (i = 0; i < npixels && cc > 0; ) {
+ if (*bp >= 128) { /* run */
++ if ( cc < 2 )
++ break;
+ rc = *bp++ + (2-128);
+ b = (uint32)*bp++ << shft;
+- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
++ cc -= 2;
+ while (rc-- && i < npixels)
+ tp[i++] |= b;
+ } else { /* non-run */
+@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ while (--cc && rc-- && i < npixels)
+ tp[i++] |= (uint32)*bp++ << shft;
+ }
++ }
+ if (i != npixels) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+@@ -407,6 +425,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogL16Encode";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -427,7 +446,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (int16*) bp;
+ else {
+ tp = (int16*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
+@@ -500,6 +523,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogLuvEncode24";
+ LogLuvState* sp = EncoderState(tif);
+ tmsize_t i;
+ tmsize_t npixels;
+@@ -515,7 +539,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* write out encoded pixels */
+@@ -547,6 +575,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ static int
+ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ {
++ static const char module [] = "LogLuvEncode32";
+ LogLuvState* sp = EncoderState(tif);
+ int shft;
+ tmsize_t i;
+@@ -568,7 +597,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ tp = (uint32*) bp;
+ else {
+ tp = (uint32*) sp->tbuf;
+- assert(sp->tbuflen >= npixels);
++ if(sp->tbuflen < npixels) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Translation buffer too short");
++ return (0);
++ }
+ (*sp->tfunc)(sp, bp, npixels);
+ }
+ /* compress each byte string */
diff --git a/SOURCES/libtiff-CVE-2015-8870.patch b/SOURCES/libtiff-CVE-2015-8870.patch
new file mode 100644
index 0000000..f83d10f
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2015-8870.patch
@@ -0,0 +1,33 @@
+From fb0bc75826b860609c59848d85daa43beb7838d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 12 Jan 2017 15:34:59 +0100
+Subject: [PATCH 5/5] Fix CVE-2015-8870
+
+---
+ tools/bmp2tiff.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
+index c747c13..384cf96 100644
+--- a/tools/bmp2tiff.c
++++ b/tools/bmp2tiff.c
+@@ -634,7 +634,16 @@ main(int argc, char* argv[])
+ }
+ }
+ else
++ {
+ uncompr_size = width * length;
++ /* Detect int overflow */
++ if (uncompr_size / width != length) {
++ TIFFError(infilename,
++ "Invalid dimensions of BMP file");
++ close(fd);
++ return -1;
++ }
++ }
+ comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
+ if (!comprbuf) {
+ TIFFError(infilename,
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3186.patch b/SOURCES/libtiff-CVE-2016-3186.patch
new file mode 100644
index 0000000..303f446
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3186.patch
@@ -0,0 +1,25 @@
+From 4c5f309925e568f3ccd4bacc1907c082401c13cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 6 Dec 2018 14:42:00 +0100
+Subject: [PATCH 01/10] Fix CVE-2016-3186
+
+---
+ tools/gif2tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 1e9b4b9..e89ac5b 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -316,7 +316,7 @@ readextension(void)
+ char buf[255];
+
+ (void) getc(infile);
+- while ((count = getc(infile)))
++ while ((count = getc(infile)) && count >= 0 && count <= 255)
+ fread(buf, 1, count, infile);
+ }
+
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2016-3632.patch b/SOURCES/libtiff-CVE-2016-3632.patch
new file mode 100644
index 0000000..bb0bc07
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3632.patch
@@ -0,0 +1,26 @@
+From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:04:34 +0200
+Subject: [PATCH 4/8] Fix CVE-2016-3632
+
+---
+ tools/thumbnail.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index fd1cba5..75e7009 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -253,7 +253,8 @@ static struct cpTag {
+ { TIFFTAG_WHITEPOINT, 2, TIFF_RATIONAL },
+ { TIFFTAG_PRIMARYCHROMATICITIES, (uint16) -1,TIFF_RATIONAL },
+ { TIFFTAG_HALFTONEHINTS, 2, TIFF_SHORT },
+- { TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
++ // disable BADFAXLINES, CVE-2016-3632
++ //{ TIFFTAG_BADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
+ { TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
+ { TIFFTAG_INKSET, 1, TIFF_SHORT },
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3945.patch b/SOURCES/libtiff-CVE-2016-3945.patch
new file mode 100644
index 0000000..cb496a0
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3945.patch
@@ -0,0 +1,92 @@
+From a9bb0f1406e9da35da4da13eabacb00d9cc2efcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:05:49 +0200
+Subject: [PATCH 5/8] Fix CVE-2016-3945
+
+---
+ tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 737167c..5228966 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -145,6 +145,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ uint32 row, col;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -161,7 +162,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ /*
+ * Allocate tile buffer
+ */
+- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
++ rastersize = tile_width * tile_height * sizeof (uint32);
++ if (width != (tile_width / tile_height) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -171,7 +178,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
++ wrk_linesize = tile_width * sizeof (uint32);
++ if (wrk_linesize != tile_width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+@@ -247,6 +260,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ uint32 row;
+ uint32 *wrk_line;
+ int ok = 1;
++ uint32 rastersize, wrk_linesize;
+
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
+@@ -261,7 +275,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ /*
+ * Allocate strip buffer
+ */
+- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
++ rastersize = width * rowsperstrip * sizeof (uint32);
++ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
++ exit(-1);
++ }
++ raster = (uint32*)_TIFFmalloc(rastersize);
+ if (raster == 0) {
+ TIFFError(TIFFFileName(in), "No space for raster buffer");
+ return (0);
+@@ -271,7 +291,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
+ * Allocate a scanline buffer for swapping during the vertical
+ * mirroring pass.
+ */
+- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
++ wrk_linesize = width * sizeof (uint32);
++ if (wrk_linesize != width / sizeof (uint32))
++ {
++ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
++ exit(-1);
++ }
++ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
+ if (!wrk_line) {
+ TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
+ ok = 0;
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3990.patch b/SOURCES/libtiff-CVE-2016-3990.patch
new file mode 100644
index 0000000..c5a9e8b
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3990.patch
@@ -0,0 +1,63 @@
+From 46d1b6c09939eef09e45ccec345c6724cabc454e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:44:22 +0200
+Subject: [PATCH 6/8] Fix CVE-2016-3990
+
+---
+ libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 2793b22..c9f056e 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,6 +462,7 @@ typedef struct {
+ int state;
+ int user_datafmt;
+ int quality;
++ tsize_t tbuf_size;
+ #define PLSTATE_INIT 1
+
+ TIFFVSetMethod vgetparent; /* super-class method */
+@@ -885,6 +886,7 @@ PixarLogSetupEncode(TIFF* tif)
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ sp->tbuf_size = tbuf_size;
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+@@ -1131,8 +1133,17 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ }
+
+ llen = sp->stride * td->td_imagewidth;
+-
++ if (llen > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++ exit (0);
++ }
+ for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
++ if (up > sp->tbuf+sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Buffer limit reached.", tif->tif_name);
++ exit (0);
++ }
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalDifferenceF((float *)bp, llen,
+@@ -1169,6 +1180,11 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ if (sp->stream.avail_in > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "%s: Encoder error: Error within the calculation on ZLib buffer size.", tif->tif_name);
++ return (0);
++ }
+
+ do {
+ if (deflate(&sp->stream, Z_NO_FLUSH) != Z_OK) {
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-3991.patch b/SOURCES/libtiff-CVE-2016-3991.patch
new file mode 100644
index 0000000..0ca667d
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-3991.patch
@@ -0,0 +1,111 @@
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ea4f7a1..f04e2eb 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ }
+
+ tile_buffsize = tilesize;
++ if (tilesize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
++ exit(-1);
++ }
+
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
+@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
+- }
++ if (tl != (tile_buffsize / tile_rowsize))
++ {
++ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
++ exit(-1);
++ }
++ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
+ if (tilebuf == 0)
+@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
+ return 1;
+
++ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
++ {
++ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
++ exit(-1);
++ }
++
+ tile_buffsize = tilesize;
+ if (tilesize < (tsize_t)(tl * tile_rowsize))
+ {
+@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
+ tilesize, tl * tile_rowsize);
+ #endif
+ tile_buffsize = tl * tile_rowsize;
++ if (tl != tile_buffsize / tile_rowsize)
++ {
++ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+ }
+
+ tilebuf = _TIFFmalloc(tile_buffsize);
+@@ -5931,12 +5952,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
+
+ tile_rowsize = TIFFTileRowSize(in);
++ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
++ exit(-1);
++ }
+ buffsize = tlsize * ntiles;
++ if (tlsize != (buffsize / ntiles))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
+
+-
+ if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
+ {
+ buffsize = ntiles * tl * tile_rowsize;
++ if (ntiles != (buffsize / tl / tile_rowsize))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++
+ #ifdef DEBUG2
+ TIFFError("loadImage",
+ "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
+@@ -5955,8 +5991,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ stsize = TIFFStripSize(in);
+ nstrips = TIFFNumberOfStrips(in);
++ if (nstrips == 0 || stsize == 0)
++ {
++ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
++ exit(-1);
++ }
++
+ buffsize = stsize * nstrips;
+-
++ if (stsize != (buffsize / nstrips))
++ {
++ TIFFError("loadImage", "Integer overflow when calculating buffer size");
++ exit(-1);
++ }
++ uint32 buffsize_check;
++ buffsize_check = ((length * width * spp * bps) + 7);
++ if (length != ((buffsize_check - 7) / width / spp / bps))
++ {
++ TIFFError("loadImage", "Integer overflow detected.");
++ exit(-1);
++ }
+ if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+ {
+ buffsize = ((length * width * spp * bps) + 7) / 8;
diff --git a/SOURCES/libtiff-CVE-2016-5320.patch b/SOURCES/libtiff-CVE-2016-5320.patch
new file mode 100644
index 0000000..fc05ed6
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-5320.patch
@@ -0,0 +1,45 @@
+From 5f3ae40bcaf5518aae18eedc90cd9b326d7bd640 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 11 Jul 2016 16:54:49 +0200
+Subject: [PATCH 8/8] Fix CVE-2016-5320
+
+---
+ libtiff/tif_pixarlog.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index c9f056e..c961529 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -462,7 +462,7 @@ typedef struct {
+ int state;
+ int user_datafmt;
+ int quality;
+- tsize_t tbuf_size;
++ tmsize_t tbuf_size;
+ #define PLSTATE_INIT 1
+
+ TIFFVSetMethod vgetparent; /* super-class method */
+@@ -691,6 +691,7 @@ PixarLogSetupDecode(TIFF* tif)
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++ sp->tbuf_size = tbuf_size;
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+@@ -782,6 +783,11 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "Error within the calculation of ZLib buffer size");
++ return (0);
++ }
+ do {
+ int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-5652.patch b/SOURCES/libtiff-CVE-2016-5652.patch
new file mode 100644
index 0000000..a50d1e6
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-5652.patch
@@ -0,0 +1,48 @@
+From bb2505b3d099104a296823fc3a456680417475b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 12 Jan 2017 11:30:40 +0100
+Subject: [PATCH 4/5] Fix CVE-2016-5652
+
+---
+ tools/tiff2pdf.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index fbca305..9df5b16 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2826,21 +2826,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
+ return(0);
+ }
+ if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+- if (count > 0) {
+- _TIFFmemcpy(buffer, jpt, count);
++ if (count >= 4) {
++ /* Ignore EOI marker of JpegTables */
++ _TIFFmemcpy(buffer, jpt, count - 2);
+ bufferoffset += count - 2;
++ /* Store last 2 bytes of the JpegTables */
+ table_end[0] = buffer[bufferoffset-2];
+ table_end[1] = buffer[bufferoffset-1];
+- }
+- if (count > 0) {
+ xuint32 = bufferoffset;
++ bufferoffset -= 2;
+ bufferoffset += TIFFReadRawTile(
+ input,
+ tile,
+- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
++ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ -1);
+- buffer[xuint32-2]=table_end[0];
+- buffer[xuint32-1]=table_end[1];
++ /* Overwrite SOI marker of image scan with previously */
++ /* saved end of JpegTables */
++ buffer[xuint32-2]=table_end[0];
++ buffer[xuint32-1]=table_end[1];
+ } else {
+ bufferoffset += TIFFReadRawTile(
+ input,
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch b/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch
new file mode 100644
index 0000000..445f5ad
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-9533_9534_9536_9537.patch
@@ -0,0 +1,300 @@
+From 6c4480d2980dc61f3fcd4f43a499e69764133f1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Wed, 11 Jan 2017 12:50:33 +0100
+Subject: [PATCH 1/5] Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536,
+ CVE-2016-9537
+
+---
+ libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
+ libtiff/tif_write.c | 7 +++++++
+ tools/thumbnail.c | 7 ++++++-
+ tools/tiff2pdf.c | 22 ++++++++++++++++++--
+ tools/tiffcrop.c | 31 ++++++++++++++++++++++++----
+ 5 files changed, 83 insertions(+), 39 deletions(-)
+
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index c961529..6128f2f 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -981,17 +981,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
+ a1 = (int32) CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
+ }
+ } else {
+- ip += n - 1; /* point to last one */
+- wp += n - 1; /* point to last one */
+- n -= stride;
+- while (n > 0) {
+- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
++ REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
++ n -= stride;
++ while (n > 0) {
++ REPEAT(stride,
++ wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
+ }
+ }
+ }
+@@ -1034,17 +1031,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
+ a1 = CLAMP(ip[3]); wp[3] = (a1-a2) & mask; a2 = a1;
+ }
+ } else {
+- ip += n - 1; /* point to last one */
+- wp += n - 1; /* point to last one */
++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
+ n -= stride;
+ while (n > 0) {
+- REPEAT(stride, wp[0] = CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
++ REPEAT(stride,
++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
+ }
+ }
+ }
+@@ -1087,18 +1081,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
+ ip += 4;
+ }
+ } else {
+- wp += n + stride - 1; /* point to last one */
+- ip += n + stride - 1; /* point to last one */
+- n -= stride;
+- while (n > 0) {
+- REPEAT(stride, wp[0] = CLAMP(ip[0]);
+- wp[stride] -= wp[0];
+- wp[stride] &= mask;
+- wp--; ip--)
+- n -= stride;
+- }
+- REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
+- }
++ REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
++ n -= stride;
++ while (n > 0) {
++ REPEAT(stride,
++ wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
++ wp++; ip++)
++ n -= stride;
++ }
++ }
+ }
+ }
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index 8792123..ce671af 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -742,7 +742,14 @@ TIFFFlushData1(TIFF* tif)
+ if (!TIFFAppendToStrip(tif,
+ isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
+ tif->tif_rawdata, tif->tif_rawcc))
++ {
++ /* We update those variables even in case of error since there's */
++ /* code that doesn't really check the return code of this */
++ /* function */
++ tif->tif_rawcc = 0;
++ tif->tif_rawcp = tif->tif_rawdata;
+ return (0);
++ }
+ tif->tif_rawcc = 0;
+ tif->tif_rawcp = tif->tif_rawdata;
+ }
+diff --git a/tools/thumbnail.c b/tools/thumbnail.c
+index e14d290..9a9c439 100644
+--- a/tools/thumbnail.c
++++ b/tools/thumbnail.c
+@@ -587,12 +587,17 @@ generateThumbnail(TIFF* in, TIFF* out)
+ rowsize = TIFFScanlineSize(in);
+ rastersize = sh * rowsize;
+ fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
+- raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
++ /* +3 : add a few guard bytes since setrow() can read a bit */
++ /* outside buffer */
++ raster = (unsigned char*)_TIFFmalloc(rastersize+3);
+ if (!raster) {
+ TIFFError(TIFFFileName(in),
+ "Can't allocate space for raster buffer.");
+ return 0;
+ }
++ raster[rastersize] = 0;
++ raster[rastersize+1] = 0;
++ raster[rastersize+2] = 0;
+ rp = raster;
+ for (s = 0; s < ns; s++) {
+ (void) TIFFReadEncodedStrip(in, s, rp, -1);
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 2a64ec3..fbca305 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -285,7 +285,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
+ int t2p_process_ojpeg_tables(T2P*, TIFF*);
+ #endif
+ #ifdef JPEG_SUPPORT
+-int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
++int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
+ #endif
+ void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
+ void t2p_write_advance_directory(T2P*, TIFF*);
+@@ -2348,7 +2348,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
+ if(!t2p_process_jpeg_strip(
+ stripbuffer,
+ &striplength,
+- buffer,
++ buffer,
++ t2p->tiff_datasize,
+ &bufferoffset,
+ i,
+ t2p->tiff_length)){
+@@ -3378,6 +3379,7 @@ int t2p_process_jpeg_strip(
+ unsigned char* strip,
+ tsize_t* striplength,
+ unsigned char* buffer,
++ tsize_t buffersize,
+ tsize_t* bufferoffset,
+ tstrip_t no,
+ uint32 height){
+@@ -3412,6 +3414,8 @@ int t2p_process_jpeg_strip(
+ }
+ switch( strip[i] ){
+ case 0xd8: /* SOI - start of image */
++ if( *bufferoffset + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+ break;
+@@ -3421,12 +3425,18 @@ int t2p_process_jpeg_strip(
+ case 0xc9: /* SOF9 */
+ case 0xca: /* SOF10 */
+ if(no==0){
++ if( *bufferoffset + datalen + 2 + 6 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ if( *bufferoffset + 9 >= buffersize )
++ return(0);
+ ncomp = buffer[*bufferoffset+9];
+ if (ncomp < 1 || ncomp > 4)
+ return(0);
+ v_samp=1;
+ h_samp=1;
++ if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
++ return(0);
+ for(j=0;j<ncomp;j++){
+ uint16 samp = buffer[*bufferoffset+11+(3*j)];
+ if( (samp>>4) > h_samp)
+@@ -3458,20 +3468,28 @@ int t2p_process_jpeg_strip(
+ break;
+ case 0xc4: /* DHT */
+ case 0xdb: /* DQT */
++ if( *bufferoffset + datalen + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
+ break;
+ case 0xda: /* SOS */
+ if(no==0){
++ if( *bufferoffset + datalen + 2 > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
+ *bufferoffset+=datalen+2;
+ } else {
++ if( *bufferoffset + 2 > buffersize )
++ return(0);
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+ }
+ i += datalen + 1;
+ /* copy remainder of strip */
++ if( *bufferoffset + *striplength - i > buffersize )
++ return(0);
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
+ *bufferoffset+= *striplength - i;
+ return(1);
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f04e2eb..02c53cd 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5744,7 +5744,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ {
+ uint32 i;
+ float xres = 0.0, yres = 0.0;
+- uint16 nstrips = 0, ntiles = 0, planar = 0;
++ uint32 nstrips = 0, ntiles = 0;
++ uint16 planar = 0;
+ uint16 bps = 0, spp = 0, res_unit = 0;
+ uint16 orientation = 0;
+ uint16 input_compression = 0, input_photometric = 0;
+@@ -6049,17 +6050,31 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ }
+
+ read_buff = *read_ptr;
++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
++ /* outside buffer */
+ if (!read_buff)
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize);
++ {
++ if( buffsize > 0xFFFFFFFFU - 3 )
++ {
++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ return (-1);
++ }
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
++ }
+ else
+ {
+ if (prev_readsize < buffsize)
++ {
++ if( buffsize > 0xFFFFFFFFU - 3 )
+ {
+- new_buff = _TIFFrealloc(read_buff, buffsize);
++ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ return (-1);
++ }
++ new_buff = _TIFFrealloc(read_buff, buffsize+3);
+ if (!new_buff)
+ {
+ free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize);
++ read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+ }
+ else
+ read_buff = new_buff;
+@@ -6071,6 +6086,9 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ return (-1);
+ }
++ read_buff[buffsize] = 0;
++ read_buff[buffsize+1] = 0;
++ read_buff[buffsize+2] = 0;
+
+ prev_readsize = buffsize;
+ *read_ptr = read_buff;
+@@ -8877,6 +8895,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
+ }
+
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
++ if( bytes_per_pixel > sizeof(swapbuff) )
++ {
++ TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
++ return (1);
++ }
+ switch (bps / 8)
+ {
+ case 8: /* Use memcpy for multiple bytes per sample data */
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-9535.patch b/SOURCES/libtiff-CVE-2016-9535.patch
new file mode 100644
index 0000000..7ec32cf
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-9535.patch
@@ -0,0 +1,613 @@
+From f42765c206cc2e4a77f5e3c107a9a258d981c98e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Mon, 16 Jan 2017 18:13:13 +0100
+Subject: [PATCH 2/5] Fix CVE-2016-9535
+
+---
+ libtiff/tif_fax3.c | 3 +-
+ libtiff/tif_lzw.c | 9 +-
+ libtiff/tif_predict.c | 285 +++++++++++++++++++++++++++++++++-----------------
+ libtiff/tif_predict.h | 6 +-
+ 4 files changed, 203 insertions(+), 100 deletions(-)
+
+diff --git a/libtiff/tif_fax3.c b/libtiff/tif_fax3.c
+index 2b2dccd..777ef8f 100644
+--- a/libtiff/tif_fax3.c
++++ b/libtiff/tif_fax3.c
+@@ -442,8 +442,9 @@ _TIFFFax3fillruns(unsigned char* buf, uint32* runs, uint32* erun, uint32 lastx)
+ FILL(n, cp);
+ run &= 7;
+ }
++ /* Explicit 0xff masking to make icc -check=conversions happy */
+ if (run)
+- cp[0] |= 0xff00 >> run;
++ cp[0] = (unsigned char)((cp[0] | (0xff00 >> run))&0xff);
+ } else
+ cp[0] |= _fillmasks[run]>>bx;
+ x += runs[1];
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index fd9c7a0..d7fbe74 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -830,13 +830,15 @@ LZWPreEncode(TIFF* tif, uint16 s)
+ } else \
+ rat = (incount<<8) / outcount; \
+ }
++
++/* Explicit 0xff masking to make icc -check=conversions happy */
+ #define PutNextCode(op, c) { \
+ nextdata = (nextdata << nbits) | c; \
+ nextbits += nbits; \
+- *op++ = (unsigned char)(nextdata >> (nextbits-8)); \
++ *op++ = (unsigned char)((nextdata >> (nextbits-8))&0xff); \
+ nextbits -= 8; \
+ if (nextbits >= 8) { \
+- *op++ = (unsigned char)(nextdata >> (nextbits-8)); \
++ *op++ = (unsigned char)((nextdata >> (nextbits-8))&0xff); \
+ nextbits -= 8; \
+ } \
+ outcount += nbits; \
+@@ -1042,8 +1044,9 @@ LZWPostEncode(TIFF* tif)
+ sp->enc_oldcode = (hcode_t) -1;
+ }
+ PutNextCode(op, CODE_EOI);
++ /* Explicit 0xff masking to make icc -check=conversions happy */
+ if (nextbits > 0)
+- *op++ = (unsigned char)(nextdata << (8-nextbits));
++ *op++ = (unsigned char)((nextdata << (8-nextbits))&0xff);
+ tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata);
+ return (1);
+ }
+diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
+index f93c664..39d764f 100644
+--- a/libtiff/tif_predict.c
++++ b/libtiff/tif_predict.c
+@@ -34,16 +34,18 @@
+
+ #define PredictorState(tif) ((TIFFPredictorState*) (tif)->tif_data)
+
+-static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
+-static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
++static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
+ static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
+ static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
+@@ -207,7 +209,24 @@ PredictorSetupEncode(TIFF* tif)
+ sp->encodetile = tif->tif_encodetile;
+ tif->tif_encodetile = PredictorEncodeTile;
+ }
+- }
++
++ /*
++ * If the data is horizontally differenced 16-bit data that
++ * requires byte-swapping, then it must be byte swapped after
++ * the differenciation step. We do this with a special-purpose
++ * routine and override the normal post decoding logic that
++ * the library setup when the directory was read.
++ */
++ if (tif->tif_flags & TIFF_SWAB) {
++ if (sp->encodepfunc == horDiff16) {
++ sp->encodepfunc = swabHorDiff16;
++ tif->tif_postdecode = _TIFFNoPostDecode;
++ } else if (sp->encodepfunc == horDiff32) {
++ sp->encodepfunc = swabHorDiff32;
++ tif->tif_postdecode = _TIFFNoPostDecode;
++ }
++ }
++ }
+
+ else if (sp->predictor == 3) {
+ sp->encodepfunc = fpDiff;
+@@ -239,13 +258,25 @@ PredictorSetupEncode(TIFF* tif)
+ case 0: ; \
+ }
+
+-static void
++/* Remarks related to C standard compliance in all below functions : */
++/* - to avoid any undefined behaviour, we only operate on unsigned types */
++/* since the behaviour of "overflows" is defined (wrap over) */
++/* - when storing into the byte stream, we explicitly mask with 0xff so */
++/* as to make icc -check=conversions happy (not necessary by the standard) */
++
++static int
+ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+
+- char* cp = (char*) cp0;
+- assert((cc%stride)==0);
++ unsigned char* cp = (unsigned char*) cp0;
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
++
+ if (cc > stride) {
+ /*
+ * Pipeline the most common cases.
+@@ -257,9 +288,9 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ cc -= 3;
+ cp += 3;
+ while (cc>0) {
+- cp[0] = (char) (cr += cp[0]);
+- cp[1] = (char) (cg += cp[1]);
+- cp[2] = (char) (cb += cp[2]);
++ cp[0] = (unsigned char) ((cr += cp[0]) & 0xff);
++ cp[1] = (unsigned char) ((cg += cp[1]) & 0xff);
++ cp[2] = (unsigned char) ((cb += cp[2]) & 0xff);
+ cc -= 3;
+ cp += 3;
+ }
+@@ -271,10 +302,10 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ cc -= 4;
+ cp += 4;
+ while (cc>0) {
+- cp[0] = (char) (cr += cp[0]);
+- cp[1] = (char) (cg += cp[1]);
+- cp[2] = (char) (cb += cp[2]);
+- cp[3] = (char) (ca += cp[3]);
++ cp[0] = (unsigned char) ((cr += cp[0]) & 0xff);
++ cp[1] = (unsigned char) ((cg += cp[1]) & 0xff);
++ cp[2] = (unsigned char) ((cb += cp[2]) & 0xff);
++ cp[3] = (unsigned char) ((ca += cp[3]) & 0xff);
+ cc -= 4;
+ cp += 4;
+ }
+@@ -282,77 +313,71 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ cc -= stride;
+ do {
+ REPEAT4(stride, cp[stride] =
+- (char) (cp[stride] + *cp); cp++)
++ (unsigned char) ((cp[stride] + *cp) & 0xff); cp++)
+ cc -= stride;
+ } while (cc>0);
+ }
+ }
++ return 1;
+ }
+
+-static void
++static int
+ swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+- tmsize_t stride = PredictorState(tif)->stride;
+ uint16* wp = (uint16*) cp0;
+ tmsize_t wc = cc / 2;
+
+- assert((cc%(2*stride))==0);
+-
+- if (wc > stride) {
+- TIFFSwabArrayOfShort(wp, wc);
+- wc -= stride;
+- do {
+- REPEAT4(stride, wp[stride] += wp[0]; wp++)
+- wc -= stride;
+- } while (wc > 0);
+- }
++ TIFFSwabArrayOfShort(wp, wc);
++ return horAcc16(tif, cp0, cc);
+ }
+
+-static void
++static int
+ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+ uint16* wp = (uint16*) cp0;
+ tmsize_t wc = cc / 2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc16",
++ "%s", "cc%(2*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+ do {
+- REPEAT4(stride, wp[stride] += wp[0]; wp++)
++ REPEAT4(stride, wp[stride] = (uint16)(((unsigned int)wp[stride] + (unsigned int)wp[0]) & 0xffff); wp++)
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+-static void
++static int
+ swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+- tmsize_t stride = PredictorState(tif)->stride;
+ uint32* wp = (uint32*) cp0;
+ tmsize_t wc = cc / 4;
+
+- assert((cc%(4*stride))==0);
+-
+- if (wc > stride) {
+- TIFFSwabArrayOfLong(wp, wc);
+- wc -= stride;
+- do {
+- REPEAT4(stride, wp[stride] += wp[0]; wp++)
+- wc -= stride;
+- } while (wc > 0);
+- }
++ TIFFSwabArrayOfLong(wp, wc);
++ return horAcc32(tif, cp0, cc);
+ }
+
+-static void
++static int
+ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+ uint32* wp = (uint32*) cp0;
+ tmsize_t wc = cc / 4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horAcc32",
++ "%s", "cc%(4*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -361,12 +386,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+ /*
+ * Floating point predictor accumulation routine.
+ */
+-static void
++static int
+ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+@@ -374,15 +400,22 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ tmsize_t wc = cc / bps;
+ tmsize_t count = cc;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+- assert((cc%(bps*stride))==0);
++ if(cc%(bps*stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpAcc",
++ "%s", "cc%(bps*stride))!=0");
++ return 0;
++ }
+
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+- return;
++ return 0;
+
+ while (count > stride) {
+- REPEAT4(stride, cp[stride] += cp[0]; cp++)
++ REPEAT4(stride, cp[stride] =
++ (unsigned char) ((cp[stride] + cp[0]) & 0xff); cp++)
+ count -= stride;
+ }
+
+@@ -400,6 +433,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
+ }
+ }
+ _TIFFfree(tmp);
++ return 1;
+ }
+
+ /*
+@@ -415,8 +449,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ assert(sp->decodepfunc != NULL);
+
+ if ((*sp->decoderow)(tif, op0, occ0, s)) {
+- (*sp->decodepfunc)(tif, op0, occ0);
+- return 1;
++ return (*sp->decodepfunc)(tif, op0, occ0);
+ } else
+ return 0;
+ }
+@@ -439,10 +472,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ if ((*sp->decodetile)(tif, op0, occ0, s)) {
+ tmsize_t rowsize = sp->rowsize;
+ assert(rowsize > 0);
+- assert((occ0%rowsize)==0);
++ if((occ0%rowsize) !=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
++ "%s", "occ0%rowsize != 0");
++ return 0;
++ }
+ assert(sp->decodepfunc != NULL);
+ while (occ0 > 0) {
+- (*sp->decodepfunc)(tif, op0, rowsize);
++ if( !(*sp->decodepfunc)(tif, op0, rowsize) )
++ return 0;
+ occ0 -= rowsize;
+ op0 += rowsize;
+ }
+@@ -451,14 +490,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ return 0;
+ }
+
+-static void
++static int
+ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+ tmsize_t stride = sp->stride;
+- char* cp = (char*) cp0;
++ unsigned char* cp = (unsigned char*) cp0;
+
+- assert((cc%stride)==0);
++ if((cc%stride)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%stride)!=0");
++ return 0;
++ }
+
+ if (cc > stride) {
+ cc -= stride;
+@@ -466,67 +510,92 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
+ * Pipeline the most common cases.
+ */
+ if (stride == 3) {
+- int r1, g1, b1;
+- int r2 = cp[0];
+- int g2 = cp[1];
+- int b2 = cp[2];
++ unsigned int r1, g1, b1;
++ unsigned int r2 = cp[0];
++ unsigned int g2 = cp[1];
++ unsigned int b2 = cp[2];
+ do {
+- r1 = cp[3]; cp[3] = r1-r2; r2 = r1;
+- g1 = cp[4]; cp[4] = g1-g2; g2 = g1;
+- b1 = cp[5]; cp[5] = b1-b2; b2 = b1;
++ r1 = cp[3]; cp[3] = (unsigned char)((r1-r2)&0xff); r2 = r1;
++ g1 = cp[4]; cp[4] = (unsigned char)((g1-g2)&0xff); g2 = g1;
++ b1 = cp[5]; cp[5] = (unsigned char)((b1-b2)&0xff); b2 = b1;
+ cp += 3;
+ } while ((cc -= 3) > 0);
+ } else if (stride == 4) {
+- int r1, g1, b1, a1;
+- int r2 = cp[0];
+- int g2 = cp[1];
+- int b2 = cp[2];
+- int a2 = cp[3];
++ unsigned int r1, g1, b1, a1;
++ unsigned int r2 = cp[0];
++ unsigned int g2 = cp[1];
++ unsigned int b2 = cp[2];
++ unsigned int a2 = cp[3];
+ do {
+- r1 = cp[4]; cp[4] = r1-r2; r2 = r1;
+- g1 = cp[5]; cp[5] = g1-g2; g2 = g1;
+- b1 = cp[6]; cp[6] = b1-b2; b2 = b1;
+- a1 = cp[7]; cp[7] = a1-a2; a2 = a1;
++ r1 = cp[4]; cp[4] = (unsigned char)((r1-r2)&0xff); r2 = r1;
++ g1 = cp[5]; cp[5] = (unsigned char)((g1-g2)&0xff); g2 = g1;
++ b1 = cp[6]; cp[6] = (unsigned char)((b1-b2)&0xff); b2 = b1;
++ a1 = cp[7]; cp[7] = (unsigned char)((a1-a2)&0xff); a2 = a1;
+ cp += 4;
+ } while ((cc -= 4) > 0);
+ } else {
+ cp += cc - 1;
+ do {
+- REPEAT4(stride, cp[stride] -= cp[0]; cp--)
++ REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
+ } while ((cc -= stride) > 0);
+ }
+ }
++ return 1;
+ }
+
+-static void
++static int
+ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+ tmsize_t stride = sp->stride;
+- int16 *wp = (int16*) cp0;
++ uint16 *wp = (uint16*) cp0;
+ tmsize_t wc = cc/2;
+
+- assert((cc%(2*stride))==0);
++ if((cc%(2*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff8",
++ "%s", "(cc%(2*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+ wp += wc - 1;
+ do {
+- REPEAT4(stride, wp[stride] -= wp[0]; wp--)
++ REPEAT4(stride, wp[stride] = (uint16)(((unsigned int)wp[stride] - (unsigned int)wp[0]) & 0xffff); wp--)
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
+ }
+
+-static void
++static int
++swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
++{
++ uint16* wp = (uint16*) cp0;
++ tmsize_t wc = cc / 2;
++
++ if( !horDiff16(tif, cp0, cc) )
++ return 0;
++
++ TIFFSwabArrayOfShort(wp, wc);
++ return 1;
++}
++
++static int
+ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ TIFFPredictorState* sp = PredictorState(tif);
+ tmsize_t stride = sp->stride;
+- int32 *wp = (int32*) cp0;
++ uint32 *wp = (uint32*) cp0;
+ tmsize_t wc = cc/4;
+
+- assert((cc%(4*stride))==0);
++ if((cc%(4*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "horDiff32",
++ "%s", "(cc%(4*stride))!=0");
++ return 0;
++ }
+
+ if (wc > stride) {
+ wc -= stride;
+@@ -536,12 +605,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
+ wc -= stride;
+ } while (wc > 0);
+ }
++ return 1;
++}
++
++static int
++swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
++{
++ uint32* wp = (uint32*) cp0;
++ tmsize_t wc = cc / 4;
++
++ if( !horDiff32(tif, cp0, cc) )
++ return 0;
++
++ TIFFSwabArrayOfLong(wp, wc);
++ return 1;
+ }
+
+ /*
+ * Floating point predictor differencing routine.
+ */
+-static void
++static int
+ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ {
+ tmsize_t stride = PredictorState(tif)->stride;
+@@ -549,12 +632,18 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ tmsize_t wc = cc / bps;
+ tmsize_t count;
+ uint8 *cp = (uint8 *) cp0;
+- uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
++ uint8 *tmp;
+
+- assert((cc%(bps*stride))==0);
++ if((cc%(bps*stride))!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "fpDiff",
++ "%s", "(cc%(bps*stride))!=0");
++ return 0;
++ }
+
++ tmp = (uint8 *)_TIFFmalloc(cc);
+ if (!tmp)
+- return;
++ return 0;
+
+ _TIFFmemcpy(tmp, cp0, cc);
+ for (count = 0; count < wc; count++) {
+@@ -573,7 +662,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
+ cp = (uint8 *) cp0;
+ cp += cc - stride - 1;
+ for (count = cc; count > stride; count -= stride)
+- REPEAT4(stride, cp[stride] -= cp[0]; cp--)
++ REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
++ return 1;
+ }
+
+ static int
+@@ -586,7 +676,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
+ assert(sp->encoderow != NULL);
+
+ /* XXX horizontal differencing alters user's data XXX */
+- (*sp->encodepfunc)(tif, bp, cc);
++ if( !(*sp->encodepfunc)(tif, bp, cc) )
++ return 0;
+ return (*sp->encoderow)(tif, bp, cc, s);
+ }
+
+@@ -621,7 +712,13 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
+
+ rowsize = sp->rowsize;
+ assert(rowsize > 0);
+- assert((cc0%rowsize)==0);
++ if((cc0%rowsize)!=0)
++ {
++ TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
++ "%s", "(cc0%rowsize)!=0");
++ _TIFFfree( working_copy );
++ return 0;
++ }
+ while (cc > 0) {
+ (*sp->encodepfunc)(tif, bp, rowsize);
+ cc -= rowsize;
+diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
+index dc7144c..1585a58 100644
+--- a/libtiff/tif_predict.h
++++ b/libtiff/tif_predict.h
+@@ -30,6 +30,8 @@
+ * ``Library-private'' Support for the Predictor Tag
+ */
+
++typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
++
+ /*
+ * Codecs that want to support the Predictor tag must place
+ * this structure first in their private state block so that
+@@ -43,12 +45,12 @@ typedef struct {
+ TIFFCodeMethod encoderow; /* parent codec encode/decode row */
+ TIFFCodeMethod encodestrip; /* parent codec encode/decode strip */
+ TIFFCodeMethod encodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod encodepfunc; /* horizontal differencer */
++ TIFFEncodeDecodeMethod encodepfunc; /* horizontal differencer */
+
+ TIFFCodeMethod decoderow; /* parent codec encode/decode row */
+ TIFFCodeMethod decodestrip; /* parent codec encode/decode strip */
+ TIFFCodeMethod decodetile; /* parent codec encode/decode tile */
+- TIFFPostMethod decodepfunc; /* horizontal accumulator */
++ TIFFEncodeDecodeMethod decodepfunc; /* horizontal accumulator */
+
+ TIFFVGetMethod vgetparent; /* super-class method */
+ TIFFVSetMethod vsetparent; /* super-class method */
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2016-9540.patch b/SOURCES/libtiff-CVE-2016-9540.patch
new file mode 100644
index 0000000..b473d86
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2016-9540.patch
@@ -0,0 +1,34 @@
+From aa6829cda019f56ed882b2db2d1e84c994412f9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Wed, 11 Jan 2017 12:58:22 +0100
+Subject: [PATCH 3/5] Fix CVE-2016-9540
+
+---
+ tools/tiffcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 8c696db..2903461 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1330,7 +1330,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
+ uint32 colb = 0;
+ uint32 col;
+
+- for (col = 0; col < imagewidth; col += tw) {
++ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
+ if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
+ && !ignore) {
+ TIFFError(TIFFFileName(in),
+@@ -1515,7 +1515,7 @@ DECLAREwriteFunc(writeBufferToContigTiles)
+ uint32 colb = 0;
+ uint32 col;
+
+- for (col = 0; col < imagewidth; col += tw) {
++ for (col = 0; col < imagewidth && colb < imagew; col += tw) {
+ /*
+ * Tile is clipped horizontally. Calculate
+ * visible portion and skewing factors.
+--
+2.7.4
+
diff --git a/SOURCES/libtiff-CVE-2018-10779.patch b/SOURCES/libtiff-CVE-2018-10779.patch
new file mode 100644
index 0000000..3241375
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-10779.patch
@@ -0,0 +1,32 @@
+From 12f57b64abecdb610aee44b70d2379c301ce5b09 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 15 Aug 2018 16:34:40 +0200
+Subject: [PATCH 04/10] TIFFSetupStrips(): avoid potential uint32 overflow on
+ 32-bit systems with large number of strips. Probably relates to
+ http://bugzilla.maptools.org/show_bug.cgi?id=2788 / CVE-2018-10779
+
+---
+ libtiff/tif_write.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
+index ce671af..c7c29a5 100644
+--- a/libtiff/tif_write.c
++++ b/libtiff/tif_write.c
+@@ -484,9 +484,11 @@ TIFFSetupStrips(TIFF* tif)
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ td->td_stripsperimage /= td->td_samplesperpixel;
+ td->td_stripoffset = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripOffsets\" array");
+ td->td_stripbytecount = (uint64 *)
+- _TIFFmalloc(td->td_nstrips * sizeof (uint64));
++ _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint64),
++ "for \"StripByteCounts\" array");
+ if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL)
+ return (0);
+ /*
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-10963.patch b/SOURCES/libtiff-CVE-2018-10963.patch
new file mode 100644
index 0000000..21ff7f1
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-10963.patch
@@ -0,0 +1,31 @@
+From db1b2741b413714c69f67842d40d78d793ef47e8 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH 05/10] TIFFWriteDirectorySec: avoid assertion. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
+
+---
+ libtiff/tif_dirwrite.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index fa68d1c..fd0d31c 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -688,8 +688,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ }
+ break;
+ default:
+- assert(0); /* we should never get here */
+- break;
++ TIFFErrorExt(tif->tif_clientdata,module,
++ "Cannot write tag %d (%s)",
++ TIFFFieldTag(o),
++ o->field_name ? o->field_name : "unknown");
++ goto bad;
+ }
+ }
+ }
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-12900.patch b/SOURCES/libtiff-CVE-2018-12900.patch
new file mode 100644
index 0000000..a437365
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-12900.patch
@@ -0,0 +1,29 @@
+From 38e3984b95ed5dc9820cba7af13c9a000eba9742 Mon Sep 17 00:00:00 2001
+From: pgajdos <pgajdos@suse.cz>
+Date: Tue, 13 Nov 2018 09:03:31 +0100
+Subject: [PATCH 06/10] prevent integer overflow
+
+---
+ tools/tiffcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2903461..754ee9f 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1402,6 +1402,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+ status = 0;
+ goto done;
+ }
++ if (0xFFFFFFFF / tilew < spp)
++ {
++ TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
++ status = 0;
++ goto done;
++ }
+ /*
+ * Tile is clipped horizontally. Calculate
+ * visible portion and skewing factors.
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-17100.patch b/SOURCES/libtiff-CVE-2018-17100.patch
new file mode 100644
index 0000000..524bc78
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-17100.patch
@@ -0,0 +1,39 @@
+From b103d539e2421a66db911f069885ffbd5760bffd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 6 Dec 2018 14:58:16 +0100
+Subject: [PATCH 07/10] Fix CVE-2018-17100
+
+---
+ tools/ppm2tiff.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
+index 8e168ad..fc97983 100644
+--- a/tools/ppm2tiff.c
++++ b/tools/ppm2tiff.c
+@@ -72,15 +72,16 @@ BadPPM(char* file)
+ exit(-2);
+ }
+
++
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- tmsize_t bytes = m1 * m2;
+-
+- if (m1 && bytes / m1 != m2)
+- bytes = 0;
+-
+- return bytes;
++ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
++ return 0;
++ return m1 * m2;
+ }
+
+ int
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-17101.patch b/SOURCES/libtiff-CVE-2018-17101.patch
new file mode 100644
index 0000000..f6c0bd9
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-17101.patch
@@ -0,0 +1,71 @@
+From 666a205254d095947de95670f014fe30137c0014 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 6 Dec 2018 14:59:10 +0100
+Subject: [PATCH 08/10] Fix CVE-2018-17101
+
+---
+ tools/pal2rgb.c | 18 +++++++++++++++++-
+ tools/tiff2bw.c | 18 +++++++++++++++++-
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
+index 426bbc0..994757a 100644
+--- a/tools/pal2rgb.c
++++ b/tools/pal2rgb.c
+@@ -389,7 +389,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 02605df..53067e7 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -427,7 +427,23 @@ cpTags(TIFF* in, TIFF* out)
+ {
+ struct cpTag *p;
+ for (p = tags; p < &tags[NTAGS]; p++)
+- cpTag(in, out, p->tag, p->count, p->type);
++ {
++ if( p->tag == TIFFTAG_GROUP3OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX3 )
++ continue;
++ }
++ if( p->tag == TIFFTAG_GROUP4OPTIONS )
++ {
++ uint16 compression;
++ if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
++ compression != COMPRESSION_CCITTFAX4 )
++ continue;
++ }
++ cpTag(in, out, p->tag, p->count, p->type);
++ }
+ }
+ #undef NTAGS
+
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-18557.patch b/SOURCES/libtiff-CVE-2018-18557.patch
new file mode 100644
index 0000000..27d476c
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-18557.patch
@@ -0,0 +1,89 @@
+From ac1ad5a48fe981a8a9b6911886894520bbe0c71e Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 14 Oct 2018 16:38:29 +0200
+Subject: [PATCH 09/10] JBIG: fix potential out-of-bounds write in JBIGDecode()
+
+JBIGDecode doesn't check if the user provided buffer is large enough
+to store the JBIG decoded image, which can potentially cause out-of-bounds
+write in the buffer.
+This issue was reported and analyzed by Thomas Dullien.
+
+Also fixes a (harmless) potential use of uninitialized memory when
+tif->tif_rawsize > tif->tif_rawcc
+
+And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
+that whole strip data is provided to JBIGDecode()
+---
+ libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
+index 37878f6..667f3ff 100644
+--- a/libtiff/tif_jbig.c
++++ b/libtiff/tif_jbig.c
+@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ struct jbg_dec_state decoder;
+ int decodeStatus = 0;
+ unsigned char* pImage = NULL;
+- (void) size, (void) s;
++ unsigned long decodedSize;
++ (void) s;
+
+ if (isFillOrder(tif, tif->tif_dir.td_fillorder))
+ {
+- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
++ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
+ }
+
+ jbg_dec_init(&decoder);
+
+ #if defined(HAVE_JBG_NEWLEN)
+- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
++ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
+ /*
+ * I do not check the return status of jbg_newlen because even if this
+ * function fails it does not necessarily mean that decoding the image
+@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ */
+ #endif /* HAVE_JBG_NEWLEN */
+
+- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
+- (size_t)tif->tif_rawdatasize, NULL);
++ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
++ (size_t)tif->tif_rawcc, NULL);
+ if (JBG_EOK != decodeStatus)
+ {
+ /*
+@@ -97,9 +98,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
+ return 0;
+ }
+
++ decodedSize = jbg_dec_getsize(&decoder);
++ if( (tmsize_t)decodedSize < size )
++ {
++ TIFFWarningExt(tif->tif_clientdata, "JBIG",
++ "Only decoded %lu bytes, whereas %lu requested",
++ decodedSize, (unsigned long)size);
++ }
++ else if( (tmsize_t)decodedSize > size )
++ {
++ TIFFErrorExt(tif->tif_clientdata, "JBIG",
++ "Decoded %lu bytes, whereas %lu were requested",
++ decodedSize, (unsigned long)size);
++ jbg_dec_free(&decoder);
++ return 0;
++ }
+ pImage = jbg_dec_getimage(&decoder, 0);
+- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
++ _TIFFmemcpy(buffer, pImage, decodedSize);
+ jbg_dec_free(&decoder);
++
++ tif->tif_rawcp += tif->tif_rawcc;
++ tif->tif_rawcc = 0;
++
+ return 1;
+ }
+
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-18661.patch b/SOURCES/libtiff-CVE-2018-18661.patch
new file mode 100644
index 0000000..dc7014f
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-18661.patch
@@ -0,0 +1,196 @@
+From c188f95bd865b1428f88c193b895fe9b3f6767e9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 30 Oct 2018 18:50:27 +0100
+Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
+ memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
+ CVE-2018-18661
+
+---
+ libtiff/tiffiop.h | 1 +
+ tools/tiff2bw.c | 63 +++++++++++++++++++++++++++++++++++++++--------
+ tools/tiffcrop.c | 5 ----
+ 3 files changed, 54 insertions(+), 15 deletions(-)
+
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 53357d8..8d1357b 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -66,6 +66,7 @@ extern void *lfind(const void *, const void *, size_t *, size_t,
+ #endif
+
+ #define streq(a,b) (strcmp(a,b) == 0)
++#define strneq(a,b,n) (strncmp(a,b,n) == 0)
+
+ #ifndef TRUE
+ #define TRUE 1
+diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
+index 53067e7..ad797b2 100644
+--- a/tools/tiff2bw.c
++++ b/tools/tiff2bw.c
+@@ -40,9 +40,7 @@
+ #endif
+
+ #include "tiffio.h"
+-
+-#define streq(a,b) (strcmp((a),(b)) == 0)
+-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
++#include "tiffiop.h"
+
+ /* x% weighting -> fraction of full color */
+ #define PCT(x) (((x)*255+127)/100)
+@@ -130,6 +128,11 @@ main(int argc, char* argv[])
+ extern int optind;
+ extern char *optarg;
+
++ in = (TIFF *) NULL;
++ out = (TIFF *) NULL;
++ inbuf = (unsigned char *) NULL;
++ outbuf = (unsigned char *) NULL;
++
+ while ((c = getopt(argc, argv, "c:r:R:G:B:")) != -1)
+ switch (c) {
+ case 'c': /* compression scheme */
+@@ -163,24 +166,24 @@ main(int argc, char* argv[])
+ fprintf(stderr,
+ "%s: Bad photometric; can only handle RGB and Palette images.\n",
+ argv[optind]);
+- return (-1);
++ goto tiff2bw_error;
+ }
+ TIFFGetField(in, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
+ if (samplesperpixel != 1 && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u.\n",
+ argv[optind], samplesperpixel);
+- return (-1);
++ goto tiff2bw_error;
+ }
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+ argv[optind], samplesperpixel);
+- return (-1);
++ goto tiff2bw_error;
+ }
+ TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
+ if (bitspersample != 8) {
+ fprintf(stderr,
+ " %s: Sorry, only handle 8-bit samples.\n", argv[optind]);
+- return (-1);
++ goto tiff2bw_error;
+ }
+ TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &w);
+ TIFFGetField(in, TIFFTAG_IMAGELENGTH, &h);
+@@ -188,7 +191,7 @@ main(int argc, char* argv[])
+
+ out = TIFFOpen(argv[optind+1], "w");
+ if (out == NULL)
+- return (-1);
++ goto tiff2bw_error;
+ TIFFSetField(out, TIFFTAG_IMAGEWIDTH, w);
+ TIFFSetField(out, TIFFTAG_IMAGELENGTH, h);
+ TIFFSetField(out, TIFFTAG_BITSPERSAMPLE, 8);
+@@ -214,6 +217,11 @@ main(int argc, char* argv[])
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ if( !outbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+
+@@ -237,6 +245,11 @@ main(int argc, char* argv[])
+ #undef CVT
+ }
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -247,6 +260,11 @@ main(int argc, char* argv[])
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
+ inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ if (TIFFReadScanline(in, inbuf, row, 0) < 0)
+ break;
+@@ -256,23 +274,48 @@ main(int argc, char* argv[])
+ }
+ break;
+ case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
++ {
++ tmsize_t inbufsize;
+ rowsize = TIFFScanlineSize(in);
+- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
++ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
++ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
++ if( !inbuf )
++ {
++ fprintf(stderr, "Out of memory\n");
++ goto tiff2bw_error;
++ }
+ for (row = 0; row < h; row++) {
+ for (s = 0; s < 3; s++)
+ if (TIFFReadScanline(in,
+ inbuf+s*rowsize, row, s) < 0)
+- return (-1);
++ goto tiff2bw_error;
+ compresssep(outbuf,
+ inbuf, inbuf+rowsize, inbuf+2*rowsize, w);
+ if (TIFFWriteScanline(out, outbuf, row, 0) < 0)
+ break;
+ }
+ break;
++ }
+ }
+ #undef pack
++ if (inbuf)
++ _TIFFfree(inbuf);
++ if (outbuf)
++ _TIFFfree(outbuf);
++ TIFFClose(in);
+ TIFFClose(out);
+ return (0);
++
++ tiff2bw_error:
++ if (inbuf)
++ _TIFFfree(inbuf);
++ if (outbuf)
++ _TIFFfree(outbuf);
++ if (out)
++ TIFFClose(out);
++ if (in)
++ TIFFClose(in);
++ return (-1);
+ }
+
+ static int
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 02c53cd..0192f3f 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -148,11 +148,6 @@ extern int getopt(int, char**, char*);
+ #define PATH_MAX 1024
+ #endif
+
+-#ifndef streq
+-#define streq(a,b) (strcmp((a),(b)) == 0)
+-#endif
+-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
+-
+ #define TRUE 1
+ #define FALSE 0
+
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-7456.patch b/SOURCES/libtiff-CVE-2018-7456.patch
new file mode 100644
index 0000000..5ae9a50
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-7456.patch
@@ -0,0 +1,222 @@
+From 52dcdc1d89925fe7e362b2cc9cae699773f9618e Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sun, 8 Apr 2018 14:07:08 -0400
+Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
+
+The TIFFPrintDirectory function relies on the following assumptions,
+supposed to be guaranteed by the specification:
+
+(a) A Transfer Function field is only present if the TIFF file has
+ photometric type < 3.
+
+(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
+ has count SamplesPerPixel - (Color Channels) and contains
+ information about supplementary channels.
+
+While respect of (a) and (b) are essential for the well functioning of
+TIFFPrintDirectory, no checks are realized neither by the callee nor
+by TIFFPrintDirectory itself. Hence, following scenarios might happen
+and trigger the NULL pointer dereference:
+
+(1) TIFF File of photometric type 4 or more has illegal Transfer
+ Function field.
+
+(2) TIFF File has photometric type 3 or less and defines a
+ SamplesPerPixel field such that SamplesPerPixel > Color Channels
+ without defining all extra samples in the ExtraSamples fields.
+
+In this patch, we address both issues with respect of the following
+principles:
+
+(A) In the case of (1), the defined transfer table should be printed
+ safely even if it isn't 'legal'. This allows us to avoid expensive
+ checks in TIFFPrintDirectory. Also, it is quite possible that
+ an alternative photometric type would be developed (not part of the
+ standard) and would allow definition of Transfer Table. We want
+ libtiff to be able to handle this scenario out of the box.
+
+(B) In the case of (2), the transfer table should be printed at its
+ right size, that is if TIFF file has photometric type Palette
+ then the transfer table should have one row and not three, even
+ if two extra samples are declared.
+
+In order to fulfill (A) we simply add a new 'i < 3' end condition to
+the broken TIFFPrintDirectory loop. This makes sure that in any case
+where (b) would be respected but not (a), everything stays fine.
+
+(B) is fulfilled by the loop condition
+'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
+long as (b) is respected.
+
+Naturally, we also make sure (b) is respected. This is done in the
+TIFFReadDirectory function by making sure any non-color channel is
+counted in ExtraSamples.
+
+This commit addresses CVE-2018-7456.
+---
+ libtiff/tif_dirread.c | 61 +++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_print.c | 2 +-
+ libtiff/tif_unix.c | 8 ++++++
+ libtiff/tif_win32.c | 8 ++++++
+ libtiff/tiffio.h | 1 +
+ 5 files changed, 79 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 6667228..4f07bc8 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+
+ typedef union _UInt64Aligned_t
+ {
+@@ -3415,6 +3416,34 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ }
+ }
+
++/*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++ switch (photometric) {
++ case PHOTOMETRIC_PALETTE:
++ case PHOTOMETRIC_MINISWHITE:
++ case PHOTOMETRIC_MINISBLACK:
++ return 1;
++ case PHOTOMETRIC_YCBCR:
++ case PHOTOMETRIC_RGB:
++ case PHOTOMETRIC_CIELAB:
++ return 3;
++ case PHOTOMETRIC_SEPARATED:
++ case PHOTOMETRIC_MASK:
++ return 4;
++ case PHOTOMETRIC_LOGL:
++ case PHOTOMETRIC_LOGLUV:
++ case PHOTOMETRIC_ITULAB:
++ case PHOTOMETRIC_ICCLAB:
++ default:
++ return 0;
++ }
++}
++
+ /*
+ * Read the next TIFF directory from a file and convert it to the internal
+ * format. We read directories sequentially.
+@@ -3430,6 +3459,7 @@ TIFFReadDirectory(TIFF* tif)
+ const TIFFField* fip;
+ uint32 fii=FAILED_FII;
+ toff_t nextdiroff;
++ int color_channels;
+ tif->tif_diroff=tif->tif_nextdiroff;
+ if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+ return 0; /* last offset or bad offset (IFD looping) */
+@@ -3909,6 +3939,37 @@ TIFFReadDirectory(TIFF* tif)
+ }
+ }
+ }
++
++ /*
++ * Make sure all non-color channels are extrasamples.
++ * If it's not the case, define them as such.
++ */
++ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++ uint16 old_extrasamples;
++ uint16 *new_sampleinfo;
++
++ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++ "Defining non-color channels as ExtraSamples.");
++
++ old_extrasamples = tif->tif_dir.td_extrasamples;
++ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++ // sampleinfo should contain information relative to these new extra samples
++ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++ if (!new_sampleinfo) {
++ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++ "temporary new sampleinfo array (%d 16 bit elements)",
++ tif->tif_dir.td_extrasamples);
++ goto bad;
++ }
++
++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++ _TIFFfree(new_sampleinfo);
++ }
++
+ /*
+ * Verify Palette image has a Colormap.
+ */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index b323ef1..8c075e5 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -541,7 +541,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ for (l = 0; l < n; l++) {
+ fprintf(fd, " %2lu: %5u",
+ l, td->td_transferfunction[0][l]);
+- for (i = 1; i < td->td_samplesperpixel; i++)
++ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+ fprintf(fd, " %5u",
+ td->td_transferfunction[i][l]);
+ fputc('\n', fd);
+diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
+index 0a3a4a8..5c00917 100644
+--- a/libtiff/tif_unix.c
++++ b/libtiff/tif_unix.c
+@@ -262,6 +262,14 @@ _TIFFmalloc(tmsize_t s)
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
+index 4a2466f..ef6be08 100644
+--- a/libtiff/tif_win32.c
++++ b/libtiff/tif_win32.c
+@@ -334,6 +334,14 @@ _TIFFmalloc(tmsize_t s)
+ return (malloc((size_t) s));
+ }
+
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++ if( nmemb == 0 || siz == 0 )
++ return ((void *) NULL);
++
++ return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
+index 038b670..9b39392 100644
+--- a/libtiff/tiffio.h
++++ b/libtiff/tiffio.h
+@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
+ */
+
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-CVE-2018-8905.patch b/SOURCES/libtiff-CVE-2018-8905.patch
new file mode 100644
index 0000000..6b16f2b
--- /dev/null
+++ b/SOURCES/libtiff-CVE-2018-8905.patch
@@ -0,0 +1,52 @@
+From ba8ce45d1eda9c6291af38f41f09a5c9d238f707 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH 03/10] LZWDecodeCompat(): fix potential index-out-of-bounds
+ write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
+ CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+---
+ libtiff/tif_lzw.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index d7fbe74..af35c2a 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -589,6 +589,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ char *tp;
+ unsigned char *bp;
+ int code, nbits;
++ int len;
+ long nextbits, nextdata, nbitsmask;
+ code_t *codep, *free_entp, *maxcodep, *oldcodep;
+
+@@ -733,12 +734,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ } while (--occ);
+ break;
+ }
+- assert(occ >= codep->length);
+- op += codep->length, occ -= codep->length;
+- tp = op;
++ len = codep->length;
++ tp = op + len;
+ do {
+- *--tp = codep->value;
+- } while( (codep = codep->next) != NULL );
++ int t;
++ --tp;
++ t = codep->value;
++ codep = codep->next;
++ *tp = (char)t;
++ } while (codep && tp > op);
++ assert(occ >= len);
++ op += len;
++ occ -= len;
+ } else
+ *op++ = code, occ--;
+ }
+--
+2.17.2
+
diff --git a/SOURCES/libtiff-am-version.patch b/SOURCES/libtiff-am-version.patch
new file mode 100644
index 0000000..c94c2e0
--- /dev/null
+++ b/SOURCES/libtiff-am-version.patch
@@ -0,0 +1,31 @@
+Back off the minimum required automake version to 1.11. There isn't
+anything in libtiff currently that actually requires 1.12, and changing
+this allows the package to be built on pre-F18 machines for easier testing.
+
+This patch can go away once we no longer care about testing on pre-F18.
+
+
+diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
+--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
++++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
+@@ -25,7 +25,7 @@
+
+ docdir = $(LIBTIFF_DOCDIR)
+
+-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
++AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
+ ACLOCAL_AMFLAGS = -I m4
+
+ docfiles = \
+diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
+--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
++++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
+@@ -23,7 +23,7 @@
+
+ # Process this file with automake to produce Makefile.in.
+
+-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
++AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
+
+ LIBTIFF = $(top_builddir)/libtiff/libtiff.la
+
diff --git a/SOURCES/libtiff-coverity.patch b/SOURCES/libtiff-coverity.patch
new file mode 100644
index 0000000..39c84e3
--- /dev/null
+++ b/SOURCES/libtiff-coverity.patch
@@ -0,0 +1,215 @@
+From f4ee7a53cc422490986225c49f92935b3ba52866 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
+Date: Thu, 13 Dec 2018 17:06:44 +0100
+Subject: [PATCH] Fix Covscan defects
+
+---
+ contrib/addtiffo/addtiffo.c | 3 ++-
+ libtiff/tif_dir.c | 2 +-
+ libtiff/tif_ojpeg.c | 7 ++++++-
+ tools/gif2tiff.c | 21 +++++++++++++++------
+ tools/ras2tiff.c | 22 +++++++++++++++++++++-
+ tools/rasterfile.h | 16 +++++++++-------
+ tools/tiffcrop.c | 4 ++++
+ 7 files changed, 58 insertions(+), 17 deletions(-)
+
+diff --git a/contrib/addtiffo/addtiffo.c b/contrib/addtiffo/addtiffo.c
+index d3920e2..47f5fa8 100644
+--- a/contrib/addtiffo/addtiffo.c
++++ b/contrib/addtiffo/addtiffo.c
+@@ -120,7 +120,8 @@ int main( int argc, char ** argv )
+ while( nOverviewCount < argc - 2 && nOverviewCount < 100 )
+ {
+ anOverviews[nOverviewCount] = atoi(argv[nOverviewCount+2]);
+- if( anOverviews[nOverviewCount] <= 0)
++ if( (anOverviews[nOverviewCount] <= 0) ||
++ ((anOverviews[nOverviewCount] > 1024)))
+ {
+ fprintf( stderr, "Incorrect parameters\n" );
+ return(1);
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index f812fa2..9c613da 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -706,7 +706,7 @@ badvaluedouble:
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Bad value %f for \"%s\" tag",
+ tif->tif_name, dblval,
+- fip->field_name);
++ fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ }
+ return (0);
+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
+index 6ea3c38..1d9c77c 100644
+--- a/libtiff/tif_ojpeg.c
++++ b/libtiff/tif_ojpeg.c
+@@ -528,6 +528,8 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)
+ uint32 ma;
+ uint64* mb;
+ uint32 n;
++ const TIFFField* fip;
++
+ switch(tag)
+ {
+ case TIFFTAG_JPEGIFOFFSET:
+@@ -597,7 +599,10 @@ OJPEGVSetField(TIFF* tif, uint32 tag, va_list ap)
+ default:
+ return (*sp->vsetparent)(tif,tag,ap);
+ }
+- TIFFSetFieldBit(tif,TIFFFieldWithTag(tif,tag)->field_bit);
++ fip = TIFFFieldWithTag(tif,tag);
++ if( fip == NULL ) /* shouldn't happen */
++ return(0);
++ TIFFSetFieldBit(tif,fip->field_bit);
+ tif->tif_flags|=TIFF_DIRTYDIRECT;
+ return(1);
+ }
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index e89ac5b..012345d 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -38,6 +38,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <errno.h>
+ #include <math.h>
+
+ #ifdef HAVE_UNISTD_H
+@@ -266,13 +267,15 @@ readgifimage(char* mode)
+ unsigned char localmap[256][3];
+ int localbits;
+ int status;
++ size_t raster_size;
+
+- if (fread(buf, 1, 9, infile) == 0) {
+- perror(filename);
++ if (fread(buf, 1, 9, infile) != 9) {
++ fprintf(stderr, "short read from file %s (%s)\n",
++ filename, strerror(errno));
+ return (0);
+ }
+- width = buf[4] + (buf[5] << 8);
+- height = buf[6] + (buf[7] << 8);
++ width = (buf[4] + (buf[5] << 8)) & 0xffff; /* 16 bit */
++ height = (buf[6] + (buf[7] << 8)) & 0xffff; /* 16 bit */
+ local = buf[8] & 0x80;
+ interleaved = buf[8] & 0x40;
+
+@@ -280,11 +283,17 @@ readgifimage(char* mode)
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
+- if (width == 0 || height == 0) {
++ if (width == 0UL || height == 0UL || (width > 2000000000UL / height)) {
+ fprintf(stderr, "Invalid value of width or height\n");
+ return(0);
+ }
+- if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
++ raster_size=width*height;
++ if ((raster_size/width) == height) {
++ raster_size += EXTRAFUDGE; /* Add elbow room */
++ } else {
++ raster_size=0;
++ }
++ if ((raster = (unsigned char*) _TIFFmalloc(raster_size)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+ }
+diff --git a/tools/ras2tiff.c b/tools/ras2tiff.c
+index ec8a071..007dd8c 100644
+--- a/tools/ras2tiff.c
++++ b/tools/ras2tiff.c
+@@ -30,6 +30,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+
+ #ifdef HAVE_UNISTD_H
+ # include <unistd.h>
+@@ -122,6 +123,25 @@ main(int argc, char* argv[])
+ fclose(in);
+ return (-3);
+ }
++ if ((h.ras_width <= 0) || (h.ras_width >= INT_MAX) ||
++ (h.ras_height <= 0) || (h.ras_height >= INT_MAX) ||
++ (h.ras_depth <= 0) || (h.ras_depth >= INT_MAX) ||
++ (h.ras_length <= 0) || (h.ras_length >= INT_MAX) ||
++ (h.ras_type < 0) ||
++ (h.ras_maptype < 0) ||
++ (h.ras_maplength < 0) || (h.ras_maplength >= INT_MAX)) {
++ fprintf(stderr, "%s: Improper image header.\n", argv[optind]);
++ fclose(in);
++ return (-2);
++ }
++ if ((h.ras_depth != 1) &&
++ (h.ras_depth != 8) &&
++ (h.ras_depth != 24)) {
++ fprintf(stderr, "%s: Improper image depth (%d).\n",
++ argv[optind], h.ras_depth);
++ fclose(in);
++ return (-2);
++ }
+ out = TIFFOpen(argv[optind+1], "w");
+ if (out == NULL)
+ {
+@@ -153,7 +173,7 @@ main(int argc, char* argv[])
+ mapsize = 1<<h.ras_depth;
+ if (h.ras_maplength > mapsize*3) {
+ fprintf(stderr,
+- "%s: Huh, %ld colormap entries, should be %d?\n",
++ "%s: Huh, %d colormap entries, should be %d?\n",
+ argv[optind], h.ras_maplength, mapsize*3);
+ return (-7);
+ }
+diff --git a/tools/rasterfile.h b/tools/rasterfile.h
+index 833e095..33da707 100644
+--- a/tools/rasterfile.h
++++ b/tools/rasterfile.h
+@@ -1,17 +1,19 @@
+ /* $Header: /cvs/libtiff/tools/rasterfile.h,v 1.3 2003/11/12 19:14:33 dron Exp $ */
+
++#include "tiff.h"
++
+ /*
+ * Description of header for files containing raster images
+ */
+ struct rasterfile {
+ char ras_magic[4]; /* magic number */
+- long ras_width; /* width (pixels) of image */
+- long ras_height; /* height (pixels) of image */
+- long ras_depth; /* depth (1, 8, or 24 bits) of pixel */
+- long ras_length; /* length (bytes) of image */
+- long ras_type; /* type of file; see RT_* below */
+- long ras_maptype; /* type of colormap; see RMT_* below */
+- long ras_maplength; /* length (bytes) of following map */
++ int32 ras_width; /* width (pixels) of image */
++ int32 ras_height; /* height (pixels) of image */
++ int32 ras_depth; /* depth (1, 8, or 24 bits) of pixel */
++ int32 ras_length; /* length (bytes) of image */
++ int32 ras_type; /* type of file; see RT_* below */
++ int32 ras_maptype; /* type of colormap; see RMT_* below */
++ int32 ras_maplength; /* length (bytes) of following map */
+ /* color map follows for ras_maplength bytes, followed by image */
+ };
+ #define RAS_MAGIC "\x59\xa6\x6a\x95"
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 0192f3f..ae6ec1a 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2029,6 +2029,10 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ {
+ crop_data->zones++;
+ opt_offset = strchr(opt_ptr, ':');
++ if (!opt_offset) {
++ TIFFError("Wrong parameter syntax for -Z", "tiffcrop -h");
++ exit(-1);
++ }
+ *opt_offset = '\0';
+ crop_data->zonelist[i].position = atoi(opt_ptr);
+ crop_data->zonelist[i].total = atoi(opt_offset + 1);
+--
+2.21.0
+
diff --git a/SOURCES/libtiff-jpeg-test.patch b/SOURCES/libtiff-jpeg-test.patch
new file mode 100644
index 0000000..92cff7e
--- /dev/null
+++ b/SOURCES/libtiff-jpeg-test.patch
@@ -0,0 +1,122 @@
+Back-port upstream patch to avoid assuming quite so much about what libjpeg
+will return. Needed because libjpeg-turbo with the jpeg8 API broke the
+expectations of the previous coding.
+
+
+diff -Naur tiff-4.0.3.orig/test/raw_decode.c tiff-4.0.3/test/raw_decode.c
+--- tiff-4.0.3.orig/test/raw_decode.c 2012-07-06 13:05:16.000000000 -0400
++++ tiff-4.0.3/test/raw_decode.c 2012-12-19 13:04:37.609738276 -0500
+@@ -71,33 +71,54 @@
+ return 1;
+ }
+
+-static int check_rgb_pixel( int pixel, int red, int green, int blue, unsigned char *buffer ) {
++static int check_rgb_pixel( int pixel,
++ int min_red, int max_red,
++ int min_green, int max_green,
++ int min_blue, int max_blue,
++ unsigned char *buffer ) {
+ unsigned char *rgb = buffer + 3 * pixel;
+
+- if( rgb[0] == red && rgb[1] == green && rgb[2] == blue ) {
++ if( rgb[0] >= min_red && rgb[0] <= max_red &&
++ rgb[1] >= min_green && rgb[1] <= max_green &&
++ rgb[2] >= min_blue && rgb[2] <= max_blue ) {
+ return 0;
+ }
+
+ fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
+- fprintf( stderr, "Expect: %3d %3d %3d\n", red, green, blue );
+- fprintf( stderr, " Got: %3d %3d %3d\n", rgb[0], rgb[1], rgb[2] );
++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d)\n",
++ rgb[0], min_red, max_red,
++ rgb[1], min_green, max_green,
++ rgb[2], min_blue, max_blue );
+ return 1;
+ }
+
+-static int check_rgba_pixel( int pixel, int red, int green, int blue, int alpha, uint32 *buffer ) {
++static int check_rgba_pixel( int pixel,
++ int min_red, int max_red,
++ int min_green, int max_green,
++ int min_blue, int max_blue,
++ int min_alpha, int max_alpha,
++ uint32 *buffer ) {
+ /* RGBA images are upside down - adjust for normal ordering */
+ int adjusted_pixel = pixel % 128 + (127 - (pixel/128)) * 128;
+ uint32 rgba = buffer[adjusted_pixel];
+
+- if( TIFFGetR(rgba) == (uint32) red && TIFFGetG(rgba) == (uint32) green &&
+- TIFFGetB(rgba) == (uint32) blue && TIFFGetA(rgba) == (uint32) alpha ) {
++ if( TIFFGetR(rgba) >= (uint32) min_red &&
++ TIFFGetR(rgba) <= (uint32) max_red &&
++ TIFFGetG(rgba) >= (uint32) min_green &&
++ TIFFGetG(rgba) <= (uint32) max_green &&
++ TIFFGetB(rgba) >= (uint32) min_blue &&
++ TIFFGetB(rgba) <= (uint32) max_blue &&
++ TIFFGetA(rgba) >= (uint32) min_alpha &&
++ TIFFGetA(rgba) <= (uint32) max_alpha ) {
+ return 0;
+ }
+
+ fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
+- fprintf( stderr, "Expect: %3d %3d %3d %3d\n", red, green, blue, alpha );
+- fprintf( stderr, " Got: %3d %3d %3d %3d\n",
+- TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), TIFFGetA(rgba) );
++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d), A=%d (expected %d..%d)\n",
++ TIFFGetR(rgba), min_red, max_red,
++ TIFFGetG(rgba), min_green, max_green,
++ TIFFGetB(rgba), min_blue, max_blue,
++ TIFFGetA(rgba), min_alpha, max_alpha );
+ return 1;
+ }
+
+@@ -191,15 +212,17 @@
+ return 1;
+ }
+
+-#if JPEG_LIB_VERSION >= 70
+- pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer );
+- pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer );
+- pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer );
+-#else
+- pixel_status |= check_rgb_pixel( 0, 15, 0, 18, buffer );
+- pixel_status |= check_rgb_pixel( 64, 0, 0, 2, buffer );
+- pixel_status |= check_rgb_pixel( 512, 6, 36, 182, buffer );
+-#endif
++ /*
++ * JPEG decoding is inherently inexact, so we can't test for exact
++ * pixel values. (Well, if we knew exactly which libjpeg version
++ * we were using, and with what settings, we could expect specific
++ * values ... but it's not worth the trouble to keep track of.)
++ * Hence, use ranges of expected values. The ranges may need to be
++ * widened over time as more versions of libjpeg appear.
++ */
++ pixel_status |= check_rgb_pixel( 0, 15, 18, 0, 0, 18, 41, buffer );
++ pixel_status |= check_rgb_pixel( 64, 0, 0, 0, 0, 0, 2, buffer );
++ pixel_status |= check_rgb_pixel( 512, 5, 6, 34, 36, 182, 196, buffer );
+
+ free( buffer );
+
+@@ -224,15 +247,12 @@
+ * accomplish it from the YCbCr subsampled buffer ourselves in which
+ * case the results may be subtly different but similar.
+ */
+-#if JPEG_LIB_VERSION >= 70
+- pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer );
+-#else
+- pixel_status |= check_rgba_pixel( 0, 15, 0, 18, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 64, 0, 0, 2, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 512, 6, 36, 182, 255, rgba_buffer );
+-#endif
++ pixel_status |= check_rgba_pixel( 0, 15, 18, 0, 0, 18, 41, 255, 255,
++ rgba_buffer );
++ pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 0, 0, 2, 255, 255,
++ rgba_buffer );
++ pixel_status |= check_rgba_pixel( 512, 5, 6, 34, 36, 182, 196, 255, 255,
++ rgba_buffer );
+
+ free( rgba_buffer );
+ TIFFClose(tif);
diff --git a/SOURCES/libtiff-make-check.patch b/SOURCES/libtiff-make-check.patch
new file mode 100644
index 0000000..46796d4
--- /dev/null
+++ b/SOURCES/libtiff-make-check.patch
@@ -0,0 +1,26 @@
+diff --git a/html/man/Makefile.am b/html/man/Makefile.am
+index ca222de..c7421ac 100644
+--- a/html/man/Makefile.am
++++ b/html/man/Makefile.am
+@@ -85,7 +85,6 @@ docfiles = \
+ ras2tiff.1.html \
+ raw2tiff.1.html \
+ rgb2ycbcr.1.html \
+- sgi2tiff.1.html \
+ thumbnail.1.html \
+ tiff2bw.1.html \
+ tiff2pdf.1.html \
+@@ -96,12 +95,10 @@ docfiles = \
+ tiffcrop.1.html \
+ tiffdither.1.html \
+ tiffdump.1.html \
+- tiffgt.1.html \
+ tiffinfo.1.html \
+ tiffmedian.1.html \
+ tiffset.1.html \
+- tiffsplit.1.html \
+- tiffsv.1.html
++ tiffsplit.1.html
+
+ dist_doc_DATA = $(indexfile) $(docfiles)
+
diff --git a/SOURCES/libtiff-manpage-update.patch b/SOURCES/libtiff-manpage-update.patch
new file mode 100644
index 0000000..12d2aef
--- /dev/null
+++ b/SOURCES/libtiff-manpage-update.patch
@@ -0,0 +1,119 @@
+diff --git a/man/tiff2ps.1 b/man/tiff2ps.1
+index c3a9bac..a826ad7 100644
+--- a/man/tiff2ps.1
++++ b/man/tiff2ps.1
+@@ -100,6 +100,9 @@ Generate \*(Ps Level 2.
+ Generate \*(Ps Level 3. It basically allows one to use the /flateDecode
+ filter for ZIP compressed TIFF images.
+ .TP
++.B \-8
++Disable use of ASCII85 encoding with PostScript Level 2/3
++.TP
+ .B \-a
+ Generate output for all IFDs (pages) in the input file.
+ .TP
+@@ -123,6 +126,9 @@ directory to the specified directory number.
+ This option is useful for selecting individual pages in a
+ multi-page (e.g. facsimile) file.
+ .TP
++.B \-D
++Enable duplex printing (two pages per sheet of paper)
++.TP
+ .B \-e
+ Force the generation of Encapsulated \*(Ps (implies
+ .BR \-z ).
+@@ -185,6 +191,10 @@ like which are hidden using the
+ .I SubIFD
+ tag.
+ .TP
++.B \-O
++Write PostScript to specified file instead of standard output
++Set the initial
++.TP
+ .B \-p
+ Force the generation of (non-Encapsulated) \*(Ps.
+ .TP
+@@ -188,6 +188,9 @@ Set the initial
+ .B \-p
+ Force the generation of (non-Encapsulated) \*(Ps.
+ .TP
++.B \-P
++Set optional PageOrientation DSC comment to Landscape or Portrait.
++.TP
+ .B \-r 90|180|270|auto
+ Rotate image by 90, 180, 270 degrees or auto. Auto picks the best
+ fit for the image on the specified paper size (eg portrait
+@@ -197,6 +207,12 @@ counterclockwise. Auto rotates 90 degrees ccw to produce landscape.
+ .B \-s
+ Generate output for a single IFD (page) in the input file.
+ .TP
++.B \-t
++Specify the document title string
++.TP
++.B \-T
++Print pages for top edge binding
++.TP
+ .B \-w
+ Specify the horizontal size of the printed area (in inches).
+ .TP
+diff --git a/man/tiffcp.1 b/man/tiffcp.1
+index 5fdcc47..bf50130 100644
+--- a/man/tiffcp.1
++++ b/man/tiffcp.1
+@@ -60,6 +60,9 @@ in a file, but it is explicitly intended to not alter or convert
+ the image data content in any way.
+ .SH OPTIONS
+ .TP
++.BI \-a
++Append to an existing output file instead of overwriting it
++.TP
+ .BI \-b " image"
+ subtract the following monochrome image from all others
+ processed. This can be used to remove a noise bias
+@@ -179,6 +182,9 @@ overwritten and not when it is appended to.
+ .B \-M
+ Suppress the use of memory-mapped files when reading images.
+ .TP
++.BI \-o " offset"
++Set initial directory offset
++.TP
+ .B \-p
+ Specify the planar configuration to use in writing image data
+ that has one 8-bit sample per pixel.
+@@ -228,6 +228,9 @@ appear in a tile.
+ .B \-x
+ Force the output file to be written with PAGENUMBER value in sequence.
+ .TP
++.B \-8
++Write BigTIFF instead of classic TIFF format.
++.TP
+ .BI \-,= character
+ substitute
+ .I character
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 0f81b19..8c696db 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -409,6 +409,10 @@ char* stuff[] = {
+ " -s write output in strips",
+ " -t write output in tiles",
+ " -8 write BigTIFF instead of default ClassicTIFF",
++" -B write big-endian instead of native byte order",
++" -L write little-endian instead of native byte order",
++" -M disable use of memory-mapped files",
++" -C disable strip chopping",
+ " -i ignore read errors",
+ " -b file[,#] bias (dark) monochrome image to be subtracted from all others",
+ " -,=% use % rather than , to separate image #'s (per Note below)",
+diff --git a/man/tiff2ps.1 b/man/tiff2ps.1
+index b4a304a..0d672b0 100644
+--- a/man/tiff2ps.1
++++ b/man/tiff2ps.1
+@@ -149,6 +149,7 @@ be split in several pages. Options
+ and
+ .B \-W
+ are mutually exclusive.
++.TP
+ .B \-i
+ Enable/disable pixel interpolation. This option requires a
+ single numeric value: zero to disable pixel interpolation and
diff --git a/SOURCES/libtiff-printdir-width.patch b/SOURCES/libtiff-printdir-width.patch
new file mode 100644
index 0000000..f41f027
--- /dev/null
+++ b/SOURCES/libtiff-printdir-width.patch
@@ -0,0 +1,20 @@
+Back-patch upstream patch of 2012-12-12 ("Fix TIFF_VARIABLE/TIFF_VARIABLE2
+confusion in TIFFPrintDirectory").
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_print.c tiff-4.0.3/libtiff/tif_print.c
+--- tiff-4.0.3.orig/libtiff/tif_print.c 2012-08-19 12:56:35.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_print.c 2012-12-12 16:53:05.355927641 -0500
+@@ -582,10 +582,10 @@
+ continue;
+
+ if(fip->field_passcount) {
+- if (fip->field_readcount == TIFF_VARIABLE ) {
++ if (fip->field_readcount == TIFF_VARIABLE2 ) {
+ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
+ continue;
+- } else if (fip->field_readcount == TIFF_VARIABLE2 ) {
++ } else if (fip->field_readcount == TIFF_VARIABLE ) {
+ uint16 small_value_count;
+ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
+ continue;
diff --git a/SPECS/libtiff.spec b/SPECS/libtiff.spec
new file mode 100644
index 0000000..59cbd7b
--- /dev/null
+++ b/SPECS/libtiff.spec
@@ -0,0 +1,789 @@
+Summary: Library of functions for manipulating TIFF format image files
+Name: libtiff
+Version: 4.0.3
+Release: 32%{?dist}
+
+License: libtiff
+Group: System Environment/Libraries
+URL: http://www.remotesensing.org/libtiff/
+
+Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
+
+Patch0: libtiff-am-version.patch
+Patch1: libtiff-CVE-2012-4447.patch
+Patch2: libtiff-CVE-2012-4564.patch
+Patch3: libtiff-printdir-width.patch
+Patch4: libtiff-jpeg-test.patch
+Patch5: libtiff-CVE-2013-1960.patch
+Patch6: libtiff-CVE-2013-1961.patch
+Patch7: libtiff-manpage-update.patch
+Patch8: libtiff-make-check.patch
+Patch9: libtiff-CVE-2013-4231.patch
+Patch10: libtiff-CVE-2013-4232.patch
+Patch11: libtiff-CVE-2013-4244.patch
+Patch12: libtiff-CVE-2013-4243.patch
+Patch13: libtiff-CVE-2014-9330.patch
+Patch14: libtiff-CVE-2014-8127.patch
+Patch15: libtiff-CVE-2014-8129.patch
+Patch16: libtiff-CVE-2014-8130.patch
+Patch17: libtiff-CVE-2014-9655.patch
+Patch18: libtiff-CVE-2015-1547_8784.patch
+Patch19: libtiff-CVE-2015-7554.patch
+Patch20: libtiff-CVE-2015-8683_8665.patch
+Patch21: libtiff-CVE-2015-8668.patch
+Patch22: libtiff-CVE-2015-8781.patch
+Patch23: libtiff-CVE-2016-3632.patch
+Patch24: libtiff-CVE-2016-3945.patch
+Patch25: libtiff-CVE-2016-3990.patch
+Patch26: libtiff-CVE-2016-3991.patch
+Patch27: libtiff-CVE-2016-5320.patch
+Patch28: libtiff-CVE-2016-9533_9534_9536_9537.patch
+Patch29: libtiff-CVE-2016-9535.patch
+Patch30: libtiff-CVE-2016-9540.patch
+Patch31: libtiff-CVE-2016-5652.patch
+Patch32: libtiff-CVE-2015-8870.patch
+Patch33: libtiff-CVE-2016-3186.patch
+Patch34: libtiff-CVE-2018-7456.patch
+Patch35: libtiff-CVE-2018-8905.patch
+Patch36: libtiff-CVE-2018-10779.patch
+Patch37: libtiff-CVE-2018-10963.patch
+Patch38: libtiff-CVE-2018-12900.patch
+Patch39: libtiff-CVE-2018-17100.patch
+Patch40: libtiff-CVE-2018-17101.patch
+Patch41: libtiff-CVE-2018-18557.patch
+Patch42: libtiff-CVE-2018-18661.patch
+Patch43: libtiff-coverity.patch
+
+BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
+BuildRequires: libtool automake autoconf pkgconfig
+
+%description
+The libtiff package contains a library of functions for manipulating
+TIFF (Tagged Image File Format) image format files. TIFF is a widely
+used file format for bitmapped images. TIFF files usually end in the
+.tif extension and they are often quite large.
+
+The libtiff package should be installed if you need to manipulate TIFF
+format image files.
+
+%package devel
+Summary: Development tools for programs which will use the libtiff library
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig%{?_isa}
+
+%description devel
+This package contains the header files and documentation necessary for
+developing programs which will manipulate TIFF format image files
+using the libtiff library.
+
+If you need to develop programs which will manipulate TIFF format
+image files, you should install this package. You'll also need to
+install the libtiff package.
+
+%package static
+Summary: Static TIFF image format file library
+Group: Development/Libraries
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The libtiff-static package contains the statically linkable version of libtiff.
+Linking to static libraries is discouraged for most applications, but it is
+necessary for some boot packages.
+
+%package tools
+Summary: Command-line utility programs for manipulating TIFF files
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+This package contains command-line programs for manipulating TIFF format
+image files using the libtiff library.
+
+%prep
+%setup -q -n tiff-%{version}
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
+%patch38 -p1
+%patch39 -p1
+%patch40 -p1
+%patch41 -p1
+%patch42 -p1
+%patch43 -p1
+
+# Use build system's libtool.m4, not the one in the package.
+rm -f libtool.m4
+
+libtoolize --force --copy
+aclocal -I . -I m4
+automake --add-missing --copy
+autoconf
+autoheader
+
+%build
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+%configure --enable-ld-version-script
+make %{?_smp_mflags}
+
+%install
+make DESTDIR=$RPM_BUILD_ROOT install
+
+# remove what we didn't want installed
+rm $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/
+
+# no libGL dependency, please
+rm -f $RPM_BUILD_ROOT%{_bindir}/tiffgt
+
+# no sgi2tiff or tiffsv, either
+rm -f $RPM_BUILD_ROOT%{_bindir}/sgi2tiff
+rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv
+
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1
+rm -f html/man/tiffgt.1.html
+rm -f html/man/sgi2tiff.1.html
+rm -f html/man/tiffsv.1.html
+
+# multilib header hack
+# we only apply this to known Red Hat multilib arches, per bug #233091
+case `uname -i` in
+ i386 | ppc | s390 | sparc )
+ wordsize="32"
+ ;;
+ x86_64 | ppc64 | s390x | sparc64 )
+ wordsize="64"
+ ;;
+ *)
+ wordsize=""
+ ;;
+esac
+
+if test -n "$wordsize"
+then
+ mv $RPM_BUILD_ROOT%{_includedir}/tiffconf.h \
+ $RPM_BUILD_ROOT%{_includedir}/tiffconf-$wordsize.h
+
+ cat >$RPM_BUILD_ROOT%{_includedir}/tiffconf.h <<EOF
+#ifndef TIFFCONF_H_MULTILIB
+#define TIFFCONF_H_MULTILIB
+
+#include <bits/wordsize.h>
+
+#if __WORDSIZE == 32
+# include "tiffconf-32.h"
+#elif __WORDSIZE == 64
+# include "tiffconf-64.h"
+#else
+# error "unexpected value for __WORDSIZE macro"
+#endif
+
+#endif
+EOF
+
+fi
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%check
+LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
+
+# don't include documentation Makefiles, they are a multilib hazard
+find html -name 'Makefile*' | xargs rm
+
+%files
+%doc COPYRIGHT README RELEASE-DATE VERSION
+%{_libdir}/libtiff.so.*
+%{_libdir}/libtiffxx.so.*
+
+%files devel
+%doc TODO ChangeLog html
+%{_includedir}/*
+%{_libdir}/libtiff.so
+%{_libdir}/libtiffxx.so
+%{_libdir}/pkgconfig/libtiff*.pc
+%{_mandir}/man3/*
+
+%files static
+%{_libdir}/*.a
+
+%files tools
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%changelog
+* Tue Apr 30 2019 Nikola Forró <nforro@redhat.com> - 4.0.3-32
+- Fix one more Covscan defect
+- Related: #1647965
+
+* Tue Apr 30 2019 Nikola Forró <nforro@redhat.com> - 4.0.3-31
+- Fix processing of RAS files without colormap
+- Related: #1647965
+
+* Thu Dec 13 2018 Nikola Forró <nforro@redhat.com> - 4.0.3-30
+- Fix various Covscan defects
+- Related: #1647965
+
+* Thu Dec 13 2018 Nikola Forró <nforro@redhat.com> - 4.0.3-29
+- Fix compiler warning introduced by patch for CVE-2018-18661
+- Related: #1647965
+
+* Thu Dec 06 2018 Nikola Forró <nforro@redhat.com> - 4.0.3-28
+- Fix CVE-2016-3186
+- Resolves: #1319503
+- Fix CVE-2018-7456
+- Resolves: #1561318
+- Fix CVE-2018-8905
+- Resolves: #1574548
+- Fix CVE-2018-10779
+- Resolves: #1598503
+- Fix CVE-2018-10963
+- Resolves: #1598726
+- Fix CVE-2018-12900
+- Resolves: #1600430
+- Fix CVE-2018-17100
+- Resolves: #1632578
+- Fix CVE-2018-17101
+- Resolves: #1632579
+- Fix CVE-2018-18557
+- Resolves: #1647737
+- Fix CVE-2018-18661
+- Resolves: #1647965
+
+* Wed Jan 18 2017 Nikola Forró <nforro@redhat.com> - 4.0.3-27
+- Fix CWE-476 defect found by covscan
+- Related: #1412081
+
+* Wed Jan 11 2017 Nikola Forró <nforro@redhat.com> - 4.0.3-26
+- Add patches for CVEs:
+ CVE-2016-9533, CVE-2016-9534, CVE-2016-9535,
+ CVE-2016-9536, CVE-2016-9537, CVE-2016-9540,
+ CVE-2016-5652, CVE-2015-8870
+- Resolves: #1412081
+
+* Wed Jul 27 2016 Nikola Forró <nforro@redhat.com> - 4.0.3-25
+- Add patches for CVEs:
+ CVE-2015-7554, CVE-2015-8683, CVE-2015-8665,
+ CVE-2015-8781, CVE-2015-8782, CVE-2015-8783,
+ CVE-2015-8784
+- Related: #1299921
+
+* Tue Jul 26 2016 Nikola Forró <nforro@redhat.com> - 4.0.3-24
+- Update patches for CVEs:
+ CVE-2014-8127, CVE-2014-8130
+- Related: #1299921
+
+* Mon Jul 25 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-23
+- Update patches:
+ CVE-2014-9330, CVE-2014-8127, CVE-2014-8129
+ CVE-2014-8130
+- Related: #1299921
+
+* Tue Jul 19 2016 Nikola Forró <nforro@redhat.com> - 4.0.3-22
+- Update patch for CVE-2015-8668
+- Related: #1299921
+
+* Mon Jul 11 2016 Nikola Forró <nforro@redhat.com> - 4.0.3-21
+- Remove patches for CVEs:
+ CVE-2014-8127, CVE-2014-8129, CVE-2014-8130,
+ CVE-2014-9330, CVE-2015-7554, CVE-2015-8665,
+ CVE-2015-8683, CVE-2015-8781, CVE-2015-8784
+- Add patches for CVEs:
+ CVE-2016-3632, CVE-2016-3945, CVE-2016-3990,
+ CVE-2016-3991, CVE-2016-5320
+- Update patches for CVEs:
+ CVE-2014-9655, CVE-2015-1547, CVE-2015-8668
+- Related: #1299921
+
+* Tue Apr 19 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-20
+- CVE-2014-8127 should contain only two fixes
+- Related: #1299921
+
+* Fri Apr 01 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-19
+- Revert previous patch CVE-2014-8127
+- Related: #1299921
+
+* Thu Mar 31 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-18
+- Fixed wrongly applied patch CVE-2014-8127
+- Related: #1299921
+
+* Tue Mar 15 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-17
+- Fixed patch CVE-2015-8668. Wrongly applied by me
+- Related: #1299921
+
+* Tue Mar 08 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-16
+- Fixed patches on preview CVEs
+- Related: #1299921
+
+* Wed Feb 03 2016 Petr Hracek <phracek@redhat.com> - 4.0.3-15
+- This resolves several CVEs
+- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130
+- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781
+- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683
+- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668
+- Resolves: #1299921
+
+* Thu Feb 13 2014 Petr Hracek <phracek@redhat.com> - 4.0.3-14
+- Resolves: #996827 CVE-2013-4243 libtiff various flaws
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 4.0.3-13
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 4.0.3-12
+- Mass rebuild 2013-12-27
+
+* Wed Dec 18 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-11
+- Correct man page option -W
+Resolves: #510240
+
+* Thu Dec 12 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-10
+- Resolves: #996827 CVE-2013-4231 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244
+ libtiff various flaws
+
+* Mon Oct 21 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-9
+- Resolves: #1017070 - make check moved to %check section
+
+* Tue Oct 08 2013 Petr Hracek <phracek@redhat.com> - 4.0.3-8
+- tiff2ps manual page doesn't contain help for all options
+- tiffcp options differ in program help and manual page
+Resolves: #510240
+Resolves: #510258
+
+* Mon Aug 12 2013 Jaromír Končický <jkoncick@redhat.com> - 4.0.3-7
+- man page fixing (#510240 #510258)
+
+* Thu May 2 2013 Tom Lane <tgl@redhat.com> 4.0.3-6
+- Add upstream patches for CVE-2013-1960, CVE-2013-1961
+Resolves: #958609
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jan 18 2013 Adam Tkac <atkac redhat com> - 4.0.3-4
+- rebuild due to "jpeg8-ABI" feature drop
+
+* Wed Dec 19 2012 Tom Lane <tgl@redhat.com> 4.0.3-3
+- Add upstream patch to avoid bogus self-test failure with libjpeg-turbo v8
+
+* Thu Dec 13 2012 Tom Lane <tgl@redhat.com> 4.0.3-2
+- Add upstream patches for CVE-2012-4447, CVE-2012-4564
+ (note: CVE-2012-5581 is already fixed in 4.0.3)
+Resolves: #880907
+
+* Thu Oct 4 2012 Tom Lane <tgl@redhat.com> 4.0.3-1
+- Update to libtiff 4.0.3
+
+* Fri Aug 3 2012 Tom Lane <tgl@redhat.com> 4.0.2-6
+- Remove compat subpackage; no longer needed
+- Minor specfile cleanup per suggestions from Tom Callaway
+Related: #845110
+
+* Thu Aug 2 2012 Tom Lane <tgl@redhat.com> 4.0.2-5
+- Add accessor functions for opaque type TIFFField (backport of not-yet-released
+ upstream feature addition; needed to fix freeimage)
+
+* Sun Jul 22 2012 Tom Lane <tgl@redhat.com> 4.0.2-4
+- Add patches for CVE-2012-3401
+Resolves: #841736
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 03 2012 Karsten Hopp <karsten@redhat.com> 4.0.2-2
+- add opensuse bigendian patch to fix raw_decode self check failure on ppc*, s390*
+
+* Thu Jun 28 2012 Tom Lane <tgl@redhat.com> 4.0.2-1
+- Update to libtiff 4.0.2, includes fix for CVE-2012-2113
+ (note that CVE-2012-2088 does not apply to 4.0.x)
+- Update libtiff-compat to 3.9.6 and add patches to it for
+ CVE-2012-2088, CVE-2012-2113
+Resolves: #832866
+
+* Fri Jun 1 2012 Tom Lane <tgl@redhat.com> 4.0.1-2
+- Enable JBIG support
+Resolves: #826240
+
+* Sun May 6 2012 Tom Lane <tgl@redhat.com> 4.0.1-1
+- Update to libtiff 4.0.1, adds BigTIFF support and other features;
+ library soname is bumped from libtiff.so.3 to libtiff.so.5
+Resolves: #782383
+- Temporarily package 3.9.5 shared library (only) in libtiff-compat subpackage
+ so that dependent packages won't be broken while rebuilding proceeds
+
+* Thu Apr 5 2012 Tom Lane <tgl@redhat.com> 3.9.5-3
+- Add fix for CVE-2012-1173
+Resolves: #CVE-2012-1173
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Apr 12 2011 Tom Lane <tgl@redhat.com> 3.9.5-1
+- Update to libtiff 3.9.5, incorporating all our previous patches plus other
+ fixes, notably the fix for CVE-2009-5022
+Related: #695885
+
+* Mon Mar 21 2011 Tom Lane <tgl@redhat.com> 3.9.4-4
+- Fix incorrect fix for CVE-2011-0192
+Resolves: #684007
+Related: #688825
+- Add fix for CVE-2011-1167
+Resolves: #689574
+
+* Wed Mar 2 2011 Tom Lane <tgl@redhat.com> 3.9.4-3
+- Add patch for CVE-2011-0192
+Resolves: #681672
+- Fix non-security-critical potential SIGSEGV in gif2tiff
+Related: #648820
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Jun 22 2010 Tom Lane <tgl@redhat.com> 3.9.4-1
+- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
+ CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
+Resolves: #554371
+Related: #460653, #588784, #601274, #599576, #592361, #603024
+- Add fixes for multiple SIGSEGV problems
+Resolves: #583081
+Related: #603081, #603699, #603703
+
+* Tue Jan 5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
+- Apply Adam Goode's fix for Warmerdam's fix
+Resolves: #552360
+Resolves: #533353
+- Add some defenses to prevent tiffcmp from crashing on downsampled JPEG
+ images; this isn't enough to make it really work correctly though
+Related: #460322
+
+* Wed Dec 16 2009 Tom Lane <tgl@redhat.com> 3.9.2-2
+- Apply Warmerdam's partial fix for bug #460322 ... better than nothing.
+Related: #460322
+
+* Thu Dec 3 2009 Tom Lane <tgl@redhat.com> 3.9.2-1
+- Update to libtiff 3.9.2; stop carrying a lot of old patches
+Resolves: #520734
+- Split command-line tools into libtiff-tools subpackage
+Resolves: #515170
+- Use build system's libtool instead of what package contains;
+ among other cleanup this gets rid of unwanted rpath specs in executables
+Related: #226049
+
+* Thu Oct 15 2009 Tom Lane <tgl@redhat.com> 3.8.2-16
+- add sparc/sparc64 to multilib header support
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jul 13 2009 Tom Lane <tgl@redhat.com> 3.8.2-14
+- Fix buffer overrun risks caused by unchecked integer overflow (CVE-2009-2347)
+Related: #510041
+
+* Wed Jul 1 2009 Tom Lane <tgl@redhat.com> 3.8.2-13
+- Fix some more LZW decoding vulnerabilities (CVE-2009-2285)
+Related: #507465
+- Update upstream URL
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Aug 26 2008 Tom Lane <tgl@redhat.com> 3.8.2-11
+- Fix LZW decoding vulnerabilities (CVE-2008-2327)
+Related: #458674
+- Use -fno-strict-aliasing per rpmdiff recommendation
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 3.8.2-10
+- Autorebuild for GCC 4.3
+
+* Wed Aug 22 2007 Tom Lane <tgl@redhat.com> 3.8.2-9
+- Update License tag
+- Rebuild to fix Fedora toolchain issues
+
+* Thu Jul 19 2007 Tom Lane <tgl@redhat.com> 3.8.2-8
+- Restore static library to distribution, in a separate -static subpackage
+Resolves: #219905
+- Don't apply multilib header hack to unrecognized architectures
+Resolves: #233091
+- Remove documentation for programs we don't ship
+Resolves: #205079
+Related: #185145
+
+* Tue Jan 16 2007 Tom Lane <tgl@redhat.com> 3.8.2-7
+- Remove Makefiles from the shipped /usr/share/doc/html directories
+Resolves: bz #222729
+
+* Tue Sep 5 2006 Jindrich Novy <jnovy@redhat.com> - 3.8.2-6
+- fix CVE-2006-2193, tiff2pdf buffer overflow (#194362)
+- fix typo in man page for tiffset (#186297)
+- use %%{?dist}
+
+* Mon Jul 24 2006 Matthias Clasen <mclasen@redhat.com>
+- Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461
+ CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.8.2-4.1
+- rebuild
+
+* Fri Jun 2 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
+- Fix multilib conflict
+
+* Thu May 25 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-3
+- Fix overflows in tiffsplit
+
+* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-2
+- Drop tiffgt to get rid of the libGL dependency (#190768)
+
+* Wed Apr 26 2006 Matthias Clasen <mclasen@redhat.com> - 3.8.2-1
+- Update to 3.8.2
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.7.4-3.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Wed Nov 16 2005 Matthias Clasen <mclasen@redhat.com> 3.7.4-3
+- Don't ship static libs
+
+* Fri Nov 11 2005 Matthias Saou <http://freshrpms.net/> 3.7.4-2
+- Remove useless explicit dependencies.
+- Minor spec file cleanups.
+- Move make check to %%check.
+- Add _smp_mflags.
+
+* Thu Sep 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.4-1
+- Update to 3.7.4
+- Drop upstreamed patches
+
+* Wed Jun 29 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.2-1
+- Update to 3.7.2
+- Drop upstreamed patches
+
+* Fri May 6 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-6
+- Fix a stack overflow
+
+* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-5
+- Don't use mktemp
+
+* Wed Mar 2 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-4
+- Rebuild with gcc4
+
+* Wed Jan 5 2005 Matthias Clasen <mclasen@redhat.com> - 3.7.1-3
+- Drop the largefile patch again
+- Fix a problem with the handling of alpha channels
+- Fix an integer overflow in tiffdump (#143576)
+
+* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-2
+- Readd the largefile patch (#143560)
+
+* Wed Dec 22 2004 Matthias Clasen <mclasen@redhat.com> - 3.7.1-1
+- Upgrade to 3.7.1
+- Remove upstreamed patches
+- Remove specfile cruft
+- make check
+
+* Thu Oct 14 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-7
+- fix some integer and buffer overflows (#134853, #134848)
+
+* Tue Oct 12 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-6
+- fix http://bugzilla.remotesensing.org/show_bug.cgi?id=483
+
+* Mon Sep 27 2004 Rik van Riel <riel@redhat.com> 3.6.1-4
+- compile using RPM_OPT_FLAGS (bz #133650)
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu May 20 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-2
+- Fix and use the makeflags patch
+
+* Wed May 19 2004 Matthias Clasen <mclasen@redhat.com> 3.6.1-1
+- Upgrade to 3.6.1
+- Adjust patches
+- Don't install tiffgt man page (#104864)
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- really add symlink to shared lib by running ldconfig at compile time
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Oct 09 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- link shared lib against -lm (Jakub Jelinek)
+
+* Thu Sep 25 2003 Jeremy Katz <katzj@redhat.com> 3.5.7-13
+- rebuild to fix gzipped file md5sum (#91281)
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Feb 11 2003 Phil Knirsch <pknirsch@redhat.com> 3.5.7-11
+- Fixed rebuild problems.
+
+* Tue Feb 04 2003 Florian La Roche <Florian.LaRoche@redhat.de>
+- add symlink to shared lib
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Thu Dec 12 2002 Tim Powers <timp@redhat.com> 3.5.7-8
+- rebuild on all arches
+
+* Mon Aug 19 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-7
+- Added LFS support (#71593)
+
+* Tue Jun 25 2002 Phil Knirsch <pknirsch@redhat.com> 3.5.7-6
+- Fixed wrong exit code of tiffcp app (#67240)
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Wed May 15 2002 Phil Knirsch <pknirsch@redhat.com>
+- Fixed segfault in fax2tiff tool (#64708).
+
+* Mon Feb 25 2002 Phil Knirsch <pknirsch@redhat.com>
+- Fixed problem with newer bash versions setting CDPATH (#59741)
+
+* Tue Feb 19 2002 Phil Knirsch <pknirsch@redhat.com>
+- Update to current release 3.5.7
+
+* Wed Jan 09 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue Aug 28 2001 Phil Knirsch <phil@redhat.de>
+- Fixed ia64 problem with tiffinfo. Was general 64 bit arch problem where s390x
+ and ia64 were missing (#52129).
+
+* Tue Jun 26 2001 Philipp Knirsch <pknirsch@redhat.de>
+- Hopefully final symlink fix
+
+* Thu Jun 21 2001 Than Ngo <than@redhat.com>
+- add missing libtiff symlink
+
+* Fri Mar 16 2001 Crutcher Dunnavant <crutcher@redhat.com>
+- killed tiff-to-ps.fpi filter
+
+* Wed Feb 28 2001 Philipp Knirsch <pknirsch@redhat.de>
+- Fixed missing devel version dependancy.
+
+* Tue Dec 19 2000 Philipp Knirsch <pknirsch@redhat.de>
+- rebuild
+
+* Mon Aug 7 2000 Crutcher Dunnavant <crutcher@redhat.com>
+- added a tiff-to-ps.fpi filter for printing
+
+* Thu Jul 13 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
+- apply Peter Skarpetis's fix for the 32-bit conversion
+
+* Mon Jul 3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make man pages non-executable (#12811)
+
+* Mon Jun 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove CVS repo info from data directories
+
+* Thu May 18 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix build rooting
+- fix syntax error in configure script
+- move man pages to {_mandir}
+
+* Wed May 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild for an errata release
+
+* Wed Mar 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 3.5.5, which integrates our fax2ps fixes and the glibc fix
+
+* Tue Mar 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix fax2ps swapping height and width in the bounding box
+
+* Mon Mar 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move man pages from devel package to the regular one
+- integrate Frank Warmerdam's fixed .fax handling code (keep until next release
+ of libtiff)
+- fix fax2ps breakage (bug #8345)
+
+* Sat Feb 05 2000 Nalin Dahyabhai <nalin@redhat.com>
+- set MANDIR=man3 to make multifunction man pages friendlier
+
+* Mon Jan 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix URLs
+
+* Fri Jan 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- link shared library against libjpeg and libz
+
+* Tue Jan 18 2000 Nalin Dahyabhai <nalin@redhat.com>
+- enable zip and jpeg codecs
+- change defattr in normal package to 0755
+- add defattr to -devel package
+
+* Wed Dec 22 1999 Bill Nottingham <notting@redhat.com>
+- update to 3.5.4
+
+* Sun Mar 21 1999 Cristian Gafton <gafton@redhat.com>
+- auto rebuild in the new build environment (release 6)
+
+* Wed Jan 13 1999 Cristian Gafton <gafton@redhat.com>
+- build for glibc 2.1
+
+* Wed Jun 10 1998 Prospector System <bugs@redhat.com>
+- translations modified for de
+
+* Wed Jun 10 1998 Michael Fulbright <msf@redhat.com>
+- rebuilt against fixed jpeg libs (libjpeg-6b)
+
+* Thu May 07 1998 Prospector System <bugs@redhat.com>
+- translations modified for de, fr, tr
+
+* Mon Oct 13 1997 Donnie Barnes <djb@redhat.com>
+- new version to replace the one from libgr
+- patched for glibc
+- added shlib support