Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Frysinger <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/tiff/files/, media-libs/tiff/
Date: Fri, 31 Mar 2017 03:36:11
Message-Id: 1490930987.f61e94523aef88e99d1140307b83bd518a450a14.vapier@gentoo
1 commit: f61e94523aef88e99d1140307b83bd518a450a14
2 Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
3 AuthorDate: Fri Mar 31 03:27:50 2017 +0000
4 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
5 CommitDate: Fri Mar 31 03:29:47 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f61e9452
7
8 media-libs/tiff: pull in various upstream fixes #610330 #614020 #614022 #614024 #612172
9
10 .../tiff/files/tiff-4.0.7-CVE-2016-10266.patch | 46 ++++
11 .../tiff/files/tiff-4.0.7-CVE-2016-10267.patch | 53 ++++
12 .../tiff/files/tiff-4.0.7-CVE-2017-5225.patch | 74 ++++++
13 media-libs/tiff/files/tiff-4.0.7-bug2130.patch | 112 +++++++++
14 media-libs/tiff/files/tiff-4.0.7-bug2535.patch | 54 ++++
15 media-libs/tiff/files/tiff-4.0.7-bug2594.patch | 28 +++
16 media-libs/tiff/files/tiff-4.0.7-bug2597.patch | 41 +++
17 media-libs/tiff/files/tiff-4.0.7-bug2598.patch | 31 +++
18 media-libs/tiff/files/tiff-4.0.7-bug2599.patch | 54 ++++
19 media-libs/tiff/files/tiff-4.0.7-bug2604.patch | 108 ++++++++
20 media-libs/tiff/files/tiff-4.0.7-bug2605.patch | 55 ++++
21 media-libs/tiff/files/tiff-4.0.7-bug2607.patch | 41 +++
22 media-libs/tiff/files/tiff-4.0.7-bug2608.patch | 104 ++++++++
23 media-libs/tiff/files/tiff-4.0.7-bug2610.patch | 46 ++++
24 media-libs/tiff/files/tiff-4.0.7-bug2619.patch | 46 ++++
25 media-libs/tiff/files/tiff-4.0.7-bug2620.patch | 29 +++
26 media-libs/tiff/files/tiff-4.0.7-bug2621.patch | 49 ++++
27 media-libs/tiff/files/tiff-4.0.7-bug2627.patch | 59 +++++
28 media-libs/tiff/files/tiff-4.0.7-bug2631.patch | 34 +++
29 .../tiff/files/tiff-4.0.7-bug2633-bug2634.patch | 41 +++
30 media-libs/tiff/files/tiff-4.0.7-bug2635.patch | 33 +++
31 media-libs/tiff/files/tiff-4.0.7-bug2638.patch | 29 +++
32 media-libs/tiff/files/tiff-4.0.7-bug2639.patch | 58 +++++
33 media-libs/tiff/files/tiff-4.0.7-bug2640.patch | 28 +++
34 ...iff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch | 278 +++++++++++++++++++++
35 media-libs/tiff/files/tiff-4.0.7-bug2644.patch | 45 ++++
36 media-libs/tiff/files/tiff-4.0.7-bug2648.patch | 33 +++
37 media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch | 26 ++
38 media-libs/tiff/files/tiff-4.0.7-bug2650.patch | 54 ++++
39 media-libs/tiff/files/tiff-4.0.7-bug2651.patch | 86 +++++++
40 media-libs/tiff/files/tiff-4.0.7-bug2653.patch | 33 +++
41 media-libs/tiff/files/tiff-4.0.7-bug2658.patch | 33 +++
42 media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch | 41 +++
43 media-libs/tiff/files/tiff-4.0.7-bug2659.patch | 34 +++
44 media-libs/tiff/files/tiff-4.0.7-bug2665.patch | 43 ++++
45 .../tiff/files/tiff-4.0.7-hylafax-hack.patch | 38 +++
46 media-libs/tiff/tiff-4.0.7-r1.ebuild | 112 +++++++++
47 37 files changed, 2109 insertions(+)
48
49 diff --git a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch
50 new file mode 100644
51 index 00000000000..67e0ca41c99
52 --- /dev/null
53 +++ b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10266.patch
54 @@ -0,0 +1,46 @@
55 +http://bugzilla.maptools.org/show_bug.cgi?id=2596
56 +
57 +From d7520d28685b96a28421ef01fb66cea8d1a96dfc Mon Sep 17 00:00:00 2001
58 +From: Even Rouault <even.rouault@×××××××××.com>
59 +Date: Fri, 2 Dec 2016 21:56:56 +0000
60 +Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
61 + in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
62 + by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596
63 +
64 +---
65 + ChangeLog | 7 +++++++
66 + libtiff/tif_read.c | 4 ++--
67 + libtiff/tiffiop.h | 6 +++++-
68 + 3 files changed, 14 insertions(+), 3 deletions(-)
69 +
70 +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
71 +index 80035929f033..29a311db0cb7 100644
72 +--- a/libtiff/tif_read.c
73 ++++ b/libtiff/tif_read.c
74 +@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
75 + rowsperstrip=td->td_rowsperstrip;
76 + if (rowsperstrip>td->td_imagelength)
77 + rowsperstrip=td->td_imagelength;
78 +- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
79 ++ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
80 + stripinplane=(strip%stripsperplane);
81 + plane=(uint16)(strip/stripsperplane);
82 + rows=td->td_imagelength-stripinplane*rowsperstrip;
83 +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
84 +index 8bcd0c172c08..5294ee78ffaf 100644
85 +--- a/libtiff/tiffiop.h
86 ++++ b/libtiff/tiffiop.h
87 +@@ -250,6 +250,10 @@ struct tiff {
88 + #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
89 + ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
90 + 0U)
91 ++/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
92 ++/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
93 ++#define TIFFhowmany_32_maxuint_compat(x, y) \
94 ++ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
95 + #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
96 + #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
97 + #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
98 +--
99 +2.12.0
100 +
101
102 diff --git a/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10267.patch b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10267.patch
103 new file mode 100644
104 index 00000000000..04d9729ff73
105 --- /dev/null
106 +++ b/media-libs/tiff/files/tiff-4.0.7-CVE-2016-10267.patch
107 @@ -0,0 +1,53 @@
108 +http://bugzilla.maptools.org/show_bug.cgi?id=2611
109 +
110 +From bd06f6c97dff0b30de0f80227d782ea448c14b19 Mon Sep 17 00:00:00 2001
111 +From: Even Rouault <even.rouault@×××××××××.com>
112 +Date: Sat, 3 Dec 2016 11:15:18 +0000
113 +Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case
114 + of failure in OJPEGPreDecode(). This will avoid a divide by zero, and
115 + potential other issues. Reported by Agostino Sarubbo. Fixes
116 + http://bugzilla.maptools.org/show_bug.cgi?id=2611
117 +
118 +---
119 + ChangeLog | 7 +++++++
120 + libtiff/tif_ojpeg.c | 10 +++++++++-
121 + 2 files changed, 16 insertions(+), 1 deletion(-)
122 +
123 +diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
124 +index 30a1812634e0..93839d8f3e11 100644
125 +--- a/libtiff/tif_ojpeg.c
126 ++++ b/libtiff/tif_ojpeg.c
127 +@@ -244,6 +244,7 @@ typedef enum {
128 +
129 + typedef struct {
130 + TIFF* tif;
131 ++ int decoder_ok;
132 + #ifndef LIBJPEG_ENCAP_EXTERNAL
133 + JMP_BUF exit_jmpbuf;
134 + #endif
135 +@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
136 + }
137 + sp->write_curstrile++;
138 + }
139 ++ sp->decoder_ok = 1;
140 + return(1);
141 + }
142 +
143 +@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
144 + static int
145 + OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
146 + {
147 ++ static const char module[]="OJPEGDecode";
148 + OJPEGState* sp=(OJPEGState*)tif->tif_data;
149 + (void)s;
150 ++ if( !sp->decoder_ok )
151 ++ {
152 ++ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
153 ++ return 0;
154 ++ }
155 + if (sp->libjpeg_jpeg_query_style==0)
156 + {
157 + if (OJPEGDecodeRaw(tif,buf,cc)==0)
158 +--
159 +2.12.0
160 +
161
162 diff --git a/media-libs/tiff/files/tiff-4.0.7-CVE-2017-5225.patch b/media-libs/tiff/files/tiff-4.0.7-CVE-2017-5225.patch
163 new file mode 100644
164 index 00000000000..7f961474ba9
165 --- /dev/null
166 +++ b/media-libs/tiff/files/tiff-4.0.7-CVE-2017-5225.patch
167 @@ -0,0 +1,74 @@
168 +https://bugs.gentoo.org/610330
169 +
170 +From 24bc05876f5a1a300a3c4eb0fa8e8cea6a256f9f Mon Sep 17 00:00:00 2001
171 +From: Even Rouault <even.rouault@×××××××××.com>
172 +Date: Wed, 11 Jan 2017 19:25:44 +0000
173 +Subject: [PATCH] * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow
174 + and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
175 + overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
176 + http://bugzilla.maptools.org/show_bug.cgi?id=2657
177 +
178 +---
179 + ChangeLog | 7 +++++++
180 + tools/tiffcp.c | 26 +++++++++++++++++++++++---
181 + 2 files changed, 30 insertions(+), 3 deletions(-)
182 +
183 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
184 +index 49c9d37125a6..489459a7f6a4 100644
185 +--- a/tools/tiffcp.c
186 ++++ b/tools/tiffcp.c
187 +@@ -591,7 +591,7 @@ static copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
188 + static int
189 + tiffcp(TIFF* in, TIFF* out)
190 + {
191 +- uint16 bitspersample, samplesperpixel = 1;
192 ++ uint16 bitspersample = 1, samplesperpixel = 1;
193 + uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
194 + copyFunc cf;
195 + uint32 width, length;
196 +@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
197 + register uint32 n;
198 + uint32 row;
199 + tsample_t s;
200 ++ uint16 bps = 0;
201 ++
202 ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
203 ++ if( bps != 8 )
204 ++ {
205 ++ TIFFError(TIFFFileName(in),
206 ++ "Error, can only handle BitsPerSample=8 in %s",
207 ++ "cpContig2SeparateByRow");
208 ++ return 0;
209 ++ }
210 +
211 + inbuf = _TIFFmalloc(scanlinesizein);
212 + outbuf = _TIFFmalloc(scanlinesizeout);
213 +@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
214 + register uint32 n;
215 + uint32 row;
216 + tsample_t s;
217 ++ uint16 bps = 0;
218 ++
219 ++ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
220 ++ if( bps != 8 )
221 ++ {
222 ++ TIFFError(TIFFFileName(in),
223 ++ "Error, can only handle BitsPerSample=8 in %s",
224 ++ "cpSeparate2ContigByRow");
225 ++ return 0;
226 ++ }
227 +
228 + inbuf = _TIFFmalloc(scanlinesizein);
229 + outbuf = _TIFFmalloc(scanlinesizeout);
230 +@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
231 + uint32 w, l, tw, tl;
232 + int bychunk;
233 +
234 +- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
235 ++ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
236 + if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
237 + fprintf(stderr,
238 + "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
239 +--
240 +2.12.0
241 +
242
243 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2130.patch b/media-libs/tiff/files/tiff-4.0.7-bug2130.patch
244 new file mode 100644
245 index 00000000000..b565fecc029
246 --- /dev/null
247 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2130.patch
248 @@ -0,0 +1,112 @@
249 +From c2faaeaa7887c24c574297e8e2f36208df9dc229 Mon Sep 17 00:00:00 2001
250 +From: Even Rouault <even.rouault@×××××××××.com>
251 +Date: Wed, 11 Jan 2017 20:33:35 +0000
252 +Subject: [PATCH] * libtiff/tif_luv.c, tif_lzw.c, tif_packbits.c: return 0 in
253 + Encode functions instead of -1 when TIFFFlushData1() fails. Fixes
254 + http://bugzilla.maptools.org/show_bug.cgi?id=2130
255 +
256 +---
257 + ChangeLog | 6 ++++++
258 + libtiff/tif_luv.c | 12 ++++++------
259 + libtiff/tif_lzw.c | 8 +++++---
260 + libtiff/tif_packbits.c | 6 +++---
261 + 4 files changed, 20 insertions(+), 12 deletions(-)
262 +
263 +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
264 +index f42ac0131fee..1f6d8ba3ea5a 100644
265 +--- a/libtiff/tif_luv.c
266 ++++ b/libtiff/tif_luv.c
267 +@@ -473,7 +473,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
268 + tif->tif_rawcp = op;
269 + tif->tif_rawcc = tif->tif_rawdatasize - occ;
270 + if (!TIFFFlushData1(tif))
271 +- return (-1);
272 ++ return (0);
273 + op = tif->tif_rawcp;
274 + occ = tif->tif_rawdatasize - tif->tif_rawcc;
275 + }
276 +@@ -505,7 +505,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
277 + tif->tif_rawcp = op;
278 + tif->tif_rawcc = tif->tif_rawdatasize - occ;
279 + if (!TIFFFlushData1(tif))
280 +- return (-1);
281 ++ return (0);
282 + op = tif->tif_rawcp;
283 + occ = tif->tif_rawdatasize - tif->tif_rawcc;
284 + }
285 +@@ -565,7 +565,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
286 + tif->tif_rawcp = op;
287 + tif->tif_rawcc = tif->tif_rawdatasize - occ;
288 + if (!TIFFFlushData1(tif))
289 +- return (-1);
290 ++ return (0);
291 + op = tif->tif_rawcp;
292 + occ = tif->tif_rawdatasize - tif->tif_rawcc;
293 + }
294 +@@ -624,7 +624,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
295 + tif->tif_rawcp = op;
296 + tif->tif_rawcc = tif->tif_rawdatasize - occ;
297 + if (!TIFFFlushData1(tif))
298 +- return (-1);
299 ++ return (0);
300 + op = tif->tif_rawcp;
301 + occ = tif->tif_rawdatasize - tif->tif_rawcc;
302 + }
303 +@@ -656,7 +656,7 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
304 + tif->tif_rawcp = op;
305 + tif->tif_rawcc = tif->tif_rawdatasize - occ;
306 + if (!TIFFFlushData1(tif))
307 +- return (-1);
308 ++ return (0);
309 + op = tif->tif_rawcp;
310 + occ = tif->tif_rawdatasize - tif->tif_rawcc;
311 + }
312 +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
313 +index 240e19c2e058..5ba35ec1305f 100644
314 +--- a/libtiff/tif_lzw.c
315 ++++ b/libtiff/tif_lzw.c
316 +@@ -969,7 +969,8 @@ LZWEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
317 + */
318 + if (op > limit) {
319 + tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata);
320 +- TIFFFlushData1(tif);
321 ++ if( !TIFFFlushData1(tif) )
322 ++ return 0;
323 + op = tif->tif_rawdata;
324 + }
325 + PutNextCode(op, ent);
326 +@@ -1054,7 +1055,8 @@ LZWPostEncode(TIFF* tif)
327 +
328 + if (op > sp->enc_rawlimit) {
329 + tif->tif_rawcc = (tmsize_t)(op - tif->tif_rawdata);
330 +- TIFFFlushData1(tif);
331 ++ if( !TIFFFlushData1(tif) )
332 ++ return 0;
333 + op = tif->tif_rawdata;
334 + }
335 + if (sp->enc_oldcode != (hcode_t) -1) {
336 +diff --git a/libtiff/tif_packbits.c b/libtiff/tif_packbits.c
337 +index d2a0165de9dd..0495e688a6be 100644
338 +--- a/libtiff/tif_packbits.c
339 ++++ b/libtiff/tif_packbits.c
340 +@@ -99,7 +99,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
341 + slop = (long)(op - lastliteral);
342 + tif->tif_rawcc += (tmsize_t)(lastliteral - tif->tif_rawcp);
343 + if (!TIFFFlushData1(tif))
344 +- return (-1);
345 ++ return (0);
346 + op = tif->tif_rawcp;
347 + while (slop-- > 0)
348 + *op++ = *lastliteral++;
349 +@@ -107,7 +107,7 @@ PackBitsEncode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
350 + } else {
351 + tif->tif_rawcc += (tmsize_t)(op - tif->tif_rawcp);
352 + if (!TIFFFlushData1(tif))
353 +- return (-1);
354 ++ return (0);
355 + op = tif->tif_rawcp;
356 + }
357 + }
358 +--
359 +2.12.0
360 +
361
362 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2535.patch b/media-libs/tiff/files/tiff-4.0.7-bug2535.patch
363 new file mode 100644
364 index 00000000000..c44a8f05d20
365 --- /dev/null
366 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2535.patch
367 @@ -0,0 +1,54 @@
368 +From c4e376852d82936885833441169684267983691f Mon Sep 17 00:00:00 2001
369 +From: Even Rouault <even.rouault@×××××××××.com>
370 +Date: Wed, 11 Jan 2017 12:51:59 +0000
371 +Subject: [PATCH] * libtiff/tif_dirwrite.c: in
372 + TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to
373 + error out if passed value is strictly negative. Fixes
374 + http://bugzilla.maptools.org/show_bug.cgi?id=2535
375 +
376 +* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
377 +caused double free.
378 +Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
379 +---
380 + ChangeLog | 11 +++++++++++
381 + libtiff/tif_dirwrite.c | 11 ++++++++---
382 + tools/tiffcrop.c | 3 +--
383 + 3 files changed, 20 insertions(+), 5 deletions(-)
384 +
385 +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
386 +index d34f6f611d39..055324db078f 100644
387 +--- a/libtiff/tif_dirwrite.c
388 ++++ b/libtiff/tif_dirwrite.c
389 +@@ -2094,10 +2094,15 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
390 + static int
391 + TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
392 + {
393 ++ static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
394 + uint32 m[2];
395 +- assert(value>=0.0);
396 + assert(sizeof(uint32)==4);
397 +- if (value<=0.0)
398 ++ if( value < 0 )
399 ++ {
400 ++ TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
401 ++ return 0;
402 ++ }
403 ++ else if (value==0.0)
404 + {
405 + m[0]=0;
406 + m[1]=1;
407 +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
408 +index 21dd08720d77..c69177e052d4 100644
409 +--- a/tools/tiffcrop.c
410 ++++ b/tools/tiffcrop.c
411 +@@ -7996,7 +7996,6 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
412 + if (!TIFFWriteDirectory(out))
413 + {
414 + TIFFError("","Failed to write IFD for page number %d", pagenum);
415 +- TIFFClose(out);
416 + return (-1);
417 + }
418 +
419 +--
420 +2.12.0
421 +
422
423 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2594.patch b/media-libs/tiff/files/tiff-4.0.7-bug2594.patch
424 new file mode 100644
425 index 00000000000..b2bc26e9064
426 --- /dev/null
427 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2594.patch
428 @@ -0,0 +1,28 @@
429 +From a56820e2022e23610c1ea99fbf621d73d1e36348 Mon Sep 17 00:00:00 2001
430 +From: Even Rouault <even.rouault@×××××××××.com>
431 +Date: Sat, 3 Dec 2016 14:18:48 +0000
432 +Subject: [PATCH] * tools/tiffinfo.c: fix null pointer dereference in -r mode
433 + when the image has no StripByteCount tag. Reported by Agostino Sarubbo. Fixes
434 + http://bugzilla.maptools.org/show_bug.cgi?id=2594
435 +
436 +---
437 + ChangeLog | 7 +++++++
438 + tools/tiffinfo.c | 4 ++--
439 + 2 files changed, 9 insertions(+), 2 deletions(-)
440 +
441 +diff --git a/tools/tiffinfo.c b/tools/tiffinfo.c
442 +index b02c7d46bed0..4d58055de85c 100644
443 +--- a/tools/tiffinfo.c
444 ++++ b/tools/tiffinfo.c
445 +@@ -417,7 +417,7 @@ TIFFReadRawData(TIFF* tif, int bitrev)
446 + uint64* stripbc=NULL;
447 +
448 + TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc);
449 +- if (nstrips > 0) {
450 ++ if (stripbc != NULL && nstrips > 0) {
451 + uint32 bufsize = (uint32) stripbc[0];
452 + tdata_t buf = _TIFFmalloc(bufsize);
453 + tstrip_t s;
454 +--
455 +2.12.0
456 +
457
458 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2597.patch b/media-libs/tiff/files/tiff-4.0.7-bug2597.patch
459 new file mode 100644
460 index 00000000000..9cd29cfab77
461 --- /dev/null
462 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2597.patch
463 @@ -0,0 +1,41 @@
464 +From 5ad5e64f8530a827482645986f5bb4e4613d0aa7 Mon Sep 17 00:00:00 2001
465 +From: Even Rouault <even.rouault@×××××××××.com>
466 +Date: Sat, 3 Dec 2016 14:42:40 +0000
467 +Subject: [PATCH] * tools/tiffcp.c: avoid potential division by zero is
468 + BitsPerSamples tag is missing. Reported by Agostino sarubbo. Fixes
469 + http://bugzilla.maptools.org/show_bug.cgi?id=2597
470 +
471 +---
472 + ChangeLog | 7 +++++++
473 + tools/tiffcp.c | 10 ++++++++--
474 + 2 files changed, 15 insertions(+), 2 deletions(-)
475 +
476 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
477 +index 6dfb9a91bfa9..c8e48c3c2bb3 100644
478 +--- a/tools/tiffcp.c
479 ++++ b/tools/tiffcp.c
480 +@@ -1378,7 +1378,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
481 + uint8* bufp = (uint8*) buf;
482 + uint32 tw, tl;
483 + uint32 row;
484 +- uint16 bps, bytes_per_sample;
485 ++ uint16 bps = 0, bytes_per_sample;
486 +
487 + tilebuf = _TIFFmalloc(tilesize);
488 + if (tilebuf == 0)
489 +@@ -1387,6 +1387,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
490 + (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw);
491 + (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
492 + (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
493 ++ if( bps == 0 )
494 ++ {
495 ++ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample");
496 ++ status = 0;
497 ++ goto done;
498 ++ }
499 + assert( bps % 8 == 0 );
500 + bytes_per_sample = bps/8;
501 +
502 +--
503 +2.12.0
504 +
505
506 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2598.patch b/media-libs/tiff/files/tiff-4.0.7-bug2598.patch
507 new file mode 100644
508 index 00000000000..c0a0d1a8db1
509 --- /dev/null
510 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2598.patch
511 @@ -0,0 +1,31 @@
512 +http://bugzilla.maptools.org/show_bug.cgi?id=2598
513 +
514 +From bc3d7392e43545c7c6375897458a7a3e8ee4d9d8 Mon Sep 17 00:00:00 2001
515 +From: Even Rouault <even.rouault@×××××××××.com>
516 +Date: Fri, 2 Dec 2016 22:13:32 +0000
517 +Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
518 + that can cause various issues, such as buffer overflows in the library.
519 + Reported by Agostino Sarubbo. Fixes
520 + http://bugzilla.maptools.org/show_bug.cgi?id=2598
521 +
522 +---
523 + ChangeLog | 7 +++++++
524 + tools/tiffcp.c | 4 ++--
525 + 2 files changed, 9 insertions(+), 2 deletions(-)
526 +
527 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
528 +index 338a3d113bf8..6dfb9a91bfa9 100644
529 +--- a/tools/tiffcp.c
530 ++++ b/tools/tiffcp.c
531 +@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
532 + tstrip_t s, ns = TIFFNumberOfStrips(in);
533 + uint32 row = 0;
534 + _TIFFmemset(buf, 0, stripsize);
535 +- for (s = 0; s < ns; s++) {
536 ++ for (s = 0; s < ns && row < imagelength; s++) {
537 + tsize_t cc = (row + rowsperstrip > imagelength) ?
538 + TIFFVStripSize(in, imagelength - row) : stripsize;
539 + if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
540 +--
541 +2.12.0
542 +
543
544 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2599.patch b/media-libs/tiff/files/tiff-4.0.7-bug2599.patch
545 new file mode 100644
546 index 00000000000..929bb447bf7
547 --- /dev/null
548 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2599.patch
549 @@ -0,0 +1,54 @@
550 +From 9bbbe303c8e5db20d7f687ee1ca19c98fb852044 Mon Sep 17 00:00:00 2001
551 +From: Even Rouault <even.rouault@×××××××××.com>
552 +Date: Sat, 3 Dec 2016 15:30:31 +0000
553 +Subject: [PATCH] * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS,
554 + ) is called, limit the return number of inks to SamplesPerPixel, so that code
555 + that parses ink names doesn't go past the end of the buffer. Reported by
556 + Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599
557 +
558 +Reported by Agostino Sarubbo.
559 +---
560 + ChangeLog | 10 +++++++++-
561 + libtiff/tif_dir.c | 28 +++++++++++++++++++++++++++-
562 + 2 files changed, 36 insertions(+), 2 deletions(-)
563 +
564 +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
565 +index ad21655a6ee9..2574e748b3be 100644
566 +--- a/libtiff/tif_dir.c
567 ++++ b/libtiff/tif_dir.c
568 +@@ -854,6 +854,32 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
569 + if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
570 + return 0;
571 +
572 ++ if( tag == TIFFTAG_NUMBEROFINKS )
573 ++ {
574 ++ int i;
575 ++ for (i = 0; i < td->td_customValueCount; i++) {
576 ++ uint16 val;
577 ++ TIFFTagValue *tv = td->td_customValues + i;
578 ++ if (tv->info->field_tag != tag)
579 ++ continue;
580 ++ val = *(uint16 *)tv->value;
581 ++ /* Truncate to SamplesPerPixel, since the */
582 ++ /* setting code for INKNAMES assume that there are SamplesPerPixel */
583 ++ /* inknames. */
584 ++ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
585 ++ if( val > td->td_samplesperpixel )
586 ++ {
587 ++ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
588 ++ "Truncating NumberOfInks from %u to %u",
589 ++ val, td->td_samplesperpixel);
590 ++ val = td->td_samplesperpixel;
591 ++ }
592 ++ *va_arg(ap, uint16*) = val;
593 ++ return 1;
594 ++ }
595 ++ return 0;
596 ++ }
597 ++
598 + /*
599 + * We want to force the custom code to be used for custom
600 + * fields even if the tag happens to match a well known
601 +--
602 +2.12.0
603 +
604
605 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2604.patch b/media-libs/tiff/files/tiff-4.0.7-bug2604.patch
606 new file mode 100644
607 index 00000000000..cc3f4cf3ce9
608 --- /dev/null
609 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2604.patch
610 @@ -0,0 +1,108 @@
611 +From ebc6029128555df725e6ad77a983134350bfc831 Mon Sep 17 00:00:00 2001
612 +From: Even Rouault <even.rouault@×××××××××.com>
613 +Date: Fri, 2 Dec 2016 23:05:51 +0000
614 +Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
615 + buffer overflow on generation of PixarLog / LUV compressed files, with
616 + ColorMap, TransferFunction attached and nasty plays with bitspersample. The
617 + fix for LUV has not been tested, but suffers from the same kind of issue of
618 + PixarLog. Reported by Agostino Sarubbo. Fixes
619 + http://bugzilla.maptools.org/show_bug.cgi?id=2604
620 +
621 +---
622 + ChangeLog | 10 ++++++++++
623 + libtiff/tif_luv.c | 20 +++++++++++++++-----
624 + libtiff/tif_pixarlog.c | 19 ++++++++++++++++---
625 + 3 files changed, 41 insertions(+), 8 deletions(-)
626 +
627 +diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
628 +index ca08f30a76b6..f42ac0131fee 100644
629 +--- a/libtiff/tif_luv.c
630 ++++ b/libtiff/tif_luv.c
631 +@@ -158,6 +158,7 @@
632 + typedef struct logLuvState LogLuvState;
633 +
634 + struct logLuvState {
635 ++ int encoder_state; /* 1 if encoder correctly initialized */
636 + int user_datafmt; /* user data format */
637 + int encode_meth; /* encoding method */
638 + int pixel_size; /* bytes per pixel */
639 +@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
640 + td->td_photometric, "must be either LogLUV or LogL");
641 + break;
642 + }
643 ++ sp->encoder_state = 1;
644 + return (1);
645 + notsupported:
646 + TIFFErrorExt(tif->tif_clientdata, module,
647 +@@ -1563,19 +1565,27 @@ notsupported:
648 + static void
649 + LogLuvClose(TIFF* tif)
650 + {
651 ++ LogLuvState* sp = (LogLuvState*) tif->tif_data;
652 + TIFFDirectory *td = &tif->tif_dir;
653 +
654 ++ assert(sp != 0);
655 + /*
656 + * For consistency, we always want to write out the same
657 + * bitspersample and sampleformat for our TIFF file,
658 + * regardless of the data format being used by the application.
659 + * Since this routine is called after tags have been set but
660 + * before they have been recorded in the file, we reset them here.
661 ++ * Note: this is really a nasty approach. See PixarLogClose
662 + */
663 +- td->td_samplesperpixel =
664 +- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
665 +- td->td_bitspersample = 16;
666 +- td->td_sampleformat = SAMPLEFORMAT_INT;
667 ++ if( sp->encoder_state )
668 ++ {
669 ++ /* See PixarLogClose. Might avoid issues with tags whose size depends
670 ++ * on those below, but not completely sure this is enough. */
671 ++ td->td_samplesperpixel =
672 ++ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
673 ++ td->td_bitspersample = 16;
674 ++ td->td_sampleformat = SAMPLEFORMAT_INT;
675 ++ }
676 + }
677 +
678 + static void
679 +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
680 +index f4af2bab7ce5..9836dce63450 100644
681 +--- a/libtiff/tif_pixarlog.c
682 ++++ b/libtiff/tif_pixarlog.c
683 +@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
684 + static void
685 + PixarLogClose(TIFF* tif)
686 + {
687 ++ PixarLogState* sp = (PixarLogState*) tif->tif_data;
688 + TIFFDirectory *td = &tif->tif_dir;
689 +
690 ++ assert(sp != 0);
691 + /* In a really sneaky (and really incorrect, and untruthful, and
692 + * troublesome, and error-prone) maneuver that completely goes against
693 + * the spirit of TIFF, and breaks TIFF, on close, we covertly
694 +@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
695 + * readers that don't know about PixarLog, or how to set
696 + * the PIXARLOGDATFMT pseudo-tag.
697 + */
698 +- td->td_bitspersample = 8;
699 +- td->td_sampleformat = SAMPLEFORMAT_UINT;
700 ++
701 ++ if (sp->state&PLSTATE_INIT) {
702 ++ /* We test the state to avoid an issue such as in
703 ++ * http://bugzilla.maptools.org/show_bug.cgi?id=2604
704 ++ * What appends in that case is that the bitspersample is 1 and
705 ++ * a TransferFunction is set. The size of the TransferFunction
706 ++ * depends on 1<<bitspersample. So if we increase it, an access
707 ++ * out of the buffer will happen at directory flushing.
708 ++ * Another option would be to clear those targs.
709 ++ */
710 ++ td->td_bitspersample = 8;
711 ++ td->td_sampleformat = SAMPLEFORMAT_UINT;
712 ++ }
713 + }
714 +
715 + static void
716 +--
717 +2.12.0
718 +
719
720 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2605.patch b/media-libs/tiff/files/tiff-4.0.7-bug2605.patch
721 new file mode 100644
722 index 00000000000..335e4348d3f
723 --- /dev/null
724 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2605.patch
725 @@ -0,0 +1,55 @@
726 +From cd4832257daf222833ae172b3923268fec5b71b9 Mon Sep 17 00:00:00 2001
727 +From: Even Rouault <even.rouault@×××××××××.com>
728 +Date: Sat, 3 Dec 2016 16:50:02 +0000
729 +Subject: [PATCH] * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non
730 + assert check. Reported by Agostino Sarubbo. Fixes
731 + http://bugzilla.maptools.org/show_bug.cgi?id=2605
732 +
733 +---
734 + ChangeLog | 6 ++++++
735 + tools/tiffcp.c | 17 +++++++++++++----
736 + 2 files changed, 19 insertions(+), 4 deletions(-)
737 +
738 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
739 +index 6d96bb89f555..49c9d37125a6 100644
740 +--- a/tools/tiffcp.c
741 ++++ b/tools/tiffcp.c
742 +@@ -45,7 +45,6 @@
743 + #include <string.h>
744 +
745 + #include <ctype.h>
746 +-#include <assert.h>
747 +
748 + #ifdef HAVE_UNISTD_H
749 + # include <unistd.h>
750 +@@ -1393,7 +1392,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
751 + status = 0;
752 + goto done;
753 + }
754 +- assert( bps % 8 == 0 );
755 ++ if( (bps % 8) != 0 )
756 ++ {
757 ++ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8");
758 ++ status = 0;
759 ++ goto done;
760 ++ }
761 + bytes_per_sample = bps/8;
762 +
763 + for (row = 0; row < imagelength; row += tl) {
764 +@@ -1584,7 +1588,12 @@ DECLAREwriteFunc(writeBufferToSeparateTiles)
765 + _TIFFfree(obuf);
766 + return 0;
767 + }
768 +- assert( bps % 8 == 0 );
769 ++ if( (bps % 8) != 0 )
770 ++ {
771 ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
772 ++ _TIFFfree(obuf);
773 ++ return 0;
774 ++ }
775 + bytes_per_sample = bps/8;
776 +
777 + for (row = 0; row < imagelength; row += tl) {
778 +--
779 +2.12.0
780 +
781
782 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2607.patch b/media-libs/tiff/files/tiff-4.0.7-bug2607.patch
783 new file mode 100644
784 index 00000000000..532259e91cb
785 --- /dev/null
786 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2607.patch
787 @@ -0,0 +1,41 @@
788 +From c99f44478d6f0491da5b98c8cea14f565a021e22 Mon Sep 17 00:00:00 2001
789 +From: Even Rouault <even.rouault@×××××××××.com>
790 +Date: Sat, 3 Dec 2016 15:44:15 +0000
791 +Subject: [PATCH] * tools/tiffcp.c: avoid potential division by zero is
792 + BitsPerSamples tag is missing. Reported by Agostino Sarubbo. Fixes
793 + http://bugzilla.maptools.org/show_bug.cgi?id=2607
794 +
795 +---
796 + ChangeLog | 7 +++++++
797 + tools/tiffcp.c | 10 ++++++++--
798 + 2 files changed, 15 insertions(+), 2 deletions(-)
799 +
800 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
801 +index c8e48c3c2bb3..142cbb0ecfc2 100644
802 +--- a/tools/tiffcp.c
803 ++++ b/tools/tiffcp.c
804 +@@ -1569,7 +1569,7 @@ DECLAREwriteFunc(writeBufferToSeparateTiles)
805 + uint8* bufp = (uint8*) buf;
806 + uint32 tl, tw;
807 + uint32 row;
808 +- uint16 bps, bytes_per_sample;
809 ++ uint16 bps = 0, bytes_per_sample;
810 +
811 + obuf = _TIFFmalloc(TIFFTileSize(out));
812 + if (obuf == NULL)
813 +@@ -1578,6 +1578,12 @@ DECLAREwriteFunc(writeBufferToSeparateTiles)
814 + (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
815 + (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
816 + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
817 ++ if( bps == 0 )
818 ++ {
819 ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
820 ++ _TIFFfree(obuf);
821 ++ return 0;
822 ++ }
823 + assert( bps % 8 == 0 );
824 + bytes_per_sample = bps/8;
825 +
826 +--
827 +2.12.0
828 +
829
830 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2608.patch b/media-libs/tiff/files/tiff-4.0.7-bug2608.patch
831 new file mode 100644
832 index 00000000000..afe2c25a293
833 --- /dev/null
834 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2608.patch
835 @@ -0,0 +1,104 @@
836 +From 92adbddc283782d71d81dbccf72ed2c279f90097 Mon Sep 17 00:00:00 2001
837 +From: Even Rouault <even.rouault@×××××××××.com>
838 +Date: Sat, 3 Dec 2016 11:02:15 +0000
839 +Subject: [PATCH] * libtiff/tif_dirread.c: modify
840 + ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
841 + TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
842 + the total size of data. Which is faulty is the total size of data is not
843 + sufficient to fill the whole image, and thus results in reading outside of
844 + the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
845 + by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.
846 +
847 +* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
848 +for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
849 +the above change is a better fix that makes it unnecessary.
850 +---
851 + ChangeLog | 15 +++++++++++++++
852 + libtiff/tif_dirread.c | 24 +++++++++++-------------
853 + libtiff/tif_strip.c | 11 +----------
854 + 3 files changed, 27 insertions(+), 23 deletions(-)
855 +
856 +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
857 +index 01070f2ecebd..f2905286c0d0 100644
858 +--- a/libtiff/tif_dirread.c
859 ++++ b/libtiff/tif_dirread.c
860 +@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
861 + uint64 rowblockbytes;
862 + uint64 stripbytes;
863 + uint32 strip;
864 +- uint64 nstrips64;
865 +- uint32 nstrips32;
866 ++ uint32 nstrips;
867 + uint32 rowsperstrip;
868 + uint64* newcounts;
869 + uint64* newoffsets;
870 +@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
871 + return;
872 +
873 + /*
874 +- * never increase the number of strips in an image
875 ++ * never increase the number of rows per strip
876 + */
877 + if (rowsperstrip >= td->td_rowsperstrip)
878 + return;
879 +- nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
880 +- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
881 +- return;
882 +- nstrips32 = (uint32)nstrips64;
883 ++ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
884 ++ if( nstrips == 0 )
885 ++ return;
886 +
887 +- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
888 ++ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
889 + "for chopped \"StripByteCounts\" array");
890 +- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
891 ++ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
892 + "for chopped \"StripOffsets\" array");
893 + if (newcounts == NULL || newoffsets == NULL) {
894 + /*
895 +@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
896 + * Fill the strip information arrays with new bytecounts and offsets
897 + * that reflect the broken-up format.
898 + */
899 +- for (strip = 0; strip < nstrips32; strip++) {
900 ++ for (strip = 0; strip < nstrips; strip++) {
901 + if (stripbytes > bytecount)
902 + stripbytes = bytecount;
903 + newcounts[strip] = stripbytes;
904 +- newoffsets[strip] = offset;
905 ++ newoffsets[strip] = stripbytes ? offset : 0;
906 + offset += stripbytes;
907 + bytecount -= stripbytes;
908 + }
909 + /*
910 + * Replace old single strip info with multi-strip info.
911 + */
912 +- td->td_stripsperimage = td->td_nstrips = nstrips32;
913 ++ td->td_stripsperimage = td->td_nstrips = nstrips;
914 + TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
915 +
916 + _TIFFfree(td->td_stripbytecount);
917 +diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
918 +index b6098dd31241..6e9f2ef6ddf2 100644
919 +--- a/libtiff/tif_strip.c
920 ++++ b/libtiff/tif_strip.c
921 +@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
922 + TIFFDirectory *td = &tif->tif_dir;
923 + uint32 nstrips;
924 +
925 +- /* If the value was already computed and store in td_nstrips, then return it,
926 +- since ChopUpSingleUncompressedStrip might have altered and resized the
927 +- since the td_stripbytecount and td_stripoffset arrays to the new value
928 +- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
929 +- tif_dirread.c ~line 3612.
930 +- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
931 +- if( td->td_nstrips )
932 +- return td->td_nstrips;
933 +-
934 + nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
935 + TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
936 + if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
937 +--
938 +2.12.0
939 +
940
941 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2610.patch b/media-libs/tiff/files/tiff-4.0.7-bug2610.patch
942 new file mode 100644
943 index 00000000000..f76e83922d6
944 --- /dev/null
945 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2610.patch
946 @@ -0,0 +1,46 @@
947 +From ee00edfbe833647d59ad87cac82f1b4c0c902179 Mon Sep 17 00:00:00 2001
948 +From: Even Rouault <even.rouault@×××××××××.com>
949 +Date: Sat, 3 Dec 2016 16:40:01 +0000
950 +Subject: [PATCH] * tools/tiffcp.c: fix uint32 underflow/overflow that can
951 + cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
952 + http://bugzilla.maptools.org/show_bug.cgi?id=2610
953 +
954 +---
955 + ChangeLog | 7 +++++++
956 + tools/tiffcp.c | 8 ++++----
957 + 2 files changed, 11 insertions(+), 4 deletions(-)
958 +
959 +diff --git a/tools/tiffcp.c b/tools/tiffcp.c
960 +index 142cbb0ecfc2..6d96bb89f555 100644
961 +--- a/tools/tiffcp.c
962 ++++ b/tools/tiffcp.c
963 +@@ -1163,7 +1163,7 @@ bad:
964 +
965 + static void
966 + cpStripToTile(uint8* out, uint8* in,
967 +- uint32 rows, uint32 cols, int outskew, int inskew)
968 ++ uint32 rows, uint32 cols, int outskew, int64 inskew)
969 + {
970 + while (rows-- > 0) {
971 + uint32 j = cols;
972 +@@ -1320,7 +1320,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
973 + tdata_t tilebuf;
974 + uint32 imagew = TIFFScanlineSize(in);
975 + uint32 tilew = TIFFTileRowSize(in);
976 +- int iskew = imagew - tilew;
977 ++ int64 iskew = (int64)imagew - (int64)tilew;
978 + uint8* bufp = (uint8*) buf;
979 + uint32 tw, tl;
980 + uint32 row;
981 +@@ -1348,7 +1348,7 @@ DECLAREreadFunc(readContigTilesIntoBuffer)
982 + status = 0;
983 + goto done;
984 + }
985 +- if (colb + tilew > imagew) {
986 ++ if (colb > iskew) {
987 + uint32 width = imagew - colb;
988 + uint32 oskew = tilew - width;
989 + cpStripToTile(bufp + colb,
990 +--
991 +2.12.0
992 +
993
994 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2619.patch b/media-libs/tiff/files/tiff-4.0.7-bug2619.patch
995 new file mode 100644
996 index 00000000000..0e0053883a3
997 --- /dev/null
998 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2619.patch
999 @@ -0,0 +1,46 @@
1000 +From cb840651f037c59895b67d44b46a34127bb082dd Mon Sep 17 00:00:00 2001
1001 +From: Even Rouault <even.rouault@×××××××××.com>
1002 +Date: Sat, 3 Dec 2016 13:00:03 +0000
1003 +Subject: [PATCH] * tools/tiffcrop.c: fix integer division by zero when
1004 + BitsPerSample is missing. Reported by Agostina Sarubo. Fixes
1005 + http://bugzilla.maptools.org/show_bug.cgi?id=2619
1006 +
1007 +---
1008 + ChangeLog | 6 ++++++
1009 + tools/tiffcrop.c | 8 ++++----
1010 + 2 files changed, 10 insertions(+), 4 deletions(-)
1011 +
1012 +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
1013 +index 9122aab37530..21dd08720d77 100644
1014 +--- a/tools/tiffcrop.c
1015 ++++ b/tools/tiffcrop.c
1016 +@@ -1164,7 +1164,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,
1017 + tdata_t obuf;
1018 +
1019 + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
1020 +- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
1021 ++ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);
1022 + bytes_per_sample = (bps + 7) / 8;
1023 + if( width == 0 ||
1024 + (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
1025 +@@ -4760,7 +4760,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
1026 + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
1027 + uint32 j;
1028 + int32 bytes_read = 0;
1029 +- uint16 bps, planar;
1030 ++ uint16 bps = 0, planar;
1031 + uint32 nstrips;
1032 + uint32 strips_per_sample;
1033 + uint32 src_rowsize, dst_rowsize, rows_processed, rps;
1034 +@@ -4780,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
1035 + }
1036 +
1037 + memset (srcbuffs, '\0', sizeof(srcbuffs));
1038 +- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
1039 ++ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
1040 + TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);
1041 + TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
1042 + if (rps > length)
1043 +--
1044 +2.12.0
1045 +
1046
1047 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2620.patch b/media-libs/tiff/files/tiff-4.0.7-bug2620.patch
1048 new file mode 100644
1049 index 00000000000..1b37177c5f9
1050 --- /dev/null
1051 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2620.patch
1052 @@ -0,0 +1,29 @@
1053 +From 76c4b35f114bc9614700accd22cc4a0b4b6b92d3 Mon Sep 17 00:00:00 2001
1054 +From: Even Rouault <even.rouault@×××××××××.com>
1055 +Date: Sat, 3 Dec 2016 11:35:56 +0000
1056 +Subject: [PATCH] * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i
1057 + (ignore) mode so that the output buffer is correctly incremented to avoid
1058 + write outside bounds. Reported by Agostino Sarubbo. Fixes
1059 + http://bugzilla.maptools.org/show_bug.cgi?id=2620
1060 +
1061 +---
1062 + ChangeLog | 7 +++++++
1063 + tools/tiffcrop.c | 4 ++--
1064 + 2 files changed, 9 insertions(+), 2 deletions(-)
1065 +
1066 +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
1067 +index 722b132cee6d..bdcbd63ed70b 100644
1068 +--- a/tools/tiffcrop.c
1069 ++++ b/tools/tiffcrop.c
1070 +@@ -3698,7 +3698,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
1071 + (unsigned long) strip, (unsigned long)rows);
1072 + return 0;
1073 + }
1074 +- bufp += bytes_read;
1075 ++ bufp += stripsize;
1076 + }
1077 +
1078 + return 1;
1079 +--
1080 +2.12.0
1081 +
1082
1083 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2621.patch b/media-libs/tiff/files/tiff-4.0.7-bug2621.patch
1084 new file mode 100644
1085 index 00000000000..7bb1d57e3e9
1086 --- /dev/null
1087 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2621.patch
1088 @@ -0,0 +1,49 @@
1089 +From d7045ed1501ec99c4e56174813bb1cb5c9a559ef Mon Sep 17 00:00:00 2001
1090 +From: Even Rouault <even.rouault@×××××××××.com>
1091 +Date: Sat, 3 Dec 2016 12:19:32 +0000
1092 +Subject: [PATCH] * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer
1093 + in readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
1094 + buffer. Reported by Agostina Sarubo. Fixes
1095 + http://bugzilla.maptools.org/show_bug.cgi?id=2621
1096 +
1097 +---
1098 + ChangeLog | 7 +++++++
1099 + tools/tiffcrop.c | 14 ++++++++++++--
1100 + 2 files changed, 19 insertions(+), 2 deletions(-)
1101 +
1102 +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
1103 +index bdcbd63ed70b..9122aab37530 100644
1104 +--- a/tools/tiffcrop.c
1105 ++++ b/tools/tiffcrop.c
1106 +@@ -4815,10 +4815,17 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
1107 + nstrips = TIFFNumberOfStrips(in);
1108 + strips_per_sample = nstrips /spp;
1109 +
1110 ++ /* Add 3 padding bytes for combineSeparateSamples32bits */
1111 ++ if( (size_t) stripsize > 0xFFFFFFFFU - 3U )
1112 ++ {
1113 ++ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size.");
1114 ++ exit(-1);
1115 ++ }
1116 ++
1117 + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
1118 + {
1119 + srcbuffs[s] = NULL;
1120 +- buff = _TIFFmalloc(stripsize);
1121 ++ buff = _TIFFmalloc(stripsize + 3);
1122 + if (!buff)
1123 + {
1124 + TIFFError ("readSeparateStripsIntoBuffer",
1125 +@@ -4827,6 +4834,9 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
1126 + _TIFFfree (srcbuffs[i]);
1127 + return 0;
1128 + }
1129 ++ buff[stripsize] = 0;
1130 ++ buff[stripsize+1] = 0;
1131 ++ buff[stripsize+2] = 0;
1132 + srcbuffs[s] = buff;
1133 + }
1134 +
1135 +--
1136 +2.12.0
1137 +
1138
1139 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2627.patch b/media-libs/tiff/files/tiff-4.0.7-bug2627.patch
1140 new file mode 100644
1141 index 00000000000..11a3f3cd3f5
1142 --- /dev/null
1143 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2627.patch
1144 @@ -0,0 +1,59 @@
1145 +From f88bfadb6d1fac1d0d081058216da659e1f5a628 Mon Sep 17 00:00:00 2001
1146 +From: Even Rouault <even.rouault@×××××××××.com>
1147 +Date: Sun, 18 Dec 2016 22:28:42 +0000
1148 +Subject: [PATCH] * libtiff/tif_getimage.c: fix potential memory leaks in error
1149 + code path of TIFFRGBAImageBegin(). Fixes
1150 + http://bugzilla.maptools.org/show_bug.cgi?id=2627
1151 +
1152 +---
1153 + ChangeLog | 6 ++++++
1154 + libtiff/tif_getimage.c | 21 +++++++++------------
1155 + 2 files changed, 15 insertions(+), 12 deletions(-)
1156 +
1157 +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
1158 +index c0eb6df0b09a..2ea838556732 100644
1159 +--- a/libtiff/tif_getimage.c
1160 ++++ b/libtiff/tif_getimage.c
1161 +@@ -283,6 +283,13 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
1162 + img->redcmap = NULL;
1163 + img->greencmap = NULL;
1164 + img->bluecmap = NULL;
1165 ++ img->Map = NULL;
1166 ++ img->BWmap = NULL;
1167 ++ img->PALmap = NULL;
1168 ++ img->ycbcr = NULL;
1169 ++ img->cielab = NULL;
1170 ++ img->UaToAa = NULL;
1171 ++ img->Bitdepth16To8 = NULL;
1172 + img->req_orientation = ORIENTATION_BOTLEFT; /* It is the default */
1173 +
1174 + img->tif = tif;
1175 +@@ -468,13 +475,6 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
1176 + photoTag, img->photometric);
1177 + goto fail_return;
1178 + }
1179 +- img->Map = NULL;
1180 +- img->BWmap = NULL;
1181 +- img->PALmap = NULL;
1182 +- img->ycbcr = NULL;
1183 +- img->cielab = NULL;
1184 +- img->UaToAa = NULL;
1185 +- img->Bitdepth16To8 = NULL;
1186 + TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &img->width);
1187 + TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &img->height);
1188 + TIFFGetFieldDefaulted(tif, TIFFTAG_ORIENTATION, &img->orientation);
1189 +@@ -494,10 +494,7 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])
1190 + return 1;
1191 +
1192 + fail_return:
1193 +- _TIFFfree( img->redcmap );
1194 +- _TIFFfree( img->greencmap );
1195 +- _TIFFfree( img->bluecmap );
1196 +- img->redcmap = img->greencmap = img->bluecmap = NULL;
1197 ++ TIFFRGBAImageEnd( img );
1198 + return 0;
1199 + }
1200 +
1201 +--
1202 +2.12.0
1203 +
1204
1205 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2631.patch b/media-libs/tiff/files/tiff-4.0.7-bug2631.patch
1206 new file mode 100644
1207 index 00000000000..6e1011b072d
1208 --- /dev/null
1209 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2631.patch
1210 @@ -0,0 +1,34 @@
1211 +From 101253c74cde97203dab28c4f3bd0994cea5804c Mon Sep 17 00:00:00 2001
1212 +From: Even Rouault <even.rouault@×××××××××.com>
1213 +Date: Sat, 14 Jan 2017 13:12:33 +0000
1214 +Subject: [PATCH] * tools/raw2tiff.c: avoid integer division by zero. Fixes
1215 + http://bugzilla.maptools.org/show_bug.cgi?id=2631
1216 +
1217 +---
1218 + ChangeLog | 5 +++++
1219 + tools/raw2tiff.c | 10 ++++++++--
1220 + 2 files changed, 13 insertions(+), 2 deletions(-)
1221 +
1222 +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
1223 +index 7298e80a95c9..083e9ee73f0f 100644
1224 +--- a/tools/raw2tiff.c
1225 ++++ b/tools/raw2tiff.c
1226 +@@ -408,8 +408,14 @@ guessSize(int fd, TIFFDataType dtype, _TIFF_off_t hdr_size, uint32 nbands,
1227 + } else if (*width == 0 && *length == 0) {
1228 + unsigned int fail = 0;
1229 + fprintf(stderr, "Image width and height are not specified.\n");
1230 ++ w = (uint32) sqrt(imagesize / longt);
1231 ++ if( w == 0 )
1232 ++ {
1233 ++ fprintf(stderr, "Too small image size.\n");
1234 ++ return -1;
1235 ++ }
1236 +
1237 +- for (w = (uint32) sqrt(imagesize / longt);
1238 ++ for (;
1239 + w < sqrt(imagesize * longt);
1240 + w++) {
1241 + if (imagesize % w == 0) {
1242 +--
1243 +2.12.0
1244 +
1245
1246 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2633-bug2634.patch b/media-libs/tiff/files/tiff-4.0.7-bug2633-bug2634.patch
1247 new file mode 100644
1248 index 00000000000..d68e86ebea2
1249 --- /dev/null
1250 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2633-bug2634.patch
1251 @@ -0,0 +1,41 @@
1252 +From 95a32fbbadf54e7527c7e3b66fd603503b29dde9 Mon Sep 17 00:00:00 2001
1253 +From: Even Rouault <even.rouault@×××××××××.com>
1254 +Date: Sat, 17 Dec 2016 19:45:28 +0000
1255 +Subject: [PATCH] * tools/tiff2ps.c: fix 2 heap-based buffer overflows (in
1256 + PSDataBW and PSDataColorContig). Reported by Agostino Sarubbo. Fixes
1257 + http://bugzilla.maptools.org/show_bug.cgi?id=2633 and
1258 + http://bugzilla.maptools.org/show_bug.cgi?id=2634.
1259 +
1260 +---
1261 + ChangeLog | 7 +++++++
1262 + tools/tiff2ps.c | 9 +++++++--
1263 + 2 files changed, 14 insertions(+), 2 deletions(-)
1264 +
1265 +diff --git a/tools/tiff2ps.c b/tools/tiff2ps.c
1266 +index 82a5d84b41f5..71df4309ee0c 100644
1267 +--- a/tools/tiff2ps.c
1268 ++++ b/tools/tiff2ps.c
1269 +@@ -2440,6 +2440,11 @@ PSDataColorContig(FILE* fd, TIFF* tif, uint32 w, uint32 h, int nc)
1270 + unsigned char *cp, c;
1271 +
1272 + (void) w;
1273 ++ if( es <= 0 )
1274 ++ {
1275 ++ TIFFError(filename, "Inconsistent value of es: %d", es);
1276 ++ return;
1277 ++ }
1278 + tf_buf = (unsigned char *) _TIFFmalloc(tf_bytesperrow);
1279 + if (tf_buf == NULL) {
1280 + TIFFError(filename, "No space for scanline buffer");
1281 +@@ -2692,7 +2697,7 @@ PSDataBW(FILE* fd, TIFF* tif, uint32 w, uint32 h)
1282 +
1283 + if (alpha) {
1284 + int adjust;
1285 +- while (cc-- > 0) {
1286 ++ while (cc-- > 1) {
1287 + DOBREAK(breaklen, 1, fd);
1288 + /*
1289 + * For images with alpha, matte against
1290 +--
1291 +2.12.0
1292 +
1293
1294 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2635.patch b/media-libs/tiff/files/tiff-4.0.7-bug2635.patch
1295 new file mode 100644
1296 index 00000000000..8756115c905
1297 --- /dev/null
1298 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2635.patch
1299 @@ -0,0 +1,33 @@
1300 +From a7b470d67f2b98599b2c9cd9945db6eea735cc47 Mon Sep 17 00:00:00 2001
1301 +From: Even Rouault <even.rouault@×××××××××.com>
1302 +Date: Sun, 18 Dec 2016 10:37:59 +0000
1303 +Subject: [PATCH] * tools/tiff2pdf.c: prevent heap-based buffer overflow in -j
1304 + mode on a paletted image. Note: this fix errors out before the overflow
1305 + happens. There could probably be a better fix. Fixes
1306 + http://bugzilla.maptools.org/show_bug.cgi?id=2635
1307 +
1308 +---
1309 + ChangeLog | 7 +++++++
1310 + tools/tiff2pdf.c | 8 +++++++-
1311 + 2 files changed, 14 insertions(+), 1 deletion(-)
1312 +
1313 +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
1314 +index fe8a6ea7e101..afea414bebf6 100644
1315 +--- a/tools/tiff2pdf.c
1316 ++++ b/tools/tiff2pdf.c
1317 +@@ -3654,6 +3654,12 @@ tsize_t t2p_sample_realize_palette(T2P* t2p, unsigned char* buffer){
1318 + uint32 j=0;
1319 + sample_count=t2p->tiff_width*t2p->tiff_length;
1320 + component_count=t2p->tiff_samplesperpixel;
1321 ++ if( sample_count * component_count > t2p->tiff_datasize )
1322 ++ {
1323 ++ TIFFError(TIFF2PDF_MODULE, "Error: sample_count * component_count > t2p->tiff_datasize");
1324 ++ t2p->t2p_error = T2P_ERR_ERROR;
1325 ++ return 1;
1326 ++ }
1327 +
1328 + for(i=sample_count;i>0;i--){
1329 + palette_offset=buffer[i-1] * component_count;
1330 +--
1331 +2.12.0
1332 +
1333
1334 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2638.patch b/media-libs/tiff/files/tiff-4.0.7-bug2638.patch
1335 new file mode 100644
1336 index 00000000000..15541576c58
1337 --- /dev/null
1338 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2638.patch
1339 @@ -0,0 +1,29 @@
1340 +From 9f5536843f2ae641542bb81a3023dbc581fac184 Mon Sep 17 00:00:00 2001
1341 +From: Even Rouault <even.rouault@×××××××××.com>
1342 +Date: Tue, 20 Dec 2016 17:13:26 +0000
1343 +Subject: [PATCH] * tools/tiff2pdf.c: fix wrong usage of memcpy() that can
1344 + trigger unspecified behaviour. Fixes
1345 + http://bugzilla.maptools.org/show_bug.cgi?id=2638
1346 +
1347 +---
1348 + ChangeLog | 6 ++++++
1349 + tools/tiff2pdf.c | 5 +++--
1350 + 2 files changed, 9 insertions(+), 2 deletions(-)
1351 +
1352 +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
1353 +index afea414bebf6..78ffa77d123a 100644
1354 +--- a/tools/tiff2pdf.c
1355 ++++ b/tools/tiff2pdf.c
1356 +@@ -3593,7 +3593,8 @@ void t2p_tile_collapse_left(
1357 +
1358 + edgescanwidth = (scanwidth * edgetilewidth + (tilewidth - 1))/ tilewidth;
1359 + for(i=0;i<tilelength;i++){
1360 +- _TIFFmemcpy(
1361 ++ /* We use memmove() since there can be overlaps in src and dst buffers for the first items */
1362 ++ memmove(
1363 + &(((char*)buffer)[edgescanwidth*i]),
1364 + &(((char*)buffer)[scanwidth*i]),
1365 + edgescanwidth);
1366 +--
1367 +2.12.0
1368 +
1369
1370 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2639.patch b/media-libs/tiff/files/tiff-4.0.7-bug2639.patch
1371 new file mode 100644
1372 index 00000000000..b894775dc70
1373 --- /dev/null
1374 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2639.patch
1375 @@ -0,0 +1,58 @@
1376 +From 6a61192a98665d870dcb835452cb9c5757ccd27c Mon Sep 17 00:00:00 2001
1377 +From: Even Rouault <even.rouault@×××××××××.com>
1378 +Date: Tue, 20 Dec 2016 17:24:35 +0000
1379 +Subject: [PATCH] * tools/tiff2pdf.c: avoid potential invalid memory read in
1380 + t2p_writeproc. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639
1381 +
1382 +---
1383 + ChangeLog | 6 ++++++
1384 + tools/tiff2pdf.c | 20 +++++++++++---------
1385 + 2 files changed, 17 insertions(+), 9 deletions(-)
1386 +
1387 +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
1388 +index 78ffa77d123a..5348f1a765fe 100644
1389 +--- a/tools/tiff2pdf.c
1390 ++++ b/tools/tiff2pdf.c
1391 +@@ -2896,6 +2896,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
1392 + }
1393 + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
1394 + if (count >= 4) {
1395 ++ int retTIFFReadRawTile;
1396 + /* Ignore EOI marker of JpegTables */
1397 + _TIFFmemcpy(buffer, jpt, count - 2);
1398 + bufferoffset += count - 2;
1399 +@@ -2903,22 +2904,23 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
1400 + table_end[0] = buffer[bufferoffset-2];
1401 + table_end[1] = buffer[bufferoffset-1];
1402 + xuint32 = bufferoffset;
1403 +- bufferoffset -= 2;
1404 +- bufferoffset += TIFFReadRawTile(
1405 ++ bufferoffset -= 2;
1406 ++ retTIFFReadRawTile= TIFFReadRawTile(
1407 + input,
1408 + tile,
1409 + (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
1410 + -1);
1411 ++ if( retTIFFReadRawTile < 0 )
1412 ++ {
1413 ++ _TIFFfree(buffer);
1414 ++ t2p->t2p_error = T2P_ERR_ERROR;
1415 ++ return(0);
1416 ++ }
1417 ++ bufferoffset += retTIFFReadRawTile;
1418 + /* Overwrite SOI marker of image scan with previously */
1419 + /* saved end of JpegTables */
1420 + buffer[xuint32-2]=table_end[0];
1421 + buffer[xuint32-1]=table_end[1];
1422 +- } else {
1423 +- bufferoffset += TIFFReadRawTile(
1424 +- input,
1425 +- tile,
1426 +- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
1427 +- -1);
1428 + }
1429 + }
1430 + t2pWriteFile(output, (tdata_t) buffer, bufferoffset);
1431 +--
1432 +2.12.0
1433 +
1434
1435 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2640.patch b/media-libs/tiff/files/tiff-4.0.7-bug2640.patch
1436 new file mode 100644
1437 index 00000000000..2569f47a54b
1438 --- /dev/null
1439 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2640.patch
1440 @@ -0,0 +1,28 @@
1441 +From 548b62fae49637b621766c721884d59a55c9a2d8 Mon Sep 17 00:00:00 2001
1442 +From: Even Rouault <even.rouault@×××××××××.com>
1443 +Date: Tue, 20 Dec 2016 17:28:17 +0000
1444 +Subject: [PATCH] * tools/tiff2pdf.c: avoid potential heap-based overflow in
1445 + t2p_readwrite_pdf_image_tile(). Fixes
1446 + http://bugzilla.maptools.org/show_bug.cgi?id=2640
1447 +
1448 +---
1449 + ChangeLog | 6 ++++++
1450 + tools/tiff2pdf.c | 4 ++--
1451 + 2 files changed, 8 insertions(+), 2 deletions(-)
1452 +
1453 +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
1454 +index 5348f1a765fe..8e4e24ef9e82 100644
1455 +--- a/tools/tiff2pdf.c
1456 ++++ b/tools/tiff2pdf.c
1457 +@@ -2895,7 +2895,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
1458 + return(0);
1459 + }
1460 + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
1461 +- if (count >= 4) {
1462 ++ if (count > 4) {
1463 + int retTIFFReadRawTile;
1464 + /* Ignore EOI marker of JpegTables */
1465 + _TIFFmemcpy(buffer, jpt, count - 2);
1466 +--
1467 +2.12.0
1468 +
1469
1470 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch b/media-libs/tiff/files/tiff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch
1471 new file mode 100644
1472 index 00000000000..6f01774b9d5
1473 --- /dev/null
1474 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2642-bug2643-bug2646-bug2647.patch
1475 @@ -0,0 +1,278 @@
1476 +From f049eba476a1ed60adc6534452ccf0022c2d1908 Mon Sep 17 00:00:00 2001
1477 +From: Even Rouault <even.rouault@×××××××××.com>
1478 +Date: Wed, 11 Jan 2017 16:09:02 +0000
1479 +Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
1480 + various clampings of double to other data types to avoid undefined behaviour
1481 + if the output range isn't big enough to hold the input value. Fixes
1482 + http://bugzilla.maptools.org/show_bug.cgi?id=2643
1483 + http://bugzilla.maptools.org/show_bug.cgi?id=2642
1484 + http://bugzilla.maptools.org/show_bug.cgi?id=2646
1485 + http://bugzilla.maptools.org/show_bug.cgi?id=2647
1486 +
1487 +---
1488 + ChangeLog | 10 ++++++
1489 + libtiff/tif_dir.c | 20 ++++++++---
1490 + libtiff/tif_dirread.c | 12 +++++--
1491 + libtiff/tif_dirwrite.c | 92 ++++++++++++++++++++++++++++++++++++++++++++------
1492 + 4 files changed, 116 insertions(+), 18 deletions(-)
1493 +
1494 +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
1495 +index 2574e748b3be..36c7ae57641a 100644
1496 +--- a/libtiff/tif_dir.c
1497 ++++ b/libtiff/tif_dir.c
1498 +@@ -31,6 +31,7 @@
1499 + * (and also some miscellaneous stuff)
1500 + */
1501 + #include "tiffiop.h"
1502 ++#include <float.h>
1503 +
1504 + /*
1505 + * These are used in the backwards compatibility code...
1506 +@@ -154,6 +155,15 @@ bad:
1507 + return (0);
1508 + }
1509 +
1510 ++static float TIFFClampDoubleToFloat( double val )
1511 ++{
1512 ++ if( val > FLT_MAX )
1513 ++ return FLT_MAX;
1514 ++ if( val < -FLT_MAX )
1515 ++ return -FLT_MAX;
1516 ++ return (float)val;
1517 ++}
1518 ++
1519 + static int
1520 + _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
1521 + {
1522 +@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
1523 + dblval = va_arg(ap, double);
1524 + if( dblval < 0 )
1525 + goto badvaluedouble;
1526 +- td->td_xresolution = (float) dblval;
1527 ++ td->td_xresolution = TIFFClampDoubleToFloat( dblval );
1528 + break;
1529 + case TIFFTAG_YRESOLUTION:
1530 + dblval = va_arg(ap, double);
1531 + if( dblval < 0 )
1532 + goto badvaluedouble;
1533 +- td->td_yresolution = (float) dblval;
1534 ++ td->td_yresolution = TIFFClampDoubleToFloat( dblval );
1535 + break;
1536 + case TIFFTAG_PLANARCONFIG:
1537 + v = (uint16) va_arg(ap, uint16_vap);
1538 +@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
1539 + td->td_planarconfig = (uint16) v;
1540 + break;
1541 + case TIFFTAG_XPOSITION:
1542 +- td->td_xposition = (float) va_arg(ap, double);
1543 ++ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
1544 + break;
1545 + case TIFFTAG_YPOSITION:
1546 +- td->td_yposition = (float) va_arg(ap, double);
1547 ++ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
1548 + break;
1549 + case TIFFTAG_RESOLUTIONUNIT:
1550 + v = (uint16) va_arg(ap, uint16_vap);
1551 +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
1552 +index eae3430612d0..f8628fd6d5d2 100644
1553 +--- a/libtiff/tif_dirread.c
1554 ++++ b/libtiff/tif_dirread.c
1555 +@@ -40,6 +40,7 @@
1556 + */
1557 +
1558 + #include "tiffiop.h"
1559 ++#include <float.h>
1560 +
1561 + #define IGNORE 0 /* tag placeholder used below */
1562 + #define FAILED_FII ((uint32) -1)
1563 +@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt
1564 + ma=(double*)origdata;
1565 + mb=data;
1566 + for (n=0; n<count; n++)
1567 +- *mb++=(float)(*ma++);
1568 ++ {
1569 ++ double val = *ma++;
1570 ++ if( val > FLT_MAX )
1571 ++ val = FLT_MAX;
1572 ++ else if( val < -FLT_MAX )
1573 ++ val = -FLT_MAX;
1574 ++ *mb++=(float)val;
1575 ++ }
1576 + }
1577 + break;
1578 + }
1579 +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
1580 +index 055324db078f..f7339685130d 100644
1581 +--- a/libtiff/tif_dirwrite.c
1582 ++++ b/libtiff/tif_dirwrite.c
1583 +@@ -30,6 +30,7 @@
1584 + * Directory Write Support Routines.
1585 + */
1586 + #include "tiffiop.h"
1587 ++#include <float.h>
1588 +
1589 + #ifdef HAVE_IEEEFP
1590 + #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
1591 +@@ -939,6 +940,69 @@ bad:
1592 + return(0);
1593 + }
1594 +
1595 ++static float TIFFClampDoubleToFloat( double val )
1596 ++{
1597 ++ if( val > FLT_MAX )
1598 ++ return FLT_MAX;
1599 ++ if( val < -FLT_MAX )
1600 ++ return -FLT_MAX;
1601 ++ return (float)val;
1602 ++}
1603 ++
1604 ++static int8 TIFFClampDoubleToInt8( double val )
1605 ++{
1606 ++ if( val > 127 )
1607 ++ return 127;
1608 ++ if( val < -128 || val != val )
1609 ++ return -128;
1610 ++ return (int8)val;
1611 ++}
1612 ++
1613 ++static int16 TIFFClampDoubleToInt16( double val )
1614 ++{
1615 ++ if( val > 32767 )
1616 ++ return 32767;
1617 ++ if( val < -32768 || val != val )
1618 ++ return -32768;
1619 ++ return (int16)val;
1620 ++}
1621 ++
1622 ++static int32 TIFFClampDoubleToInt32( double val )
1623 ++{
1624 ++ if( val > 0x7FFFFFFF )
1625 ++ return 0x7FFFFFFF;
1626 ++ if( val < -0x7FFFFFFF-1 || val != val )
1627 ++ return -0x7FFFFFFF-1;
1628 ++ return (int32)val;
1629 ++}
1630 ++
1631 ++static uint8 TIFFClampDoubleToUInt8( double val )
1632 ++{
1633 ++ if( val < 0 )
1634 ++ return 0;
1635 ++ if( val > 255 || val != val )
1636 ++ return 255;
1637 ++ return (uint8)val;
1638 ++}
1639 ++
1640 ++static uint16 TIFFClampDoubleToUInt16( double val )
1641 ++{
1642 ++ if( val < 0 )
1643 ++ return 0;
1644 ++ if( val > 65535 || val != val )
1645 ++ return 65535;
1646 ++ return (uint16)val;
1647 ++}
1648 ++
1649 ++static uint32 TIFFClampDoubleToUInt32( double val )
1650 ++{
1651 ++ if( val < 0 )
1652 ++ return 0;
1653 ++ if( val > 0xFFFFFFFFU || val != val )
1654 ++ return 0xFFFFFFFFU;
1655 ++ return (uint32)val;
1656 ++}
1657 ++
1658 + static int
1659 + TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
1660 + {
1661 +@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
1662 + if (tif->tif_dir.td_bitspersample<=32)
1663 + {
1664 + for (i = 0; i < count; ++i)
1665 +- ((float*)conv)[i] = (float)value[i];
1666 ++ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
1667 + ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
1668 + }
1669 + else
1670 +@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
1671 + if (tif->tif_dir.td_bitspersample<=8)
1672 + {
1673 + for (i = 0; i < count; ++i)
1674 +- ((int8*)conv)[i] = (int8)value[i];
1675 ++ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
1676 + ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
1677 + }
1678 + else if (tif->tif_dir.td_bitspersample<=16)
1679 + {
1680 + for (i = 0; i < count; ++i)
1681 +- ((int16*)conv)[i] = (int16)value[i];
1682 ++ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
1683 + ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
1684 + }
1685 + else
1686 + {
1687 + for (i = 0; i < count; ++i)
1688 +- ((int32*)conv)[i] = (int32)value[i];
1689 ++ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
1690 + ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
1691 + }
1692 + break;
1693 +@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
1694 + if (tif->tif_dir.td_bitspersample<=8)
1695 + {
1696 + for (i = 0; i < count; ++i)
1697 +- ((uint8*)conv)[i] = (uint8)value[i];
1698 ++ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
1699 + ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
1700 + }
1701 + else if (tif->tif_dir.td_bitspersample<=16)
1702 + {
1703 + for (i = 0; i < count; ++i)
1704 +- ((uint16*)conv)[i] = (uint16)value[i];
1705 ++ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
1706 + ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
1707 + }
1708 + else
1709 + {
1710 + for (i = 0; i < count; ++i)
1711 +- ((uint32*)conv)[i] = (uint32)value[i];
1712 ++ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
1713 + ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
1714 + }
1715 + break;
1716 +@@ -2102,12 +2166,17 @@ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir,
1717 + TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
1718 + return 0;
1719 + }
1720 ++ else if( value != value )
1721 ++ {
1722 ++ TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
1723 ++ return 0;
1724 ++ }
1725 + else if (value==0.0)
1726 + {
1727 + m[0]=0;
1728 + m[1]=1;
1729 + }
1730 +- else if (value==(double)(uint32)value)
1731 ++ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
1732 + {
1733 + m[0]=(uint32)value;
1734 + m[1]=1;
1735 +@@ -2148,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArray(TIFF* tif, uint32* ndir, TIFFDirEntry*
1736 + }
1737 + for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
1738 + {
1739 +- if (*na<=0.0)
1740 ++ if (*na<=0.0 || *na != *na)
1741 + {
1742 + nb[0]=0;
1743 + nb[1]=1;
1744 + }
1745 +- else if (*na==(float)(uint32)(*na))
1746 ++ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
1747 ++ *na==(float)(uint32)(*na))
1748 + {
1749 + nb[0]=(uint32)(*na);
1750 + nb[1]=1;
1751 +--
1752 +2.12.0
1753 +
1754
1755 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2644.patch b/media-libs/tiff/files/tiff-4.0.7-bug2644.patch
1756 new file mode 100644
1757 index 00000000000..b4ec01a3217
1758 --- /dev/null
1759 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2644.patch
1760 @@ -0,0 +1,45 @@
1761 +From 699097af4e22e48fc78ae7ae02807ec37f0d31fe Mon Sep 17 00:00:00 2001
1762 +From: Even Rouault <even.rouault@×××××××××.com>
1763 +Date: Wed, 11 Jan 2017 13:28:01 +0000
1764 +Subject: [PATCH] * libtiff/tif_dirread.c: avoid division by floating point 0
1765 + in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
1766 + and return 0 in that case (instead of infinity as before presumably)
1767 + Apparently some sanitizers do not like those divisions by zero. Fixes
1768 + http://bugzilla.maptools.org/show_bug.cgi?id=2644
1769 +
1770 +---
1771 + ChangeLog | 8 ++++++++
1772 + libtiff/tif_dirread.c | 12 +++++++++---
1773 + 2 files changed, 17 insertions(+), 3 deletions(-)
1774 +
1775 +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
1776 +index f2905286c0d0..eae3430612d0 100644
1777 +--- a/libtiff/tif_dirread.c
1778 ++++ b/libtiff/tif_dirread.c
1779 +@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD
1780 + m.l = direntry->tdir_offset.toff_long8;
1781 + if (tif->tif_flags&TIFF_SWAB)
1782 + TIFFSwabArrayOfLong(m.i,2);
1783 +- if (m.i[0]==0)
1784 ++ /* Not completely sure what we should do when m.i[1]==0, but some */
1785 ++ /* sanitizers do not like division by 0.0: */
1786 ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
1787 ++ if (m.i[0]==0 || m.i[1]==0)
1788 + *value=0.0;
1789 + else
1790 + *value=(double)m.i[0]/(double)m.i[1];
1791 +@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF
1792 + m.l=direntry->tdir_offset.toff_long8;
1793 + if (tif->tif_flags&TIFF_SWAB)
1794 + TIFFSwabArrayOfLong(m.i,2);
1795 +- if ((int32)m.i[0]==0)
1796 ++ /* Not completely sure what we should do when m.i[1]==0, but some */
1797 ++ /* sanitizers do not like division by 0.0: */
1798 ++ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
1799 ++ if ((int32)m.i[0]==0 || m.i[1]==0)
1800 + *value=0.0;
1801 + else
1802 + *value=(double)((int32)m.i[0])/(double)m.i[1];
1803 +--
1804 +2.12.0
1805 +
1806
1807 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2648.patch b/media-libs/tiff/files/tiff-4.0.7-bug2648.patch
1808 new file mode 100644
1809 index 00000000000..a3e2f59dc27
1810 --- /dev/null
1811 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2648.patch
1812 @@ -0,0 +1,33 @@
1813 +From 569ffefa61f3237fa2221730621c869216c465a6 Mon Sep 17 00:00:00 2001
1814 +From: Even Rouault <even.rouault@×××××××××.com>
1815 +Date: Wed, 11 Jan 2017 16:13:50 +0000
1816 +Subject: [PATCH] * libtiff/tif_jpeg.c: validate BitsPerSample in
1817 + JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
1818 + exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648
1819 +
1820 +---
1821 + ChangeLog | 6 ++++++
1822 + libtiff/tif_jpeg.c | 9 ++++++++-
1823 + 2 files changed, 14 insertions(+), 1 deletion(-)
1824 +
1825 +diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
1826 +index 09ef4949f9ee..e45e2a4e17f8 100644
1827 +--- a/libtiff/tif_jpeg.c
1828 ++++ b/libtiff/tif_jpeg.c
1829 +@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
1830 + "Invalig horizontal/vertical sampling value");
1831 + return (0);
1832 + }
1833 ++ if( td->td_bitspersample > 16 )
1834 ++ {
1835 ++ TIFFErrorExt(tif->tif_clientdata, module,
1836 ++ "BitsPerSample %d not allowed for JPEG",
1837 ++ td->td_bitspersample);
1838 ++ return (0);
1839 ++ }
1840 +
1841 + /*
1842 + * A ReferenceBlackWhite field *must* be present since the
1843 +--
1844 +2.12.0
1845 +
1846
1847 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch b/media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch
1848 new file mode 100644
1849 index 00000000000..eba5b8f50ba
1850 --- /dev/null
1851 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2650-2.patch
1852 @@ -0,0 +1,26 @@
1853 +From 08e5d199b0a1c80fc81a1cc718e5d9d019517e37 Mon Sep 17 00:00:00 2001
1854 +From: Even Rouault <even.rouault@×××××××××.com>
1855 +Date: Wed, 11 Jan 2017 17:48:11 +0000
1856 +Subject: [PATCH] Initialize variable to fix MSVC warning (caused by previous
1857 + commit)
1858 +
1859 +---
1860 + libtiff/tif_read.c | 4 ++--
1861 + 1 file changed, 2 insertions(+), 2 deletions(-)
1862 +
1863 +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
1864 +index 8c5af6a8f5f7..b2edb029a90c 100644
1865 +--- a/libtiff/tif_read.c
1866 ++++ b/libtiff/tif_read.c
1867 +@@ -420,7 +420,7 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
1868 + return ((tmsize_t)(-1));
1869 + }
1870 + } else {
1871 +- tmsize_t ma;
1872 ++ tmsize_t ma = 0;
1873 + tmsize_t n;
1874 + if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
1875 + ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
1876 +--
1877 +2.12.0
1878 +
1879
1880 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2650.patch b/media-libs/tiff/files/tiff-4.0.7-bug2650.patch
1881 new file mode 100644
1882 index 00000000000..2aac26987d5
1883 --- /dev/null
1884 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2650.patch
1885 @@ -0,0 +1,54 @@
1886 +From 5368b55d0f88a34ede3d21782d3142b2e11e6eb9 Mon Sep 17 00:00:00 2001
1887 +From: Even Rouault <even.rouault@×××××××××.com>
1888 +Date: Wed, 11 Jan 2017 16:33:34 +0000
1889 +Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
1890 + signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
1891 + http://bugzilla.maptools.org/show_bug.cgi?id=2650
1892 +
1893 +---
1894 + ChangeLog | 6 ++++++
1895 + libtiff/tif_read.c | 29 +++++++++++++++++++----------
1896 + 2 files changed, 25 insertions(+), 10 deletions(-)
1897 +
1898 +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
1899 +index 29a311db0cb7..8c5af6a8f5f7 100644
1900 +--- a/libtiff/tif_read.c
1901 ++++ b/libtiff/tif_read.c
1902 +@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
1903 + return ((tmsize_t)(-1));
1904 + }
1905 + } else {
1906 +- tmsize_t ma,mb;
1907 ++ tmsize_t ma;
1908 + tmsize_t n;
1909 +- ma=(tmsize_t)td->td_stripoffset[strip];
1910 +- mb=ma+size;
1911 +- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
1912 +- n=0;
1913 +- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
1914 +- n=tif->tif_size-ma;
1915 +- else
1916 +- n=size;
1917 ++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
1918 ++ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
1919 ++ {
1920 ++ n=0;
1921 ++ }
1922 ++ else if( ma > TIFF_TMSIZE_T_MAX - size )
1923 ++ {
1924 ++ n=0;
1925 ++ }
1926 ++ else
1927 ++ {
1928 ++ tmsize_t mb=ma+size;
1929 ++ if (mb>tif->tif_size)
1930 ++ n=tif->tif_size-ma;
1931 ++ else
1932 ++ n=size;
1933 ++ }
1934 + if (n!=size) {
1935 + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
1936 + TIFFErrorExt(tif->tif_clientdata, module,
1937 +--
1938 +2.12.0
1939 +
1940
1941 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2651.patch b/media-libs/tiff/files/tiff-4.0.7-bug2651.patch
1942 new file mode 100644
1943 index 00000000000..1b800189c59
1944 --- /dev/null
1945 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2651.patch
1946 @@ -0,0 +1,86 @@
1947 +From 669faf71833c4c2e72774b2e732ca4d28b149c83 Mon Sep 17 00:00:00 2001
1948 +From: Even Rouault <even.rouault@×××××××××.com>
1949 +Date: Wed, 11 Jan 2017 19:02:49 +0000
1950 +Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
1951 + _TIFFcalloc()
1952 +
1953 +* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
1954 +initialize tif_rawdata.
1955 +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
1956 +---
1957 + ChangeLog | 8 ++++++++
1958 + libtiff/tif_read.c | 6 ++++--
1959 + libtiff/tif_unix.c | 10 +++++++++-
1960 + libtiff/tif_vms.c | 10 +++++++++-
1961 + libtiff/tif_win32.c | 10 +++++++++-
1962 + libtiff/tiffio.h | 3 ++-
1963 + 6 files changed, 41 insertions(+), 6 deletions(-)
1964 +
1965 +diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
1966 +index b2edb029a90c..6a8c7daf3dfa 100644
1967 +--- a/libtiff/tif_read.c
1968 ++++ b/libtiff/tif_read.c
1969 +@@ -985,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
1970 + "Invalid buffer size");
1971 + return (0);
1972 + }
1973 +- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
1974 ++ /* Initialize to zero to avoid uninitialized buffers in case of */
1975 ++ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
1976 ++ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
1977 + tif->tif_flags |= TIFF_MYBUFFER;
1978 + }
1979 + if (tif->tif_rawdata == NULL) {
1980 +diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
1981 +index 81e9d6653c2a..80c437cfa37a 100644
1982 +--- a/libtiff/tif_unix.c
1983 ++++ b/libtiff/tif_unix.c
1984 +@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
1985 + return (malloc((size_t) s));
1986 + }
1987 +
1988 ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
1989 ++{
1990 ++ if( nmemb == 0 || siz == 0 )
1991 ++ return ((void *) NULL);
1992 ++
1993 ++ return calloc((size_t) nmemb, (size_t)siz);
1994 ++}
1995 ++
1996 + void
1997 + _TIFFfree(void* p)
1998 + {
1999 +diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
2000 +index 24b824f1bd56..090baed87135 100644
2001 +--- a/libtiff/tif_win32.c
2002 ++++ b/libtiff/tif_win32.c
2003 +@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
2004 + return (malloc((size_t) s));
2005 + }
2006 +
2007 ++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
2008 ++{
2009 ++ if( nmemb == 0 || siz == 0 )
2010 ++ return ((void *) NULL);
2011 ++
2012 ++ return calloc((size_t) nmemb, (size_t)siz);
2013 ++}
2014 ++
2015 + void
2016 + _TIFFfree(void* p)
2017 + {
2018 +diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
2019 +index 6e508181dbce..ef61b5c06a03 100644
2020 +--- a/libtiff/tiffio.h
2021 ++++ b/libtiff/tiffio.h
2022 +@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
2023 + */
2024 +
2025 + extern void* _TIFFmalloc(tmsize_t s);
2026 ++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
2027 + extern void* _TIFFrealloc(void* p, tmsize_t s);
2028 + extern void _TIFFmemset(void* p, int v, tmsize_t c);
2029 + extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
2030 +--
2031 +2.12.0
2032 +
2033
2034 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2653.patch b/media-libs/tiff/files/tiff-4.0.7-bug2653.patch
2035 new file mode 100644
2036 index 00000000000..b65a94daeac
2037 --- /dev/null
2038 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2653.patch
2039 @@ -0,0 +1,33 @@
2040 +From 5083c41f3a6824f392adf3a6dce1548afded4211 Mon Sep 17 00:00:00 2001
2041 +From: Even Rouault <even.rouault@×××××××××.com>
2042 +Date: Wed, 11 Jan 2017 12:15:01 +0000
2043 +Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in
2044 + JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
2045 + http://bugzilla.maptools.org/show_bug.cgi?id=2653
2046 +
2047 +---
2048 + ChangeLog | 6 ++++++
2049 + libtiff/tif_jpeg.c | 9 ++++++++-
2050 + 2 files changed, 14 insertions(+), 1 deletion(-)
2051 +
2052 +diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
2053 +index dc4364c821a4..09ef4949f9ee 100644
2054 +--- a/libtiff/tif_jpeg.c
2055 ++++ b/libtiff/tif_jpeg.c
2056 +@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)
2057 + case PHOTOMETRIC_YCBCR:
2058 + sp->h_sampling = td->td_ycbcrsubsampling[0];
2059 + sp->v_sampling = td->td_ycbcrsubsampling[1];
2060 ++ if( sp->h_sampling == 0 || sp->v_sampling == 0 )
2061 ++ {
2062 ++ TIFFErrorExt(tif->tif_clientdata, module,
2063 ++ "Invalig horizontal/vertical sampling value");
2064 ++ return (0);
2065 ++ }
2066 ++
2067 + /*
2068 + * A ReferenceBlackWhite field *must* be present since the
2069 + * default value is inappropriate for YCbCr. Fill in the
2070 +--
2071 +2.12.0
2072 +
2073
2074 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2658.patch b/media-libs/tiff/files/tiff-4.0.7-bug2658.patch
2075 new file mode 100644
2076 index 00000000000..9f2bb6a50ee
2077 --- /dev/null
2078 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2658.patch
2079 @@ -0,0 +1,33 @@
2080 +From 928f0b0b2881ac32b32d9e165e88e3c9aed0fb9c Mon Sep 17 00:00:00 2001
2081 +From: Even Rouault <even.rouault@×××××××××.com>
2082 +Date: Wed, 11 Jan 2017 16:38:26 +0000
2083 +Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fgetimage.c:=20add=20explicit?=
2084 + =?UTF-8?q?=20uint32=20cast=20in=20putagreytile=20to=20avoid=20UndefinedBe?=
2085 + =?UTF-8?q?haviorSanitizer=20warning.=20Patch=20by=20Nicol=C3=A1s=20Pe?=
2086 + =?UTF-8?q?=C3=B1a.=20Fixes=20http://bugzilla.maptools.org/show=5Fbug.cgi?=
2087 + =?UTF-8?q?=3Fid=3D2658?=
2088 +MIME-Version: 1.0
2089 +Content-Type: text/plain; charset=UTF-8
2090 +Content-Transfer-Encoding: 8bit
2091 +
2092 +---
2093 + ChangeLog | 7 +++++++
2094 + libtiff/tif_getimage.c | 4 ++--
2095 + 2 files changed, 9 insertions(+), 2 deletions(-)
2096 +
2097 +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
2098 +index 2ea838556732..52a2402f7171 100644
2099 +--- a/libtiff/tif_getimage.c
2100 ++++ b/libtiff/tif_getimage.c
2101 +@@ -1302,7 +1302,7 @@ DECLAREContigPutFunc(putagreytile)
2102 + while (h-- > 0) {
2103 + for (x = w; x-- > 0;)
2104 + {
2105 +- *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
2106 ++ *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
2107 + pp += samplesperpixel;
2108 + }
2109 + cp += toskew;
2110 +--
2111 +2.12.0
2112 +
2113
2114 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch b/media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch
2115 new file mode 100644
2116 index 00000000000..539536fe4ff
2117 --- /dev/null
2118 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2659-2.patch
2119 @@ -0,0 +1,41 @@
2120 +From 41236c5f744eaa691e23e55f5a5dd556a65e211e Mon Sep 17 00:00:00 2001
2121 +From: Even Rouault <even.rouault@×××××××××.com>
2122 +Date: Thu, 12 Jan 2017 19:23:20 +0000
2123 +Subject: [PATCH] * libtiff/tif_ojpeg.c: fix leak in
2124 + OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and
2125 + OJPEGReadHeaderInfoSecTablesAcTable
2126 +
2127 +---
2128 + ChangeLog | 3 ++-
2129 + libtiff/tif_ojpeg.c | 8 +++++++-
2130 + 2 files changed, 9 insertions(+), 2 deletions(-)
2131 +
2132 +diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
2133 +index ac70d1b14c4f..bd4cff5d8921 100644
2134 +--- a/libtiff/tif_ojpeg.c
2135 ++++ b/libtiff/tif_ojpeg.c
2136 +@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
2137 + TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
2138 + p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
2139 + if (p!=64)
2140 ++ {
2141 ++ _TIFFfree(ob);
2142 + return(0);
2143 ++ }
2144 + sp->qtable[m]=ob;
2145 + sp->sof_tq[m]=m;
2146 + }
2147 +@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
2148 + rb[sizeof(uint32)+5+n]=o[n];
2149 + p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
2150 + if (p!=q)
2151 ++ {
2152 ++ _TIFFfree(rb);
2153 + return(0);
2154 ++ }
2155 + sp->dctable[m]=rb;
2156 + sp->sos_tda[m]=(m<<4);
2157 + }
2158 +--
2159 +2.12.0
2160 +
2161
2162 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2659.patch b/media-libs/tiff/files/tiff-4.0.7-bug2659.patch
2163 new file mode 100644
2164 index 00000000000..8afab46b888
2165 --- /dev/null
2166 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2659.patch
2167 @@ -0,0 +1,34 @@
2168 +From 7c501dbfb5315f31798f9123026210260cbe7432 Mon Sep 17 00:00:00 2001
2169 +From: Even Rouault <even.rouault@×××××××××.com>
2170 +Date: Thu, 12 Jan 2017 17:43:25 +0000
2171 +Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fojpeg.c:=20fix=20leak=20in=20?=
2172 + =?UTF-8?q?OJPEGReadHeaderInfoSecTablesAcTable=20when=20read=20fails.=20Pa?=
2173 + =?UTF-8?q?tch=20by=20Nicol=C3=A1s=20Pe=C3=B1a.=20Fixes=20http://bugzilla.?=
2174 + =?UTF-8?q?maptools.org/show=5Fbug.cgi=3Fid=3D2659?=
2175 +MIME-Version: 1.0
2176 +Content-Type: text/plain; charset=UTF-8
2177 +Content-Transfer-Encoding: 8bit
2178 +
2179 +---
2180 + ChangeLog | 7 +++++++
2181 + libtiff/tif_ojpeg.c | 5 ++++-
2182 + 2 files changed, 11 insertions(+), 1 deletion(-)
2183 +
2184 +diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
2185 +index 93839d8f3e11..ac70d1b14c4f 100644
2186 +--- a/libtiff/tif_ojpeg.c
2187 ++++ b/libtiff/tif_ojpeg.c
2188 +@@ -1918,7 +1918,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
2189 + rb[sizeof(uint32)+5+n]=o[n];
2190 + p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
2191 + if (p!=q)
2192 ++ {
2193 ++ _TIFFfree(rb);
2194 + return(0);
2195 ++ }
2196 + sp->actable[m]=rb;
2197 + sp->sos_tda[m]=(sp->sos_tda[m]|m);
2198 + }
2199 +--
2200 +2.12.0
2201 +
2202
2203 diff --git a/media-libs/tiff/files/tiff-4.0.7-bug2665.patch b/media-libs/tiff/files/tiff-4.0.7-bug2665.patch
2204 new file mode 100644
2205 index 00000000000..020adca8e7a
2206 --- /dev/null
2207 +++ b/media-libs/tiff/files/tiff-4.0.7-bug2665.patch
2208 @@ -0,0 +1,43 @@
2209 +From e345ce2ad81c85eb8e469b7b959067b2681957ca Mon Sep 17 00:00:00 2001
2210 +From: Even Rouault <even.rouault@×××××××××.com>
2211 +Date: Sat, 18 Feb 2017 20:30:26 +0000
2212 +Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fpixarlog.c:=20fix=20memory=20?=
2213 + =?UTF-8?q?leak=20in=20error=20code=20path=20of=20PixarLogSetupDecode().?=
2214 + =?UTF-8?q?=20Patch=20by=20Nicol=C3=A1s=20Pe=C3=B1a.=20Fixes=20http://bugz?=
2215 + =?UTF-8?q?illa.maptools.org/show=5Fbug.cgi=3Fid=3D2665?=
2216 +MIME-Version: 1.0
2217 +Content-Type: text/plain; charset=UTF-8
2218 +Content-Transfer-Encoding: 8bit
2219 +
2220 +---
2221 + ChangeLog | 6 ++++++
2222 + libtiff/tif_pixarlog.c | 8 +++++++-
2223 + 2 files changed, 13 insertions(+), 1 deletion(-)
2224 +
2225 +diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
2226 +index 9836dce63450..972ee75e0324 100644
2227 +--- a/libtiff/tif_pixarlog.c
2228 ++++ b/libtiff/tif_pixarlog.c
2229 +@@ -699,6 +699,9 @@ PixarLogSetupDecode(TIFF* tif)
2230 + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
2231 + sp->user_datafmt = PixarLogGuessDataFmt(td);
2232 + if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
2233 ++ _TIFFfree(sp->tbuf);
2234 ++ sp->tbuf = NULL;
2235 ++ sp->tbuf_size = 0;
2236 + TIFFErrorExt(tif->tif_clientdata, module,
2237 + "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
2238 + td->td_bitspersample);
2239 +@@ -706,6 +709,9 @@ PixarLogSetupDecode(TIFF* tif)
2240 + }
2241 +
2242 + if (inflateInit(&sp->stream) != Z_OK) {
2243 ++ _TIFFfree(sp->tbuf);
2244 ++ sp->tbuf = NULL;
2245 ++ sp->tbuf_size = 0;
2246 + TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg ? sp->stream.msg : "(null)");
2247 + return (0);
2248 + } else {
2249 +--
2250 +2.12.0
2251 +
2252
2253 diff --git a/media-libs/tiff/files/tiff-4.0.7-hylafax-hack.patch b/media-libs/tiff/files/tiff-4.0.7-hylafax-hack.patch
2254 new file mode 100644
2255 index 00000000000..69158200ac7
2256 --- /dev/null
2257 +++ b/media-libs/tiff/files/tiff-4.0.7-hylafax-hack.patch
2258 @@ -0,0 +1,38 @@
2259 +https://bugs.gentoo.org/612172
2260 +
2261 +From 96bb01f5d834e0b01c0231768c43b8d309aede34 Mon Sep 17 00:00:00 2001
2262 +From: Even Rouault <even.rouault@×××××××××.com>
2263 +Date: Tue, 13 Dec 2016 18:15:48 +0000
2264 +Subject: [PATCH] * libtiff/tif_fax3.h: revert change done on 2016-01-09 that
2265 + made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the
2266 + binary. It happens that the Hylafax software uses the tables that follow this
2267 + typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), also they
2268 + are not in a public libtiff header. Raised by Lee Howard. Fixes
2269 + http://bugzilla.maptools.org/show_bug.cgi?id=2636
2270 +
2271 +---
2272 + ChangeLog | 10 ++++++++++
2273 + libtiff/tif_fax3.h | 6 ++++--
2274 + 2 files changed, 14 insertions(+), 2 deletions(-)
2275 +
2276 +diff --git a/libtiff/tif_fax3.h b/libtiff/tif_fax3.h
2277 +index e0b2ca6bfc9d..45ce43f1cf2e 100644
2278 +--- a/libtiff/tif_fax3.h
2279 ++++ b/libtiff/tif_fax3.h
2280 +@@ -81,10 +81,12 @@ extern void _TIFFFax3fillruns(unsigned char*, uint32*, uint32*, uint32);
2281 + #define S_MakeUp 11
2282 + #define S_EOL 12
2283 +
2284 ++/* WARNING: do not change the layout of this structure as the Halyfax software */
2285 ++/* really depends on it. See http://bugzilla.maptools.org/show_bug.cgi?id=2636 */
2286 + typedef struct { /* state table entry */
2287 + unsigned char State; /* see above */
2288 + unsigned char Width; /* width of code in bits */
2289 +- uint16 Param; /* unsigned 16-bit run length in bits */
2290 ++ uint32 Param; /* unsigned 32-bit run length in bits (holds on 16 bit actually, but cannot be changed. See above warning) */
2291 + } TIFFFaxTabEnt;
2292 +
2293 + extern const TIFFFaxTabEnt TIFFFaxMainTable[];
2294 +--
2295 +2.12.0
2296 +
2297
2298 diff --git a/media-libs/tiff/tiff-4.0.7-r1.ebuild b/media-libs/tiff/tiff-4.0.7-r1.ebuild
2299 new file mode 100644
2300 index 00000000000..ca37cb0af05
2301 --- /dev/null
2302 +++ b/media-libs/tiff/tiff-4.0.7-r1.ebuild
2303 @@ -0,0 +1,112 @@
2304 +# Copyright 1999-2017 Gentoo Foundation
2305 +# Distributed under the terms of the GNU General Public License v2
2306 +
2307 +EAPI="6"
2308 +inherit autotools eutils libtool multilib-minimal
2309 +
2310 +DESCRIPTION="Tag Image File Format (TIFF) library"
2311 +HOMEPAGE="http://libtiff.maptools.org"
2312 +SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz
2313 + ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
2314 +
2315 +LICENSE="libtiff"
2316 +SLOT="0"
2317 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris"
2318 +IUSE="+cxx jbig jpeg lzma static-libs test zlib"
2319 +
2320 +RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
2321 + jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
2322 + lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] )
2323 + zlib? ( >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] )
2324 + abi_x86_32? (
2325 + !<=app-emulation/emul-linux-x86-baselibs-20130224-r9
2326 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
2327 + )"
2328 +DEPEND="${RDEPEND}"
2329 +
2330 +REQUIRED_USE="test? ( jpeg )" #483132
2331 +
2332 +PATCHES=(
2333 + "${FILESDIR}"/${P}-CVE-2016-10266.patch
2334 + "${FILESDIR}"/${P}-bug2598.patch
2335 + "${FILESDIR}"/${P}-bug2604.patch
2336 + "${FILESDIR}"/${P}-bug2608.patch
2337 + "${FILESDIR}"/${P}-CVE-2016-10267.patch
2338 + "${FILESDIR}"/${P}-bug2620.patch
2339 + "${FILESDIR}"/${P}-bug2621.patch
2340 + "${FILESDIR}"/${P}-bug2619.patch
2341 + "${FILESDIR}"/${P}-bug2594.patch
2342 + "${FILESDIR}"/${P}-bug2597.patch
2343 + "${FILESDIR}"/${P}-bug2599.patch
2344 + "${FILESDIR}"/${P}-bug2607.patch
2345 + "${FILESDIR}"/${P}-bug2610.patch
2346 + "${FILESDIR}"/${P}-bug2605.patch
2347 + "${FILESDIR}"/${P}-hylafax-hack.patch #612172
2348 + "${FILESDIR}"/${P}-bug2633-bug2634.patch
2349 + "${FILESDIR}"/${P}-bug2635.patch
2350 + "${FILESDIR}"/${P}-bug2627.patch
2351 + "${FILESDIR}"/${P}-bug2638.patch
2352 + "${FILESDIR}"/${P}-bug2639.patch
2353 + "${FILESDIR}"/${P}-bug2640.patch
2354 + "${FILESDIR}"/${P}-bug2653.patch
2355 + "${FILESDIR}"/${P}-bug2535.patch
2356 + "${FILESDIR}"/${P}-bug2644.patch
2357 + "${FILESDIR}"/${P}-bug2642-bug2643-bug2646-bug2647.patch
2358 + "${FILESDIR}"/${P}-bug2648.patch
2359 + "${FILESDIR}"/${P}-bug2650.patch
2360 + "${FILESDIR}"/${P}-bug2658.patch
2361 + "${FILESDIR}"/${P}-bug2650-2.patch
2362 + "${FILESDIR}"/${P}-bug2651.patch
2363 + "${FILESDIR}"/${P}-CVE-2017-5225.patch #610330
2364 + "${FILESDIR}"/${P}-bug2130.patch
2365 + "${FILESDIR}"/${P}-bug2659.patch
2366 + "${FILESDIR}"/${P}-bug2659-2.patch
2367 + "${FILESDIR}"/${P}-bug2631.patch
2368 + "${FILESDIR}"/${P}-bug2665.patch
2369 +)
2370 +
2371 +MULTILIB_WRAPPED_HEADERS=(
2372 + /usr/include/tiffconf.h
2373 +)
2374 +
2375 +src_prepare() {
2376 + default
2377 +
2378 + # tiffcp-thumbnail.sh fails as thumbnail binary doesn't get built anymore since tiff-4.0.7
2379 + sed '/tiffcp-thumbnail\.sh/d' -i test/Makefile.am || die
2380 +
2381 + eautoreconf
2382 +}
2383 +
2384 +multilib_src_configure() {
2385 + ECONF_SOURCE="${S}" econf \
2386 + $(use_enable static-libs static) \
2387 + $(use_enable zlib) \
2388 + $(use_enable jpeg) \
2389 + $(use_enable jbig) \
2390 + $(use_enable lzma) \
2391 + $(use_enable cxx) \
2392 + --without-x
2393 +
2394 + # remove useless subdirs
2395 + if ! multilib_is_native_abi ; then
2396 + sed -i \
2397 + -e 's/ tools//' \
2398 + -e 's/ contrib//' \
2399 + -e 's/ man//' \
2400 + -e 's/ html//' \
2401 + Makefile || die
2402 + fi
2403 +}
2404 +
2405 +multilib_src_test() {
2406 + if ! multilib_is_native_abi ; then
2407 + emake -C tools
2408 + fi
2409 + emake check
2410 +}
2411 +
2412 +multilib_src_install_all() {
2413 + prune_libtool_files --all
2414 + rm -f "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION}
2415 +}
Report Message
Find on MARC Find on Google Groups