new file mode 100644

@@ -0,0 +1,45 @@

+--- a/libtiff/tif_getimage.c	2016-09-22 14:12:27.736377724 -0700

+@@ -1822,10 +1822,10 @@

+     (void) y;

+     /* adjust fromskew */

+     fromskew = (fromskew * 18) / 4;

+-    if ((h & 3) == 0 && (w & 3) == 0) {				        

++    if ((w & 3) == 0 && (h & 1) == 0) {				        

+         for (; h >= 4; h -= 4) {

+             x = w>>2;

+-            do {

++			while(x>0) {

+                 int32 Cb = pp[16];

+                 int32 Cr = pp[17];

+ 

+@@ -1848,7 +1848,8 @@

+ 

+                 cp += 4, cp1 += 4, cp2 += 4, cp3 += 4;

+                 pp += 18;

+-            } while (--x);

++           		x--;

++				}

+             cp += incr, cp1 += incr, cp2 += incr, cp3 += incr;

+             pp += fromskew;

+         }

+@@ -2094,7 +2095,7 @@

+ {

+ 	(void) y;

+ 	fromskew = (fromskew * 4) / 2;

+-	do {

++	while(x>0) {

+ 		x = w>>1;

+ 		while(x>0) {

+ 			int32 Cb = pp[2];

+@@ -2121,7 +2122,8 @@

+ 

+ 		cp += toskew;

+ 		pp += fromskew;

+-	} while (--h);

++		x --;

++	}

+ }

+ 

+ /*

+

new file mode 100644

@@ -0,0 +1,22 @@

+diff tools/tiffsplit.c tools/tiffsplit.c

+--- tiff-4.0.6/tools/tiffsplit.c	2015-08-28 15:17:08.392793517 -0700

+@@ -179,7 +179,8 @@

+ 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);

+ 		}

+ 	}

+-        CopyField(TIFFTAG_PHOTOMETRIC, shortv);

++	uint32 count = 0;

++    CopyField2(TIFFTAG_PREDICTOR, count, shortv);

+ 	CopyField(TIFFTAG_PREDICTOR, shortv);

+ 	CopyField(TIFFTAG_THRESHHOLDING, shortv);

+ 	CopyField(TIFFTAG_FILLORDER, shortv);

+@@ -188,7 +189,7 @@

+ 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);

+ 	CopyField(TIFFTAG_XRESOLUTION, floatv);

+ 	CopyField(TIFFTAG_YRESOLUTION, floatv);

+-	CopyField(TIFFTAG_GROUP3OPTIONS, longv);

++	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);

+ 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);

+ 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);

+ 	CopyField(TIFFTAG_PLANARCONFIG, shortv);

new file mode 100644

@@ -0,0 +1,48 @@

+diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c

+index 376f4e6..c747c13 100644

+--- a/tools/bmp2tiff.c

+@@ -648,27 +648,26 @@

+ 			    || info_hdr.iCompression == BMPC_RLE4 ) {

+ 			uint32		i, j, k, runlength;

+ 			uint32		compr_size, uncompr_size;

++			uint32      bits = 0;

+ 			unsigned char   *comprbuf;

+ 			unsigned char   *uncomprbuf;

+ 

+ 			compr_size = file_hdr.iSize - file_hdr.iOffBits;

+-			uncompr_size = width * length;

+-                        /* Detect int overflow */

+-                        if( uncompr_size / width != length ) {

+-                                TIFFError(infilename,

+-                                          "Invalid dimensions of BMP file" );

+-                                close(fd);

+-                                return -1;

+-                        }

+-                        if ( (compr_size == 0) ||

+-                             (compr_size > ((uint32) ~0) >> 1) ||

+-                             (uncompr_size == 0) ||

+-                             (uncompr_size > ((uint32) ~0) >> 1) ) {

+-                                TIFFError(infilename,

+-                                          "Invalid dimensions of BMP file" );

+-                                close(fd);

+-                                return -1;  

+-                        }

++			bits = info_hdr.iBitCount;

++

++			if (bits > 8) // bit depth is > 8bit, adjust size

++			{

++				uncompr_size = width * length * (bits / 8);

++				/* Detect int overflow */

++				if (uncompr_size / width / (bits / 8) != length) {

++					TIFFError(infilename,

++							   "Invalid dimensions of BMP file");

++					close(fd);

++					return -1;

++				}

++			}

++			else

++				uncompr_size = width * length;

+ 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );

+ 			if (!comprbuf) {

+ 				TIFFError(infilename,

new file mode 100644

@@ -0,0 +1,100 @@

+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c

+index cdeff08..261aad6 100644

+--- a/libtiff/tif_getimage.c

+@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])

+ 				    "Planarconfiguration", td->td_planarconfig);

+ 				return (0);

+ 			}

+-			if( td->td_samplesperpixel != 3 )

++			if( td->td_samplesperpixel != 3 || colorchannels != 3 )

+             {

+                 sprintf(emsg,

+-                        "Sorry, can not handle image with %s=%d",

+-                        "Samples/pixel", td->td_samplesperpixel);

++                        "Sorry, can not handle image with %s=%d, %s=%d",

++                        "Samples/pixel", td->td_samplesperpixel,

++                        "colorchannels", colorchannels);

+                 return 0;

+             }

+ 			break;

+ 		case PHOTOMETRIC_CIELAB:

+-            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )

++            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )

+             {

+                 sprintf(emsg,

+-                        "Sorry, can not handle image with %s=%d and %s=%d",

++                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",

+                         "Samples/pixel", td->td_samplesperpixel,

++                        "colorchannels", colorchannels,

+                         "Bits/sample", td->td_bitspersample);

+                 return 0;

+             }

+@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, TIFF* tif, int stop, char emsg[1024])

+ 	int colorchannels;

+ 	uint16 *red_orig, *green_orig, *blue_orig;

+ 	int n_color;

++	

++	if( !TIFFRGBAImageOK(tif, emsg) )

++		return 0;

+ 

+ 	/* Initialize to normal values */

+ 	img->row_offset = 0;

+@@ -2509,29 +2514,33 @@ PickContigCase(TIFFRGBAImage* img)

+ 		case PHOTOMETRIC_RGB:

+ 			switch (img->bitspersample) {

+ 				case 8:

+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)

++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&

++						img->samplesperpixel >= 4)

+ 						img->put.contig = putRGBAAcontig8bittile;

+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)

++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&

++							 img->samplesperpixel >= 4)

+ 					{

+ 						if (BuildMapUaToAa(img))

+ 							img->put.contig = putRGBUAcontig8bittile;

+ 					}

+-					else

++					else if( img->samplesperpixel >= 3 )

+ 						img->put.contig = putRGBcontig8bittile;

+ 					break;

+ 				case 16:

+-					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)

++					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&

++						img->samplesperpixel >=4 )

+ 					{

+ 						if (BuildMapBitdepth16To8(img))

+ 							img->put.contig = putRGBAAcontig16bittile;

+ 					}

+-					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)

++					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&

++							 img->samplesperpixel >=4 )

+ 					{

+ 						if (BuildMapBitdepth16To8(img) &&

+ 						    BuildMapUaToAa(img))

+ 							img->put.contig = putRGBUAcontig16bittile;

+ 					}

+-					else

++					else if( img->samplesperpixel >=3 )

+ 					{

+ 						if (BuildMapBitdepth16To8(img))

+ 							img->put.contig = putRGBcontig16bittile;

+@@ -2540,7 +2549,7 @@ PickContigCase(TIFFRGBAImage* img)

+ 			}

+ 			break;

+ 		case PHOTOMETRIC_SEPARATED:

+-			if (buildMap(img)) {

++			if (img->samplesperpixel >=4 && buildMap(img)) {

+ 				if (img->bitspersample == 8) {

+ 					if (!img->Map)

+ 						img->put.contig = putRGBcontig8bitCMYKtile;

+@@ -2636,7 +2645,7 @@ PickContigCase(TIFFRGBAImage* img)

+ 			}

+ 			break;

+ 		case PHOTOMETRIC_CIELAB:

+-			if (buildMap(img)) {

++			if (img->samplesperpixel == 3 && buildMap(img)) {

+ 				if (img->bitspersample == 8)

+ 					img->put.contig = initCIELabConversion(img);

+ 				break;

new file mode 100644

@@ -0,0 +1,11 @@

+--- tiff-4.0.6/tools/gif2tiff.c	2015-08-28 15:17:08.160498720 -0700

+@@ -349,7 +349,7 @@

+     int status = 1;

+ 

+     (void) getc(infile);

+-    while ((count = getc(infile)) && count <= 255)

++    while ((count = getc(infile)) && count >= 0 && count <= 255)

+         if (fread(buf, 1, count, infile) != (size_t) count) {

+             fprintf(stderr, "short read from file %s (%s)\n",

+                     filename, strerror(errno));

@@ -1,7 +1,7 @@

 Summary:	TIFF libraries and associated utilities.

 Name:		libtiff

 Version:	4.0.6

-Release:	1

+Release:	2%{?dist}

 License:	libtiff

 URL:		http://www.remotesensing.org/libtiff

 Group:		System Environment/Libraries

@@ -9,6 +9,11 @@ Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:	http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz

 %define sha1 tiff=280e27704eaca5f592b82e71ac0c78b87395e2de

+Patch0:		libtiff-4.0.6-CVE-2015-8668.patch

+Patch1:		libtiff-4.0.6-CVE-2015-7554.patch

+Patch2:		libtiff-4.0.6-CVE-2015-8683+CVE-2015-8665.patch

+Patch3:     	libtiff-4.0.6-CVE-2016-3186.patch

+Patch4:     	libtiff-4.0.6-CVE-2015-1547.patch

 BuildRequires:	libjpeg-turbo-devel

 Requires:	libjpeg-turbo

 %description

@@ -22,6 +27,11 @@ It contains the libraries and header files to create applications

 %prep

 %setup -q -n tiff-%{version}

+%patch0 -p1

+%patch1 -p1

+%patch2 -p1

+%patch3 -p1

+%patch4 -p1

 %build

 ./configure \

@@ -52,5 +62,8 @@ find %{buildroot} -name '*.la' -delete

 %{_libdir}/pkgconfig/*.pc

 %changelog

+*       Thu Sep 22 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.6-2

+-       Fixed security issues : CVE-2015-8668, CVE-2015-7554, CVE-2015-8683+CVE-2015-8665,CVE-2016-3186

+        CVE-2015-1547

 *       Wed Jul 27 2016 Divya Thaluru <dthaluru@vmware.com> 4.0.6-1

 -       Initial version