new file mode 100644

@@ -0,0 +1,122 @@

+diff -dupr a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

+--- a/libtiff/tif_dirread.c	2017-05-20 10:55:48.229231053 -0700

+@@ -765,6 +765,67 @@ static enum TIFFReadDirEntryErr TIFFRead

+ 	}

+ }

+ 

++#define INITIAL_THRESHOLD (1024 * 1024)

++#define THRESHOLD_MULTIPLIER 10

++#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)

++

++static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(

++                    TIFF* tif, uint64 offset, tmsize_t size, void** pdest)

++{

++#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8

++        tmsize_t threshold = INITIAL_THRESHOLD;

++#endif

++        tmsize_t already_read = 0;

++

++        assert( !isMapped(tif) );

++

++        if (!SeekOK(tif,offset))

++                return(TIFFReadDirEntryErrIo);

++

++        /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */

++        /* so as to avoid allocating too much memory in case the file is too */

++        /* short. We could ask for the file size, but this might be */

++        /* expensive with some I/O layers (think of reading a gzipped file) */

++        /* Restrict to 64 bit processes, so as to avoid reallocs() */

++        /* on 32 bit processes where virtual memory is scarce.  */

++        while( already_read < size )

++        {

++            void* new_dest;

++            tmsize_t bytes_read;

++            tmsize_t to_read = size - already_read;

++#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8

++            if( to_read >= threshold && threshold < MAX_THRESHOLD )

++            {

++                to_read = threshold;

++                threshold *= THRESHOLD_MULTIPLIER;

++            }

++#endif

++

++            new_dest = (uint8*) _TIFFrealloc(

++                            *pdest, already_read + to_read);

++            if( new_dest == NULL )

++            {

++                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

++                            "Failed to allocate memory for %s "

++                            "(%ld elements of %ld bytes each)",

++                            "TIFFReadDirEntryArray",

++                             (long) 1, (long) already_read + to_read);

++                return TIFFReadDirEntryErrAlloc;

++            }

++            *pdest = new_dest;

++

++            bytes_read = TIFFReadFile(tif,

++                (char*)*pdest + already_read, to_read);

++            already_read += bytes_read;

++            if (bytes_read != to_read) {

++                return TIFFReadDirEntryErrIo;

++            }

++        }

++        return TIFFReadDirEntryErrOk;

++}

++

++

++

+ static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)

+ {

+ 	int typesize;

+@@ -791,9 +852,23 @@ static enum TIFFReadDirEntryErr TIFFRead

+ 	*count=(uint32)direntry->tdir_count;

+ 	datasize=(*count)*typesize;

+ 	assert((tmsize_t)datasize>0);

+-	data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

+-	if (data==0)

+-		return(TIFFReadDirEntryErrAlloc);

++

++	if( isMapped(tif) && datasize > tif->tif_size )

++		return TIFFReadDirEntryErrIo;

++

++	if( !isMapped(tif) &&

++		(((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||

++		(!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) )

++	{

++		data = NULL;

++	}

++	else

++	{

++		data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

++		if (data==0)

++			return(TIFFReadDirEntryErrAlloc);

++	}

++

+ 	if (!(tif->tif_flags&TIFF_BIGTIFF))

+ 	{

+ 		if (datasize<=4)

+@@ -804,7 +879,10 @@ static enum TIFFReadDirEntryErr TIFFRead

+ 			uint32 offset = direntry->tdir_offset.toff_long;

+ 			if (tif->tif_flags&TIFF_SWAB)

+ 				TIFFSwabLong(&offset);

+-			err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

++			if( isMapped(tif) )

++				err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

++			else

++				err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);

+ 			if (err!=TIFFReadDirEntryErrOk)

+ 			{

+ 				_TIFFfree(data);

+@@ -822,7 +900,10 @@ static enum TIFFReadDirEntryErr TIFFRead

+ 			uint64 offset = direntry->tdir_offset.toff_long8;

+ 			if (tif->tif_flags&TIFF_SWAB)

+ 				TIFFSwabLong8(&offset);

+-			err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data);

++			if( isMapped(tif) )

++				err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

++			else

++				err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);

+ 			if (err!=TIFFReadDirEntryErrOk)

+ 			{

+ 				_TIFFfree(data);

@@ -1,7 +1,7 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

 Version:        4.0.8

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        libtiff

 URL:            http://www.simplesystems.org/libtiff/

 Group:          System Environment/Libraries

@@ -15,6 +15,7 @@ Patch1:         libtiff-4.0.6-CVE-2015-1547.patch

 Patch2:         libtiff-CVE-2017-10688.patch

 Patch3:         libtiff-4.0.8-CVE-2017-9936.patch

 Patch4:         libtiff-4.0.8-CVE-2017-11335.patch

+Patch5:         libtiff-4.0.8-CVE-2017-12944.patch

 BuildRequires:  libjpeg-turbo-devel

 Requires:       libjpeg-turbo

 %description

@@ -34,6 +35,7 @@ It contains the libraries and header files to create applications

 %patch2 -p1

 %patch3 -p1

 %patch4 -p1

+%patch5 -p1

 %build

 %configure \

     --disable-static

@@ -67,6 +69,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Mon Nov 13 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.8-5

+-   Patch : CVE-2017-12944

 *   Fri Oct 13 2017 Alexey Makhalov <amakhalov@vmware.com> 4.0.8-4

 -   Use standard configure macros

 *   Wed Aug 09 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.8-3