deleted file mode 100644

@@ -1,45 +0,0 @@

-+++ b/libtiff/tif_getimage.c	2016-09-22 14:36:19.730567366 -0700

-@@ -1822,10 +1822,10 @@

-     (void) y;

-     /* adjust fromskew */

-     fromskew = (fromskew * 18) / 4;

--    if ((h & 3) == 0 && (w & 3) == 0) {				        

-+    if ((w & 3) == 0 && (h & 1) == 0) {				        

-         for (; h >= 4; h -= 4) {

-             x = w>>2;

--            do {

-+			while(x>0) {

-                 int32 Cb = pp[16];

-                 int32 Cr = pp[17];

- 

-@@ -1848,7 +1848,8 @@

-                 cp2 += 4;

-                 cp3 += 4;

-                 pp += 18;

--            } while (--x);

-+           		x--;

-+				}

-             cp += incr;

-             cp1 += incr;

-             cp2 += incr;

-@@ -2094,7 +2095,7 @@

- {

- 	(void) y;

- 	fromskew = (fromskew * 4) / 2;

--	do {

-+	while(x>0) {

- 		x = w>>1;

- 		while(x>0) {

- 			int32 Cb = pp[2];

-@@ -2121,7 +2122,8 @@

- 

- 		cp += toskew;

- 		pp += fromskew;

--	} while (--h);

-+		x --;

-+	}

- }

- 

- /*

-

deleted file mode 100644

@@ -1,22 +0,0 @@

-diff tools/tiffsplit.c tools/tiffsplit.c

-+++ tiff-4.0.6/tools/tiffsplit.c	2016-09-22 12:58:54.257807814 -0700

-@@ -179,7 +179,8 @@

- 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);

- 		}

- 	}

--        CopyField(TIFFTAG_PHOTOMETRIC, shortv);

-+	uint32 count = 0;

-+    CopyField2(TIFFTAG_PREDICTOR, count, shortv);

- 	CopyField(TIFFTAG_PREDICTOR, shortv);

- 	CopyField(TIFFTAG_THRESHHOLDING, shortv);

- 	CopyField(TIFFTAG_FILLORDER, shortv);

-@@ -188,7 +189,7 @@

- 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);

- 	CopyField(TIFFTAG_XRESOLUTION, floatv);

- 	CopyField(TIFFTAG_YRESOLUTION, floatv);

--	CopyField(TIFFTAG_GROUP3OPTIONS, longv);

-+	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);

- 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);

- 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);

- 	CopyField(TIFFTAG_PLANARCONFIG, shortv);

deleted file mode 100644

@@ -1,18 +0,0 @@

-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c

-index db196e04..cd1e2358 100644

-+++ b/tools/tiff2pdf.c

-@@ -1737,7 +1737,12 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){

- 	    return;

- 

- 	t2p->pdf_transcode = T2P_TRANSCODE_ENCODE;

--	if(t2p->pdf_nopassthrough==0){

-+        /* It seems that T2P_TRANSCODE_RAW mode doesn't support separate->contig */

-+        /* conversion. At least t2p_read_tiff_size and t2p_read_tiff_size_tile */

-+        /* do not take into account the number of samples, and thus */

-+        /* that can cause heap buffer overflows such as in */

-+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2715 */

-+	if(t2p->pdf_nopassthrough==0 && t2p->tiff_planar!=PLANARCONFIG_SEPARATE){

- #ifdef CCITT_SUPPORT

- 		if(t2p->tiff_compression==COMPRESSION_CCITTFAX4  

- 			){

deleted file mode 100644

@@ -1,122 +0,0 @@

-diff -dupr a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

-+++ b/libtiff/tif_dirread.c	2017-11-13 17:27:30.914968448 -0800

-@@ -765,6 +765,67 @@ static enum TIFFReadDirEntryErr TIFFRead

- 	}

- }

- 

-+#define INITIAL_THRESHOLD (1024 * 1024)

-+#define THRESHOLD_MULTIPLIER 10

-+#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)

-+

-+static enum TIFFReadDirEntryErr TIFFReadDirEntryDataAndRealloc(

-+                    TIFF* tif, uint64 offset, tmsize_t size, void** pdest)

-+{

-+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8

-+        tmsize_t threshold = INITIAL_THRESHOLD;

-+#endif

-+        tmsize_t already_read = 0;

-+

-+        assert( !isMapped(tif) );

-+

-+        if (!SeekOK(tif,offset))

-+                return(TIFFReadDirEntryErrIo);

-+

-+        /* On 64 bit processes, read first a maximum of 1 MB, then 10 MB, etc */

-+        /* so as to avoid allocating too much memory in case the file is too */

-+        /* short. We could ask for the file size, but this might be */

-+        /* expensive with some I/O layers (think of reading a gzipped file) */

-+        /* Restrict to 64 bit processes, so as to avoid reallocs() */

-+        /* on 32 bit processes where virtual memory is scarce.  */

-+        while( already_read < size )

-+        {

-+            void* new_dest;

-+            tmsize_t bytes_read;

-+            tmsize_t to_read = size - already_read;

-+#if SIZEOF_VOIDP == 8 || SIZEOF_SIZE_T == 8

-+            if( to_read >= threshold && threshold < MAX_THRESHOLD )

-+            {

-+                to_read = threshold;

-+                threshold *= THRESHOLD_MULTIPLIER;

-+            }

-+#endif

-+

-+            new_dest = (uint8*) _TIFFrealloc(

-+                            *pdest, already_read + to_read);

-+            if( new_dest == NULL )

-+            {

-+                TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

-+                            "Failed to allocate memory for %s "

-+                            "(%ld elements of %ld bytes each)",

-+                            "TIFFReadDirEntryArray",

-+                             (long) 1, (long) already_read + to_read);

-+                return TIFFReadDirEntryErrAlloc;

-+            }

-+            *pdest = new_dest;

-+

-+            bytes_read = TIFFReadFile(tif,

-+                (char*)*pdest + already_read, to_read);

-+            already_read += bytes_read;

-+            if (bytes_read != to_read) {

-+                return TIFFReadDirEntryErrIo;

-+            }

-+        }

-+        return TIFFReadDirEntryErrOk;

-+}

-+

-+

-+

- static enum TIFFReadDirEntryErr TIFFReadDirEntryArray(TIFF* tif, TIFFDirEntry* direntry, uint32* count, uint32 desttypesize, void** value)

- {

- 	int typesize;

-@@ -791,9 +852,23 @@ static enum TIFFReadDirEntryErr TIFFRead

- 	*count=(uint32)direntry->tdir_count;

- 	datasize=(*count)*typesize;

- 	assert((tmsize_t)datasize>0);

--	data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

--	if (data==0)

--		return(TIFFReadDirEntryErrAlloc);

-+

-+	if( isMapped(tif) && datasize > tif->tif_size )

-+		return TIFFReadDirEntryErrIo;

-+

-+	if( !isMapped(tif) &&

-+		(((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||

-+		(!(tif->tif_flags&TIFF_BIGTIFF) && datasize > 4)) )

-+	{

-+		data = NULL;

-+	}

-+	else

-+	{

-+		data=_TIFFCheckMalloc(tif, *count, typesize, "ReadDirEntryArray");

-+		if (data==0)

-+			return(TIFFReadDirEntryErrAlloc);

-+	}

-+

- 	if (!(tif->tif_flags&TIFF_BIGTIFF))

- 	{

- 		if (datasize<=4)

-@@ -804,7 +879,10 @@ static enum TIFFReadDirEntryErr TIFFRead

- 			uint32 offset = direntry->tdir_offset.toff_long;

- 			if (tif->tif_flags&TIFF_SWAB)

- 				TIFFSwabLong(&offset);

--			err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

-+			if( isMapped(tif) )

-+				err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

-+			else

-+				err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);

- 			if (err!=TIFFReadDirEntryErrOk)

- 			{

- 				_TIFFfree(data);

-@@ -822,7 +900,10 @@ static enum TIFFReadDirEntryErr TIFFRead

- 			uint64 offset = direntry->tdir_offset.toff_long8;

- 			if (tif->tif_flags&TIFF_SWAB)

- 				TIFFSwabLong8(&offset);

--			err=TIFFReadDirEntryData(tif,offset,(tmsize_t)datasize,data);

-+			if( isMapped(tif) )

-+				err=TIFFReadDirEntryData(tif,(uint64)offset,(tmsize_t)datasize,data);

-+			else

-+				err=TIFFReadDirEntryDataAndRealloc(tif,(uint64)offset,(tmsize_t)datasize,&data);

- 			if (err!=TIFFReadDirEntryErrOk)

- 			{

- 				_TIFFfree(data);

deleted file mode 100644

@@ -1,25 +0,0 @@

-From f91ca83a21a6a583050e5a5755ce1441b2bf1d7e Mon Sep 17 00:00:00 2001

-From: Even Rouault <even.rouault@spatialys.com>

-Date: Wed, 23 Aug 2017 13:21:41 +0000

-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion related to not

- finding the SubIFD tag by runtime check. Fixes

- http://bugzilla.maptools.org/show_bug.cgi?id=2727 Reported by team OWL337

-

-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c

-index 38edb3fb..a85f0627 100644

-+++ b/libtiff/tif_dirwrite.c

-@@ -821,7 +821,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)

- 			TIFFDirEntry* nb;

- 			for (na=0, nb=dir; ; na++, nb++)

- 			{

--				assert(na<ndir);

-+				if( na == ndir )

-+                                {

-+                                    TIFFErrorExt(tif->tif_clientdata,module,

-+                                                 "Cannot find SubIFD tag");

-+                                    goto bad;

-+                                }

- 				if (nb->tdir_tag==TIFFTAG_SUBIFD)

- 					break;

- 			}

deleted file mode 100644

@@ -1,28 +0,0 @@

-From b6af137bf9ef852f1a48a50a5afb88f9e9da01cc Mon Sep 17 00:00:00 2001

-From: Even Rouault <even.rouault@spatialys.com>

-Date: Wed, 23 Aug 2017 13:33:42 +0000

-Subject: [PATCH] * libtiff/tif_dirwrite.c: replace assertion to tag value not

- fitting on uint32 when selecting the value of SubIFD tag by runtime check (in

- TIFFWriteDirectoryTagSubifd()). Fixes

- http://bugzilla.maptools.org/show_bug.cgi?id=2728 Reported by team OWL337

-

-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c

-index a85f0627..cad0a498 100644

-+++ b/libtiff/tif_dirwrite.c

-@@ -1949,7 +1949,14 @@ TIFFWriteDirectoryTagSubifd(TIFF* tif, uint32* ndir, TIFFDirEntry* dir)

- 		for (p=0; p < tif->tif_dir.td_nsubifd; p++)

- 		{

-                         assert(pa != 0);

--			assert(*pa <= 0xFFFFFFFFUL);

-+

-+                        /* Could happen if an classicTIFF has a SubIFD of type LONG8 (which is illegal) */

-+                        if( *pa > 0xFFFFFFFFUL)

-+                        {

-+                            TIFFErrorExt(tif->tif_clientdata,module,"Illegal value for SubIFD tag");

-+                            _TIFFfree(o);

-+                            return(0);

-+                        }

- 			*pb++=(uint32)(*pa++);

- 		}

- 		n=TIFFWriteDirectoryTagCheckedIfdArray(tif,ndir,dir,TIFFTAG_SUBIFD,tif->tif_dir.td_nsubifd,o);

deleted file mode 100644

@@ -1,153 +0,0 @@

-From faf20bd484aece918692831da5fad236b983fa08 Mon Sep 17 00:00:00 2001

-From: Brian May <brian@linuxpenguins.xyz>

-Date: Thu, 7 Dec 2017 07:46:47 +1100

-Subject: [PATCH] Fix CVE-2017-9935

-

-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704

-

-This vulnerability - at least for the supplied test case - is because we

-assume that a tiff will only have one transfer function that is the same

-for all pages. This is not required by the TIFF standards.

-

-We than read the transfer function for every page.  Depending on the

-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.

-We allocate this memory after we read in the transfer function for the

-page.

-

-For the first exploit - POC1, this file has 3 pages. For the first page

-we allocate 2 extra extra XREF entries. Then for the next page 2 more

-entries. Then for the last page the transfer function changes and we

-allocate 4 more entries.

-

-When we read the file into memory, we assume we have 4 bytes extra for

-each and every page (as per the last transfer function we read). Which

-is not correct, we only have 2 bytes extra for the first 2 pages. As a

-result, we end up writing past the end of the buffer.

-

-There are also some related issues that this also fixes. For example,

-TIFFGetField can return uninitalized pointer values, and the logic to

-detect a N=3 vs N=1 transfer function seemed rather strange.

-

-It is also strange that we declare the transfer functions to be of type

-float, when the standard says they are unsigned 16 bit values. This is

-fixed in another patch.

-

-This patch will check to ensure that the N value for every transfer

-function is the same for every page. If this changes, we abort with an

-error. In theory, we should perhaps check that the transfer function

-itself is identical for every page, however we don't do that due to the

-confusion of the type of the data in the transfer function.

- libtiff/tif_dir.c |  3 +++

- tools/tiff2pdf.c  | 65 ++++++++++++++++++++++++++++++++++++++++++++---------------------

- 2 files changed, 47 insertions(+), 21 deletions(-)

-

-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c

-index 2ccaf44..cbf2b69 100644

-+++ b/libtiff/tif_dir.c

-@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)

- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {

- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];

- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];

-+			} else {

-+				*va_arg(ap, uint16**) = NULL;

-+				*va_arg(ap, uint16**) = NULL;

- 			}

- 			break;

- 		case TIFFTAG_REFERENCEBLACKWHITE:

-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c

-index d1a9b09..c3ec074 100644

-+++ b/tools/tiff2pdf.c

-@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){

- 	uint16 pagen=0;

- 	uint16 paged=0;

- 	uint16 xuint16=0;

-+	uint16 tiff_transferfunctioncount=0;

-+	float* tiff_transferfunction[3];

- 

- 	directorycount=TIFFNumberOfDirectories(input);

- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));

-@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){

-                 }

- #endif

- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,

--                                 &(t2p->tiff_transferfunction[0]),

--                                 &(t2p->tiff_transferfunction[1]),

--                                 &(t2p->tiff_transferfunction[2]))) {

--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&

--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&

--                           (t2p->tiff_transferfunction[1] !=

--                            t2p->tiff_transferfunction[0])) {

--				t2p->tiff_transferfunctioncount = 3;

--				t2p->tiff_pages[i].page_extra += 4;

--				t2p->pdf_xrefcount += 4;

--			} else {

--				t2p->tiff_transferfunctioncount = 1;

--				t2p->tiff_pages[i].page_extra += 2;

--				t2p->pdf_xrefcount += 2;

--			}

--			if(t2p->pdf_minorversion < 2)

--				t2p->pdf_minorversion = 2;

-+                                 &(tiff_transferfunction[0]),

-+                                 &(tiff_transferfunction[1]),

-+                                 &(tiff_transferfunction[2]))) {

-+

-+                        if((tiff_transferfunction[1] != (float*) NULL) &&

-+                           (tiff_transferfunction[2] != (float*) NULL)

-+                          ) {

-+                            tiff_transferfunctioncount=3;

-+                        } else {

-+                            tiff_transferfunctioncount=1;

-+                        }

-                 } else {

--			t2p->tiff_transferfunctioncount=0;

-+			tiff_transferfunctioncount=0;

- 		}

-+

-+                if (i > 0){

-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){

-+                        TIFFError(

-+                            TIFF2PDF_MODULE,

-+                            "Different transfer function on page %d",

-+                            i);

-+                        t2p->t2p_error = T2P_ERR_ERROR;

-+                        return;

-+                    }

-+                }

-+

-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;

-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];

-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];

-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];

-+                if(tiff_transferfunctioncount == 3){

-+                        t2p->tiff_pages[i].page_extra += 4;

-+                        t2p->pdf_xrefcount += 4;

-+                        if(t2p->pdf_minorversion < 2)

-+                                t2p->pdf_minorversion = 2;

-+                } else if (tiff_transferfunctioncount == 1){

-+                        t2p->tiff_pages[i].page_extra += 2;

-+                        t2p->pdf_xrefcount += 2;

-+                        if(t2p->pdf_minorversion < 2)

-+                                t2p->pdf_minorversion = 2;

-+                }

-+

- 		if( TIFFGetField(

- 			input, 

- 			TIFFTAG_ICCPROFILE, 

-@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){

- 			 &(t2p->tiff_transferfunction[1]),

- 			 &(t2p->tiff_transferfunction[2]))) {

- 		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&

--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&

--                   (t2p->tiff_transferfunction[1] !=

--                    t2p->tiff_transferfunction[0])) {

-+                   (t2p->tiff_transferfunction[2] != (float*) NULL)

-+                  ) {

- 			t2p->tiff_transferfunctioncount=3;

- 		} else {

- 			t2p->tiff_transferfunctioncount=1;

-libgit2 0.26.0

-

deleted file mode 100644

@@ -1,13 +0,0 @@

-diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c

-index 5f5f75e2..c75f31d9 100644

-+++ b/libtiff/tif_jbig.c

-@@ -94,6 +94,7 @@

- 			     jbg_strerror(decodeStatus)

- #endif

- 			     );

-+                jbg_dec_free(&decoder);

- 		return 0;

- 	}

- 

-

new file mode 100644

@@ -0,0 +1,34 @@

+From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001

+From: Even Rouault <even.rouault@spatialys.com>

+Date: Sun, 31 Dec 2017 15:09:41 +0100

+Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770

+

+---

+ libtiff/tif_print.c | 8 ++++----

+ 1 file changed, 4 insertions(+), 4 deletions(-)

+

+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c

+index 9959d35..8deceb2 100644

+--- a/libtiff/tif_print.c

+@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)

+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))

+ 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",

+ 			    (unsigned long) s,

+-			    (unsigned __int64) td->td_stripoffset[s],

+-			    (unsigned __int64) td->td_stripbytecount[s]);

++			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,

++			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);

+ #else

+ 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",

+ 			    (unsigned long) s,

+-			    (unsigned long long) td->td_stripoffset[s],

+-			    (unsigned long long) td->td_stripbytecount[s]);

++			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,

++			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);

+ #endif

+ 	}

+ }

+--

+libgit2 0.26.0

+

deleted file mode 100644

@@ -1,66 +0,0 @@

-From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001

-From: Even Rouault <even.rouault@spatialys.com>

-Date: Fri, 30 Jun 2017 17:29:44 +0000

-Subject: [PATCH] * libtiff/tif_dirwrite.c: in

- TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8

- data type, replace assertion that the file is BigTIFF, by a non-fatal error.

- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712 Reported by team

- OWL337

-

- ChangeLog              |  8 ++++++++

- libtiff/tif_dirwrite.c | 20 ++++++++++++++++----

- 2 files changed, 24 insertions(+), 4 deletions(-)

-

-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c

-index 2967da58..8d6686ba 100644

-+++ b/libtiff/tif_dirwrite.c

-@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, ui

- {

- 	uint64 m;

- 	assert(sizeof(uint64)==8);

--	assert(tif->tif_flags&TIFF_BIGTIFF);

-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {

-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");

-+		return(0);

-+	}

- 	m=value;

- 	if (tif->tif_flags&TIFF_SWAB)

- 		TIFFSwabLong8(&m);

-@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* di

- {

- 	assert(count<0x20000000);

- 	assert(sizeof(uint64)==8);

--	assert(tif->tif_flags&TIFF_BIGTIFF);

-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {

-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");

-+		return(0);

-+	}

- 	if (tif->tif_flags&TIFF_SWAB)

- 		TIFFSwabArrayOfLong8(value,count);

- 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));

-@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, u

- {

- 	int64 m;

- 	assert(sizeof(int64)==8);

--	assert(tif->tif_flags&TIFF_BIGTIFF);

-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {

-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");

-+		return(0);

-+	}

- 	m=value;

- 	if (tif->tif_flags&TIFF_SWAB)

- 		TIFFSwabLong8((uint64*)(&m));

-@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d

- {

- 	assert(count<0x20000000);

- 	assert(sizeof(int64)==8);

--	assert(tif->tif_flags&TIFF_BIGTIFF);

-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {

-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");

-+		return(0);

-+	}

- 	if (tif->tif_flags&TIFF_SWAB)

- 		TIFFSwabArrayOfLong8((uint64*)value,count);

- 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));

@@ -1,24 +1,15 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

-Version:        4.0.8

-Release:        7%{?dist}

+Version:        4.0.9

+Release:        1%{?dist}

 License:        libtiff

 URL:            http://www.simplesystems.org/libtiff/

 Group:          System Environment/Libraries

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz

-%define sha1    tiff=88717c97480a7976c94d23b6d9ed4ac74715267f

-# patches:      https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/

-Patch0:         libtiff-4.0.6-CVE-2015-7554.patch

-Patch1:         libtiff-4.0.6-CVE-2015-1547.patch

-Patch2:         libtiff-CVE-2017-10688.patch

-Patch3:         libtiff-4.0.8-CVE-2017-9936.patch

-Patch4:         libtiff-4.0.8-CVE-2017-11335.patch

-Patch5:         libtiff-4.0.8-CVE-2017-12944.patch

-Patch6:         libtiff-4.0.8-CVE-2017-13726.patch

-Patch7:         libtiff-4.0.8-CVE-2017-13727.patch

-Patch8:         libtiff-4.0.8-CVE-2017-9935.patch

+%define sha1    tiff=87d4543579176cc568668617c22baceccd568296

+Patch0:         libtiff-4.0.9-CVE-2017-18013.patch

 BuildRequires:  libjpeg-turbo-devel

 Requires:       libjpeg-turbo

 %description

@@ -34,14 +25,6 @@ It contains the libraries and header files to create applications

 %prep

 %setup -q -n tiff-%{version}

 %patch0 -p1

-%patch1 -p1

-%patch2 -p1

-%patch3 -p1

-%patch4 -p1

-%patch5 -p1

-%patch6 -p1

-%patch7 -p1

-%patch8 -p1

 %build

 %configure \

     --disable-static

@@ -75,6 +58,9 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Wed Jan 17 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-1

+-   Updated to version 4.0.9 to fix CVE-2017-11613, CVE-2017-9937,

+-   CVE-2017-17973. Added a patch for CVE-2017-18013

 *   Mon Dec 11 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-7

 -   Added patch for CVE-2017-9935

 *   Mon Nov 27 2017 Xiaolin Li <xiaolinl@vmware.com> 4.0.8-6