new file mode 100644

@@ -0,0 +1,22 @@

+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

+index 3fc0c8e..1a3259c 100644

+--- a/libtiff/tif_dirread.c

+@@ -5696,6 +5696,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)

+         if( nstrips == 0 )

+             return;

+ 

++        /* If we are going to allocate a lot of memory, make sure that the */

++        /* file is as big as needed */

++        if( tif->tif_mode == O_RDONLY &&

++            nstrips > 1000000 &&

++            (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||

++             tif->tif_dir.td_stripbytecount[0] >

++                    TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )

++        {

++            return;

++        }

++

+ 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

+ 				"for chopped \"StripByteCounts\" array");

+ 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

new file mode 100644

@@ -0,0 +1,16 @@

+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

+index 1a3259c..6baa7b3 100644

+--- a/libtiff/tif_dirread.c

+@@ -5700,9 +5700,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif)

+         /* file is as big as needed */

+         if( tif->tif_mode == O_RDONLY &&

+             nstrips > 1000000 &&

+-            (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||

+-             tif->tif_dir.td_stripbytecount[0] >

+-                    TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )

++            (offset >= TIFFGetFileSize(tif) ||

++             stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )

+         {

+             return;

+         }

new file mode 100644

@@ -0,0 +1,107 @@

+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

+index 6baa7b3..af5b84a 100644

+--- a/libtiff/tif_dirread.c

+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin

+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);

+ static void ChopUpSingleUncompressedStrip(TIFF*);

+ static uint64 TIFFReadUInt64(const uint8 *value);

++static int _TIFFGetMaxColorChannels(uint16 photometric);

+ 

+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );

+ 

+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c

+ }

+ 

+ /*

++ * Return the maximum number of color channels specified for a given photometric

++ * type. 0 is returned if photometric type isn't supported or no default value

++ * is defined by the specification.

++ */

++static int _TIFFGetMaxColorChannels( uint16 photometric )

++{

++    switch (photometric) {

++	case PHOTOMETRIC_PALETTE:

++	case PHOTOMETRIC_MINISWHITE:

++	case PHOTOMETRIC_MINISBLACK:

++            return 1;

++	case PHOTOMETRIC_YCBCR:

++	case PHOTOMETRIC_RGB:

++	case PHOTOMETRIC_CIELAB:

++            return 3;

++	case PHOTOMETRIC_SEPARATED:

++	case PHOTOMETRIC_MASK:

++            return 4;

++	case PHOTOMETRIC_LOGL:

++	case PHOTOMETRIC_LOGLUV:

++	case PHOTOMETRIC_CFA:

++	case PHOTOMETRIC_ITULAB:

++	case PHOTOMETRIC_ICCLAB:

++	default:

++            return 0;

++    }

++}

++

++/*

+  * Read the next TIFF directory from a file and convert it to the internal

+  * format. We read directories sequentially.

+  */

+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)

+ 	uint32 fii=FAILED_FII;

+         toff_t nextdiroff;

+     int bitspersample_read = FALSE;

++        int color_channels;

+ 

+ 	tif->tif_diroff=tif->tif_nextdiroff;

+ 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))

+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)

+ 			}

+ 		}

+ 	}

++

++	/*

++	 * Make sure all non-color channels are extrasamples.

++	 * If it's not the case, define them as such.

++	 */

++        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);

++        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {

++                uint16 old_extrasamples;

++                uint16 *new_sampleinfo;

++

++                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "

++                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "

++                    "Defining non-color channels as ExtraSamples.");

++

++                old_extrasamples = tif->tif_dir.td_extrasamples;

++                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);

++

++                // sampleinfo should contain information relative to these new extra samples

++                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));

++                if (!new_sampleinfo) {

++                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "

++                                "temporary new sampleinfo array (%d 16 bit elements)",

++                                tif->tif_dir.td_extrasamples);

++                    goto bad;

++                }

++

++                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));

++                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);

++                _TIFFfree(new_sampleinfo);

++        }

++

+ 	/*

+ 	 * Verify Palette image has a Colormap.

+ 	 */

+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c

+index 8deceb2..1d86adb 100644

+--- a/libtiff/tif_print.c

+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)

+ 				uint16 i;

+ 				fprintf(fd, "    %2ld: %5u",

+ 				    l, td->td_transferfunction[0][l]);

+-				for (i = 1; i < td->td_samplesperpixel; i++)

++				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)

+ 					fprintf(fd, " %5u",

+ 					    td->td_transferfunction[i][l]);

+ 				fputc('\n', fd);

new file mode 100644

@@ -0,0 +1,128 @@

+From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001

+From: Nathan Baker <nathanb@lenovo-chrome.com>

+Date: Tue, 6 Feb 2018 10:13:57 -0500

+Subject: [PATCH] Fix for bug 2772

+

+It is possible to craft a TIFF document where the IFD list is circular,

+leading to an infinite loop while traversing the chain. The libtiff

+directory reader has a failsafe that will break out of this loop after

+reading 65535 directory entries, but it will continue processing,

+consuming time and resources to process what is essentially a bogus TIFF

+document.

+

+This change fixes the above behavior by breaking out of processing when

+a TIFF document has >= 65535 directories and terminating with an error.

+---

+ contrib/addtiffo/tif_overview.c | 14 +++++++++++++-

+ tools/tiff2pdf.c                | 10 ++++++++++

+ tools/tiffcrop.c                | 13 +++++++++++--

+ 3 files changed, 34 insertions(+), 3 deletions(-)

+

+diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c

+index c61ffbb..03b3573 100644

+--- a/contrib/addtiffo/tif_overview.c

+@@ -65,6 +65,8 @@

+ #  define MAX(a,b)      ((a>b) ? a : b)

+ #endif

+ 

++#define TIFF_DIR_MAX  65534

++

+ void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,

+                          int (*)(double,void*), void * );

+ 

+@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,

+ {

+     toff_t	nBaseDirOffset;

+     toff_t	nOffset;

++    tdir_t	iNumDir;

+ 

+     (void) bUseSubIFDs;

+ 

+@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,

+         return 0;

+ 

+     TIFFWriteDirectory( hTIFF );

+-    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );

++    iNumDir = TIFFNumberOfDirectories(hTIFF);

++    if( iNumDir > TIFF_DIR_MAX )

++    {

++        TIFFErrorExt( TIFFClientdata(hTIFF),

++                      "TIFF_WriteOverview",

++                      "File `%s' has too many directories.\n",

++                      TIFFFileName(hTIFF) );

++        exit(-1);

++    }

++    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );

+ 

+     nOffset = TIFFCurrentDirOffset( hTIFF );

+ 

+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c

+index 984ef65..832a247 100644

+--- a/tools/tiff2pdf.c

+@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);

+ 

+ #define PS_UNIT_SIZE	72.0F

+ 

++#define TIFF_DIR_MAX    65534

++

+ /* This type is of PDF color spaces. */

+ typedef enum {

+ 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */

+@@ -1053,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){

+ 	float* tiff_transferfunction[3];

+ 

+ 	directorycount=TIFFNumberOfDirectories(input);

++	if(directorycount > TIFF_DIR_MAX) {

++		TIFFError(

++			TIFF2PDF_MODULE,

++			"TIFF contains too many directories, %s",

++			TIFFFileName(input));

++		t2p->t2p_error = T2P_ERR_ERROR;

++		return;

++	}

+ 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));

+ 	if(t2p->tiff_pages==NULL){

+ 		TIFFError(

+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

+index 91a38f6..e466dae 100644

+--- a/tools/tiffcrop.c

+@@ -215,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);

+ #define DUMP_TEXT   1

+ #define DUMP_RAW    2

+ 

++#define TIFF_DIR_MAX  65534

++

+ /* Offsets into buffer for margins and fixed width and length segments */

+ struct offset {

+   uint32  tmargin;

+@@ -2232,7 +2234,7 @@ main(int argc, char* argv[])

+     pageNum = -1;

+   else

+     total_images = 0;

+-  /* read multiple input files and write to output file(s) */

++  /* Read multiple input files and write to output file(s) */

+   while (optind < argc - 1)

+     {

+     in = TIFFOpen (argv[optind], "r");

+@@ -2240,7 +2242,14 @@ main(int argc, char* argv[])

+       return (-3);

+ 

+     /* If only one input file is specified, we can use directory count */

+-    total_images = TIFFNumberOfDirectories(in); 

++    total_images = TIFFNumberOfDirectories(in);

++    if (total_images > TIFF_DIR_MAX)

++      {

++      TIFFError (TIFFFileName(in), "File contains too many directories");

++      if (out != NULL)

++        (void) TIFFClose(out);

++      return (1);

++      }

+     if (image_count == 0)

+       {

+       dirnum = 0;

+--

+libgit2 0.27.0

+

new file mode 100644

@@ -0,0 +1,37 @@

+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c

+index 4ccb443..94d85e3 100644

+--- a/libtiff/tif_lzw.c

+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)

+ 	char *tp;

+ 	unsigned char *bp;

+ 	int code, nbits;

++	int len;

+ 	long nextbits, nextdata, nbitsmask;

+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;

+ 

+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)

+ 				}  while (--occ);

+ 				break;

+ 			}

+-			assert(occ >= codep->length);

+-			op += codep->length;

+-			occ -= codep->length;

+-			tp = op;

++			len = codep->length;

++			tp = op + len;

+ 			do {

+-				*--tp = codep->value;

+-			} while( (codep = codep->next) != NULL );

++				int t;

++				--tp;

++				t = codep->value;

++				codep = codep->next;

++				*tp = (char)t;

++			} while (codep && tp > op);

++			assert(occ >= len);

++			op += len;

++			occ -= len;

+ 		} else {

+ 			*op++ = (char)code;

+ 			occ--;

@@ -1,7 +1,7 @@

 Summary:        TIFF libraries and associated utilities.

 Name:           libtiff

 Version:        4.0.9

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        libtiff

 URL:            http://www.simplesystems.org/libtiff/

 Group:          System Environment/Libraries

@@ -12,6 +12,11 @@ Source0:        http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz

 Patch0:         libtiff-4.0.9-CVE-2017-18013.patch

 Patch1:         libtiff-4.0.9-CVE-2017-9935.patch

 Patch2:         libtiff-4.0.9-CVE-2017-17095.patch

+Patch3:         libtiff-4.0.9-CVE-2018-5784.patch

+Patch4:         libtiff-4.0-9-CVE-2017-11613-1.patch

+Patch5:         libtiff-4.0-9-CVE-2017-11613-2.patch

+Patch6:         libtiff-4.0-9-CVE-2018-7456.patch

+Patch7:         libtiff-4.0.9-CVE-2018-8905.patch

 BuildRequires:  libjpeg-turbo-devel

 Requires:       libjpeg-turbo

 %description

@@ -29,6 +34,11 @@ It contains the libraries and header files to create applications

 %patch0 -p1

 %patch1 -p1

 %patch2 -p1

+%patch3 -p1

+%patch4 -p1

+%patch5 -p1

+%patch6 -p1

+%patch7 -p1

 %build

 %configure \

     --disable-static

@@ -62,6 +72,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Mon May 14 2018 Xiaolin Li <xiaolinl@vmware.com> 4.0.9-4

+-   Fix CVE-2018-7456, CVE-2018-8905, CVE-2018-5784, CVE-2017-11613

 *   Wed Feb 14 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-3

 -   Patch for CVE-2017-17095

 *   Wed Jan 31 2018 Dheeraj Shetty <dheerajs@vmware.com> 4.0.9-2