new file mode 100644

@@ -0,0 +1,35 @@

+diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c

+index 1ccc3f9b..f19e8fd0 100644

+--- a/libtiff/tif_ojpeg.c

+@@ -244,6 +244,7 @@ typedef enum {

+ 

+ typedef struct {

+ 	TIFF* tif;

++        int decoder_ok;

+ 	#ifndef LIBJPEG_ENCAP_EXTERNAL

+ 	JMP_BUF exit_jmpbuf;

+ 	#endif

+@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)

+ 		}

+ 		sp->write_curstrile++;

+ 	}

++	sp->decoder_ok = 1;

+ 	return(1);

+ }

+ 

+@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)

+ static int

+ OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)

+ {

++        static const char module[]="OJPEGDecode";

+ 	OJPEGState* sp=(OJPEGState*)tif->tif_data;

+ 	(void)s;

++        if( !sp->decoder_ok )

++        {

++            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");

++            return 0;

++        }

+ 	if (sp->libjpeg_jpeg_query_style==0)

+ 	{

+ 		if (OJPEGDecodeRaw(tif,buf,cc)==0)

new file mode 100644

@@ -0,0 +1,13 @@

+diff --git a/tools/tiffcp.c b/tools/tiffcp.c

+index a99c906..f294ed1 100644

+--- a/tools/tiffcp.c

+@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)

+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);

+ 		uint32 row = 0;

+ 		_TIFFmemset(buf, 0, stripsize);

+-		for (s = 0; s < ns; s++) {

++		for (s = 0; s < ns && row < imagelength; s++) {

+ 			tsize_t cc = (row + rowsperstrip > imagelength) ?

+ 			    TIFFVStripSize(in, imagelength - row) : stripsize;

+ 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0

new file mode 100644

@@ -0,0 +1,31 @@

+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c

+index 44c5eee8..eecde217 100644

+--- a/tools/tiffcrop.c

+@@ -1164,7 +1164,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8* buf,

+   tdata_t  obuf;

+ 

+   (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);

+-  (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);

++  (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps);

+   bytes_per_sample = (bps + 7) / 8;

+   if( width == 0 ||

+       (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||

+@@ -4760,7 +4760,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,

+   int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;

+   uint32 j;

+   int32  bytes_read = 0;

+-  uint16 bps, planar;

++  uint16 bps = 0, planar;

+   uint32 nstrips;

+   uint32 strips_per_sample;

+   uint32 src_rowsize, dst_rowsize, rows_processed, rps;

+@@ -4780,7 +4780,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,

+     }

+ 

+   memset (srcbuffs, '\0', sizeof(srcbuffs));

+-  TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);

++  TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);

+   TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar);

+   TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);

+   if (rps > length)

new file mode 100644

@@ -0,0 +1,81 @@

+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c

+index 3eec79c9..570d0c32 100644

+--- a/libtiff/tif_dirread.c

+@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)

+ 	uint64 rowblockbytes;

+ 	uint64 stripbytes;

+ 	uint32 strip;

+-	uint64 nstrips64;

+-	uint32 nstrips32;

++	uint32 nstrips;

+ 	uint32 rowsperstrip;

+ 	uint64* newcounts;

+ 	uint64* newoffsets;

+@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)

+ 	    return;

+ 

+ 	/*

+-	 * never increase the number of strips in an image

++	 * never increase the number of rows per strip

+ 	 */

+ 	if (rowsperstrip >= td->td_rowsperstrip)

+ 		return;

+-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);

+-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */

+-	    return;

+-	nstrips32 = (uint32)nstrips64;

++        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);

++        if( nstrips == 0 )

++            return;

+ 

+-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),

++	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

+ 				"for chopped \"StripByteCounts\" array");

+-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),

++	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

+ 				"for chopped \"StripOffsets\" array");

+ 	if (newcounts == NULL || newoffsets == NULL) {

+ 		/*

+@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)

+ 	 * Fill the strip information arrays with new bytecounts and offsets

+ 	 * that reflect the broken-up format.

+ 	 */

+-	for (strip = 0; strip < nstrips32; strip++) {

++	for (strip = 0; strip < nstrips; strip++) {

+ 		if (stripbytes > bytecount)

+ 			stripbytes = bytecount;

+ 		newcounts[strip] = stripbytes;

+-		newoffsets[strip] = offset;

++		newoffsets[strip] = stripbytes ? offset : 0;

+ 		offset += stripbytes;

+ 		bytecount -= stripbytes;

+ 	}

+ 	/*

+ 	 * Replace old single strip info with multi-strip info.

+ 	 */

+-	td->td_stripsperimage = td->td_nstrips = nstrips32;

++	td->td_stripsperimage = td->td_nstrips = nstrips;

+ 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);

+ 

+ 	_TIFFfree(td->td_stripbytecount);

+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c

+index 4c46ecf5..1676e47d 100644

+--- a/libtiff/tif_strip.c

+@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)

+ 	TIFFDirectory *td = &tif->tif_dir;

+ 	uint32 nstrips;

+ 

+-    /* If the value was already computed and store in td_nstrips, then return it,

+-       since ChopUpSingleUncompressedStrip might have altered and resized the

+-       since the td_stripbytecount and td_stripoffset arrays to the new value

+-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in

+-       tif_dirread.c ~line 3612.

+-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */

+-    if( td->td_nstrips )

+-        return td->td_nstrips;

+-

+ 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :

+ 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));

+ 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)

new file mode 100644

@@ -0,0 +1,89 @@

+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c

+index f68a9b13..e6783db5 100644

+--- a/libtiff/tif_luv.c

+@@ -158,6 +158,7 @@

+ typedef struct logLuvState LogLuvState;

+ 

+ struct logLuvState {

++        int                     encoder_state;  /* 1 if encoder correctly initialized */

+ 	int                     user_datafmt;   /* user data format */

+ 	int                     encode_meth;    /* encoding method */

+ 	int                     pixel_size;     /* bytes per pixel */

+@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)

+ 		    td->td_photometric, "must be either LogLUV or LogL");

+ 		break;

+ 	}

++	sp->encoder_state = 1;

+ 	return (1);

+ notsupported:

+ 	TIFFErrorExt(tif->tif_clientdata, module,

+@@ -1563,19 +1565,27 @@ LogLuvSetupEncode(TIFF* tif)

+ static void

+ LogLuvClose(TIFF* tif)

+ {

++        LogLuvState* sp = (LogLuvState*) tif->tif_data;

+ 	TIFFDirectory *td = &tif->tif_dir;

+ 

++	assert(sp != 0);

+ 	/*

+ 	 * For consistency, we always want to write out the same

+ 	 * bitspersample and sampleformat for our TIFF file,

+ 	 * regardless of the data format being used by the application.

+ 	 * Since this routine is called after tags have been set but

+ 	 * before they have been recorded in the file, we reset them here.

++         * Note: this is really a nasty approach. See PixarLogClose

+ 	 */

+-	td->td_samplesperpixel =

+-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;

+-	td->td_bitspersample = 16;

+-	td->td_sampleformat = SAMPLEFORMAT_INT;

++        if( sp->encoder_state )

++        {

++            /* See PixarLogClose. Might avoid issues with tags whose size depends

++             * on those below, but not completely sure this is enough. */

++            td->td_samplesperpixel =

++                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;

++            td->td_bitspersample = 16;

++            td->td_sampleformat = SAMPLEFORMAT_INT;

++        }

+ }

+ 

+ static void

+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c

+index d1246c3d..aa99bc92 100644

+--- a/libtiff/tif_pixarlog.c

+@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)

+ static void

+ PixarLogClose(TIFF* tif)

+ {

++        PixarLogState* sp = (PixarLogState*) tif->tif_data;

+ 	TIFFDirectory *td = &tif->tif_dir;

+ 

++	assert(sp != 0);

+ 	/* In a really sneaky (and really incorrect, and untruthful, and

+ 	 * troublesome, and error-prone) maneuver that completely goes against

+ 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly

+@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)

+ 	 * readers that don't know about PixarLog, or how to set

+ 	 * the PIXARLOGDATFMT pseudo-tag.

+ 	 */

+-	td->td_bitspersample = 8;

+-	td->td_sampleformat = SAMPLEFORMAT_UINT;

++

++        if (sp->state&PLSTATE_INIT) {

++            /* We test the state to avoid an issue such as in

++             * http://bugzilla.maptools.org/show_bug.cgi?id=2604

++             * What appends in that case is that the bitspersample is 1 and

++             * a TransferFunction is set. The size of the TransferFunction

++             * depends on 1<<bitspersample. So if we increase it, an access

++             * out of the buffer will happen at directory flushing.

++             * Another option would be to clear those targs. 

++             */

++            td->td_bitspersample = 8;

++            td->td_sampleformat = SAMPLEFORMAT_UINT;

++        }

+ }

+ 

+ static void

@@ -1,7 +1,7 @@

 Summary:	TIFF libraries and associated utilities.

 Name:		libtiff

 Version:	4.0.7

-Release:	3%{?dist}

+Release:	4%{?dist}

 License:	libtiff

 URL:		http://www.remotesensing.org/libtiff

 Group:		System Environment/Libraries

@@ -9,12 +9,18 @@ Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:	http://download.osgeo.org/%{name}/tiff-%{version}.tar.gz

 %define sha1 tiff=2c1b64478e88f93522a42dd5271214a0e5eae648

+# patches: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/

 Patch0:		libtiff-4.0.6-CVE-2015-7554.patch

 Patch1:     	libtiff-4.0.6-CVE-2015-1547.patch

 Patch2:     	libtiff-4.0.7-CVE-2017-5225.patch

 Patch3:     	libtiff-4.0.7-CVE-2016-10092.patch

 Patch4:     	libtiff-4.0.7-CVE-2016-10093.patch

 Patch5:     	libtiff-4.0.7-CVE-2016-10094.patch

+Patch6:         libtiff-4.0.6-CVE-2016-10268.patch

+Patch7:         libtiff-heap-buffer-overflow.patch

+Patch8:		libtiff-4.0.7-CVE-2016-10269.patch

+Patch9:		libtiff-4.0.7-CVE-2016-10267.patch

+Patch10:        libtiff-2017-CVE-2016-10266.patch

 BuildRequires:	libjpeg-turbo-devel

 Requires:	libjpeg-turbo

 %description

@@ -25,7 +31,7 @@ Summary:	Header and development files

 Requires:	%{name} = %{version}-%{release}

 Requires:	libjpeg-turbo-devel

 %description	devel

-It contains the libraries and header files to create applications 

+It contains the libraries and header files to create applications

 %prep

 %setup -q -n tiff-%{version}

@@ -35,7 +41,11 @@ It contains the libraries and header files to create applications

 %patch3 -p1

 %patch4 -p1

 %patch5 -p1

-

+%patch6 -p1

+%patch7 -p1

+%patch8 -p1

+%patch9 -p1

+%patch10 -p1

 %build

 ./configure \

 	--prefix=%{_prefix} \

@@ -70,6 +80,8 @@ make %{?_smp_mflags} -k check

 %{_datadir}/man/man3/*

 %changelog

+*   Tue May 16 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.0.7-4

+-   Added patch for CVE-2016-10266, CVE-2016-10268, CVE-2016-10269, CVE-2016-10267 and libtiff-heap-buffer-overflow patch

 *   Mon Apr 10 2017 Dheeraj Shetty <dheerajs@vmware.com> 4.0.7-3

 -   Patch : CVE-2016-10092, CVE-2016-10093, CVE-2016-10094

 *   Thu Jan 19 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 4.0.7-2