* Libtiff 4.0.7 update
@ 2016-11-21 16:48 Leo Famulari
From: Leo Famulari @ 2016-11-21 16:48 UTC
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 315 bytes --]
This updates libtiff to the latest upstream version, 4.0.7. I went
through the tarball and confirmed that all the patches were contained in
it but, please, double-check :)
Also, libtiff has new source and home-page URLs. Read all about it:
http://www.asmail.be/msg0054885794.html
It will require ~1600 rebuilds.
[-- Attachment #1.2: 0001-gnu-libtiff-Update-to-4.0.7.patch --]
[-- Type: text/plain, Size: 49978 bytes --]
From 755367331d73c36c91b493a440d533a96e12a5bc Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 21 Nov 2016 11:39:49 -0500
Subject: [PATCH] gnu: libtiff: Update to 4.0.7.
* gnu/packages/image.scm (libtiff): Update to 4.0.7.
[source]: Remove obsolete patches and update URL.
[home-page]: Update URL.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch,
gnu/packages/patches/libtiff-CVE-2016-3623.patch,
gnu/packages/patches/libtiff-CVE-2016-3945.patch,
gnu/packages/patches/libtiff-CVE-2016-3990.patch,
gnu/packages/patches/libtiff-CVE-2016-3991.patch,
gnu/packages/patches/libtiff-CVE-2016-5314.patch,
gnu/packages/patches/libtiff-CVE-2016-5321.patch,
gnu/packages/patches/libtiff-CVE-2016-5323.patch,
gnu/packages/patches/libtiff-CVE-2016-5652.patch,
gnu/packages/patches/libtiff-CVE-2016-9273.patch,
gnu/packages/patches/libtiff-CVE-2016-9297.patch,
gnu/packages/patches/libtiff-CVE-2016-9448.patch,
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch,
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch,
gnu/packages/patches/libtiff-uint32-overflow.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 15 --
gnu/packages/image.scm | 47 +-----
.../libtiff-CVE-2015-8665+CVE-2015-8683.patch | 107 -------------
gnu/packages/patches/libtiff-CVE-2016-3623.patch | 30 ----
gnu/packages/patches/libtiff-CVE-2016-3945.patch | 94 -----------
gnu/packages/patches/libtiff-CVE-2016-3990.patch | 31 ----
gnu/packages/patches/libtiff-CVE-2016-3991.patch | 123 ---------------
gnu/packages/patches/libtiff-CVE-2016-5314.patch | 45 ------
gnu/packages/patches/libtiff-CVE-2016-5321.patch | 25 ---
gnu/packages/patches/libtiff-CVE-2016-5323.patch | 88 -----------
gnu/packages/patches/libtiff-CVE-2016-5652.patch | 47 ------
gnu/packages/patches/libtiff-CVE-2016-9273.patch | 41 -----
gnu/packages/patches/libtiff-CVE-2016-9297.patch | 52 -------
gnu/packages/patches/libtiff-CVE-2016-9448.patch | 34 ----
.../patches/libtiff-oob-accesses-in-decode.patch | 171 ---------------------
.../patches/libtiff-oob-write-in-nextdecode.patch | 49 ------
gnu/packages/patches/libtiff-uint32-overflow.patch | 102 ------------
17 files changed, 7 insertions(+), 1094 deletions(-)
delete mode 100644 gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3623.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3945.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3990.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3991.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5314.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5321.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5323.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5652.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9273.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9448.patch
delete mode 100644 gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
delete mode 100644 gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
delete mode 100644 gnu/packages/patches/libtiff-uint32-overflow.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 430d05f..82e939b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -664,21 +664,6 @@ dist_patch_DATA = \
%D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtheora-config-guess.patch \
- %D%/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
- %D%/packages/patches/libtiff-CVE-2016-3623.patch \
- %D%/packages/patches/libtiff-CVE-2016-3945.patch \
- %D%/packages/patches/libtiff-CVE-2016-3990.patch \
- %D%/packages/patches/libtiff-CVE-2016-3991.patch \
- %D%/packages/patches/libtiff-CVE-2016-5314.patch \
- %D%/packages/patches/libtiff-CVE-2016-5321.patch \
- %D%/packages/patches/libtiff-CVE-2016-5323.patch \
- %D%/packages/patches/libtiff-CVE-2016-5652.patch \
- %D%/packages/patches/libtiff-CVE-2016-9273.patch \
- %D%/packages/patches/libtiff-CVE-2016-9297.patch \
- %D%/packages/patches/libtiff-CVE-2016-9448.patch \
- %D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
- %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
- %D%/packages/patches/libtiff-uint32-overflow.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 309c336..25de802 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -243,25 +243,14 @@ extracting icontainer icon files.")
(define-public libtiff
(package
(name "libtiff")
- (replacement libtiff/fixed)
- (version "4.0.6")
+ (version "4.0.7")
(source (origin
(method url-fetch)
- (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
- version ".tar.gz"))
- (sha256 (base32
- "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
- (patches (search-patches
- "libtiff-oob-accesses-in-decode.patch"
- "libtiff-oob-write-in-nextdecode.patch"
- "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
- "libtiff-CVE-2016-3623.patch"
- "libtiff-CVE-2016-3945.patch"
- "libtiff-CVE-2016-3990.patch"
- "libtiff-CVE-2016-3991.patch"
- "libtiff-CVE-2016-5314.patch"
- "libtiff-CVE-2016-5321.patch"
- "libtiff-CVE-2016-5323.patch"))))
+ (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.3 MiB of HTML documentation
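Review bot: the uri and the sha256 both change in this hunk, and the new location is plain ftp://download.osgeo.org/libtiff/, so the base32 hash is the only thing tying the build to upstream's 4.0.7 tarball. Please say in the commit message how the new hash was checked (for example against a signature or checksum published by upstream, if there is one, or against a second independent download). The ten entries dropped from search-patches here should each be matched to code in the new tarball before merging, as the cover letter already asks.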
@@ -281,29 +270,7 @@ Included are a library, libtiff, for reading and writing TIFF and a small
collection of tools for doing simple manipulations of TIFF images.")
(license (license:non-copyleft "file://COPYRIGHT"
"See COPYRIGHT in the distribution."))
- (home-page "http://www.remotesensing.org/libtiff/")))
-
-(define libtiff/fixed
- (package
- (inherit libtiff)
- (source (origin
- (inherit (package-source libtiff))
- (patches (search-patches
- "libtiff-oob-accesses-in-decode.patch"
- "libtiff-oob-write-in-nextdecode.patch"
- "libtiff-uint32-overflow.patch"
- "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
- "libtiff-CVE-2016-3623.patch"
- "libtiff-CVE-2016-3945.patch"
- "libtiff-CVE-2016-3990.patch"
- "libtiff-CVE-2016-3991.patch"
- "libtiff-CVE-2016-5314.patch"
- "libtiff-CVE-2016-5321.patch"
- "libtiff-CVE-2016-5323.patch"
- "libtiff-CVE-2016-5652.patch"
- "libtiff-CVE-2016-9273.patch"
- "libtiff-CVE-2016-9297.patch"
- "libtiff-CVE-2016-9448.patch"))))))
+ (home-page "http://www.simplesystems.org/libtiff/")))
(define-public libwmf
(package
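Review bot: libtiff/fixed carried five patches that the base package did not (libtiff-uint32-overflow.patch and the fixes for CVE-2016-5652, CVE-2016-9273, CVE-2016-9297 and CVE-2016-9448), and the deleted patch files below date the last three to upstream revisions of 9 to 16 November 2016. Those are the ones most likely to have missed a release and are worth re-checking against the 4.0.7 tarball explicitly. The new home-page is http://; prefer https:// if the site serves it.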
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
deleted file mode 100644
index 811516d..0000000
--- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-2015-12-26 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
- interface in case of unsupported values of SamplesPerPixel/ExtraSamples
- for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
- TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
- CVE-2015-8683 reported by zzf of Alibaba.
-
-diff -u -r1.93 -r1.94
---- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
-+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
-@@ -182,20 +182,22 @@
- "Planarconfiguration", td->td_planarconfig);
- return (0);
- }
-- if( td->td_samplesperpixel != 3 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d",
-- "Samples/pixel", td->td_samplesperpixel);
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
- return 0;
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
-@@ -255,6 +257,9 @@
- int colorchannels;
- uint16 *red_orig, *green_orig, *blue_orig;
- int n_color;
-+
-+ if( !TIFFRGBAImageOK(tif, emsg) )
-+ return 0;
-
- /* Initialize to normal values */
- img->row_offset = 0;
-@@ -2509,29 +2514,33 @@
- case PHOTOMETRIC_RGB:
- switch (img->bitspersample) {
- case 8:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >= 4)
- img->put.contig = putRGBAAcontig8bittile;
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >= 4)
- {
- if (BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig8bittile;
- }
-- else
-+ else if( img->samplesperpixel >= 3 )
- img->put.contig = putRGBcontig8bittile;
- break;
- case 16:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBAAcontig16bittile;
- }
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img) &&
- BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig16bittile;
- }
-- else
-+ else if( img->samplesperpixel >=3 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBcontig16bittile;
-@@ -2540,7 +2549,7 @@
- }
- break;
- case PHOTOMETRIC_SEPARATED:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel >=4 && buildMap(img)) {
- if (img->bitspersample == 8) {
- if (!img->Map)
- img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2636,7 +2645,7 @@
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel == 3 && buildMap(img)) {
- if (img->bitspersample == 8)
- img->put.contig = initCIELabConversion(img);
- break;
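Review bot: before dropping this file, check all three sites it touches in tif_getimage.c, not just one: the colorchannels != 3 tests at @@ -182,20, the TIFFRGBAImageOK() call added at @@ -255,6, and the samplesperpixel guards on the put-routine selection from @@ -2509,29 onward. Finding a single one of them in the 4.0.7 tarball does not show that both CVE-2015-8665 and CVE-2015-8683 are covered; confirm that tif_getimage.c there is at revision 1.94 or later, or that all three changes are present.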
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3623.patch b/gnu/packages/patches/libtiff-CVE-2016-3623.patch
deleted file mode 100644
index 0870586..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-3623.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
-http://bugzilla.maptools.org/show_bug.cgi?id=2569
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c
-
-Index: tools/rgb2ycbcr.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v
-retrieving revision 1.16
-retrieving revision 1.17
-diff -u -r1.16 -r1.17
---- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16
-+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17
-@@ -95,9 +95,13 @@
- break;
- case 'h':
- horizSubSampling = atoi(optarg);
-+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+ usage(-1);
- break;
- case 'v':
- vertSubSampling = atoi(optarg);
-+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+ usage(-1);
- break;
- case 'r':
- rowsperstrip = atoi(optarg);
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/packages/patches/libtiff-CVE-2016-3945.patch
deleted file mode 100644
index 8ec62ba..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-Fix CVE-2016-3945 (integer overflow in size of allocated
-buffer, when -b mode is enabled, that could result in out-of-bounds
-write).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
-http://bugzilla.maptools.org/show_bug.cgi?id=2545
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
-
-Index: tools/tiff2rgba.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
-retrieving revision 1.21
-retrieving revision 1.22
-diff -u -r1.21 -r1.22
---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21
-+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22
-@@ -147,6 +147,7 @@
- uint32 row, col;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -173,7 +180,13 @@
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
-@@ -249,6 +262,7 @@
- uint32 row;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -273,7 +293,13 @@
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
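Review bot: the overflow tests use tile_height (at @@ -163,7) and rowsperstrip (at @@ -263,7) as divisors with no zero check in the visible context, so a zero value would fault inside the check itself. When confirming that 4.0.7 contains this fix, check whether upstream guards those divisors. The new error paths also call exit(-1) where the adjacent allocation failures return (0).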
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/packages/patches/libtiff-CVE-2016-3990.patch
deleted file mode 100644
index 7641c30..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input
-samples are provided than expected by PixarLogSetupEncode).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
-http://bugzilla.maptools.org/show_bug.cgi?id=2544
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.45
-retrieving revision 1.46
-diff -u -r1.45 -r1.46
---- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45
-+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46
-@@ -1141,6 +1141,13 @@
- }
-
- llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-
- for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- switch (sp->user_datafmt) {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/packages/patches/libtiff-CVE-2016-3991.patch
deleted file mode 100644
index cb05f00..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix CVE-2016-3991 (out-of-bounds write in loadImage()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
-http://bugzilla.maptools.org/show_bug.cgi?id=2543
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.37
-retrieving revision 1.38
-diff -u -r1.37 -r1.38
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38
-@@ -798,6 +798,11 @@
- }
-
- tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -807,7 +812,12 @@
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@
- !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
- return 1;
-
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
- tile_buffsize = tilesize;
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -1219,6 +1235,11 @@
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
- }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@
- TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-
- tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
- buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-
--
- if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
- {
- buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
- #ifdef DEBUG2
- TIFFError("loadImage",
- "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@
- TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- stsize = TIFFStripSize(in);
- nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
- buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
- if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
- {
- buffsize = ((length * width * spp * bps) + 7) / 8;
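Review bot: in the striped branch of the last hunk (@@ -5969,8), the test (buffsize_check - 7) / width / spp / bps subtracts the 7 back out before dividing, so a wrap caused by the + 7 itself is not detected, and width, spp and bps are used as divisors with no zero check in the visible lines (only nstrips and stsize are tested). Worth checking how tiffcrop.c in 4.0.7 handles both cases when confirming the fix is included. Minor: uint32 buffsize_check is declared in the middle of the block, and the error string says "stipes" for "stripes".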
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5314.patch b/gnu/packages/patches/libtiff-CVE-2016-5314.patch
deleted file mode 100644
index e5380f8..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2016-5314.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314
-bugzilla.maptools.org/show_bug.cgi?id=2554
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.43
-retrieving revision 1.44
-diff -u -r1.43 -r1.44
---- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43
-+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44
-@@ -459,6 +459,7 @@
- typedef struct {
- TIFFPredictorState predict;
- z_stream stream;
-+ tmsize_t tbuf_size; /* only set/used on reading for now */
- uint16 *tbuf;
- uint16 stride;
- int state;
-@@ -694,6 +695,7 @@
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
- if (sp->tbuf == NULL)
- return (0);
-+ sp->tbuf_size = tbuf_size;
- if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
- sp->user_datafmt = PixarLogGuessDataFmt(td);
- if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
-@@ -783,6 +785,12 @@
- TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
- return (0);
- }
-+ /* Check that we will not fill more than what was allocated */
-+ if (sp->stream.avail_out > sp->tbuf_size)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
-+ return (0);
-+ }
- do {
- int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
- if (state == Z_STREAM_END) {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5321.patch b/gnu/packages/patches/libtiff-CVE-2016-5321.patch
deleted file mode 100644
index 2afca18..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2016-5321.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
-http://bugzilla.maptools.org/show_bug.cgi?id=2558
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.35
-retrieving revision 1.36
-diff -u -r1.35 -r1.36
---- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-@@ -989,7 +989,7 @@
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
- for (col = 0; col < imagewidth; col += tw)
- {
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
- { /* Read each plane of a tile set into srcbuffs[s] */
- tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
- if (tbytes < 0 && !ignore)
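Review bot: the added s < MAX_SAMPLES bound ends the loop silently, so when spp exceeds MAX_SAMPLES only the first planes are read and nothing in these lines reports it. When checking tiffcrop.c in 4.0.7 for this fix, note whether such files are rejected earlier instead of being truncated here.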
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/packages/patches/libtiff-CVE-2016-5323.patch
deleted file mode 100644
index 8b2a043..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Fix CVE-2016-5323.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
-http://bugzilla.maptools.org/show_bug.cgi?id=2559
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-@@ -3738,7 +3738,7 @@
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -3947,7 +3947,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4073,7 +4073,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4263,7 +4263,7 @@
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4471,7 +4471,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4597,7 +4597,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
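Review bot: the same one-line bound, (s < spp) && (s < MAX_SAMPLES), is applied at eight separate loops from @@ -3738,7 to @@ -4597,7, so all eight need to be present in tiffcrop.c 4.0.7 for this file to be obsolete. The visible context does not show how in[s] is sized, so it cannot be confirmed from this patch alone that MAX_SAMPLES is the right limit for every loop.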
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch
deleted file mode 100644
index 54b87d0..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5652.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
-
-Patches exfiltrated from upstream CVS repo with:
-cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
-
-Index: tools/tiff2pdf.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
-retrieving revision 1.92
-retrieving revision 1.94
-diff -u -r1.92 -r1.94
---- a/tools/tiff2pdf.c 23 Sep 2016 22:12:18 -0000 1.92
-+++ b/tools/tiff2pdf.c 9 Oct 2016 11:03:36 -0000 1.94
-@@ -2887,21 +2887,24 @@
- return(0);
- }
- if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
-- if (count > 0) {
-- _TIFFmemcpy(buffer, jpt, count);
-+ if (count >= 4) {
-+ /* Ignore EOI marker of JpegTables */
-+ _TIFFmemcpy(buffer, jpt, count - 2);
- bufferoffset += count - 2;
-+ /* Store last 2 bytes of the JpegTables */
- table_end[0] = buffer[bufferoffset-2];
- table_end[1] = buffer[bufferoffset-1];
-- }
-- if (count > 0) {
- xuint32 = bufferoffset;
-+ bufferoffset -= 2;
- bufferoffset += TIFFReadRawTile(
- input,
- tile,
-- (tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]),
-+ (tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
- -1);
-- buffer[xuint32-2]=table_end[0];
-- buffer[xuint32-1]=table_end[1];
-+ /* Overwrite SOI marker of image scan with previously */
-+ /* saved end of JpegTables */
-+ buffer[xuint32-2]=table_end[0];
-+ buffer[xuint32-1]=table_end[1];
- } else {
- bufferoffset += TIFFReadRawTile(
- input,
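Review bot: the header's cvs command spans two upstream revisions (-r 1.92 -r 1.94), so tools/tiff2pdf.c in 4.0.7 must be at 1.94 or later, not 1.93, for this file to be obsolete. Unlike the sibling patches, the header gives no upstream bug link, and "exfiltrated" should read "extracted".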
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9273.patch b/gnu/packages/patches/libtiff-CVE-2016-9273.patch
deleted file mode 100644
index 9cd6b3d..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9273.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2016-9273:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
-http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Patch extracted from upstream CVS repo:
-
-2016-11-10 Even Rouault <even.rouault at spatialys.com>
-
-revision 1.37
-date: 2016-11-09 18:00:49 -0500; author: erouault; state: Exp; lines: +10 -1; commitid: pzKipPxDJO2dxvtz;
-* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
-value when it is non-zero, instead of recomputing it. This is needed in
-TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
-array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Index: libtiff/tif_strip.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- a/libtiff/tif_strip.c 7 Jun 2015 22:35:40 -0000 1.36
-+++ b/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37
-@@ -63,6 +63,15 @@
- TIFFDirectory *td = &tif->tif_dir;
- uint32 nstrips;
-
-+ /* If the value was already computed and store in td_nstrips, then return it,
-+ since ChopUpSingleUncompressedStrip might have altered and resized the
-+ since the td_stripbytecount and td_stripoffset arrays to the new value
-+ after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-+ tif_dirread.c ~line 3612.
-+ See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-+ if( td->td_nstrips )
-+ return td->td_nstrips;
-+
- nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
- TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
- if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
deleted file mode 100644
index c9207bb..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9297.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Fix CVE-2016-9297:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
-http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-Patch copied from upstream source repository.
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
- values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
- access are null terminated, to avoid potential read outside buffer
- in _TIFFPrintField().
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
-new revision: 1.1154; previous revision: 1.1153
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <--
-libtiff/tif_dirread.c
-new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.202
-retrieving revision 1.203
-diff -u -r1.202 -r1.203
---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:01:55 -0000 1.202
-+++ libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
-@@ -5000,6 +5000,11 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-+ if( data[dp->tdir_count-1] != '\0' )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+ data[dp->tdir_count-1] = '\0';
-+ }
- m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
- if (data!=0)
- _TIFFfree(data);
-@@ -5172,6 +5177,11 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-+ if( data[dp->tdir_count-1] != '\0' )
-+ {
-+ TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+ data[dp->tdir_count-1] = '\0';
-+ }
- m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
- if (data!=0)
- _TIFFfree(data);
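Review bot: the check this removed patch adds at both sites, `data[dp->tdir_count-1] != '\0'`, indexes with tdir_count-1 without testing that tdir_count is non-zero, and it reads data before the `if (data!=0)` test that follows the TIFFSetField call. The missing count test is what the CVE-2016-9448 patch deleted next corrects, so the two removals should be verified as a pair: 4.0.7's tif_dirread.c needs the guarded condition at both the uint16 and the uint32 call site, not the form shown here.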
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9448.patch b/gnu/packages/patches/libtiff-CVE-2016-9448.patch
deleted file mode 100644
index 05a3af8..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9448.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2593
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
-
-Patch copied from upstream source repository with:
-$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
-
-Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.203
-retrieving revision 1.204
-diff -u -r1.203 -r1.204
---- libtiff/libtiff/tif_dirread.c 11 Nov 2016 20:22:01 -0000 1.203
-+++ libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204
-@@ -5000,7 +5000,7 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-- if( data[dp->tdir_count-1] != '\0' )
-+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
- {
- TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
- data[dp->tdir_count-1] = '\0';
-@@ -5177,7 +5177,7 @@
- if (err==TIFFReadDirEntryErrOk)
- {
- int m;
-- if( data[dp->tdir_count-1] != '\0' )
-+ if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
- {
- TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
- data[dp->tdir_count-1] = '\0';
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
deleted file mode 100644
index 3fea745..0000000
--- a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
- functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522).
- Fix potential out-of-bound reads in case of short input data.
-
-diff -u -r1.40 -r1.41
---- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
-+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
-@@ -1,4 +1,4 @@
--/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
-+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
-
- /*
- * Copyright (c) 1997 Greg Ward Larson
-@@ -202,7 +202,11 @@
- if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
- tp = (int16*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (int16*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 2*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ if( cc < 2 )
-+ break;
-+ rc = *bp++ + (2-128);
- b = (int16)(*bp++ << shft);
- cc -= 2;
- while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (int16)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32 *)op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32 *) sp->tbuf;
- }
- /* copy to array of uint32 */
- bp = (unsigned char*) tif->tif_rawcp;
- cc = tif->tif_rawcc;
-- for (i = 0; i < npixels && cc > 0; i++) {
-+ for (i = 0; i < npixels && cc >= 3; i++) {
- tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
- bp += 3;
- cc -= 3;
-@@ -325,7 +336,11 @@
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 4*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-+ if( cc < 2 )
-+ break;
- rc = *bp++ + (2-128);
- b = (uint32)*bp++ << shft;
-- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ cc -= 2;
- while (rc-- && i < npixels)
- tp[i++] |= b;
- } else { /* non-run */
-@@ -346,6 +363,7 @@
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (uint32)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogL16Encode";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -433,7 +452,11 @@
- tp = (int16*) bp;
- else {
- tp = (int16*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
-@@ -506,6 +529,7 @@
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode24";
- LogLuvState* sp = EncoderState(tif);
- tmsize_t i;
- tmsize_t npixels;
-@@ -521,7 +545,11 @@
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* write out encoded pixels */
-@@ -553,6 +581,7 @@
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode32";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -574,7 +603,11 @@
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
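Review bot: this removed patch changes nine separate places in tif_luv.c (six `assert(sp->tbuflen >= npixels)` replacements across the decode and encode functions, two `cc < 2` guards in the run branches, and the `cc >= 3` loop bound), so checking one function in the 4.0.7 tarball does not confirm the whole fix is present. The description notes the asserts only mattered in non-debug builds, so the comparison should be made on the source and not inferred from a test run of a debug build.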
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
deleted file mode 100644
index 50657b6..0000000
--- a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
- triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
-diff -u -r1.16 -r1.18
---- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
-+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
-@@ -1,4 +1,4 @@
--/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
-+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
-
- /*
- * Copyright (c) 1988-1997 Sam Leffler
-@@ -37,7 +37,7 @@
- case 0: op[0] = (unsigned char) ((v) << 6); break; \
- case 1: op[0] |= (v) << 4; break; \
- case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
- } \
- }
-
-@@ -103,6 +103,7 @@
- }
- default: {
- uint32 npixels = 0, grey;
-+ tmsize_t op_offset = 0;
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
- if( isTiled(tif) )
- imagewidth = tif->tif_dir.td_tilewidth;
-@@ -122,10 +123,15 @@
- * bounds, potentially resulting in a security
- * issue.
- */
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- SETPIXEL(op, grey);
- if (npixels >= imagewidth)
- break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
- if (cc == 0)
- goto bad;
- n = *bp++, cc--;
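Review bot: the header of this removed patch is `diff -u -r1.16 -r1.18`, so it spans two upstream revisions of tif_next.c while its description quotes a single ChangeLog entry. When confirming against 4.0.7, look for both the `op_offset++` in case 3 of SETPIXEL and the `op_offset >= scanline` error return, because the added loop bound only works if the macro increments the counter.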
diff --git a/gnu/packages/patches/libtiff-uint32-overflow.patch b/gnu/packages/patches/libtiff-uint32-overflow.patch
deleted file mode 100644
index c95126f..0000000
--- a/gnu/packages/patches/libtiff-uint32-overflow.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-Fix some buffer overflows:
-
-http://seclists.org/oss-sec/2016/q4/408
-http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
- * tools/tiffcrop.c: fix multiple uint32 overflows in
- writeBufferToSeparateStrips(), writeBufferToContigTiles() and
- writeBufferToSeparateTiles() that could cause heap buffer
-overflows.
- Reported by Henri Salo from Nixu Corporation.
- Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
-new revision: 1.1152; previous revision: 1.1151
-/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c
-new revision: 1.43; previous revision: 1.42
-
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -r1.42 -r1.43
---- libtiff/tools/tiffcrop.c 14 Oct 2016 19:13:20 -0000 1.42
-+++ libtiff/tools/tiffcrop.c 11 Nov 2016 19:33:06 -0000 1.43
-@@ -148,6 +148,8 @@
- #define PATH_MAX 1024
- #endif
-
-+#define TIFF_UINT32_MAX 0xFFFFFFFFU
-+
- #ifndef streq
- #define streq(a,b) (strcmp((a),(b)) == 0)
- #endif
-@@ -1164,7 +1166,24 @@
- (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
- bytes_per_sample = (bps + 7) / 8;
-- rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
-+ if( width == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
-+ bps * spp * width > TIFF_UINT32_MAX - 7U )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (bps * spp * width) + 7");
-+ return 1;
-+ }
-+ rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
-+ if( bytes_per_sample == 0 ||
-+ rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
-+ rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing rowsperstrip * "
-+ "bytes_per_sample * (width + 1)");
-+ return 1;
-+ }
- rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
-
- obuf = _TIFFmalloc (rowstripsize);
-@@ -1251,11 +1270,19 @@
- }
- }
-
-+ if( imagewidth == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+ return 1;
-+ }
-+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-+
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
- return 1;
--
-- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
- for (row = 0; row < imagelength; row += tl)
- {
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
-@@ -1315,7 +1342,16 @@
- TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
- TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
- TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-- src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-+
-+ if( imagewidth == 0 ||
-+ (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+ bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
-+ {
-+ TIFFError(TIFFFileName(out),
-+ "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+ return 1;
-+ }
-+ src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-
- for (row = 0; row < imagelength; row += tl)
- {
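Review bot: unlike the CVE-named files, this removed patch is identified only by the oss-sec and bugzilla 2592 links, so searching the 4.0.7 sources by CVE number will not confirm it. It touches tools/tiffcrop.c only; check that the file defines TIFF_UINT32_MAX and has the overflow test ahead of each of the three row-size computations (rowsize plus rowstripsize, and the two src_rowsize sites).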
--
2.10.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* Re: Libtiff 4.0.7 update
2016-11-21 16:48 Libtiff 4.0.7 update Leo Famulari
@ 2016-11-21 17:21 ` Marius Bakke
2016-11-21 18:32 ` Leo Famulari
2016-11-22 17:33 ` Leo Famulari
0 siblings, 2 replies; 7+ messages in thread
From: Marius Bakke @ 2016-11-21 17:21 UTC (permalink / raw)
To: Leo Famulari, guix-devel
[-- Attachment #1: Type: text/plain, Size: 955 bytes --]
Leo Famulari <leo@famulari.name> writes:
> This updates libtiff to the latest upstream version, 4.0.7. I went
> through the tarball and confirmed that all the patches were contained in
> it but, please, double-check :)
>
> Also, libtiff has new source and home-page URLs. Read all about it:
>
> http://www.asmail.be/msg0054885794.html
>
> It will require ~1600 rebuilds.
Sweet. Perhaps it should be grafted on master first, then merge it and
ungraft on core-updates? Either approach will cause conflicts if there
are further updates to libtiff before next core-updates merge, so not
sure which is better.
Another approach could be to have special "ungraft" branches for each of
these widely used high-severity libraries, that are continuously merged
once Hydra has built it all.
Not sure how many days it takes to build ~1600 packages for all
supported archs, probably better to merge "ungrafts" to staging.
Just throwing some ideas out. LGTM anyway!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]
* Re: Libtiff 4.0.7 update
2016-11-21 17:21 ` Marius Bakke
@ 2016-11-21 18:32 ` Leo Famulari
2016-11-23 21:21 ` Ludovic Courtès
2016-11-22 17:33 ` Leo Famulari
1 sibling, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-11-21 18:32 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1184 bytes --]
On Mon, Nov 21, 2016 at 06:21:47PM +0100, Marius Bakke wrote:
> Sweet. Perhaps it should be grafted on master first, then merge it and
> ungraft on core-updates? Either approach will cause conflicts if there
> are further updates to libtiff before next core-updates merge, so not
> sure which is better.
I'm sure there will be patches for 4.0.7. I'll handle master ->
core-updates merge conflicts when I commit those patches to master.
> Another approach could be to have special "ungraft" branches for each of
> these widely used high-severity libraries, that are continuously merged
> once Hydra has built it all.
>
> Not sure how many days it takes to build ~1600 packages for all
> supported archs, probably better to merge "ungrafts" to staging.
It would be nice to remove the grafts soon, but it's over the 1200
rebuild limit for staging:
http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
But, I'll put it on staging if there is a consensus. I guess that
staging will end up requiring more than 1200 rebuilds anyways, since
there could be multiple changes with that much impact, but affecting
different parts of the package graph.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
* Re: Libtiff 4.0.7 update
2016-11-21 18:32 ` Leo Famulari
@ 2016-11-23 21:21 ` Ludovic Courtès
2016-11-24 3:57 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2016-11-23 21:21 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Hi!
Leo Famulari <leo@famulari.name> writes:
> It would be nice to remove the grafts soon, but it's over the 1200
> rebuild limit for staging:
>
> http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
>
> But, I'll put it on staging if there is a consensus. I guess that
> staging will end up requiring more than 1200 rebuilds anyways, since
> there could be multiple changes with that much impact, but affecting
> different parts of the package graph.
Yes, that should be OK, especially since it’s a safe change.
Thanks,
Ludo’.
* Re: Libtiff 4.0.7 update
2016-11-23 21:21 ` Ludovic Courtès
@ 2016-11-24 3:57 ` Leo Famulari
2016-11-24 16:17 ` Ludovic Courtès
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-11-24 3:57 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Wed, Nov 23, 2016 at 10:21:21PM +0100, Ludovic Courtès wrote:
> Hi!
>
> Leo Famulari <leo@famulari.name> writes:
>
> > It would be nice to remove the grafts soon, but it's over the 1200
> > rebuild limit for staging:
> >
> > http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
> >
> > But, I'll put it on staging if there is a consensus. I guess that
> > staging will end up requiring more than 1200 rebuilds anyways, since
> > there could be multiple changes with that much impact, but affecting
> > different parts of the package graph.
>
> Yes, that should be OK, especially since it’s a safe change.
I made the change, updating libtiff to 4.0.7 and building it with GCC 5,
in 0bd1097c50950d47954b4dc136654dfbde45d5b1.
I had already updated it on core-updates; should I revert that change?
* Re: Libtiff 4.0.7 update
2016-11-24 3:57 ` Leo Famulari
@ 2016-11-24 16:17 ` Ludovic Courtès
0 siblings, 0 replies; 7+ messages in thread
From: Ludovic Courtès @ 2016-11-24 16:17 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> On Wed, Nov 23, 2016 at 10:21:21PM +0100, Ludovic Courtès wrote:
>> Hi!
>>
>> Leo Famulari <leo@famulari.name> writes:
>>
>> > It would be nice to remove the grafts soon, but it's over the 1200
>> > rebuild limit for staging:
>> >
>> > http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
>> >
>> > But, I'll put it on staging if there is a consensus. I guess that
>> > staging will end up requiring more than 1200 rebuilds anyways, since
>> > there could be multiple changes with that much impact, but affecting
>> > different parts of the package graph.
>>
>> Yes, that should be OK, especially since it’s a safe change.
>
> I made the change, updating libtiff to 4.0.7 and building it with GCC 5,
> in 0bd1097c50950d47954b4dc136654dfbde45d5b1.
>
> I had already updated it on core-updates; should I revert that change?
No, the next merge will detect that it’s the same thing, I guess.
Ludo’.
* Re: Libtiff 4.0.7 update
2016-11-21 17:21 ` Marius Bakke
2016-11-21 18:32 ` Leo Famulari
@ 2016-11-22 17:33 ` Leo Famulari
1 sibling, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2016-11-22 17:33 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 805 bytes --]
On Mon, Nov 21, 2016 at 06:21:47PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > This updates libtiff to the latest upstream version, 4.0.7. I went
> > through the tarball and confirmed that all the patches were contained in
> > it but, please, double-check :)
> >
> > Also, libtiff has new source and home-page URLs. Read all about it:
> >
> > http://www.asmail.be/msg0054885794.html
> >
> > It will require ~1600 rebuilds.
>
> Sweet. Perhaps it should be grafted on master first, then merge it and
> ungraft on core-updates? Either approach will cause conflicts if there
> are further updates to libtiff before next core-updates merge, so not
> sure which is better.
I updated the graft on master, and I'll handle the core-updates merge
later today.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]