From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57344)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d70zB-0008KD-9J
	for guix-patches@gnu.org; Sat, 06 May 2017 10:47:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d70z8-0001sS-1S
	for guix-patches@gnu.org; Sat, 06 May 2017 10:47:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:59982)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1d70z7-0001sO-TX
	for guix-patches@gnu.org; Sat, 06 May 2017 10:47:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1d70z7-00017N-NJ
	for guix-patches@gnu.org; Sat, 06 May 2017 10:47:01 -0400
Subject: bug#26804: [PATCH] gnu: libtiff: Fix CVE-2017-{7593, 7594, 7595, 7596,
	7597, 7598, 7599, 7600, 7601, 7602}.
Resent-Message-ID: <handler.26804.B.14940819984252@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57185)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1d70yM-0008El-EX
	for guix-patches@gnu.org; Sat, 06 May 2017 10:46:17 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1d70yI-0001Vs-J4
	for guix-patches@gnu.org; Sat, 06 May 2017 10:46:14 -0400
Received: from lb1.openmailbox.org ([5.79.108.160]:53911
	helo=mail.openmailbox.org)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <kei@openmailbox.org>) id 1d70yI-0001UO-4R
	for guix-patches@gnu.org; Sat, 06 May 2017 10:46:10 -0400
From: Kei Kebreau <kei@openmailbox.org>
Date: Sat,  6 May 2017 10:45:57 -0400
Message-Id: <20170506144557.28785-1-kei@openmailbox.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 26804@debbugs.gnu.org
Cc: Kei Kebreau <kei@openmailbox.org>

* gnu/packages/patches/libtiff-CVE-2017-7593.patch: New file.
* gnu/packages/patches/libtiff-CVE-2017-7594.patch: New file.
* gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libtiff)[source]: Use them.
---
 gnu/local.mk                                       |   3 +
 gnu/packages/image.scm                             |   7 +-
 gnu/packages/patches/libtiff-CVE-2017-7593.patch   | 113 ++++++
 gnu/packages/patches/libtiff-CVE-2017-7594.patch   |  54 +++
 .../patches/libtiff-multiple-UBSAN-crashes.patch   | 449 +++++++++++++++=
++++++
 5 files changed, 624 insertions(+), 2 deletions(-)
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7593.patch
 create mode 100644 gnu/packages/patches/libtiff-CVE-2017-7594.patch
 create mode 100644 gnu/packages/patches/libtiff-multiple-UBSAN-crashes.p=
atch

diff --git a/gnu/local.mk b/gnu/local.mk
index c93dca64c..d983d62fd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -739,6 +739,9 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/libtiff-CVE-2016-10093.patch		\
   %D%/packages/patches/libtiff-CVE-2016-10094.patch		\
   %D%/packages/patches/libtiff-CVE-2017-5225.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-7593.patch		\
+  %D%/packages/patches/libtiff-CVE-2017-7594.patch		\
+  %D%/packages/patches/libtiff-multiple-UBSAN-crashes.patch	\
   %D%/packages/patches/libtiff-assertion-failure.patch		\
   %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch	\
   %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch	\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 2027395ca..a8cc837d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -13,7 +13,7 @@
 ;;; Copyright =C2=A9 2016 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright =C2=A9 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright =C2=A9 2016 Arun Isaac <arunisaac@systemreboot.net>
-;;; Copyright =C2=A9 2016 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright =C2=A9 2016, 2017 Kei Kebreau <kei@openmailbox.org>
 ;;; Copyright =C2=A9 2017 ng0 <contact.ng0@cryptolab.net>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -319,7 +319,10 @@ extracting icontainer icon files.")
                                      "libtiff-divide-by-zero-tiffcp.patc=
h"
                                      "libtiff-assertion-failure.patch"
                                      "libtiff-CVE-2016-10094.patch"
-                                     "libtiff-CVE-2017-5225.patch"))
+                                     "libtiff-CVE-2017-5225.patch"
+                                     "libtiff-CVE-2017-7593.patch"
+                                     "libtiff-CVE-2017-7594.patch"
+                                     "libtiff-multiple-UBSAN-crashes.pat=
ch"))
             (sha256
              (base32
               "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packa=
ges/patches/libtiff-CVE-2017-7593.patch
new file mode 100644
index 000000000..496efb73b
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7593.patch
@@ -0,0 +1,113 @@
+Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawd=
ata):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=3D2651
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7593
+https://security-tracker.debian.org/tracker/CVE-2017-7593
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add
+        _TIFFcalloc()
+
+        * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() t=
o zero
+        initialize tif_rawdata.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2651
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1208; previous revision: 1.1207
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <--  libtiff/tif_rea=
d.c
+new revision: 1.53; previous revision: 1.52
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v  <--  libtiff/tif_uni=
x.c
+new revision: 1.28; previous revision: 1.27
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v  <--  libtiff/tif_vms.=
c
+new revision: 1.14; previous revision: 1.13
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v  <--  libtiff/tif_wi=
n32.c
+new revision: 1.42; previous revision: 1.41
+/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v  <--  libtiff/tiffio.h
+new revision: 1.94; previous revision: 1.93
+
+diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h
+--- tiff-4.0.7/libtiff/tiffio.h	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tiffio.h	2017-05-05 19:08:03.772999790 -0400
+@@ -1,4 +1,4 @@
+-/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -293,6 +293,7 @@
+  */
+=20
+ extern void* _TIFFmalloc(tmsize_t s);
++extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
+ extern void* _TIFFrealloc(void* p, tmsize_t s);
+ extern void _TIFFmemset(void* p, int v, tmsize_t c);
+ extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
+diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c
+--- tiff-4.0.7/libtiff/tif_read.c	2017-05-05 19:04:09.740966642 -0400
++++ tiff-4.0.7.new/libtiff/tif_read.c	2017-05-05 18:59:11.070709441 -040=
0
+@@ -1,4 +1,4 @@
+-/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */
++/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -976,7 +976,9 @@
+ 				"Invalid buffer size");
+ 		    return (0);
+ 		}
+-		tif->tif_rawdata =3D (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
++		/* Initialize to zero to avoid uninitialized buffers in case of */
++		/* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=3D2651) =
*/
++		tif->tif_rawdata =3D (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
+ 		tif->tif_flags |=3D TIFF_MYBUFFER;
+ 	}
+ 	if (tif->tif_rawdata =3D=3D NULL) {
+diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c
+--- tiff-4.0.7/libtiff/tif_unix.c	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_unix.c	2017-05-05 19:10:48.302645187 -040=
0
+@@ -1,4 +1,4 @@
+-/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */
++/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -316,6 +316,14 @@
+ 	return (malloc((size_t) s));
+ }
+=20
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb =3D=3D 0 || siz =3D=3D 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
+diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32=
.c
+--- tiff-4.0.7/libtiff/tif_win32.c	1969-12-31 19:00:00.000000000 -0500
++++ tiff-4.0.7.new/libtiff/tif_win32.c	2017-05-05 19:13:06.903399627 -04=
00
+@@ -1,4 +1,4 @@
+-/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */
++/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -360,6 +360,14 @@
+ 	return (malloc((size_t) s));
+ }
+=20
++void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
++{
++    if( nmemb =3D=3D 0 || siz =3D=3D 0 )
++        return ((void *) NULL);
++
++    return calloc((size_t) nmemb, (size_t)siz);
++}
++
+ void
+ _TIFFfree(void* p)
+ {
diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packa=
ges/patches/libtiff-CVE-2017-7594.patch
new file mode 100644
index 000000000..d17997d44
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2017-7594.patch
@@ -0,0 +1,54 @@
+Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c):
+
+http://bugzilla.maptools.org/show_bug.cgi?id=3D2659
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7594
+https://security-tracker.debian.org/tracker/CVE-2017-7594
+
+2017-01-12 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesA=
cTable
+        when read fails.
+        Patch by Nicol=C3=A1s Pe=C3=B1a.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2659
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1212; previous revision: 1.1211
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v  <--  libtiff/tif_oj=
peg.c
+new revision: 1.67; previous revision: 1.66
+
+Index: libtiff/libtiff/tif_ojpeg.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v
+retrieving revision 1.67
+retrieving revision 1.68
+diff -u -r1.67 -r1.68
+--- libtiff/libtiff/tif_ojpeg.c	12 Jan 2017 17:43:26 -0000	1.67
++++ libtiff/libtiff/tif_ojpeg.c	12 Jan 2017 19:23:20 -0000	1.68
+@@ -1,4 +1,4 @@
+-/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */
++/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */
+=20
+ /* WARNING: The type of JPEG encapsulation defined by the TIFF Version =
6.0
+    specification is now totally obsolete and deprecated for new applica=
tions and
+@@ -1790,7 +1790,10 @@
+ 			TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);=20
+ 			p=3D(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ 			if (p!=3D64)
++                        {
++                                _TIFFfree(ob);
+ 				return(0);
++                        }
+ 			sp->qtable[m]=3Dob;
+ 			sp->sof_tq[m]=3Dm;
+ 		}
+@@ -1854,7 +1857,10 @@
+ 				rb[sizeof(uint32)+5+n]=3Do[n];
+ 			p=3D(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ 			if (p!=3Dq)
++                        {
++                                _TIFFfree(rb);
+ 				return(0);
++                        }
+ 			sp->dctable[m]=3Drb;
+ 			sp->sos_tda[m]=3D(m<<4);
+ 		}
diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/=
gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
new file mode 100644
index 000000000..2f4509f38
--- /dev/null
+++ b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch
@@ -0,0 +1,449 @@
+Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7595
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7596
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7597
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7598
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7599
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7600
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7601
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-7602
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement va=
rious
+        clampings
+        of double to other data types to avoid undefined behaviour if th=
e
+        output range
+        isn't big enough to hold the input value.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2643
+        http://bugzilla.maptools.org/show_bug.cgi?id=3D2642
+        http://bugzilla.maptools.org/show_bug.cgi?id=3D2646
+        http://bugzilla.maptools.org/show_bug.cgi?id=3D2647
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
+new revision: 1.1204; previous revision: 1.1203
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v  <--  libtiff/tif_dir.=
c
+new revision: 1.129; previous revision: 1.128
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- libtiff/tif_d=
irread.c
+new revision: 1.207; previous revision: 1.206
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v  <-- libtiff/tif_=
dirwrite.c
+new revision: 1.85; previous revision: 1.84
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_dirread.c: avoid division by floating point 0 in
+        TIFFReadDirEntryCheckedRational() and
+        TIFFReadDirEntryCheckedSrational(),
+        and return 0 in that case (instead of infinity as before presuma=
bly)
+        Apparently some sanitizers do not like those divisions by zero.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2644
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1203; previous revision: 1.1202
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- libtiff/tif_d=
irread.c
+new revision: 1.206; previous revision: 1.205
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode(=
) to
+        avoid undefined behaviour caused by invalid shift exponent.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2648
+
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1205; previous revision: 1.1204
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v  <-- libtiff/tif_jpeg=
.c
+new revision: 1.126; previous revision: 1.125
+
+2017-01-11 Even Rouault <even.rouault at spatialys.com>
+
+        * libtiff/tif_read.c: avoid potential undefined behaviour on sig=
ned
+        integer addition in TIFFReadRawStrip1() in isMapped() case.
+        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2650
+
+/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <-- ChangeLog
+new revision: 1.1206; previous revision: 1.1205
+/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v  <-- libtiff/tif_read=
.c
+new revision: 1.51; previous revision: 1.50
+
+Index: libtiff/libtiff/tif_dir.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v
+retrieving revision 1.128
+retrieving revision 1.129
+diff -u -r1.128 -r1.129
+--- libtiff/libtiff/tif_dir.c	3 Dec 2016 15:30:31 -0000	1.128
++++ libtiff/libtiff/tif_dir.c	11 Jan 2017 16:09:02 -0000	1.129
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */
++/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -31,6 +31,7 @@
+  * (and also some miscellaneous stuff)
+  */
+ #include "tiffiop.h"
++#include <float.h>
+=20
+ /*
+  * These are used in the backwards compatibility code...
+@@ -154,6 +155,15 @@
+ 	return (0);
+ }
+=20
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
+ static int
+ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ {
+@@ -312,13 +322,13 @@
+         dblval =3D va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_xresolution =3D (float) dblval;
++		td->td_xresolution =3D TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval =3D va_arg(ap, double);
+         if( dblval < 0 )
+             goto badvaluedouble;
+-		td->td_yresolution =3D (float) dblval;
++		td->td_yresolution =3D TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_PLANARCONFIG:
+ 		v =3D (uint16) va_arg(ap, uint16_vap);
+@@ -327,10 +337,10 @@
+ 		td->td_planarconfig =3D (uint16) v;
+ 		break;
+ 	case TIFFTAG_XPOSITION:
+-		td->td_xposition =3D (float) va_arg(ap, double);
++		td->td_xposition =3D TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_YPOSITION:
+-		td->td_yposition =3D (float) va_arg(ap, double);
++		td->td_yposition =3D TIFFClampDoubleToFloat( va_arg(ap, double) );
+ 		break;
+ 	case TIFFTAG_RESOLUTIONUNIT:
+ 		v =3D (uint16) va_arg(ap, uint16_vap);
+Index: libtiff/libtiff/tif_dirread.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.206
+retrieving revision 1.207
+diff -u -r1.206 -r1.207
+--- libtiff/libtiff/tif_dirread.c	11 Jan 2017 13:28:01 -0000	1.206
++++ libtiff/libtiff/tif_dirread.c	11 Jan 2017 16:09:02 -0000	1.207
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */
++/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -40,6 +40,7 @@
+  */
+=20
+ #include "tiffiop.h"
++#include <float.h>
+=20
+ #define IGNORE 0          /* tag placeholder used below */
+ #define FAILED_FII    ((uint32) -1)
+@@ -2406,7 +2407,14 @@
+ 				ma=3D(double*)origdata;
+ 				mb=3Ddata;
+ 				for (n=3D0; n<count; n++)
+-					*mb++=3D(float)(*ma++);
++                                {
++                                    double val =3D *ma++;
++                                    if( val > FLT_MAX )
++                                        val =3D FLT_MAX;
++                                    else if( val < -FLT_MAX )
++                                        val =3D -FLT_MAX;
++                                    *mb++=3D(float)val;
++                                }
+ 			}
+ 			break;
+ 	}
+Index: libtiff/libtiff/tif_dirwrite.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
+retrieving revision 1.84
+retrieving revision 1.85
+diff -u -r1.84 -r1.85
+--- libtiff/libtiff/tif_dirwrite.c	11 Jan 2017 12:51:59 -0000	1.84
++++ libtiff/libtiff/tif_dirwrite.c	11 Jan 2017 16:09:02 -0000	1.85
+@@ -1,4 +1,4 @@
+-/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */
++/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1988-1997 Sam Leffler
+@@ -30,6 +30,7 @@
+  * Directory Write Support Routines.
+  */
+ #include "tiffiop.h"
++#include <float.h>
+=20
+ #ifdef HAVE_IEEEFP
+ #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
+@@ -939,6 +940,69 @@
+ 	return(0);
+ }
+=20
++static float TIFFClampDoubleToFloat( double val )
++{
++    if( val > FLT_MAX )
++        return FLT_MAX;
++    if( val < -FLT_MAX )
++        return -FLT_MAX;
++    return (float)val;
++}
++
++static int8 TIFFClampDoubleToInt8( double val )
++{
++    if( val > 127 )
++        return 127;
++    if( val < -128 || val !=3D val )
++        return -128;
++    return (int8)val;
++}
++
++static int16 TIFFClampDoubleToInt16( double val )
++{
++    if( val > 32767 )
++        return 32767;
++    if( val < -32768 || val !=3D val )
++        return -32768;
++    return (int16)val;
++}
++
++static int32 TIFFClampDoubleToInt32( double val )
++{
++    if( val > 0x7FFFFFFF )
++        return 0x7FFFFFFF;
++    if( val < -0x7FFFFFFF-1 || val !=3D val )
++        return -0x7FFFFFFF-1;
++    return (int32)val;
++}
++
++static uint8 TIFFClampDoubleToUInt8( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 255 || val !=3D val )
++        return 255;
++    return (uint8)val;
++}
++
++static uint16 TIFFClampDoubleToUInt16( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 65535 || val !=3D val )
++        return 65535;
++    return (uint16)val;
++}
++
++static uint32 TIFFClampDoubleToUInt32( double val )
++{
++    if( val < 0 )
++        return 0;
++    if( val > 0xFFFFFFFFU || val !=3D val )
++        return 0xFFFFFFFFU;
++    return (uint32)val;
++}
++
+ static int
+ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDir=
Entry* dir, uint16 tag, uint32 count, double* value)
+ {
+@@ -959,7 +1023,7 @@
+ 			if (tif->tif_dir.td_bitspersample<=3D32)
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((float*)conv)[i] =3D (float)value[i];
++					((float*)conv)[i] =3D TIFFClampDoubleToFloat(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(floa=
t*)conv);
+ 			}
+ 			else
+@@ -971,19 +1035,19 @@
+ 			if (tif->tif_dir.td_bitspersample<=3D8)
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((int8*)conv)[i] =3D (int8)value[i];
++					((int8*)conv)[i] =3D TIFFClampDoubleToInt8(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8=
*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=3D16)
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((int16*)conv)[i] =3D (int16)value[i];
++					((int16*)conv)[i] =3D TIFFClampDoubleToInt16(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int=
16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((int32*)conv)[i] =3D (int32)value[i];
++					((int32*)conv)[i] =3D TIFFClampDoubleToInt32(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int3=
2*)conv);
+ 			}
+ 			break;
+@@ -991,19 +1055,19 @@
+ 			if (tif->tif_dir.td_bitspersample<=3D8)
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((uint8*)conv)[i] =3D (uint8)value[i];
++					((uint8*)conv)[i] =3D TIFFClampDoubleToUInt8(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8=
*)conv);
+ 			}
+ 			else if (tif->tif_dir.td_bitspersample<=3D16)
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((uint16*)conv)[i] =3D (uint16)value[i];
++					((uint16*)conv)[i] =3D TIFFClampDoubleToUInt16(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint=
16*)conv);
+ 			}
+ 			else
+ 			{
+ 				for (i =3D 0; i < count; ++i)
+-					((uint32*)conv)[i] =3D (uint32)value[i];
++					((uint32*)conv)[i] =3D TIFFClampDoubleToUInt32(value[i]);
+ 				ok =3D TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint3=
2*)conv);
+ 			}
+ 			break;
+@@ -2102,7 +2102,7 @@
+ 		m[0]=3D0;
+ 		m[1]=3D1;
+ 	}
+-	else if (value=3D=3D(double)(uint32)value)
++	else if (value <=3D 0xFFFFFFFFU && value=3D=3D(double)(uint32)value)
+ 	{
+ 		m[0]=3D(uint32)value;
+ 		m[1]=3D1;
+@@ -2148,12 +2217,13 @@
+ 	}
+ 	for (na=3Dvalue, nb=3Dm, nc=3D0; nc<count; na++, nb+=3D2, nc++)
+ 	{
+-		if (*na<=3D0.0)
++		if (*na<=3D0.0 || *na !=3D *na)
+ 		{
+ 			nb[0]=3D0;
+ 			nb[1]=3D1;
+ 		}
+-		else if (*na=3D=3D(float)(uint32)(*na))
++		else if (*na >=3D 0 && *na <=3D (float)0xFFFFFFFFU &&
++                         *na=3D=3D(float)(uint32)(*na))
+ 		{
+ 			nb[0]=3D(uint32)(*na);
+ 			nb[1]=3D1;
+Index: libtiff/libtiff/tif_dirread.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
+retrieving revision 1.205
+retrieving revision 1.206
+diff -u -r1.205 -r1.206
+--- libtiff/libtiff/tif_dirread.c	3 Dec 2016 11:02:15 -0000	1.205
++++ libtiff/libtiff/tif_dirread.c	11 Jan 2017 13:28:01 -0000	1.206
+@@ -2872,7 +2872,10 @@
+ 		m.l =3D direntry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if (m.i[0]=3D=3D0)
++        /* Not completely sure what we should do when m.i[1]=3D=3D0, bu=
t some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=3D2644 */
++	if (m.i[0]=3D=3D0 || m.i[1]=3D=3D0)
+ 		*value=3D0.0;
+ 	else
+ 		*value=3D(double)m.i[0]/(double)m.i[1];
+@@ -2900,7 +2903,10 @@
+ 		m.l=3Ddirentry->tdir_offset.toff_long8;
+ 	if (tif->tif_flags&TIFF_SWAB)
+ 		TIFFSwabArrayOfLong(m.i,2);
+-	if ((int32)m.i[0]=3D=3D0)
++        /* Not completely sure what we should do when m.i[1]=3D=3D0, bu=
t some */
++        /* sanitizers do not like division by 0.0: */
++        /* http://bugzilla.maptools.org/show_bug.cgi?id=3D2644 */
++	if ((int32)m.i[0]=3D=3D0 || m.i[1]=3D=3D0)
+ 		*value=3D0.0;
+ 	else
+ 		*value=3D(double)((int32)m.i[0])/(double)m.i[1];
+Index: libtiff/libtiff/tif_jpeg.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v
+retrieving revision 1.125
+retrieving revision 1.126
+diff -u -r1.125 -r1.126
+--- libtiff/libtiff/tif_jpeg.c	11 Jan 2017 12:15:01 -0000	1.125
++++ libtiff/libtiff/tif_jpeg.c	11 Jan 2017 16:13:50 -0000	1.126
+@@ -1,4 +1,4 @@
+-/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */
++/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */
+=20
+ /*
+  * Copyright (c) 1994-1997 Sam Leffler
+@@ -1632,6 +1632,13 @@
+                             "Invalig horizontal/vertical sampling value=
");
+                     return (0);
+                 }
++                if( td->td_bitspersample > 16 )
++                {
++                    TIFFErrorExt(tif->tif_clientdata, module,
++                                 "BitsPerSample %d not allowed for JPEG=
",
++                                 td->td_bitspersample);
++                    return (0);
++                }
+=20
+ 		/*
+ 		 * A ReferenceBlackWhite field *must* be present since the
+Index: libtiff/libtiff/tif_read.c
+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v
+retrieving revision 1.50
+retrieving revision 1.51
+diff -u -r1.50 -r1.51
+--- libtiff/libtiff/tif_read.c	2 Dec 2016 21:56:56 -0000	1.50
++++ libtiff/libtiff/tif_read.c	11 Jan 2017 16:33:34 -0000	1.51
+@@ -420,16 +420,25 @@
+ 			return ((tmsize_t)(-1));
+ 		}
+ 	} else {
+-		tmsize_t ma,mb;
++		tmsize_t ma;
+ 		tmsize_t n;
+-		ma=3D(tmsize_t)td->td_stripoffset[strip];
+-		mb=3Dma+size;
+-		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif-=
>tif_size))
+-			n=3D0;
+-		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+-			n=3Dtif->tif_size-ma;
+-		else
+-			n=3Dsize;
++		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
++                    ((ma=3D(tmsize_t)td->td_stripoffset[strip])>tif->ti=
f_size))
++                {
++                    n=3D0;
++                }
++                else if( ma > TIFF_TMSIZE_T_MAX - size )
++                {
++                    n=3D0;
++                }
++                else
++                {
++                    tmsize_t mb=3Dma+size;
++                    if (mb>tif->tif_size)
++                            n=3Dtif->tif_size-ma;
++                    else
++                            n=3Dsize;
++                }
+ 		if (n!=3Dsize) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ 			TIFFErrorExt(tif->tif_clientdata, module,
--=20
2.12.2