~alpine/aports

6

[alpine-aports] [PATCH] main/libinput: upgrade to 1.7.3

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-1-dsabogalcc@gmail.com>
Sender timestamp
1498786006
DKIM signature
missing
Download raw message
Patch: +4 -5
---
 main/libinput/APKBUILD | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/main/libinput/APKBUILD b/main/libinput/APKBUILD
index fa56819d76..c8a4bbd771 100644
--- a/main/libinput/APKBUILD
+++ b/main/libinput/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Daniel Sabogal <dsabogalcc@gmail.com>
pkgname=libinput
pkgver=1.7.2
pkgver=1.7.3
pkgrel=0
pkgdesc="Library for handling input devices"
url="http://www.freedesktop.org/wiki/Software/libinput/"
@@ -12,8 +12,8 @@ makedepends="mtdev-dev eudev-dev libevdev-dev grep"
subpackages="$pkgname-dev $pkgname-doc"
options="!check"
source="http://freedesktop.org/software/$pkgname/$pkgname-$pkgver.tar.xz"

builddir="$srcdir/$pkgname-$pkgver"

build() {
	cd "$builddir"
	./configure \
@@ -23,8 +23,7 @@ build() {
		--sysconfdir=/etc \
		--mandir=/usr/share/man \
		--localstatedir=/var \
		--disable-libwacom \
		|| return 1
		--disable-libwacom
	make
}

@@ -32,4 +31,4 @@ package() {
	make DESTDIR="$pkgdir" -C "$builddir" install
}

sha512sums="cdbd2994e954aac9538fe907c275e6e23e2bed0e9c4c65f19591bdcdbf5074131c72b92e87de87c03f75a991fcdb7f568b491a12f00031c4eba11082ca44d69f  libinput-1.7.2.tar.xz"
sha512sums="2262dc56d213a4d3ea765e870af200e2c336a166baa1bbdf5205e3ce70faefc777429ba09563c5dd79feb5442f53abc84e04a0f32a06bb622d6e120bb8ad152b  libinput-1.7.3.tar.xz"
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 1/3] Revert "main/spice: upgrade to 0.13.3"

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-2-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786007
DKIM signature
missing
Download raw message
Patch: +5 -3
This reverts commit 620f8c776e5bd52f0adadc02f351a405160e7142.

The spice 0.13.x releases are unstable.
See https://cgit.freedesktop.org/spice/spice/tree/NEWS
---
 main/spice/APKBUILD | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 531c97da88..4d05087f3d 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.13.3
pkgrel=1
pkgver=0.12.8
pkgrel=2
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -48,4 +48,6 @@ server() {
	mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}

sha512sums="63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a  spice-0.13.3.tar.bz2"
md5sums="376853d11b9921aa34a06c4dbef81874  spice-0.12.8.tar.bz2"
sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d  spice-0.12.8.tar.bz2"
sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed  spice-0.12.8.tar.bz2"
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 2/3] main/spice: security fixes (CVE-2016-9577, CVE-2016-9578)

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-3-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786008
DKIM signature
missing
Download raw message
Patch: +135 -5
---
 main/spice/APKBUILD              | 19 ++++++++++----
 main/spice/CVE-2016-9577.patch   | 28 ++++++++++++++++++++
 main/spice/CVE-2016-9578-1.patch | 55 ++++++++++++++++++++++++++++++++++++++++
 main/spice/CVE-2016-9578-2.patch | 38 +++++++++++++++++++++++++++
 4 files changed, 135 insertions(+), 5 deletions(-)
 create mode 100644 main/spice/CVE-2016-9577.patch
 create mode 100644 main/spice/CVE-2016-9578-1.patch
 create mode 100644 main/spice/CVE-2016-9578-2.patch

diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 4d05087f3d..6bc85302b6 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.12.8
pkgrel=2
pkgrel=3
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -15,9 +15,17 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
	CVE-2016-9577.patch
	CVE-2016-9578-1.patch
	CVE-2016-9578-2.patch
	"

builddir="$srcdir"/$pkgname-$pkgver

# secfixes:
#   0.12.8-r3:
#     - CVE-2016-9577
#     - CVE-2016-9578

build() {
	cd "$builddir"
	./configure \
@@ -48,6 +56,7 @@ server() {
	mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}

md5sums="376853d11b9921aa34a06c4dbef81874  spice-0.12.8.tar.bz2"
sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d  spice-0.12.8.tar.bz2"
sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed  spice-0.12.8.tar.bz2"
sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed  spice-0.12.8.tar.bz2
51c38766c9582376c95e63515d0c009f8c3e95cc03a1751c01974cab9295159eb74d35a08157e1eaa44e99a7bb5b2fdad83d9a8c7e38850741d9b5d534133bc7  CVE-2016-9577.patch
ffae544784bd98da10cd86db3f5c5753c4833aee6b16e4e671160e92103d84a3dbc4da9f132f35e3b3b71a515e09b68b689c49e5f4265363b9eef39c42d70719  CVE-2016-9578-1.patch
62ba3844fa11c65eba7d013c209962e39af051885bdf55943410f9122d99135ce30495263f34580ce959355eb60a6026125b181f6b10f0bfab19bbd4ff54f92b  CVE-2016-9578-2.patch"
diff --git a/main/spice/CVE-2016-9577.patch b/main/spice/CVE-2016-9577.patch
new file mode 100644
index 0000000000..0d0a9ae4b1
--- /dev/null
+++ b/main/spice/CVE-2016-9577.patch
@@ -0,0 +1,28 @@
From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 29 Nov 2016 16:46:56 +0000
Subject: [PATCH] main-channel: Prevent overflow reading messages from client

Caller is supposed the function return a buffer able to store
size bytes.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/main_channel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/main_channel.c b/server/main_channel.c
index 0ecc9df8..1fc39155 100644
--- a/server/main_channel.c
+++ b/server/main_channel.c
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
 
     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
         return reds_get_agent_data_buffer(mcc, size);
+    } else if (size > sizeof(main_chan->recv_buf)) {
+        /* message too large, caller will log a message and close the connection */
+        return NULL;
     } else {
         return main_chan->recv_buf;
     }
diff --git a/main/spice/CVE-2016-9578-1.patch b/main/spice/CVE-2016-9578-1.patch
new file mode 100644
index 0000000000..bc289a4243
--- /dev/null
+++ b/main/spice/CVE-2016-9578-1.patch
@@ -0,0 +1,55 @@
From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:39:48 +0000
Subject: [PATCH] Prevent possible DoS attempts during protocol handshake

The limit for link message is specified using a 32 bit unsigned integer.
This could cause possible DoS due to excessive memory allocations and
some possible crashes.
For instance a value >= 2^31 causes a spice_assert to be triggered in
async_read_handler (reds-stream.c) due to an integer overflow at this
line:

   int n = async->end - async->now;

This could be easily triggered with a program like

  #!/usr/bin/env python

  import socket
  import time
  from struct import pack

  server = '127.0.0.1'
  port = 5900

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((server, port))
  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
  s.send(data)

  time.sleep(1)

without requiring any authentication (the same can be done
with TLS).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/reds.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/reds.c b/server/reds.c
index f40b65c1..86a33d53 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
 
     reds->peer_minor_version = header->minor_version;
 
-    if (header->size < sizeof(SpiceLinkMess)) {
+    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
         spice_warning("bad size %u", header->size);
         reds_link_free(link);
diff --git a/main/spice/CVE-2016-9578-2.patch b/main/spice/CVE-2016-9578-2.patch
new file mode 100644
index 0000000000..78fb1eb811
--- /dev/null
+++ b/main/spice/CVE-2016-9578-2.patch
@@ -0,0 +1,38 @@
From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:40:10 +0000
Subject: [PATCH] Prevent integer overflows in capability checks

The limits for capabilities are specified using 32 bit unsigned integers.
This could cause possible integer overflows causing buffer overflows.
For instance the sum of num_common_caps and num_caps can be 0 avoiding
additional checks.
As the link message is now capped to 4096 and the capabilities are
contained in the link message limit the capabilities to 1024
(capabilities are expressed in number of uint32_t items).

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/reds.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/reds.c b/server/reds.c
index 86a33d53..91504544 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
 
+    /* Prevent DoS. Currently we defined only 13 capabilities,
+     * I expect 1024 to be valid for quite a lot time */
+    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+        reds_link_free(link);
+        return;
+    }
+
     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
 
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 3/3] main/spice: modernize abuild

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-4-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786009
DKIM signature
missing
Download raw message
Patch: +10 -7
---
 main/spice/APKBUILD | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 6bc85302b6..830f972cbe 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -12,14 +12,13 @@ depends_dev="spice-protocol pixman-dev celt051-dev libressl-dev libxinerama-dev"
makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
	cyrus-sasl-dev libxfixes-dev python2-dev bash cegui06-dev py-parsing
	py-six glib-dev opus-dev"
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
	CVE-2016-9577.patch
	CVE-2016-9578-1.patch
	CVE-2016-9578-2.patch
	"
builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   0.12.8-r3:
@@ -39,15 +38,19 @@ build() {
		--enable-gui \
		--enable-client \
		--disable-smartcard \
		--enable-opus \
		|| return 1
	make -C spice-common WARN_CFLAGS='' || return 1
	make WARN_CFLAGS='' || return 1
		--enable-opus
	make -C spice-common WARN_CFLAGS=''
	make WARN_CFLAGS=''
}

check() {
	cd "$builddir"
	make check
}

package() {
	cd "$builddir"
	make DESTDIR="$pkgdir" install || return 1
	make DESTDIR="$pkgdir" install
}

server() {
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH] main/mosquitto: security fix (CVE-2017-9868)

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-5-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786010
DKIM signature
missing
Download raw message
Patch: +4 -2
---
 main/mosquitto/APKBUILD | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index cd5d98838b..add554df91 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.4.12
pkgver=1.4.13
pkgrel=0
pkgdesc="An Open Source MQTT v3.1 Broker"
url="http://mosquitto.org/"
@@ -21,6 +21,8 @@ source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   1.4.13-r0:
#     - CVE-2017-9868
#   1.4.12-r0:
#     - CVE-2017-7650

@@ -74,7 +76,7 @@ clients() {
	mv "$pkgdir"/usr/bin/mosquitto_[ps]ub "$subpkgdir"/usr/bin/
}

sha512sums="75e6105498869ab13265df7a0bea6052c014d59d0c0efb61162d8257d34c0153fce32130e84c28e99fd494f374949aac5e01c19f7439c2eea575b52ef1179c3c  mosquitto-1.4.12.tar.gz
sha512sums="56692caa389f7d7ca3437ba202cf03fd4602440706b3f55635dce164fca49e52b7e0b2c9b019aaf4744abfa638d02b940c2c018e8724d1850674f0571fc3e32b  mosquitto-1.4.13.tar.gz
53859b628f965b77f6e47910c0ceba2f2737b815131ed800dc64a80419e434d25b5ba0938ae645882e9aa5d475d4940c7d35cc6d56f54bc4937a66b32d7db4ad  libressl.patch
d5442373ae6ae8bc83eee59b425fbd76e80f905b9fd2bd2ed2a37a7e156fe95a9cf477c9c4dac0975c5fd90e70884de6fb8a16aefcd37b239199d5deae50b7d2  config.patch
16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433  mosquitto.initd"
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 1/2] main/tiff: upgrade to 4.0.8

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-6-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786011
DKIM signature
missing
Download raw message
Patch: +3 -1086
---
 ..._dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch |  53 ----
 main/tiff/APKBUILD                                 |  38 +--
 main/tiff/CVE-2016-10266.patch                     |  43 ----
 main/tiff/CVE-2016-10267.patch                     |  50 ----
 main/tiff/CVE-2016-10268.patch                     |  25 --
 main/tiff/CVE-2016-10269.patch                     | 107 --------
 main/tiff/CVE-2016-10270.patch                     | 104 --------
 main/tiff/CVE-2017-5225.patch                      |  69 ------
 main/tiff/CVE-2017-7592.patch                      |  29 ---
 main/tiff/CVE-2017-7593.patch                      |  81 ------
 main/tiff/CVE-2017-7594-1.patch                    |  37 ---
 main/tiff/CVE-2017-7594-2.patch                    |  30 ---
 main/tiff/CVE-2017-7595.patch                      |  29 ---
 main/tiff/CVE-2017-7596.patch                      | 274 ---------------------
 main/tiff/CVE-2017-7598.patch                      |  41 ---
 main/tiff/CVE-2017-7601.patch                      |  29 ---
 main/tiff/CVE-2017-7602.patch                      |  50 ----
 17 files changed, 3 insertions(+), 1086 deletions(-)
 delete mode 100644 main/tiff/0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch
 delete mode 100644 main/tiff/CVE-2016-10266.patch
 delete mode 100644 main/tiff/CVE-2016-10267.patch
 delete mode 100644 main/tiff/CVE-2016-10268.patch
 delete mode 100644 main/tiff/CVE-2016-10269.patch
 delete mode 100644 main/tiff/CVE-2016-10270.patch
 delete mode 100644 main/tiff/CVE-2017-5225.patch
 delete mode 100644 main/tiff/CVE-2017-7592.patch
 delete mode 100644 main/tiff/CVE-2017-7593.patch
 delete mode 100644 main/tiff/CVE-2017-7594-1.patch
 delete mode 100644 main/tiff/CVE-2017-7594-2.patch
 delete mode 100644 main/tiff/CVE-2017-7595.patch
 delete mode 100644 main/tiff/CVE-2017-7596.patch
 delete mode 100644 main/tiff/CVE-2017-7598.patch
 delete mode 100644 main/tiff/CVE-2017-7601.patch
 delete mode 100644 main/tiff/CVE-2017-7602.patch

diff --git a/main/tiff/0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch b/main/tiff/0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch
deleted file mode 100644
index f1f8cec0c9..0000000000
--- a/main/tiff/0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch
@@ -1,53 +0,0 @@
From 0abd094b6e5079c4d8be733829240491cb230f3d Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 12:51:59 +0000
Subject: [PATCH] * libtiff/tif_dirwrite.c: in
 TIFFWriteDirectoryTagCheckedRational, replace assertion by runtime check to
 error out if passed value is strictly negative. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2535

* tools/tiffcrop.c: remove extraneous TIFFClose() in error code path, that
caused double free.
Related to http://bugzilla.maptools.org/show_bug.cgi?id=2535
---
 libtiff/tif_dirwrite.c |  9 +++++++--
 tools/tiffcrop.c       |  1 -
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 8a3341e8..c9e871be 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -2094,10 +2094,15 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* d
 static int
 TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, double value)
 {
+        static const char module[] = "TIFFWriteDirectoryTagCheckedRational";
 	uint32 m[2];
-	assert(value>=0.0);
 	assert(sizeof(uint32)==4);
-	if (value<=0.0)
+        if( value < 0 )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
+            return 0;
+        }
+	else if (value==0.0)
 	{
 		m[0]=0;
 		m[1]=1;
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index eecde217..648dbde9 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7996,7 +7996,6 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
   if (!TIFFWriteDirectory(out))
     {
     TIFFError("","Failed to write IFD for page number %d", pagenum);
-    TIFFClose(out);
     return (-1);
     }
 
--- 
2.11.1

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index ee9667c878..8bf35393cd 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Leonardo Arena <rnalrd@alpinelinux.org>
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.7
pkgrel=3
pkgver=4.0.8
pkgrel=0
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -13,22 +13,6 @@ depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
	CVE-2016-10266.patch
	CVE-2016-10267.patch
	CVE-2016-10268.patch
	CVE-2016-10269.patch
	CVE-2016-10270.patch
	CVE-2017-5225.patch
	CVE-2017-7592.patch
	CVE-2017-7593.patch
	CVE-2017-7594-1.patch
	CVE-2017-7594-2.patch
	CVE-2017-7595.patch
	0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch
	CVE-2017-7596.patch
	CVE-2017-7598.patch
	CVE-2017-7601.patch
	CVE-2017-7602.patch
	"

# secfixes:
@@ -89,20 +73,4 @@ tools() {
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

sha512sums="941357bdd5f947cdca41a1d31ae14b3fadc174ae5dce7b7981dbe58f61995f575ac2e97a7cc4fcc435184012017bec0920278263490464644f2cdfad9a6c5ddc  tiff-4.0.7.tar.gz
5f7a86b6dc1c9bcf707a1fc9fc4b79cc0cfa457582d13f89cc5db1d59193db468ecc8fe976fe688ae7bb6cb451759420cd0a00d957b7c614dbe8fc762adc9734  CVE-2016-10266.patch
fccbf981daedff8e4f3b610dc86823cdb0b2f1e08be345b775bd5c7ba89ef681b3cd4e04a97832753081e9df07db0a68a0a0a38cb4f538f260c475565c204f8b  CVE-2016-10267.patch
ed173f71e159a9bb22c602d067e455843e10484173aabdc085ee718afd404f4b58f77373a3526c16ac7c91395bbb277218b7a8ca840db4e3482d715661987236  CVE-2016-10268.patch
3a807132bf751b9e3c0e5a014b6cd9c9b98f79581b2d70167af3e29797a204fe2977349052042757f9bc634faa1afbec01462a947c739fb1ee9b7249341e4879  CVE-2016-10269.patch
1db4890259028c1c29c15137e743e376e1044475b1a3bbdeb946a1b54708a85422217228aed5f5c8ddf2cf156ec75264b430d1d3aa3539b805809d69522f84b5  CVE-2016-10270.patch
001a2df978f51025771c243edee2d033c91114bdd5318a05730b910add9c70f219a848faad899f27421ca18da6ce9972013aa3ecf689cf4ea37ac5409b4b6244  CVE-2017-5225.patch
c2401f41ce4725b94159da25290270fe4029bacd934aec4d85b4468b4ee8b37fffd4f07eb12ed654863c3ad97474cd4c196db0a3a0ccf6497fc4d8e6d46a5961  CVE-2017-7592.patch
487de0b6a4cf7f09bf23b8217ec8dbac3640f7e47cd86e885f331bc41e385146fd73c6e079768952adb6fa12148b9e52a177bf67affdfe8bdf3d8205302a3f0c  CVE-2017-7593.patch
0d1639932613811ac7f9cc626e296a388ca922a2a9843d88e256e2f1249593799f98bbd353c84ad193d8e6a80f62f2d8751196169a07db1c47abd869676e83ed  CVE-2017-7594-1.patch
0c77d2ade6d307c3fa1e9e44bf546d72f5664273f1e961fbe604c409e929a695282b71af137ff060a9f6adf8e471313270babc223df36d978cdca3d6681bd5a2  CVE-2017-7594-2.patch
bfbd193adb65feab8609231334ba7867c925997940398d1155f2cef8351fabeea0f3c0840aefdcd3f648e35e503f024bfdab00d544927368256025f7e3fb5214  CVE-2017-7595.patch
e64c3753c01029f2d951ca376ab14eaeb824e8021da5038a13e3216e499fc07c82fb8d1447642b3835cf22742785f856905220d1bbde561f4fa38ebb1fecb6e0  0001-libtiff-tif_dirwrite.c-in-TIFFWriteDirectoryTagCheck.patch
88e5e1e07f295933357adba70e88d5c3537e3d0e07951da1736407d871f7a44e370011b436fa923853ea47a51322bb503f7c7d6273791a654cf0fb104acf69b5  CVE-2017-7596.patch
098ece44709233abb905ede3d4034070c91e70e9c0c237568622598871062e212f40b4e0dfdd27fc66bd8a53aa3e9250072de8a991db93140e54db902224d79c  CVE-2017-7598.patch
8264e9c82e60b33e08de53492cf0777402c1b5e54e42bf5b65360a6b1e9f54776bad496468fd4c32a31dadde760ccb1ae606d07ede36644218e2c8f30d292bd8  CVE-2017-7601.patch
12187ae305c2efbdaec2a6cfb05bd32286b9ab90bab7801a996a0f13ef8efe12951b77b51be09e9b56f7d092b7771b06109c4d1b35374fea819559b7e042135b  CVE-2017-7602.patch"
sha512sums="5d010ec4ce37aca733f7ab7db9f432987b0cd21664bd9d99452a146833c40f0d1e7309d1870b0395e947964134d5cfeb1366181e761fe353ad585803ff3d6be6  tiff-4.0.8.tar.gz"
diff --git a/main/tiff/CVE-2016-10266.patch b/main/tiff/CVE-2016-10266.patch
deleted file mode 100644
index 554f5ea8c1..0000000000
--- a/main/tiff/CVE-2016-10266.patch
@@ -1,43 +0,0 @@
From 438274f938e046d33cb0e1230b41da32ffe223e1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 2 Dec 2016 21:56:56 +0000
Subject: [PATCH] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
 in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596

---
 libtiff/tif_read.c | 2 +-
 libtiff/tiffiop.h  | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index c26c55f4..52bbf507 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -346,7 +346,7 @@ TIFFReadEncodedStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
 	rowsperstrip=td->td_rowsperstrip;
 	if (rowsperstrip>td->td_imagelength)
 		rowsperstrip=td->td_imagelength;
-	stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip);
+	stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip);
 	stripinplane=(strip%stripsperplane);
 	plane=(uint16)(strip/stripsperplane);
 	rows=td->td_imagelength-stripinplane*rowsperstrip;
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index ffbb647b..cb59460a 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -250,6 +250,10 @@ struct tiff {
 #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \
 			   ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \
 			   0U)
+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */
+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */
+#define TIFFhowmany_32_maxuint_compat(x, y) \
+			   (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0))
 #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3)
 #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y))
 #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y)))
--- 
2.11.0

diff --git a/main/tiff/CVE-2016-10267.patch b/main/tiff/CVE-2016-10267.patch
deleted file mode 100644
index bb4fee6a80..0000000000
--- a/main/tiff/CVE-2016-10267.patch
@@ -1,50 +0,0 @@
From 43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 3 Dec 2016 11:15:18 +0000
Subject: [PATCH] * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case
 of failure in OJPEGPreDecode(). This will avoid a divide by zero, and
 potential other issues. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2611

---
 libtiff/tif_ojpeg.c | 8 ++++++++
 1 files changed, 15 insertions(+)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index 1ccc3f9b..f19e8fd0 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -244,6 +244,7 @@ typedef enum {
 
 typedef struct {
 	TIFF* tif;
+        int decoder_ok;
 	#ifndef LIBJPEG_ENCAP_EXTERNAL
 	JMP_BUF exit_jmpbuf;
 	#endif
@@ -722,6 +723,7 @@ OJPEGPreDecode(TIFF* tif, uint16 s)
 		}
 		sp->write_curstrile++;
 	}
+	sp->decoder_ok = 1;
 	return(1);
 }
 
@@ -784,8 +786,14 @@ OJPEGPreDecodeSkipScanlines(TIFF* tif)
 static int
 OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s)
 {
+        static const char module[]="OJPEGDecode";
 	OJPEGState* sp=(OJPEGState*)tif->tif_data;
 	(void)s;
+        if( !sp->decoder_ok )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized");
+            return 0;
+        }
 	if (sp->libjpeg_jpeg_query_style==0)
 	{
 		if (OJPEGDecodeRaw(tif,buf,cc)==0)
--- 
2.11.0

diff --git a/main/tiff/CVE-2016-10268.patch b/main/tiff/CVE-2016-10268.patch
deleted file mode 100644
index 73e4552a77..0000000000
--- a/main/tiff/CVE-2016-10268.patch
@@ -1,25 +0,0 @@
From 5397a417e61258c69209904e652a1f409ec3b9df Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 2 Dec 2016 22:13:32 +0000
Subject: [PATCH] * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips
 that can cause various issues, such as buffer overflows in the library.
 Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2598

---
 tools/tiffcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index a99c906..f294ed1 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -985,7 +985,7 @@ DECLAREcpFunc(cpDecodedStrips)
 		tstrip_t s, ns = TIFFNumberOfStrips(in);
 		uint32 row = 0;
 		_TIFFmemset(buf, 0, stripsize);
-		for (s = 0; s < ns; s++) {
+		for (s = 0; s < ns && row < imagelength; s++) {
 			tsize_t cc = (row + rowsperstrip > imagelength) ?
 			    TIFFVStripSize(in, imagelength - row) : stripsize;
 			if (TIFFReadEncodedStrip(in, s, buf, cc) < 0
diff --git a/main/tiff/CVE-2016-10269.patch b/main/tiff/CVE-2016-10269.patch
deleted file mode 100644
index e672032360..0000000000
--- a/main/tiff/CVE-2016-10269.patch
@@ -1,107 +0,0 @@
From 1044b43637fa7f70fb19b93593777b78bd20da86 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Fri, 2 Dec 2016 23:05:51 +0000
Subject: [PATCH] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
 buffer overflow on generation of PixarLog / LUV compressed files, with
 ColorMap, TransferFunction attached and nasty plays with bitspersample. The
 fix for LUV has not been tested, but suffers from the same kind of issue of
 PixarLog. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2604

---
 libtiff/tif_luv.c      | 18 ++++++++++++++----
 libtiff/tif_pixarlog.c | 17 +++++++++++++++--
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index f68a9b13..e6783db5 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -158,6 +158,7 @@
 typedef struct logLuvState LogLuvState;
 
 struct logLuvState {
+        int                     encoder_state;  /* 1 if encoder correctly initialized */
 	int                     user_datafmt;   /* user data format */
 	int                     encode_meth;    /* encoding method */
 	int                     pixel_size;     /* bytes per pixel */
@@ -1552,6 +1553,7 @@ LogLuvSetupEncode(TIFF* tif)
 		    td->td_photometric, "must be either LogLUV or LogL");
 		break;
 	}
+	sp->encoder_state = 1;
 	return (1);
 notsupported:
 	TIFFErrorExt(tif->tif_clientdata, module,
@@ -1563,19 +1565,27 @@ notsupported:
 static void
 LogLuvClose(TIFF* tif)
 {
+        LogLuvState* sp = (LogLuvState*) tif->tif_data;
 	TIFFDirectory *td = &tif->tif_dir;
 
+	assert(sp != 0);
 	/*
 	 * For consistency, we always want to write out the same
 	 * bitspersample and sampleformat for our TIFF file,
 	 * regardless of the data format being used by the application.
 	 * Since this routine is called after tags have been set but
 	 * before they have been recorded in the file, we reset them here.
+         * Note: this is really a nasty approach. See PixarLogClose
 	 */
-	td->td_samplesperpixel =
-	    (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
-	td->td_bitspersample = 16;
-	td->td_sampleformat = SAMPLEFORMAT_INT;
+        if( sp->encoder_state )
+        {
+            /* See PixarLogClose. Might avoid issues with tags whose size depends
+             * on those below, but not completely sure this is enough. */
+            td->td_samplesperpixel =
+                (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3;
+            td->td_bitspersample = 16;
+            td->td_sampleformat = SAMPLEFORMAT_INT;
+        }
 }
 
 static void
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index d1246c3d..aa99bc92 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -1233,8 +1233,10 @@ PixarLogPostEncode(TIFF* tif)
 static void
 PixarLogClose(TIFF* tif)
 {
+        PixarLogState* sp = (PixarLogState*) tif->tif_data;
 	TIFFDirectory *td = &tif->tif_dir;
 
+	assert(sp != 0);
 	/* In a really sneaky (and really incorrect, and untruthful, and
 	 * troublesome, and error-prone) maneuver that completely goes against
 	 * the spirit of TIFF, and breaks TIFF, on close, we covertly
@@ -1243,8 +1245,19 @@ PixarLogClose(TIFF* tif)
 	 * readers that don't know about PixarLog, or how to set
 	 * the PIXARLOGDATFMT pseudo-tag.
 	 */
-	td->td_bitspersample = 8;
-	td->td_sampleformat = SAMPLEFORMAT_UINT;
+
+        if (sp->state&PLSTATE_INIT) {
+            /* We test the state to avoid an issue such as in
+             * http://bugzilla.maptools.org/show_bug.cgi?id=2604
+             * What appends in that case is that the bitspersample is 1 and
+             * a TransferFunction is set. The size of the TransferFunction
+             * depends on 1<<bitspersample. So if we increase it, an access
+             * out of the buffer will happen at directory flushing.
+             * Another option would be to clear those targs. 
+             */
+            td->td_bitspersample = 8;
+            td->td_sampleformat = SAMPLEFORMAT_UINT;
+        }
 }
 
 static void
--- 
2.11.0

diff --git a/main/tiff/CVE-2016-10270.patch b/main/tiff/CVE-2016-10270.patch
deleted file mode 100644
index 4c419decca..0000000000
--- a/main/tiff/CVE-2016-10270.patch
@@ -1,104 +0,0 @@
From 9a72a69e035ee70ff5c41541c8c61cd97990d018 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Sat, 3 Dec 2016 11:02:15 +0000
Subject: [PATCH] * libtiff/tif_dirread.c: modify
 ChopUpSingleUncompressedStrip() to instanciate compute ntrips as
 TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
 the total size of data. Which is faulty is the total size of data is not
 sufficient to fill the whole image, and thus results in reading outside of
 the StripByCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.

* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.

---
 libtiff/tif_dirread.c | 22 ++++++++++------------
 libtiff/tif_strip.c   |  9 ---------
 2 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 3eec79c9..570d0c32 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5502,8 +5502,7 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	uint64 rowblockbytes;
 	uint64 stripbytes;
 	uint32 strip;
-	uint64 nstrips64;
-	uint32 nstrips32;
+	uint32 nstrips;
 	uint32 rowsperstrip;
 	uint64* newcounts;
 	uint64* newoffsets;
@@ -5534,18 +5533,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	    return;
 
 	/*
-	 * never increase the number of strips in an image
+	 * never increase the number of rows per strip
 	 */
 	if (rowsperstrip >= td->td_rowsperstrip)
 		return;
-	nstrips64 = TIFFhowmany_64(bytecount, stripbytes);
-	if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */
-	    return;
-	nstrips32 = (uint32)nstrips64;
+        nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
+        if( nstrips == 0 )
+            return;
 
-	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripByteCounts\" array");
-	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64),
+	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
 				"for chopped \"StripOffsets\" array");
 	if (newcounts == NULL || newoffsets == NULL) {
 		/*
@@ -5562,18 +5560,18 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
 	 * Fill the strip information arrays with new bytecounts and offsets
 	 * that reflect the broken-up format.
 	 */
-	for (strip = 0; strip < nstrips32; strip++) {
+	for (strip = 0; strip < nstrips; strip++) {
 		if (stripbytes > bytecount)
 			stripbytes = bytecount;
 		newcounts[strip] = stripbytes;
-		newoffsets[strip] = offset;
+		newoffsets[strip] = stripbytes ? offset : 0;
 		offset += stripbytes;
 		bytecount -= stripbytes;
 	}
 	/*
 	 * Replace old single strip info with multi-strip info.
 	 */
-	td->td_stripsperimage = td->td_nstrips = nstrips32;
+	td->td_stripsperimage = td->td_nstrips = nstrips;
 	TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
 	_TIFFfree(td->td_stripbytecount);
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index 4c46ecf5..1676e47d 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -63,15 +63,6 @@ TIFFNumberOfStrips(TIFF* tif)
 	TIFFDirectory *td = &tif->tif_dir;
 	uint32 nstrips;
 
-    /* If the value was already computed and store in td_nstrips, then return it,
-       since ChopUpSingleUncompressedStrip might have altered and resized the
-       since the td_stripbytecount and td_stripoffset arrays to the new value
-       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-       tif_dirread.c ~line 3612.
-       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-    if( td->td_nstrips )
-        return td->td_nstrips;
--
 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
--- 
2.11.0

diff --git a/main/tiff/CVE-2017-5225.patch b/main/tiff/CVE-2017-5225.patch
deleted file mode 100644
index d8d2cf11e3..0000000000
--- a/main/tiff/CVE-2017-5225.patch
@@ -1,69 +0,0 @@
Original patch was downloaded from
 https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7
 and adjusted to tiff-4.0.7

commit 5c080298d59efa53264d7248bbe3a04660db6ef7
Author: erouault <erouault>
Date:   Wed Jan 11 19:25:44 2017 +0000

    * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and
    cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow.
    Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
    http://bugzilla.maptools.org/show_bug.cgi?id=2657

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index bdf754c3..8bbcd52f 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -591,7 +591,7 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
-	uint16 bitspersample, samplesperpixel = 1;
+	uint16 bitspersample = 1, samplesperpixel = 1;
 	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 	copyFunc cf;
 	uint32 width, length;
@@ -1067,6 +1067,16 @@ DECLAREcpFunc(cpContig2SeparateByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpContig2SeparateByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1120,6 +1130,16 @@ DECLAREcpFunc(cpSeparate2ContigByRow)
 	register uint32 n;
 	uint32 row;
 	tsample_t s;
+        uint16 bps = 0;
+
+        (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+        if( bps != 8 )
+        {
+            TIFFError(TIFFFileName(in),
+                      "Error, can only handle BitsPerSample=8 in %s",
+                      "cpSeparate2ContigByRow");
+            return 0;
+        }
 
 	inbuf = _TIFFmalloc(scanlinesizein);
 	outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@ pickCopyFunc(TIFF* in, TIFF* out, uint16 bitspersample, uint16 samplesperpixel)
 	uint32 w, l, tw, tl;
 	int bychunk;
 
-	(void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+	(void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 	if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 		fprintf(stderr,
 		    "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
diff --git a/main/tiff/CVE-2017-7592.patch b/main/tiff/CVE-2017-7592.patch
deleted file mode 100644
index c60fa8323b..0000000000
--- a/main/tiff/CVE-2017-7592.patch
@@ -1,29 +0,0 @@
From 48780b4fcc425cddc4ef8ffdf536f96a0d1b313b Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 16:38:26 +0000
Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fgetimage.c:=20add=20explicit?=
 =?UTF-8?q?=20uint32=20cast=20in=20putagreytile=20to=20avoid=20UndefinedBe?=
 =?UTF-8?q?haviorSanitizer=20warning.=20Patch=20by=20Nicol=C3=A1s=20Pe?=
 =?UTF-8?q?=C3=B1a.=20Fixes=20http://bugzilla.maptools.org/show=5Fbug.cgi?=
 =?UTF-8?q?=3Fid=3D2658?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 libtiff/tif_getimage.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index fed31f1..2fa1775 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1302,7 +1302,7 @@ DECLAREContigPutFunc(putagreytile)
     while (h-- > 0) {
 	for (x = w; x-- > 0;)
         {
-            *cp++ = BWmap[*pp][0] & (*(pp+1) << 24 | ~A1);
+            *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);
             pp += samplesperpixel;
         }
 	cp += toskew;
diff --git a/main/tiff/CVE-2017-7593.patch b/main/tiff/CVE-2017-7593.patch
deleted file mode 100644
index fc3514229a..0000000000
--- a/main/tiff/CVE-2017-7593.patch
@@ -1,81 +0,0 @@
From d60332057b9575ada4f264489582b13e30137be1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 19:02:49 +0000
Subject: [PATCH] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
 _TIFFcalloc()

* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651
---
 libtiff/tif_read.c  | 4 +++-
 libtiff/tif_unix.c  | 8 ++++++++
 libtiff/tif_win32.c | 8 ++++++++
 libtiff/tiffio.h    | 1 +
 6 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 277fdd6..4535ccb 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -985,7 +985,9 @@ TIFFReadBufferSetup(TIFF* tif, void* bp, tmsize_t size)
 				 "Invalid buffer size");
 		    return (0);
 		}
-		tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize);
+		/* Initialize to zero to avoid uninitialized buffers in case of */
+                /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */
+		tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize);
 		tif->tif_flags |= TIFF_MYBUFFER;
 	}
 	if (tif->tif_rawdata == NULL) {
diff --git a/libtiff/tif_unix.c b/libtiff/tif_unix.c
index 7c7bc96..89dd32e 100644
--- a/libtiff/tif_unix.c
+++ b/libtiff/tif_unix.c
@@ -316,6 +316,14 @@ _TIFFmalloc(tmsize_t s)
 	return (malloc((size_t) s));
 }
 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
 void
 _TIFFfree(void* p)
 {
diff --git a/libtiff/tif_win32.c b/libtiff/tif_win32.c
index d730b3a..3e9001b 100644
--- a/libtiff/tif_win32.c
+++ b/libtiff/tif_win32.c
@@ -360,6 +360,14 @@ _TIFFmalloc(tmsize_t s)
 	return (malloc((size_t) s));
 }
 
+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz)
+{
+    if( nmemb == 0 || siz == 0 )
+        return ((void *) NULL);
+
+    return calloc((size_t) nmemb, (size_t)siz);
+}
+
 void
 _TIFFfree(void* p)
 {
diff --git a/libtiff/tiffio.h b/libtiff/tiffio.h
index 732da17..fbd9171 100644
--- a/libtiff/tiffio.h
+++ b/libtiff/tiffio.h
@@ -293,6 +293,7 @@ extern TIFFCodec* TIFFGetConfiguredCODECs(void);
  */
 
 extern void* _TIFFmalloc(tmsize_t s);
+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz);
 extern void* _TIFFrealloc(void* p, tmsize_t s);
 extern void _TIFFmemset(void* p, int v, tmsize_t c);
 extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c);
diff --git a/main/tiff/CVE-2017-7594-1.patch b/main/tiff/CVE-2017-7594-1.patch
deleted file mode 100644
index 98e541c829..0000000000
--- a/main/tiff/CVE-2017-7594-1.patch
@@ -1,37 +0,0 @@
From 2ea32f7372b65c24b2816f11c04bf59b5090d05b Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Thu, 12 Jan 2017 19:23:20 +0000
Subject: [PATCH] * libtiff/tif_ojpeg.c: fix leak in
 OJPEGReadHeaderInfoSecTablesQTable, OJPEGReadHeaderInfoSecTablesDcTable and
 OJPEGReadHeaderInfoSecTablesAcTable

---
 libtiff/tif_ojpeg.c | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index b92f0eb..5f6c684 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
 			TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); 
 			p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
 			if (p!=64)
+                        {
+                                _TIFFfree(ob);
 				return(0);
+                        }
 			sp->qtable[m]=ob;
 			sp->sof_tq[m]=m;
 		}
@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
 				rb[sizeof(uint32)+5+n]=o[n];
 			p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
 			if (p!=q)
+                        {
+                                _TIFFfree(rb);
 				return(0);
+                        }
 			sp->dctable[m]=rb;
 			sp->sos_tda[m]=(m<<4);
 		}
diff --git a/main/tiff/CVE-2017-7594-2.patch b/main/tiff/CVE-2017-7594-2.patch
deleted file mode 100644
index cd44239b1b..0000000000
--- a/main/tiff/CVE-2017-7594-2.patch
@@ -1,30 +0,0 @@
From 8283e4d1b7e53340684d12932880cbcbaf23a8c1 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Thu, 12 Jan 2017 17:43:25 +0000
Subject: [PATCH] =?UTF-8?q?*=20libtiff/tif=5Fojpeg.c:=20fix=20leak=20in=20?=
 =?UTF-8?q?OJPEGReadHeaderInfoSecTablesAcTable=20when=20read=20fails.=20Pa?=
 =?UTF-8?q?tch=20by=20Nicol=C3=A1s=20Pe=C3=B1a.=20Fixes=20http://bugzilla.?=
 =?UTF-8?q?maptools.org/show=5Fbug.cgi=3Fid=3D2659?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 libtiff/tif_ojpeg.c | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index f19e8fd..b92f0eb 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -1918,7 +1918,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
 				rb[sizeof(uint32)+5+n]=o[n];
 			p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
 			if (p!=q)
+                        {
+                                _TIFFfree(rb);
 				return(0);
+                        }
 			sp->actable[m]=rb;
 			sp->sos_tda[m]=(sp->sos_tda[m]|m);
 		}
diff --git a/main/tiff/CVE-2017-7595.patch b/main/tiff/CVE-2017-7595.patch
deleted file mode 100644
index 6b27b7c9a3..0000000000
--- a/main/tiff/CVE-2017-7595.patch
@@ -1,29 +0,0 @@
From 47f2fb61a3a64667bce1a8398a8fcb1b348ff122 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 12:15:01 +0000
Subject: [PATCH] * libtiff/tif_jpeg.c: avoid integer division by zero in
 JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2653

---
 libtiff/tif_jpeg.c | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 38595f9..6c17c38 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1626,6 +1626,13 @@ JPEGSetupEncode(TIFF* tif)
 	case PHOTOMETRIC_YCBCR:
 		sp->h_sampling = td->td_ycbcrsubsampling[0];
 		sp->v_sampling = td->td_ycbcrsubsampling[1];
+                if( sp->h_sampling == 0 || sp->v_sampling == 0 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                            "Invalig horizontal/vertical sampling value");
+                    return (0);
+                }
+
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
 		 * default value is inappropriate for YCbCr.  Fill in the
diff --git a/main/tiff/CVE-2017-7596.patch b/main/tiff/CVE-2017-7596.patch
deleted file mode 100644
index 1305067b5b..0000000000
--- a/main/tiff/CVE-2017-7596.patch
@@ -1,274 +0,0 @@
From 3144e57770c1e4d26520d8abee750f8ac8b75490 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 16:09:02 +0000
Subject: [PATCH] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
 various clampings of double to other data types to avoid undefined behaviour
 if the output range isn't big enough to hold the input value. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2643
 http://bugzilla.maptools.org/show_bug.cgi?id=2642
 http://bugzilla.maptools.org/show_bug.cgi?id=2646
 http://bugzilla.maptools.org/show_bug.cgi?id=2647

---
 libtiff/tif_dir.c      | 18 +++++++---
 libtiff/tif_dirread.c  | 10 +++++-
 libtiff/tif_dirwrite.c | 90 ++++++++++++++++++++++++++++++++++++++++++++------
 4 files changed, 113 insertions(+), 15 deletions(-)

diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 68a55af..a04d28f 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -31,6 +31,7 @@
  * (and also some miscellaneous stuff)
  */
 #include "tiffiop.h"
+#include <float.h>
 
 /*
  * These are used in the backwards compatibility code...
@@ -154,6 +155,15 @@ checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
 	return (0);
 }
 
+static float TIFFClampDoubleToFloat( double val )
+{
+    if( val > FLT_MAX )
+        return FLT_MAX;
+    if( val < -FLT_MAX )
+        return -FLT_MAX;
+    return (float)val;
+}
+
 static int
 _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
 {
@@ -312,13 +322,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
         dblval = va_arg(ap, double);
         if( dblval < 0 )
             goto badvaluedouble;
-		td->td_xresolution = (float) dblval;
+		td->td_xresolution = TIFFClampDoubleToFloat( dblval );
 		break;
 	case TIFFTAG_YRESOLUTION:
         dblval = va_arg(ap, double);
         if( dblval < 0 )
             goto badvaluedouble;
-		td->td_yresolution = (float) dblval;
+		td->td_yresolution = TIFFClampDoubleToFloat( dblval );
 		break;
 	case TIFFTAG_PLANARCONFIG:
 		v = (uint16) va_arg(ap, uint16_vap);
@@ -327,10 +337,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
 		td->td_planarconfig = (uint16) v;
 		break;
 	case TIFFTAG_XPOSITION:
-		td->td_xposition = (float) va_arg(ap, double);
+		td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
 		break;
 	case TIFFTAG_YPOSITION:
-		td->td_yposition = (float) va_arg(ap, double);
+		td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
 		break;
 	case TIFFTAG_RESOLUTIONUNIT:
 		v = (uint16) va_arg(ap, uint16_vap);
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 8a1e42a..77b0f37 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -40,6 +40,7 @@
  */
 
 #include "tiffiop.h"
+#include <float.h>
 
 #define IGNORE 0          /* tag placeholder used below */
 #define FAILED_FII    ((uint32) -1)
@@ -2406,7 +2407,14 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryFloatArray(TIFF* tif, TIFFDirEnt
 				ma=(double*)origdata;
 				mb=data;
 				for (n=0; n<count; n++)
-					*mb++=(float)(*ma++);
+                                {
+                                    double val = *ma++;
+                                    if( val > FLT_MAX )
+                                        val = FLT_MAX;
+                                    else if( val < -FLT_MAX )
+                                        val = -FLT_MAX;
+                                    *mb++=(float)val;
+                                }
 			}
 			break;
 	}
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index c9e871b..2967da5 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -30,6 +30,7 @@
  * Directory Write Support Routines.
  */
 #include "tiffiop.h"
+#include <float.h>
 
 #ifdef HAVE_IEEEFP
 #define TIFFCvtNativeToIEEEFloat(tif, n, fp)
@@ -939,6 +940,69 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
 	return(0);
 }
 
+static float TIFFClampDoubleToFloat( double val )
+{
+    if( val > FLT_MAX )
+        return FLT_MAX;
+    if( val < -FLT_MAX )
+        return -FLT_MAX;
+    return (float)val;
+}
+
+static int8 TIFFClampDoubleToInt8( double val )
+{
+    if( val > 127 )
+        return 127;
+    if( val < -128 || val != val )
+        return -128;
+    return (int8)val;
+}
+
+static int16 TIFFClampDoubleToInt16( double val )
+{
+    if( val > 32767 )
+        return 32767;
+    if( val < -32768 || val != val )
+        return -32768;
+    return (int16)val;
+}
+
+static int32 TIFFClampDoubleToInt32( double val )
+{
+    if( val > 0x7FFFFFFF )
+        return 0x7FFFFFFF;
+    if( val < -0x7FFFFFFF-1 || val != val )
+        return -0x7FFFFFFF-1;
+    return (int32)val;
+}
+
+static uint8 TIFFClampDoubleToUInt8( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 255 || val != val )
+        return 255;
+    return (uint8)val;
+}
+
+static uint16 TIFFClampDoubleToUInt16( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 65535 || val != val )
+        return 65535;
+    return (uint16)val;
+}
+
+static uint32 TIFFClampDoubleToUInt32( double val )
+{
+    if( val < 0 )
+        return 0;
+    if( val > 0xFFFFFFFFU || val != val )
+        return 0xFFFFFFFFU;
+    return (uint32)val;
+}
+
 static int
 TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value)
 {
@@ -959,7 +1023,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
 			if (tif->tif_dir.td_bitspersample<=32)
 			{
 				for (i = 0; i < count; ++i)
-					((float*)conv)[i] = (float)value[i];
+					((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
 				ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
 			}
 			else
@@ -971,19 +1035,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
 			if (tif->tif_dir.td_bitspersample<=8)
 			{
 				for (i = 0; i < count; ++i)
-					((int8*)conv)[i] = (int8)value[i];
+					((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]);
 				ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv);
 			}
 			else if (tif->tif_dir.td_bitspersample<=16)
 			{
 				for (i = 0; i < count; ++i)
-					((int16*)conv)[i] = (int16)value[i];
+					((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]);
 				ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv);
 			}
 			else
 			{
 				for (i = 0; i < count; ++i)
-					((int32*)conv)[i] = (int32)value[i];
+					((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]);
 				ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv);
 			}
 			break;
@@ -991,19 +1055,19 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
 			if (tif->tif_dir.td_bitspersample<=8)
 			{
 				for (i = 0; i < count; ++i)
-					((uint8*)conv)[i] = (uint8)value[i];
+					((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]);
 				ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv);
 			}
 			else if (tif->tif_dir.td_bitspersample<=16)
 			{
 				for (i = 0; i < count; ++i)
-					((uint16*)conv)[i] = (uint16)value[i];
+					((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]);
 				ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv);
 			}
 			else
 			{
 				for (i = 0; i < count; ++i)
-					((uint32*)conv)[i] = (uint32)value[i];
+					((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]);
 				ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv);
 			}
 			break;
@@ -2102,12 +2166,17 @@ TIFFWriteDirectoryTagCheckedRational(TIFF* tif, uint32* ndir, TIFFDirEntry* dir,
             TIFFErrorExt(tif->tif_clientdata,module,"Negative value is illegal");
             return 0;
         }
+        else if( value != value )
+        {
+            TIFFErrorExt(tif->tif_clientdata,module,"Not-a-number value is illegal");
+            return 0;
+        }
 	else if (value==0.0)
 	{
 		m[0]=0;
 		m[1]=1;
 	}
-	else if (value==(double)(uint32)value)
+	else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value)
 	{
 		m[0]=(uint32)value;
 		m[1]=1;
@@ -2148,12 +2217,13 @@ TIFFWriteDirectoryTagCheckedRationalArray(TIFF* tif, uint32* ndir, TIFFDirEntry*
 	}
 	for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++)
 	{
-		if (*na<=0.0)
+		if (*na<=0.0 || *na != *na)
 		{
 			nb[0]=0;
 			nb[1]=1;
 		}
-		else if (*na==(float)(uint32)(*na))
+		else if (*na >= 0 && *na <= (float)0xFFFFFFFFU &&
+                         *na==(float)(uint32)(*na))
 		{
 			nb[0]=(uint32)(*na);
 			nb[1]=1;
diff --git a/main/tiff/CVE-2017-7598.patch b/main/tiff/CVE-2017-7598.patch
deleted file mode 100644
index 4e6a04f42c..0000000000
--- a/main/tiff/CVE-2017-7598.patch
@@ -1,41 +0,0 @@
From 3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 13:28:01 +0000
Subject: [PATCH] * libtiff/tif_dirread.c: avoid division by floating point 0
 in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
 and return 0 in that case (instead of infinity as before presumably)
 Apparently some sanitizers do not like those divisions by zero. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2644

---
 libtiff/tif_dirread.c | 10 ++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 570d0c3..8a1e42a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -2872,7 +2872,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedRational(TIFF* tif, TIFFD
 		m.l = direntry->tdir_offset.toff_long8;
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabArrayOfLong(m.i,2);
-	if (m.i[0]==0)
+        /* Not completely sure what we should do when m.i[1]==0, but some */
+        /* sanitizers do not like division by 0.0: */
+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
+	if (m.i[0]==0 || m.i[1]==0)
 		*value=0.0;
 	else
 		*value=(double)m.i[0]/(double)m.i[1];
@@ -2900,7 +2903,10 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryCheckedSrational(TIFF* tif, TIFF
 		m.l=direntry->tdir_offset.toff_long8;
 	if (tif->tif_flags&TIFF_SWAB)
 		TIFFSwabArrayOfLong(m.i,2);
-	if ((int32)m.i[0]==0)
+        /* Not completely sure what we should do when m.i[1]==0, but some */
+        /* sanitizers do not like division by 0.0: */
+        /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */
+	if ((int32)m.i[0]==0 || m.i[1]==0)
 		*value=0.0;
 	else
 		*value=(double)((int32)m.i[0])/(double)m.i[1];
diff --git a/main/tiff/CVE-2017-7601.patch b/main/tiff/CVE-2017-7601.patch
deleted file mode 100644
index b5d37bbc1c..0000000000
--- a/main/tiff/CVE-2017-7601.patch
@@ -1,29 +0,0 @@
From 0a76a8c765c7b8327c59646284fa78c3c27e5490 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 16:13:50 +0000
Subject: [PATCH] * libtiff/tif_jpeg.c: validate BitsPerSample in
 JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
 exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648

---
 libtiff/tif_jpeg.c | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/libtiff/tif_jpeg.c b/libtiff/tif_jpeg.c
index 6c17c38..192989a 100644
--- a/libtiff/tif_jpeg.c
+++ b/libtiff/tif_jpeg.c
@@ -1632,6 +1632,13 @@ JPEGSetupEncode(TIFF* tif)
                             "Invalig horizontal/vertical sampling value");
                     return (0);
                 }
+                if( td->td_bitspersample > 16 )
+                {
+                    TIFFErrorExt(tif->tif_clientdata, module,
+                                 "BitsPerSample %d not allowed for JPEG",
+                                 td->td_bitspersample);
+                    return (0);
+                }
 
 		/*
 		 * A ReferenceBlackWhite field *must* be present since the
diff --git a/main/tiff/CVE-2017-7602.patch b/main/tiff/CVE-2017-7602.patch
deleted file mode 100644
index c0bc41ff90..0000000000
--- a/main/tiff/CVE-2017-7602.patch
@@ -1,50 +0,0 @@
From 66e7bd59520996740e4df5495a830b42fae48bc4 Mon Sep 17 00:00:00 2001
From: erouault <erouault>
Date: Wed, 11 Jan 2017 16:33:34 +0000
Subject: [PATCH] * libtiff/tif_read.c: avoid potential undefined behaviour on
 signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2650

---
 libtiff/tif_read.c | 27 ++++++++++++++++++---------
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 52bbf50..b7aacbd 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -420,16 +420,25 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
 			return ((tmsize_t)(-1));
 		}
 	} else {
-		tmsize_t ma,mb;
+		tmsize_t ma;
 		tmsize_t n;
-		ma=(tmsize_t)td->td_stripoffset[strip];
-		mb=ma+size;
-		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
-			n=0;
-		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
-			n=tif->tif_size-ma;
-		else
-			n=size;
+		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||
+                    ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size))
+                {
+                    n=0;
+                }
+                else if( ma > TIFF_TMSIZE_T_MAX - size )
+                {
+                    n=0;
+                }
+                else
+                {
+                    tmsize_t mb=ma+size;
+                    if (mb>tif->tif_size)
+                            n=tif->tif_size-ma;
+                    else
+                            n=size;
+                }
 		if (n!=size) {
 #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
 			TIFFErrorExt(tif->tif_clientdata, module,
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---

[alpine-aports] [PATCH 2/2] main/tiff: modernize abuild

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20170630012652.9410-7-dsabogalcc@gmail.com>
In-Reply-To
<20170630012652.9410-1-dsabogalcc@gmail.com> (view parent)
Sender timestamp
1498786012
DKIM signature
missing
Download raw message
Patch: +11 -15
---
 main/tiff/APKBUILD | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 8bf35393cd..7bd9266dea 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -12,8 +12,8 @@ depends=
depends_dev="zlib-dev libjpeg-turbo-dev"
makedepends="libtool autoconf automake $depends_dev"
subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
	"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz"
builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   4.0.7-r3
@@ -34,22 +34,14 @@ source="http://download.osgeo.org/libtiff/tiff-${pkgver}.tar.gz
#   4.0.7-r1:
#     - CVE-2017-5225

builddir="$srcdir"/$pkgname-$pkgver

prepare() {
	local _failed=
	cd "$builddir"
	update_config_sub || return 1
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || _failed="$_failed $i";;
		esac
	done
	update_config_sub
	default_prepare
}

build() {
	cd "$builddir"

	./configure \
		--build=$CBUILD \
		--host=$CHOST \
@@ -57,9 +49,13 @@ build() {
		--sysconfdir=/etc \
		--mandir=/usr/share/man \
		--infodir=/usr/share/info \
		--disable-cxx \
		|| return 1
	make || return 1
		--disable-cxx
	make
}

check() {
	cd "$builddir"
	make check
}

package() {
-- 
2.13.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)