Package: tiff / 3.9.4-5+squeeze14

Metadata

Package: tiff
Version: 3.9.4-5+squeeze14
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
libtiff scanlinesize.patch | (download)

libtiff/tif_jpeg.c | 14 10 + 4 - 0 !
libtiff/tif_strip.c | 18 7 + 11 - 0 !
2 files changed, 17 insertions(+), 15 deletions(-)

 fix mishandling of downsampled jpeg files
soname.patch | (download)

libtiff/Makefile.am | 4 2 + 2 - 0 !
libtiff/Makefile.in | 4 2 + 2 - 0 !
2 files changed, 4 insertions(+), 4 deletions(-)

---
man errors.patch | (download)

man/TIFFClose.3tiff | 2 1 + 1 - 0 !
man/raw2tiff.1 | 2 1 + 1 - 0 !
man/tiffcmp.1 | 2 1 + 1 - 0 !
man/tiffsplit.1 | 2 1 + 1 - 0 !
4 files changed, 4 insertions(+), 4 deletions(-)

---
man spelling.patch | (download)

man/TIFFReadDirectory.3tiff | 8 4 + 4 - 0 !
man/TIFFWriteDirectory.3tiff | 2 1 + 1 - 0 !
2 files changed, 5 insertions(+), 5 deletions(-)

 fix common spelling errors in manual page (lintian)
tif_getimage.c CVE 2010 2233.patch | (download)

libtiff/tif_getimage.c | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 fix specific tif_getimage failure on 64-bit platforms
fix ycbcr oob read.patch | (download)

libtiff/tif_getimage.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix crash on oob reads in putcontig8bitycbcr11tile
 Fixed upstream in CVS version 1.63.2.5 of libtiff/tif_getimage.c
Bug-Ubuntu: https://bugs.launchpad.net/bugs/591605
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=603081
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595064
CVE 2010 2482.patch | (download)

libtiff/tif_ojpeg.c | 6 6 + 0 - 0 !
tools/tiffsplit.c | 10 8 + 2 - 0 !
2 files changed, 14 insertions(+), 2 deletions(-)

 fix denial of service via invalid td_stripbytecount field
CVE 2010 2595.patch | (download)

libtiff/tif_color.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 fix denial of service via invalid referenceblackwhite values
CVE 2010 2597.patch | (download)

libtiff/tif_strip.c | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 fix denial of service via divide-by-zero
CVE 2010 2630.patch | (download)

libtiff/tif_dirread.c | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 fix denial of service via out-of-order tags
CVE 2011 0192.patch | (download)

libtiff/tif_fax3.h | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 cve-2011-0192: buffer overflow in fax4decode
CVE 2011 1167.patch | (download)

libtiff/tif_thunder.c | 36 30 + 6 - 0 !
1 file changed, 30 insertions(+), 6 deletions(-)

 correct buffer overflow with thunder encoded files
CVE 2009 5022.patch | (download)

libtiff/tif_ojpeg.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

---
CVE 2010 4665.patch | (download)

tools/tiffdump.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 fix denial of service and possible code execution via tiffdump
CVE 2012 1173.patch | (download)

libtiff/tif_getimage.c | 20 16 + 4 - 0 !
libtiff/tiffiop.h | 2 1 + 1 - 0 !
2 files changed, 17 insertions(+), 5 deletions(-)

 fix arbitrary code execution via size overflow
CVE 2012 2088.patch | (download)

libtiff/tif_strip.c | 29 22 + 7 - 0 !
libtiff/tif_tile.c | 32 22 + 10 - 0 !
2 files changed, 44 insertions(+), 17 deletions(-)

 fix possible arbitrary code execution via buffer overflow
 due to type-conversion flaw
CVE 2012 2113.patch | (download)

tools/tiff2pdf.c | 134 108 + 26 - 0 !
1 file changed, 108 insertions(+), 26 deletions(-)

 fix possible arbitrary code execution via integer
 overflows in tiff2pdf
CVE 2012 3401.patch | (download)

tools/tiff2pdf.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix possible arbitrary code execution via heap overflow
 in tiff2pdf.
CVE 2012 4447.patch | (download)

libtiff/tif_pixarlog.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
CVE 2012 4564.patch | (download)

tools/ppm2tiff.c | 13 11 + 2 - 0 !
1 file changed, 11 insertions(+), 2 deletions(-)

---
CVE 2012 5581.patch | (download)

libtiff/tif_dir.c | 277 137 + 140 - 0 !
1 file changed, 137 insertions(+), 140 deletions(-)

 * libtiff/tif_dir.c, tif_print.c : remove field_custom handling
  for PAGENUMBER, HALFTONEHINTS, and YCBCRSUBSAMPLING.  Implement DOTRANGE
CVE 2013 1960.patch | (download)

tools/tiff2pdf.c | 103 62 + 41 - 0 !
1 file changed, 62 insertions(+), 41 deletions(-)

---
CVE 2013 1961.patch | (download)

contrib/dbs/xtiff/xtiff.c | 4 2 + 2 - 0 !
libtiff/tif_codec.c | 3 2 + 1 - 0 !
libtiff/tif_dirinfo.c | 2 1 + 1 - 0 !
tools/rgb2ycbcr.c | 3 2 + 1 - 0 !
tools/tiff2bw.c | 2 1 + 1 - 0 !
tools/tiff2pdf.c | 208 87 + 121 - 0 !
tools/tiff2ps.c | 8 4 + 4 - 0 !
tools/tiffcrop.c | 6 3 + 3 - 0 !
tools/tiffdither.c | 2 1 + 1 - 0 !
9 files changed, 103 insertions(+), 135 deletions(-)

---
CVE 2013 4231.patch | (download)

tools/gif2tiff.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 buffer overflow in gif2tiff
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
Bug-Debian: http://bugs.debian.org/719303

CVE 2013 4232.patch | (download)

tools/tiff2pdf.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 use after free in tiff2pdf
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
Bug-Debian: http://bugs.debian.org/719303

CVE 2013 4244.patch | (download)

tools/gif2tiff.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 oob write in gif2tiff
Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468

CVE 2013 4243.patch | (download)

tools/gif2tiff.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

---
CVE 2014 8128 1.patch | (download)

tools/thumbnail.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch] * tools/thumbnail.c: fix out-of-buffer write
 http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)


CVE 2014 8128 2.patch | (download)

tools/thumbnail.c | 21 20 + 1 - 0 !
tools/tiffcmp.c | 17 15 + 2 - 0 !
2 files changed, 35 insertions(+), 3 deletions(-)

 [patch] * tools/thumbnail.c, tools/tiffcmp.c: only read/write
 TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
 COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)


CVE 2014 8128 3.patch | (download)

tools/tiff2pdf.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 [patch] * tools/tiff2pdf.c: check return code of tiffgetfield() when
 reading TIFFTAG_SAMPLESPERPIXEL

[benh: Backported to 3.9.4: adjust context]

CVE 2014 8128 4.patch | (download)

tools/tiffdither.c | 24 18 + 6 - 0 !
1 file changed, 18 insertions(+), 6 deletions(-)

---
CVE 2014 8128 5 fixed.patch | (download)

libtiff/tif_dirinfo.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 backport of: fix out-of-bounds write in thumbnail and tiffcmp tools
CVE 2014 8129.patch | (download)

libtiff/tif_next.c | 17 17 + 0 - 0 !
1 file changed, 17 insertions(+)

 [patch] * libtiff/tif_next.c: check that bitspersample = 2. fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)

[benh: Backported to 3.9.4: adjust context]

CVE 2014 9655.patch | (download)

libtiff/tif_getimage.c | 12 7 + 5 - 0 !
libtiff/tif_next.c | 4 3 + 1 - 0 !
2 files changed, 10 insertions(+), 6 deletions(-)

 [patch] * libtiff/tif_next.c: add new tests to check that we don't
 read outside of the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height

[benh: Backported to 3.9.4: adjust context]

fix various crasher bugs on fuzzed images.patch | (download)

libtiff/tif_dir.c | 21 19 + 2 - 0 !
libtiff/tif_dirread.c | 16 16 + 0 - 0 !
libtiff/tif_getimage.c | 15 15 + 0 - 0 !
libtiff/tif_next.c | 2 2 + 0 - 0 !
tools/bmp2tiff.c | 15 15 + 0 - 0 !
tools/tiff2pdf.c | 41 41 + 0 - 0 !
tools/tiffcrop.c | 7 4 + 3 - 0 !
7 files changed, 112 insertions(+), 5 deletions(-)

 Fix various crasher bugs on fuzzed images.
 * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
 TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
 the directory
 * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
 TransferFunction if BitsPerSample has not yet been read, otherwise reading
 it later will cause user code to crash if BitsPerSample > 1
 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
 SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
 instead of imagewidth to avoid crash
 * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
 * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by
 libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
 * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
 * tools/tiffdump.c: fix crash due to overflow of entry count.
 .
 [This covers part of CVE-2014-8128, part of CVE-2014-8129, and CVE-2014-9330]
 .
 [benh: Backported to 3.9.4:
  - Drop changes to ChangeLog
  - Drop changes to tiffdump.c, not applicable to this version
  - s/\bTIFFField\b/TIFFFieldInfo/
  - Adjust context]


tools pal2rgb.c tools thumbnail.c fix crash by disab.patch | (download)

tools/pal2rgb.c | 2 1 + 1 - 0 !
tools/thumbnail.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling TIFFTAG_INKNAMES
 copying. The right fix would be to properly copy it, but not worth the burden
 for those esoteric utilities.
 http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
 .
 [benh: Backported to 3.9.4: drop changes to ChangeLog]


tools tiff2bw.c when photometric rgb the utility onl.patch | (download)

tools/tiff2bw.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 * tools/tiff2bw.c: when Photometric=RGB, the utility only works if
 SamplesPerPixel = 3. Enforce that
 http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
 .
 [benh: Backported to 3.9.4: drop changes to ChangeLog]

CVE 2015 8665_and_CVE 2015 8683.patch | (download)

libtiff/tif_getimage.c | 41 33 + 8 - 0 !
1 file changed, 33 insertions(+), 8 deletions(-)

 [patch] * libtiff/tif_getimage.c: fix out-of-bound reads in
 TIFFRGBAImage interface in case of unsupported values of
 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
 limingxing and CVE-2015-8683 reported by zzf of Alibaba.


CVE 2015 8781.patch | (download)

libtiff/tif_luv.c | 55 46 + 9 - 0 !
1 file changed, 46 insertions(+), 9 deletions(-)

 fix potential out-of-bound reads/writes in decode functions in tif_luv.c
 Patch adapted from upstream commit aaab5c3c9d2a2c6984f23ccbc79702610439bc65
 Fixes CVE-2015-8781, CVE-2015-8782, CVE-2015-8783
 (bugzilla #2522)
CVE 2015 8784.patch | (download)

libtiff/tif_next.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fix cve-2015-8784: potential out-of-bound write in nextdecode()
 Patch adopted from upstream commit b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
 triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2508