Package: tiff / 4.0.3-12.3+deb8u5

Metadata

Package: tiff
Version: 4.0.3-12.3+deb8u5
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
opengl.patch | (download)

tools/tiffgt.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 call glflush() in tiffgt
CVE 2012 4564.patch | (download)

tools/ppm2tiff.c | 13 11 + 2 - 0 !
1 file changed, 11 insertions(+), 2 deletions(-)

---
CVE 2013 1960.patch | (download)

tools/tiff2pdf.c | 103 62 + 41 - 0 !
1 file changed, 62 insertions(+), 41 deletions(-)

---
CVE 2013 1961.patch | (download)

contrib/dbs/xtiff/xtiff.c | 4 2 + 2 - 0 !
libtiff/tif_codec.c | 3 2 + 1 - 0 !
libtiff/tif_dirinfo.c | 2 1 + 1 - 0 !
tools/rgb2ycbcr.c | 3 2 + 1 - 0 !
tools/tiff2bw.c | 2 1 + 1 - 0 !
tools/tiff2pdf.c | 208 87 + 121 - 0 !
tools/tiff2ps.c | 8 4 + 4 - 0 !
tools/tiffcrop.c | 10 5 + 5 - 0 !
tools/tiffdither.c | 2 1 + 1 - 0 !
9 files changed, 105 insertions(+), 137 deletions(-)

---
CVE 2013 4231.patch | (download)

tools/gif2tiff.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 buffer overflow in gif2tiff
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
Bug-Debian: http://bugs.debian.org/719303

CVE 2013 4232.patch | (download)

tools/tiff2pdf.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 use after free in tiff2pdf
Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
Bug-Debian: http://bugs.debian.org/719303

CVE 2013 4244.patch | (download)

tools/gif2tiff.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 oob write in gif2tiff
Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468

CVE 2013 4243.patch | (download)

tools/gif2tiff.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

---
jpeg colorspace.patch | (download)

tools/tiffcp.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 fix for debian bug #741451
CVE 2014 9330.patch | (download)

tools/bmp2tiff.c | 17 16 + 1 - 0 !
1 file changed, 16 insertions(+), 1 deletion(-)

 cve-2014-9330
 Integer overflow in bmp2tiff
CVE 2014 8127 1.patch | (download)

tools/tiff2bw.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch] * tools/tiff2bw.c: when photometric=rgb, the utility only
 works if SamplesPerPixel = 3. Enforce that
 http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)


CVE 2014 8127 2.patch | (download)

tools/pal2rgb.c | 2 1 + 1 - 0 !
tools/thumbnail.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 [patch] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling
 TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not
 worth the burden for those esoteric utilities.
 http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)


CVE 2014 8127 3.patch | (download)

libtiff/tif_read.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] * libtiff/tif_read.c: fix several invalid comparisons of a
 uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
 on corrupted images generated by afl.


CVE 2014 8127 4.patch | (download)

libtiff/tif_dir.c | 21 19 + 2 - 0 !
libtiff/tif_dirread.c | 17 17 + 0 - 0 !
libtiff/tif_getimage.c | 15 15 + 0 - 0 !
libtiff/tif_next.c | 2 2 + 0 - 0 !
tools/tiff2pdf.c | 41 41 + 0 - 0 !
tools/tiffcrop.c | 7 4 + 3 - 0 !
tools/tiffdump.c | 9 6 + 3 - 0 !
7 files changed, 104 insertions(+), 8 deletions(-)

 [patch] fix various crasher bugs on fuzzed images. *
 libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
 TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
 the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read
 ColorMap or TransferFunction if BitsPerSample has not yet been read,
 otherwise reading it later will cause user code to crash if BitsPerSample > 1
 * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
 SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample
 != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
 instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int
 overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to
 invalid tile count (should likely be checked by libtiff too). Detect invalid
 settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB *
 tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight *
 tools/tiffdump.c: fix crash due to overflow of entry count.


CVE 2014 8128 1.patch | (download)

tools/thumbnail.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch] * tools/thumbnail.c: fix out-of-buffer write
 http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)


CVE 2014 8128 2.patch | (download)

tools/thumbnail.c | 21 20 + 1 - 0 !
tools/tiffcmp.c | 17 15 + 2 - 0 !
2 files changed, 35 insertions(+), 3 deletions(-)

 [patch] * tools/thumbnail.c, tools/tiffcmp.c: only read/write
 TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
 COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
 http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)


CVE 2014 8128 3.patch | (download)

tools/tiff2pdf.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 [patch] * tools/tiff2pdf.c: check return code of tiffgetfield() when
 reading TIFFTAG_SAMPLESPERPIXEL


CVE 2014 8129.patch | (download)

libtiff/tif_next.c | 17 17 + 0 - 0 !
1 file changed, 17 insertions(+)

 [patch] * libtiff/tif_next.c: check that bitspersample = 2. fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)


CVE 2014 9655.patch | (download)

libtiff/tif_getimage.c | 12 7 + 5 - 0 !
libtiff/tif_next.c | 4 3 + 1 - 0 !
2 files changed, 10 insertions(+), 6 deletions(-)

 [patch] * libtiff/tif_next.c: add new tests to check that we don't
 read outside of the compressed input stream buffer.

* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height

CVE 2014 8128 4.patch | (download)

tools/tiffdither.c | 21 16 + 5 - 0 !
1 file changed, 16 insertions(+), 5 deletions(-)

---
CVE 2014 8128 5.patch | (download)

libtiff/tif_dirinfo.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
CVE 2015 8665_and_CVE 2015 8683.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_getimage.c | 37 23 + 14 - 0 !
2 files changed, 31 insertions(+), 14 deletions(-)

 [patch] * libtiff/tif_getimage.c: fix out-of-bound reads in
 TIFFRGBAImage interface in case of unsupported values of
 SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
 TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
 limingxing and CVE-2015-8683 reported by zzf of Alibaba.


CVE 2015 8781_CVE 2015 8782_CVE 2015 8783.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_luv.c | 57 45 + 12 - 0 !
2 files changed, 52 insertions(+), 12 deletions(-)

 [patch] * libtiff/tif_luv.c: fix potential out-of-bound writes in
 decode functions in non debug builds by replacing assert()s by regular if
 checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
 input data.


CVE 2015 8784.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_next.c | 12 9 + 3 - 0 !
2 files changed, 15 insertions(+), 3 deletions(-)

 [patch] * libtiff/tif_next.c: fix potential out-of-bound write in
 NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
 (bugzilla #2508)


CVE 2016 5314_CVE 2016 5316_CVE 2016 5320_CVE 2016 5875.patch | (download)

ChangeLog | 5 5 + 0 - 0 !
libtiff/tif_pixarlog.c | 8 8 + 0 - 0 !
2 files changed, 13 insertions(+)

 [patch] * libtiff/tif_pixarlog.c: fix potential buffer write overrun
 in PixarLogDecode() on corrupted/unexpected images (reported by Mathias
 Svensson)


CVE 2016 6223.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_read.c | 7 5 + 2 - 0 !
2 files changed, 12 insertions(+), 2 deletions(-)

 [patch] * libtiff/tif_read.c: fix out-of-bounds read on memory-mapped
 files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is
 beyond tmsize_t max value (reported by Mathias Svensson)


CVE 2016 5321.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiffcrop.c | 2 1 + 1 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

---
CVE 2016 5323.patch | (download)

ChangeLog | 2 1 + 1 - 0 !
tools/tiffcrop.c | 16 8 + 8 - 0 !
2 files changed, 9 insertions(+), 9 deletions(-)

---
CVE 2016 3945.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
tools/tiff2rgba.c | 34 30 + 4 - 0 !
2 files changed, 38 insertions(+), 4 deletions(-)

---
CVE 2016 3990.patch | (download)

ChangeLog | 10 9 + 1 - 0 !
libtiff/tif_pixarlog.c | 7 7 + 0 - 0 !
2 files changed, 16 insertions(+), 1 deletion(-)

---
CVE 2016 3991_CVE 2016 5322.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
tools/tiffcrop.c | 59 56 + 3 - 0 !
2 files changed, 62 insertions(+), 3 deletions(-)

---
CVE 2016 3623_CVE 2016 3624.patch | (download)

ChangeLog | 5 5 + 0 - 0 !
tools/rgb2ycbcr.c | 4 4 + 0 - 0 !
2 files changed, 9 insertions(+)

---
CVE 2016 9533_CVE 2016 9534_CVE 2016 9535_CVE 2016 9536_CVE 2016 9537.patch | (download)

ChangeLog | 23 23 + 0 - 0 !
libtiff/tif_pixarlog.c | 55 23 + 32 - 0 !
libtiff/tif_write.c | 7 7 + 0 - 0 !
tools/tiff2pdf.c | 22 20 + 2 - 0 !
tools/tiffcrop.c | 20 19 + 1 - 0 !
5 files changed, 92 insertions(+), 35 deletions(-)

 [patch] * tools/tiffcrop.c: fix various out-of-bounds write
 vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
 MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
 the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
 out-of-bounds write vulnerabilities in heap allocated buffer in
 t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
 and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
 libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
 allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
 Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
 libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
 didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
 that could happen in practice outside of the odd behaviour of t2p_seekproc()
 of tiff2pdf. The report points out that a better fix could be to check the
 return value of TIFFFlushData1() in places where it isn't done currently, but
 it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
 Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
 Mitigations team.


CVE 2016 3622.patch | (download)

ChangeLog | 9 9 + 0 - 0 !
libtiff/tif_getimage.c | 38 20 + 18 - 0 !
libtiff/tif_predict.c | 11 10 + 1 - 0 !
3 files changed, 39 insertions(+), 19 deletions(-)

 [patch] * libtiff/tif_getimage.c (tiffrgbaimageok): reject attempts
 to read floating point images.

* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
requirements of floating point predictor (3).  Fixes CVE-2016-3622
"Divide By Zero in the tiff2rgba tool."

CVE 2016 9538.patch | (download)

ChangeLog | 9 9 + 0 - 0 !
tools/tiffcp.c | 4 2 + 2 - 0 !
tools/tiffcrop.c | 9 6 + 3 - 0 !
3 files changed, 17 insertions(+), 5 deletions(-)

 [patch] * tools/tiffcp.c: fix read of undefined variable in case of
 missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
 fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
 overflow. Probably not a security issue but I can be wrong. Reported as MSVR
 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.


CVE 2016 9540.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiffcp.c | 4 2 + 2 - 0 !
2 files changed, 9 insertions(+), 2 deletions(-)

 [patch] * tools/tiffcp.c: fix out-of-bounds write on tiled images
 with odd tile width vs image width. Reported as MSVR 35103 by Axel Souchet
 and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.


CVE 2016 5652.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiff2pdf.c | 17 10 + 7 - 0 !
2 files changed, 17 insertions(+), 7 deletions(-)

 [patch] * tools/tiff2pdf.c: fix write buffer overflow of 2 bytes on
 JPEG compressed images. Reported by Tyler Bohan of Cisco Talos as
 TALOS-CAN-0187 / CVE-2016-5652. Also prevents writing 2 extra uninitialized
 bytes to the file stream.


CVE 2016 9273.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_strip.c | 9 9 + 0 - 0 !
2 files changed, 17 insertions(+)

 [patch] * libtiff/tif_strip.c: make tiffnumberofstrips() return the
 td->td_nstrips value when it is non-zero, instead of recomputing it. This is
 needed in TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read
 outside of array in tiffsplit (or other utilities using
 TIFFNumberOfStrips()). Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2587


CVE 2016 9532.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
tools/tiffcrop.c | 44 40 + 4 - 0 !
2 files changed, 48 insertions(+), 4 deletions(-)

 [patch] * tools/tiffcrop.c: fix multiple uint32 overflows in
 writeBufferToSeparateStrips(), writeBufferToContigTiles() and
 writeBufferToSeparateTiles() that could cause heap buffer overflows. Reported
 by Henri Salo from Nixu Corporation. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2592


CVE 2016 9297.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_dirread.c | 10 10 + 0 - 0 !
2 files changed, 18 insertions(+)

 [patch] * libtiff/tif_dirread.c: in tifffetchnormaltag(), make sure
 that values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access
 are null terminated, to avoid potential read outside buffer in
 _TIFFPrintField(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590


CVE 2016 9448.patch | (download)

ChangeLog | 9 9 + 0 - 0 !
libtiff/tif_dirread.c | 4 2 + 2 - 0 !
2 files changed, 11 insertions(+), 2 deletions(-)

 [patch] * libtiff/tif_dirread.c: in tifffetchnormaltag(), do not
 dereference NULL pointer when values of tags with TIFF_SETGET_C16_ASCII /
 TIFF_SETGET_C32_ASCII access are 0-byte arrays. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2593 (regression introduced by
 previous fix done on 2016-11-11 for CVE-2016-9297). Reported by Henri Salo.


CVE 2016 10092.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiffcrop.c | 2 1 + 1 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

 [patch] * tools/tiffcrop.c: fix readcontigstripsintobuffer() in -i
 (ignore) mode so that the output buffer is correctly incremented to avoid
 write outside bounds. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2620


CVE 2016 10093.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiffcp.c | 6 3 + 3 - 0 !
2 files changed, 10 insertions(+), 3 deletions(-)

 [patch] * tools/tiffcp.c: fix uint32 underflow/overflow that can
 cause heap-based buffer overflow. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2610


CVE 2016 10094.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
tools/tiff2pdf.c | 2 1 + 1 - 0 !
2 files changed, 7 insertions(+), 1 deletion(-)

 [patch] * tools/tiff2pdf.c: avoid potential heap-based overflow in
 t2p_readwrite_pdf_image_tile(). Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2640


CVE 2014 8127_CVE 2016 3658.patch | (download)

ChangeLog | 19 19 + 0 - 0 !
libtiff/tif_dir.c | 22 22 + 0 - 0 !
libtiff/tif_dirwrite.c | 16 14 + 2 - 0 !
3 files changed, 55 insertions(+), 2 deletions(-)

 [patch] * libtiff/tif_dir.c: discard values of sminsamplevalue and
 SMaxSampleValue when they have been read and the value of SamplesPerPixel is
 changed afterwards (like when reading an OJPEG compressed image with a missing
 SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing
 SamplesPerPixel being 3). Otherwise when rewriting the directory (for example
 with tiffset, we will expect 3 values whereas the array had been allocated
 with just one), thus causing an out of bound read access. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2500 (CVE-2014-8127, duplicate:
 CVE-2016-3658)

* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
when writing directory, if FIELD_STRIPOFFSETS was artificially set
for a hack case in OJPEG case.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
(CVE-2014-8127, duplicate: CVE-2016-3658)

CVE 2016 9535_part1.patch | (download)

ChangeLog | 9 9 + 0 - 0 !
libtiff/tif_predict.c | 149 110 + 39 - 0 !
libtiff/tif_predict.h | 6 4 + 2 - 0 !
3 files changed, 123 insertions(+), 41 deletions(-)

 [patch] * libtiff/tif_predict.h, libtiff/tif_predict.c: replace
 assertions by runtime checks to avoid assertions in debug mode, or buffer
 overflows in release mode. Can happen when dealing with unusual tile size
 like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet &
 Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.


CVE 2016 9535_part2.patch | (download)

ChangeLog | 5 5 + 0 - 0 !
libtiff/tif_predict.c | 8 6 + 2 - 0 !
2 files changed, 11 insertions(+), 2 deletions(-)

 [patch] * libtiff/tif_predict.c: fix memory leaks in error code paths
 added in previous commit (fix for MSVR 35105)


CVE 2016 10266.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_read.c | 2 1 + 1 - 0 !
libtiff/tiffiop.h | 4 4 + 0 - 0 !
3 files changed, 12 insertions(+), 1 deletion(-)

 [patch] * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow
 in TIFFReadEncodedStrip() that caused an integer division by zero. Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596


CVE 2016 10269.patch | (download)

ChangeLog | 10 10 + 0 - 0 !
libtiff/tif_luv.c | 18 14 + 4 - 0 !
libtiff/tif_pixarlog.c | 17 15 + 2 - 0 !
3 files changed, 39 insertions(+), 6 deletions(-)

 [patch] * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based
 buffer overflow on generation of PixarLog / LUV compressed files, with
 ColorMap, TransferFunction attached and nasty plays with bitspersample. The
 fix for LUV has not been tested, but suffers from the same kind of issue of
 PixarLog. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2604


CVE 2016 10270.patch | (download)

ChangeLog | 15 15 + 0 - 0 !
libtiff/tif_dirread.c | 22 10 + 12 - 0 !
libtiff/tif_strip.c | 9 0 + 9 - 0 !
3 files changed, 25 insertions(+), 21 deletions(-)

 [patch] * libtiff/tif_dirread.c: modify
 ChopUpSingleUncompressedStrip() to instantiate compute ntrips as
 TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on
 the total size of data. Which is faulty if the total size of data is not
 sufficient to fill the whole image, and thus results in reading outside of
 the StripByteCounts/StripOffsets arrays when using TIFFReadScanline(). Reported
 by Agostino Sarubbo. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608.

* libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done
for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since
the above change is a better fix that makes it unnecessary.

CVE 2016 10267.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_ojpeg.c | 8 8 + 0 - 0 !
2 files changed, 15 insertions(+)

 [patch] * libtiff/tif_ojpeg.c: make ojpegdecode() early exit in case
 of failure in OJPEGPreDecode(). This will avoid a divide by zero, and
 potential other issues. Reported by Agostino Sarubbo. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2611


CVE 2017 7595.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_jpeg.c | 7 7 + 0 - 0 !
2 files changed, 13 insertions(+)

 [patch] * libtiff/tif_jpeg.c: avoid integer division by zero in
 JPEGSetupEncode() when horizontal or vertical sampling is set to 0. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2653


CVE 2017 7598.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_dirread.c | 10 8 + 2 - 0 !
2 files changed, 16 insertions(+), 2 deletions(-)

 [patch] * libtiff/tif_dirread.c: avoid division by floating point 0
 in TIFFReadDirEntryCheckedRational() and TIFFReadDirEntryCheckedSrational(),
 and return 0 in that case (instead of infinity as before presumably)
 Apparently some sanitizers do not like those divisions by zero. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2644


CVE 2017 7596_CVE 2017 7597_CVE 2017 7599_CVE 2017 7600.patch | (download)

ChangeLog | 10 10 + 0 - 0 !
libtiff/tif_dir.c | 18 14 + 4 - 0 !
libtiff/tif_dirread.c | 10 9 + 1 - 0 !
libtiff/tif_dirwrite.c | 91 81 + 10 - 0 !
4 files changed, 114 insertions(+), 15 deletions(-)

 [patch] * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement
 various clampings of double to other data types to avoid undefined behaviour
 if the output range isn't big enough to hold the input value. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2643
 http://bugzilla.maptools.org/show_bug.cgi?id=2642
 http://bugzilla.maptools.org/show_bug.cgi?id=2646
 http://bugzilla.maptools.org/show_bug.cgi?id=2647


CVE 2017 7601.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_jpeg.c | 7 7 + 0 - 0 !
2 files changed, 13 insertions(+)

 [patch] * libtiff/tif_jpeg.c: validate bitspersample in
 JPEGSetupEncode() to avoid undefined behaviour caused by invalid shift
 exponent. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648


CVE 2017 7602.patch | (download)

ChangeLog | 6 6 + 0 - 0 !
libtiff/tif_read.c | 27 18 + 9 - 0 !
2 files changed, 24 insertions(+), 9 deletions(-)

 [patch] * libtiff/tif_read.c: avoid potential undefined behaviour on
 signed integer addition in TIFFReadRawStrip1() in isMapped() case. Fixes
 http://bugzilla.maptools.org/show_bug.cgi?id=2650


CVE 2017 7592.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_getimage.c | 2 1 + 1 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

 [patch] * libtiff/tif_getimage.c: add explicit uint32 cast in
 putagreytile to avoid UndefinedBehaviorSanitizer warning. Patch by Nicolás
 Peña. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658


CVE 2017 7593.patch | (download)

ChangeLog | 8 8 + 0 - 0 !
libtiff/tif_read.c | 4 3 + 1 - 0 !
libtiff/tif_unix.c | 8 8 + 0 - 0 !
libtiff/tif_win32.c | 8 8 + 0 - 0 !
libtiff/tiffio.h | 1 1 + 0 - 0 !
5 files changed, 28 insertions(+), 1 deletion(-)

 [patch] * libtiff/tiffiop.h, tif_unix.c, tif_win32.c, tif_vms.c: add
 _TIFFcalloc()

* libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero
initialize tif_rawdata.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651

CVE 2017 5225.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
tools/tiffcp.c | 24 22 + 2 - 0 !
2 files changed, 29 insertions(+), 2 deletions(-)

 [patch] * tools/tiffcp.c: error out cleanly in cpcontig2separatebyrow
 and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based
 overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and
 http://bugzilla.maptools.org/show_bug.cgi?id=2657


CVE 2017 7594_part1.patch | (download)

ChangeLog | 7 7 + 0 - 0 !
libtiff/tif_ojpeg.c | 5 4 + 1 - 0 !
2 files changed, 11 insertions(+), 1 deletion(-)

 [patch] * libtiff/tif_ojpeg.c: fix leak in
 OJPEGReadHeaderInfoSecTablesAcTable when read fails. Patch by Nicolás Peña.
 Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659