html/man/TIFFReadRawStrip.3tiff.html | 2 1 + 1 - 0 !
man/TIFFReadRawStrip.3tiff | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 fix tiffreadrawstrip man page typo
 Change TIFFReadEncodedStrip to TIFFReadRawStrip as needed.

libtiff/tif_dirread.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch] tifffetchstripthing(): avoid calling memcpy() with a null
 source pointer and size of zero (fixes #362)

libtiff/tif_dirread.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] tiffreaddirectory(): avoid calling memcpy() with a null
 source pointer and size of zero (fixes #362)

tools/tiffset.c | 17 14 + 3 - 0 !
1 file changed, 14 insertions(+), 3 deletions(-)

 [patch] tiffset: fix global-buffer-overflow for ascii tags where
 count is required (fixes #355)

libtiff/tif_jbig.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch] tif_jbig.c: fix crash when reading a file with multiple ifd
 in memory-mapped mode and when bit reversal is needed (fixes #385)

libtiff/tif_dirread.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] tifffetchnormaltag(): avoid calling memcpy() with a null
 source pointer and size of zero (fixes #383)

tools/tiffcrop.c | 33 21 + 12 - 0 !
1 file changed, 21 insertions(+), 12 deletions(-)

 [patch] add checks for return value of limitmalloc (#392)

libtiff/tif_dir.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] fix the fpe in tiffcrop (#393)

tools/tiffcrop.c | 92 36 + 56 - 0 !
1 file changed, 36 insertions(+), 56 deletions(-)

 [patch] tiffcrop: fix issue #380 and #382 heap buffer overflow in
 extractImageSection

tools/tiffcp.c | 17 16 + 1 - 0 !
1 file changed, 16 insertions(+), 1 deletion(-)

 [patch] fix heap buffer overflow in tiffcp (#278)

libtiff/tif_dirread.c | 162 83 + 79 - 0 !
1 file changed, 83 insertions(+), 79 deletions(-)

 [patch] tiffreaddirectory: fix ojpeg hack (fixes #319)

to avoid having the size of the strip arrays inconsistent with the
number of strips returned by TIFFNumberOfStrips(), which may cause
out-ouf-bounds array read afterwards.

One of the OJPEG hack that alters SamplesPerPixel may influence the
number of strips. Hence compute tif_dir.td_nstrips only afterwards.

tools/tiffcp.c | 25 20 + 5 - 0 !
1 file changed, 20 insertions(+), 5 deletions(-)

 [patch] tiffcp: avoid buffer overflow in "mode" string (fixes #400)

libtiff/tif_lzw.c | 16 15 + 1 - 0 !
1 file changed, 15 insertions(+), 1 deletion(-)

 [patch] tif_lzw.c: fix potential out-of-bounds error when trying to
 read in the same tile/strip after an error has occured (fixes #410)

libtiff/tif_aux.c | 9 9 + 0 - 0 !
libtiff/tiffiop.h | 1 1 + 0 - 0 !
tools/tiffcrop.c | 62 34 + 28 - 0 !
3 files changed, 44 insertions(+), 28 deletions(-)

 [patch] fix the fpe in tiffcrop (#415, #427, and #428)

tools/tiffcrop.c | 79 52 + 27 - 0 !
1 file changed, 52 insertions(+), 27 deletions(-)

 [patch] tiffcrop.c: fix issue #352 heap-buffer-overflow by correcting
 uint32 underflow.

tools/tiffcrop.c | 205 115 + 90 - 0 !
1 file changed, 115 insertions(+), 90 deletions(-)

 [patch] tiffcrop subroutines require a larger buffer (fixes #271,
 #381, #386, #388, #389, #435)

libtiff/tif_dir.c | 121 72 + 49 - 0 !
libtiff/tif_dir.h | 2 2 + 0 - 0 !
libtiff/tif_dirinfo.c | 2 1 + 1 - 0 !
libtiff/tif_dirwrite.c | 5 5 + 0 - 0 !
libtiff/tif_print.c | 4 4 + 0 - 0 !
5 files changed, 84 insertions(+), 50 deletions(-)

 [patch] revised handling of tifftag_inknames and related
 TIFFTAG_NUMBEROFINKS value

In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:

Behaviour for writing:
    `NumberOfInks`  MUST fit to the number of inks in the `InkNames` string.
    `NumberOfInks` is automatically set when `InkNames` is set.

tools/tiffcrop.c | 39 39 + 0 - 0 !
1 file changed, 39 insertions(+)

---

libtiff/tif_getimage.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch] tiffreadrgbatileext(): fix (unsigned) integer overflow on
 strips/tiles > 2 GB

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137

libtiff/tif_dirinfo.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] _tiffcheckfieldisvalidforcodec(): return false when passed a
 codec-specific tag and the codec is not configured (fixes #433)

This avoids crashes when querying such tags

tools/tiffcrop.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] tiffcrop: correct simple copy paste error. fix #488.

tools/tiffcrop.c | 51 30 + 21 - 0 !
1 file changed, 30 insertions(+), 21 deletions(-)

 cve-2023-0795

This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
CVE-2023-0799.

Bug-Debian: https://bugs.debian.org/1031632

tools/tiffcrop.c | 73 69 + 4 - 0 !
1 file changed, 69 insertions(+), 4 deletions(-)

 cve-2023-0800

This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
CVE-2023-0804.

Bug-Debian: https://bugs.debian.org/1031632

tools/tiffcrop.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch] fix memory leak in tiffcrop.c

tools/tiffcp.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch] tiffcp: fix memory corruption (overflow) on hostile images
 (fixes #591)

tools/raw2tiff.c | 28 28 + 0 - 0 !
1 file changed, 28 insertions(+)

 [patch] raw2tiff: fix integer overflow and bypass of the check (fixes
 #592)