Patchwork Libtiff 4.0.7 update

login
register
mail settings
Submitter Leo Famulari
Date Nov. 21, 2016, 4:48 p.m.
Message ID <20161121164827.GA29287@jasmine>
Download mbox | patch
Permalink /patch/17671/
State New
Headers show

Comments

Leo Famulari - Nov. 21, 2016, 4:48 p.m.
This updates libtiff to the latest upstream version, 4.0.7. I went
through the tarball and confirmed that all the patches were contained in
it but, please, double-check :)

Also, libtiff has new source and home-page URLs. Read all about it:

http://www.asmail.be/msg0054885794.html

It will require ~1600 rebuilds.
From 755367331d73c36c91b493a440d533a96e12a5bc Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 21 Nov 2016 11:39:49 -0500
Subject: [PATCH] gnu: libtiff: Update to 4.0.7.

* gnu/packages/image.scm (libtiff): Update to 4.0.7.
[source]: Remove obsolete patches and update URL.
[home-page]: Update URL.
* gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch,
gnu/packages/patches/libtiff-CVE-2016-3623.patch,
gnu/packages/patches/libtiff-CVE-2016-3945.patch,
gnu/packages/patches/libtiff-CVE-2016-3990.patch,
gnu/packages/patches/libtiff-CVE-2016-3991.patch,
gnu/packages/patches/libtiff-CVE-2016-5314.patch,
gnu/packages/patches/libtiff-CVE-2016-5321.patch,
gnu/packages/patches/libtiff-CVE-2016-5323.patch,
gnu/packages/patches/libtiff-CVE-2016-5652.patch,
gnu/packages/patches/libtiff-CVE-2016-9273.patch,
gnu/packages/patches/libtiff-CVE-2016-9297.patch,
gnu/packages/patches/libtiff-CVE-2016-9448.patch,
gnu/packages/patches/libtiff-oob-accesses-in-decode.patch,
gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch,
gnu/packages/patches/libtiff-uint32-overflow.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                       |  15 --
 gnu/packages/image.scm                             |  47 +-----
 .../libtiff-CVE-2015-8665+CVE-2015-8683.patch      | 107 -------------
 gnu/packages/patches/libtiff-CVE-2016-3623.patch   |  30 ----
 gnu/packages/patches/libtiff-CVE-2016-3945.patch   |  94 -----------
 gnu/packages/patches/libtiff-CVE-2016-3990.patch   |  31 ----
 gnu/packages/patches/libtiff-CVE-2016-3991.patch   | 123 ---------------
 gnu/packages/patches/libtiff-CVE-2016-5314.patch   |  45 ------
 gnu/packages/patches/libtiff-CVE-2016-5321.patch   |  25 ---
 gnu/packages/patches/libtiff-CVE-2016-5323.patch   |  88 -----------
 gnu/packages/patches/libtiff-CVE-2016-5652.patch   |  47 ------
 gnu/packages/patches/libtiff-CVE-2016-9273.patch   |  41 -----
 gnu/packages/patches/libtiff-CVE-2016-9297.patch   |  52 -------
 gnu/packages/patches/libtiff-CVE-2016-9448.patch   |  34 ----
 .../patches/libtiff-oob-accesses-in-decode.patch   | 171 ---------------------
 .../patches/libtiff-oob-write-in-nextdecode.patch  |  49 ------
 gnu/packages/patches/libtiff-uint32-overflow.patch | 102 ------------
 17 files changed, 7 insertions(+), 1094 deletions(-)
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3623.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3945.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3990.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-3991.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5314.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5321.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5323.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-5652.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9273.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9297.patch
 delete mode 100644 gnu/packages/patches/libtiff-CVE-2016-9448.patch
 delete mode 100644 gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
 delete mode 100644 gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
 delete mode 100644 gnu/packages/patches/libtiff-uint32-overflow.patch
Marius Bakke - Nov. 21, 2016, 5:21 p.m.
Leo Famulari <leo@famulari.name> writes:

> This updates libtiff to the latest upstream version, 4.0.7. I went
> through the tarball and confirmed that all the patches were contained in
> it but, please, double-check :)
>
> Also, libtiff has new source and home-page URLs. Read all about it:
>
> http://www.asmail.be/msg0054885794.html
>
> It will require ~1600 rebuilds.

Sweet. Perhaps it should be grafted on master first, then merge it and
ungraft on core-updates? Either approach will cause conflicts if there
are further updates to libtiff before next core-updates merge, so not
sure which is better.

Another approach could be to have special "ungraft" branches for each of
these widely used high-severity libraries, that are continously merged
once Hydra has built it all.

Not sure how many days it takes to build ~1600 packages for all
supported archs, probably better to merge "ungrafts" to staging.

Just throwing some ideas out. LGTM anyway!
Leo Famulari - Nov. 21, 2016, 6:32 p.m.
On Mon, Nov 21, 2016 at 06:21:47PM +0100, Marius Bakke wrote:
> Sweet. Perhaps it should be grafted on master first, then merge it and
> ungraft on core-updates? Either approach will cause conflicts if there
> are further updates to libtiff before next core-updates merge, so not
> sure which is better.

I'm sure there will be patches for 4.0.7. I'll handle master ->
core-updates merge conflicts when I commit those patches to master.

> Another approach could be to have special "ungraft" branches for each of
> these widely used high-severity libraries, that are continously merged
> once Hydra has built it all.
> 
> Not sure how many days it takes to build ~1600 packages for all
> supported archs, probably better to merge "ungrafts" to staging.

It would be nice to remove the grafts soon, but it's over the 1200
rebuild limit for staging:

http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html

But, I'll put it on staging if there is a consensus. I guess that
staging will end up requiring more than 1200 rebuilds anyways, since
there could be multiple changes with that much impact, but affecting
different parts of the package graph.
Leo Famulari - Nov. 22, 2016, 5:33 p.m.
On Mon, Nov 21, 2016 at 06:21:47PM +0100, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > This updates libtiff to the latest upstream version, 4.0.7. I went
> > through the tarball and confirmed that all the patches were contained in
> > it but, please, double-check :)
> >
> > Also, libtiff has new source and home-page URLs. Read all about it:
> >
> > http://www.asmail.be/msg0054885794.html
> >
> > It will require ~1600 rebuilds.
> 
> Sweet. Perhaps it should be grafted on master first, then merge it and
> ungraft on core-updates? Either approach will cause conflicts if there
> are further updates to libtiff before next core-updates merge, so not
> sure which is better.

I updated the graft on master, and I'll handle the core-updates merge
later today.
Ludovic Courtès - Nov. 23, 2016, 9:21 p.m.
Hi!

Leo Famulari <leo@famulari.name> skribis:

> It would be nice to remove the grafts soon, but it's over the 1200
> rebuild limit for staging:
>
> http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
>
> But, I'll put it on staging if there is a consensus. I guess that
> staging will end up requiring more than 1200 rebuilds anyways, since
> there could be multiple changes with that much impact, but affecting
> different parts of the package graph.

Yes, that should be OK, especially since it’s a safe change.

Thanks,
Ludo’.
Leo Famulari - Nov. 24, 2016, 3:57 a.m.
On Wed, Nov 23, 2016 at 10:21:21PM +0100, Ludovic Courtès wrote:
> Hi!
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > It would be nice to remove the grafts soon, but it's over the 1200
> > rebuild limit for staging:
> >
> > http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
> >
> > But, I'll put it on staging if there is a consensus. I guess that
> > staging will end up requiring more than 1200 rebuilds anyways, since
> > there could be multiple changes with that much impact, but affecting
> > different parts of the package graph.
> 
> Yes, that should be OK, especially since it’s a safe change.

I made the change, updating libtiff to 4.0.7 and building it with GCC 5,
in 0bd1097c50950d47954b4dc136654dfbde45d5b1.

I had already updated it on core-updates; should I revert that change?
Ludovic Courtès - Nov. 24, 2016, 4:17 p.m.
Leo Famulari <leo@famulari.name> skribis:

> On Wed, Nov 23, 2016 at 10:21:21PM +0100, Ludovic Courtès wrote:
>> Hi!
>> 
>> Leo Famulari <leo@famulari.name> skribis:
>> 
>> > It would be nice to remove the grafts soon, but it's over the 1200
>> > rebuild limit for staging:
>> >
>> > http://lists.gnu.org/archive/html/guix-devel/2016-10/msg00933.html
>> >
>> > But, I'll put it on staging if there is a consensus. I guess that
>> > staging will end up requiring more than 1200 rebuilds anyways, since
>> > there could be multiple changes with that much impact, but affecting
>> > different parts of the package graph.
>> 
>> Yes, that should be OK, especially since it’s a safe change.
>
> I made the change, updating libtiff to 4.0.7 and building it with GCC 5,
> in 0bd1097c50950d47954b4dc136654dfbde45d5b1.
>
> I had already updated it on core-updates; should I revert that change?

No, the next merge will detect that it’s the same thing, I guess.

Ludo’.

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 430d05f..82e939b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -664,21 +664,6 @@  dist_patch_DATA =						\
   %D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch		\
   %D%/packages/patches/libtar-CVE-2013-4420.patch \
   %D%/packages/patches/libtheora-config-guess.patch		\
-  %D%/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
-  %D%/packages/patches/libtiff-CVE-2016-3623.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-3945.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-3990.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-3991.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-5314.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-5321.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-5323.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-5652.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9273.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9297.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-9448.patch		\
-  %D%/packages/patches/libtiff-oob-accesses-in-decode.patch	\
-  %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch	\
-  %D%/packages/patches/libtiff-uint32-overflow.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
   %D%/packages/patches/libunwind-CVE-2015-3239.patch		\
   %D%/packages/patches/libupnp-CVE-2016-6255.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 309c336..25de802 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -243,25 +243,14 @@  extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (replacement libtiff/fixed)
-   (version "4.0.6")
+   (version "4.0.7")
    (source (origin
             (method url-fetch)
-            (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
-                   version ".tar.gz"))
-            (sha256 (base32
-                     "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
-            (patches (search-patches
-                      "libtiff-oob-accesses-in-decode.patch"
-                      "libtiff-oob-write-in-nextdecode.patch"
-                      "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
-                      "libtiff-CVE-2016-3623.patch"
-                      "libtiff-CVE-2016-3945.patch"
-                      "libtiff-CVE-2016-3990.patch"
-                      "libtiff-CVE-2016-3991.patch"
-                      "libtiff-CVE-2016-5314.patch"
-                      "libtiff-CVE-2016-5321.patch"
-                      "libtiff-CVE-2016-5323.patch"))))
+            (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
+                                version ".tar.gz"))
+            (sha256
+             (base32
+              "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -281,29 +270,7 @@  Included are a library, libtiff, for reading and writing TIFF and a small
 collection of tools for doing simple manipulations of TIFF images.")
    (license (license:non-copyleft "file://COPYRIGHT"
                                   "See COPYRIGHT in the distribution."))
-   (home-page "http://www.remotesensing.org/libtiff/")))
-
-(define libtiff/fixed
-  (package
-    (inherit libtiff)
-    (source (origin
-              (inherit (package-source libtiff))
-              (patches (search-patches
-                         "libtiff-oob-accesses-in-decode.patch"
-                         "libtiff-oob-write-in-nextdecode.patch"
-                         "libtiff-uint32-overflow.patch"
-                         "libtiff-CVE-2015-8665+CVE-2015-8683.patch"
-                         "libtiff-CVE-2016-3623.patch"
-                         "libtiff-CVE-2016-3945.patch"
-                         "libtiff-CVE-2016-3990.patch"
-                         "libtiff-CVE-2016-3991.patch"
-                         "libtiff-CVE-2016-5314.patch"
-                         "libtiff-CVE-2016-5321.patch"
-                         "libtiff-CVE-2016-5323.patch"
-                         "libtiff-CVE-2016-5652.patch"
-                         "libtiff-CVE-2016-9273.patch"
-                         "libtiff-CVE-2016-9297.patch"
-                         "libtiff-CVE-2016-9448.patch"))))))
+   (home-page "http://www.simplesystems.org/libtiff/")))
 
 (define-public libwmf
   (package
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
deleted file mode 100644
index 811516d..0000000
--- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
+++ /dev/null
@@ -1,107 +0,0 @@ 
-2015-12-26  Even Rouault <even.rouault at spatialys.com>
-
-	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-	interface in case of unsupported values of SamplesPerPixel/ExtraSamples
-	for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
-	TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
-	CVE-2015-8683 reported by zzf of Alibaba.
-
-diff -u -r1.93 -r1.94
---- libtiff/libtiff/tif_getimage.c	22 Nov 2015 15:31:03 -0000	1.93
-+++ libtiff/libtiff/tif_getimage.c	26 Dec 2015 17:32:03 -0000	1.94
-@@ -182,20 +182,22 @@
- 				    "Planarconfiguration", td->td_planarconfig);
- 				return (0);
- 			}
--			if( td->td_samplesperpixel != 3 )
-+			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-             {
-                 sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d",
--                        "Samples/pixel", td->td_samplesperpixel);
-+                        "Sorry, can not handle image with %s=%d, %s=%d",
-+                        "Samples/pixel", td->td_samplesperpixel,
-+                        "colorchannels", colorchannels);
-                 return 0;
-             }
- 			break;
- 		case PHOTOMETRIC_CIELAB:
--            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-             {
-                 sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d and %s=%d",
-+                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-                         "Samples/pixel", td->td_samplesperpixel,
-+                        "colorchannels", colorchannels,
-                         "Bits/sample", td->td_bitspersample);
-                 return 0;
-             }
-@@ -255,6 +257,9 @@
- 	int colorchannels;
- 	uint16 *red_orig, *green_orig, *blue_orig;
- 	int n_color;
-+	
-+	if( !TIFFRGBAImageOK(tif, emsg) )
-+		return 0;
- 
- 	/* Initialize to normal values */
- 	img->row_offset = 0;
-@@ -2509,29 +2514,33 @@
- 		case PHOTOMETRIC_RGB:
- 			switch (img->bitspersample) {
- 				case 8:
--					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+						img->samplesperpixel >= 4)
- 						img->put.contig = putRGBAAcontig8bittile;
--					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+							 img->samplesperpixel >= 4)
- 					{
- 						if (BuildMapUaToAa(img))
- 							img->put.contig = putRGBUAcontig8bittile;
- 					}
--					else
-+					else if( img->samplesperpixel >= 3 )
- 						img->put.contig = putRGBcontig8bittile;
- 					break;
- 				case 16:
--					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+						img->samplesperpixel >=4 )
- 					{
- 						if (BuildMapBitdepth16To8(img))
- 							img->put.contig = putRGBAAcontig16bittile;
- 					}
--					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+							 img->samplesperpixel >=4 )
- 					{
- 						if (BuildMapBitdepth16To8(img) &&
- 						    BuildMapUaToAa(img))
- 							img->put.contig = putRGBUAcontig16bittile;
- 					}
--					else
-+					else if( img->samplesperpixel >=3 )
- 					{
- 						if (BuildMapBitdepth16To8(img))
- 							img->put.contig = putRGBcontig16bittile;
-@@ -2540,7 +2549,7 @@
- 			}
- 			break;
- 		case PHOTOMETRIC_SEPARATED:
--			if (buildMap(img)) {
-+			if (img->samplesperpixel >=4 && buildMap(img)) {
- 				if (img->bitspersample == 8) {
- 					if (!img->Map)
- 						img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2636,7 +2645,7 @@
- 			}
- 			break;
- 		case PHOTOMETRIC_CIELAB:
--			if (buildMap(img)) {
-+			if (img->samplesperpixel == 3 && buildMap(img)) {
- 				if (img->bitspersample == 8)
- 					img->put.contig = initCIELabConversion(img);
- 				break;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3623.patch b/gnu/packages/patches/libtiff-CVE-2016-3623.patch
deleted file mode 100644
index 0870586..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch
+++ /dev/null
@@ -1,30 +0,0 @@ 
-Fix CVE-2016-3623.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
-http://bugzilla.maptools.org/show_bug.cgi?id=2569
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c
-
-Index: tools/rgb2ycbcr.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v
-retrieving revision 1.16
-retrieving revision 1.17
-diff -u -r1.16 -r1.17
---- libtiff/tools/rgb2ycbcr.c	21 Jun 2015 01:09:10 -0000	1.16
-+++ libtiff/tools/rgb2ycbcr.c	15 Aug 2016 21:26:56 -0000	1.17
-@@ -95,9 +95,13 @@
- 			break;
- 		case 'h':
- 			horizSubSampling = atoi(optarg);
-+            if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+                usage(-1);
- 			break;
- 		case 'v':
- 			vertSubSampling = atoi(optarg);
-+            if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+                usage(-1);
- 			break;
- 		case 'r':
- 			rowsperstrip = atoi(optarg);
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/packages/patches/libtiff-CVE-2016-3945.patch
deleted file mode 100644
index 8ec62ba..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch
+++ /dev/null
@@ -1,94 +0,0 @@ 
-Fix CVE-2016-3945 (integer overflow in size of allocated
-buffer, when -b mode is enabled, that could result in out-of-bounds
-write).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
-http://bugzilla.maptools.org/show_bug.cgi?id=2545
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
-
-Index: tools/tiff2rgba.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
-retrieving revision 1.21
-retrieving revision 1.22
-diff -u -r1.21 -r1.22
---- libtiff/tools/tiff2rgba.c	21 Jun 2015 01:09:10 -0000	1.21
-+++ libtiff/tools/tiff2rgba.c	15 Aug 2016 20:06:41 -0000	1.22
-@@ -147,6 +147,7 @@
-     uint32  row, col;
-     uint32  *wrk_line;
-     int	    ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    rastersize = tile_width * tile_height * sizeof (uint32);
-+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+    {
-+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+	exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -173,7 +180,13 @@
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
--    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+    wrk_linesize = tile_width * sizeof (uint32);
-+    if (tile_width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+	exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
-@@ -249,6 +262,7 @@
-     uint32  row;
-     uint32  *wrk_line;
-     int	    ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    rastersize = width * rowsperstrip * sizeof (uint32);
-+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+    {
-+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+	exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -273,7 +293,13 @@
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
--    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+    wrk_linesize = width * sizeof (uint32);
-+    if (width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+	exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/packages/patches/libtiff-CVE-2016-3990.patch
deleted file mode 100644
index 7641c30..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch
+++ /dev/null
@@ -1,31 +0,0 @@ 
-Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input
-samples are provided than expected by PixarLogSetupEncode).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
-http://bugzilla.maptools.org/show_bug.cgi?id=2544
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.45
-retrieving revision 1.46
-diff -u -r1.45 -r1.46
---- libtiff/libtiff/tif_pixarlog.c	28 Jun 2016 15:37:33 -0000	1.45
-+++ libtiff/libtiff/tif_pixarlog.c	15 Aug 2016 20:49:48 -0000	1.46
-@@ -1141,6 +1141,13 @@
- 	}
- 
- 	llen = sp->stride * td->td_imagewidth;
-+    /* Check against the number of elements (of size uint16) of sp->tbuf */
-+    if( n > td->td_rowsperstrip * llen )
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, module,
-+                     "Too many input bytes provided");
-+        return 0;
-+    }
- 
- 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- 		switch (sp->user_datafmt)  {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/packages/patches/libtiff-CVE-2016-3991.patch
deleted file mode 100644
index cb05f00..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch
+++ /dev/null
@@ -1,123 +0,0 @@ 
-Fix CVE-2016-3991 (out-of-bounds write in loadImage()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
-http://bugzilla.maptools.org/show_bug.cgi?id=2543
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.37
-retrieving revision 1.38
-diff -u -r1.37 -r1.38
---- libtiff/tools/tiffcrop.c	11 Jul 2016 21:38:31 -0000	1.37
-+++ libtiff/tools/tiffcrop.c	15 Aug 2016 21:05:40 -0000	1.38
-@@ -798,6 +798,11 @@
-     }
- 
-   tile_buffsize = tilesize;
-+  if (tilesize == 0 || tile_rowsize == 0)
-+  {
-+     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+     exit(-1);
-+  }
- 
-   if (tilesize < (tsize_t)(tl * tile_rowsize))
-     {
-@@ -807,7 +812,12 @@
-               tilesize, tl * tile_rowsize);
- #endif
-     tile_buffsize = tl * tile_rowsize;
--    } 
-+    if (tl != (tile_buffsize / tile_rowsize))
-+    {
-+    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+        exit(-1);
-+    }
-+    }
- 
-   tilebuf = _TIFFmalloc(tile_buffsize);
-   if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@
-       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-       return 1;
- 
-+  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+  {
-+    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+    exit(-1);
-+  }
-+  
-   tile_buffsize = tilesize;
-   if (tilesize < (tsize_t)(tl * tile_rowsize))
-     {
-@@ -1219,6 +1235,11 @@
-               tilesize, tl * tile_rowsize);
- #endif
-     tile_buffsize = tl * tile_rowsize;
-+    if (tl != tile_buffsize / tile_rowsize)
-+    {
-+	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
-     }
- 
-   tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@
-     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
- 
-     tile_rowsize  = TIFFTileRowSize(in);      
-+    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+    {
-+	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+	exit(-1);
-+    }
-     buffsize = tlsize * ntiles;
-+    if (tlsize != (buffsize / ntiles))
-+    {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
- 
--        
-     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
-       {
-       buffsize = ntiles * tl * tile_rowsize;
-+      if (ntiles != (buffsize / tl / tile_rowsize))
-+      {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+      }
-+      
- #ifdef DEBUG2
-       TIFFError("loadImage",
- 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@
-     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-     stsize = TIFFStripSize(in);
-     nstrips = TIFFNumberOfStrips(in);
-+    if (nstrips == 0 || stsize == 0)
-+    {
-+	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+	exit(-1);
-+    }
-+
-     buffsize = stsize * nstrips;
--    
-+    if (stsize != (buffsize / nstrips))
-+    {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
-+    uint32 buffsize_check;
-+    buffsize_check = ((length * width * spp * bps) + 7);
-+    if (length != ((buffsize_check - 7) / width / spp / bps))
-+    {
-+	TIFFError("loadImage", "Integer overflow detected.");
-+	exit(-1);
-+    }
-     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
-       {
-       buffsize =  ((length * width * spp * bps) + 7) / 8;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5314.patch b/gnu/packages/patches/libtiff-CVE-2016-5314.patch
deleted file mode 100644
index e5380f8..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch
+++ /dev/null
@@ -1,45 +0,0 @@ 
-Fix CVE-2016-5314.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314
-bugzilla.maptools.org/show_bug.cgi?id=2554
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.43
-retrieving revision 1.44
-diff -u -r1.43 -r1.44
---- libtiff/libtiff/tif_pixarlog.c	27 Dec 2015 20:14:11 -0000	1.43
-+++ libtiff/libtiff/tif_pixarlog.c	28 Jun 2016 15:12:19 -0000	1.44
-@@ -459,6 +459,7 @@
- typedef	struct {
- 	TIFFPredictorState	predict;
- 	z_stream		stream;
-+	tmsize_t		tbuf_size; /* only set/used on reading for now */
- 	uint16			*tbuf; 
- 	uint16			stride;
- 	int			state;
-@@ -694,6 +695,7 @@
- 	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
- 	if (sp->tbuf == NULL)
- 		return (0);
-+	sp->tbuf_size = tbuf_size;
- 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
- 		sp->user_datafmt = PixarLogGuessDataFmt(td);
- 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
-@@ -783,6 +785,12 @@
- 		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
- 		return (0);
- 	}
-+	/* Check that we will not fill more than what was allocated */
-+	if (sp->stream.avail_out > sp->tbuf_size)
-+	{
-+		TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
-+		return (0);
-+	}
- 	do {
- 		int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
- 		if (state == Z_STREAM_END) {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5321.patch b/gnu/packages/patches/libtiff-CVE-2016-5321.patch
deleted file mode 100644
index 2afca18..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch
+++ /dev/null
@@ -1,25 +0,0 @@ 
-Fix CVE-2016-5321. 
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
-http://bugzilla.maptools.org/show_bug.cgi?id=2558
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.35
-retrieving revision 1.36
-diff -u -r1.35 -r1.36
---- libtiff/tools/tiffcrop.c	19 Aug 2015 02:31:04 -0000	1.35
-+++ libtiff/tools/tiffcrop.c	11 Jul 2016 21:26:03 -0000	1.36
-@@ -989,7 +989,7 @@
-     nrow = (row + tl > imagelength) ? imagelength - row : tl;
-     for (col = 0; col < imagewidth; col += tw)
-       {
--      for (s = 0; s < spp; s++)
-+      for (s = 0; s < spp && s < MAX_SAMPLES; s++)
-         {  /* Read each plane of a tile set into srcbuffs[s] */
- 	tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
-         if (tbytes < 0  && !ignore)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/packages/patches/libtiff-CVE-2016-5323.patch
deleted file mode 100644
index 8b2a043..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch
+++ /dev/null
@@ -1,88 +0,0 @@ 
-Fix CVE-2016-5323.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
-http://bugzilla.maptools.org/show_bug.cgi?id=2559
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.36  -r1.37 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- libtiff/tools/tiffcrop.c	11 Jul 2016 21:26:03 -0000	1.36
-+++ libtiff/tools/tiffcrop.c	11 Jul 2016 21:38:31 -0000	1.37
-@@ -3738,7 +3738,7 @@
- 
-       matchbits = maskbits << (8 - src_bit - bps); 
-       /* load up next sample from each plane */
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (16 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -3947,7 +3947,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (32 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4073,7 +4073,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (64 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- 	{
- 	src = in[s] + src_offset + src_byte;
- 	if (little_endian)
-@@ -4263,7 +4263,7 @@
- 
-       matchbits = maskbits << (8 - src_bit - bps); 
-       /* load up next sample from each plane */
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (16 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4471,7 +4471,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (32 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4597,7 +4597,7 @@
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (64 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- 	{
- 	src = in[s] + src_offset + src_byte;
- 	if (little_endian)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5652.patch b/gnu/packages/patches/libtiff-CVE-2016-5652.patch
deleted file mode 100644
index 54b87d0..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5652.patch
+++ /dev/null
@@ -1,47 +0,0 @@ 
-Fix CVE-2016-5652 (buffer overflow in t2p_readwrite_pdf_image_tile()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652
-
-Patches exfiltrated from upstream CVS repo with:
-cvs diff -u -r 1.92 -r 1.94 tools/tiff2pdf.c
-
-Index: tools/tiff2pdf.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v
-retrieving revision 1.92
-retrieving revision 1.94
-diff -u -r1.92 -r1.94
---- a/tools/tiff2pdf.c	23 Sep 2016 22:12:18 -0000	1.92
-+++ b/tools/tiff2pdf.c	9 Oct 2016 11:03:36 -0000	1.94
-@@ -2887,21 +2887,24 @@
- 				return(0);
- 			}
- 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
--				if (count > 0) {
--					_TIFFmemcpy(buffer, jpt, count);
-+				if (count >= 4) {
-+                    /* Ignore EOI marker of JpegTables */
-+					_TIFFmemcpy(buffer, jpt, count - 2);
- 					bufferoffset += count - 2;
-+                    /* Store last 2 bytes of the JpegTables */
- 					table_end[0] = buffer[bufferoffset-2];
- 					table_end[1] = buffer[bufferoffset-1];
--				}
--				if (count > 0) {
- 					xuint32 = bufferoffset;
-+                    bufferoffset -= 2;
- 					bufferoffset += TIFFReadRawTile(
- 						input, 
- 						tile, 
--						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
-+						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]), 
- 						-1);
--						buffer[xuint32-2]=table_end[0];
--						buffer[xuint32-1]=table_end[1];
-+                    /* Overwrite SOI marker of image scan with previously */
-+                    /* saved end of JpegTables */
-+					buffer[xuint32-2]=table_end[0];
-+					buffer[xuint32-1]=table_end[1];
- 				} else {
- 					bufferoffset += TIFFReadRawTile(
- 						input, 
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9273.patch b/gnu/packages/patches/libtiff-CVE-2016-9273.patch
deleted file mode 100644
index 9cd6b3d..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9273.patch
+++ /dev/null
@@ -1,41 +0,0 @@ 
-Fix CVE-2016-9273:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273
-http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Patch extracted from upstream CVS repo:
-
-2016-11-10 Even Rouault <even.rouault at spatialys.com>
-
-revision 1.37
-date: 2016-11-09 18:00:49 -0500;  author: erouault;  state: Exp;  lines: +10 -1;  commitid: pzKipPxDJO2dxvtz;
-* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
-value when it is non-zero, instead of recomputing it. This is needed in
-TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of
-array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587
-
-Index: libtiff/tif_strip.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- a/libtiff/tif_strip.c	7 Jun 2015 22:35:40 -0000	1.36
-+++ b/libtiff/tif_strip.c	9 Nov 2016 23:00:49 -0000	1.37
-@@ -63,6 +63,15 @@
- 	TIFFDirectory *td = &tif->tif_dir;
- 	uint32 nstrips;
- 
-+    /* If the value was already computed and store in td_nstrips, then return it,
-+       since ChopUpSingleUncompressedStrip might have altered and resized the
-+       since the td_stripbytecount and td_stripoffset arrays to the new value
-+       after the initial affectation of td_nstrips = TIFFNumberOfStrips() in
-+       tif_dirread.c ~line 3612.
-+       See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */
-+    if( td->td_nstrips )
-+        return td->td_nstrips;
-+
- 	nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 :
- 	     TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip));
- 	if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9297.patch b/gnu/packages/patches/libtiff-CVE-2016-9297.patch
deleted file mode 100644
index c9207bb..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9297.patch
+++ /dev/null
@@ -1,52 +0,0 @@ 
-Fix CVE-2016-9297:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9297
-http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-Patch copied from upstream source repository.
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
-        * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
-        values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
-        access are null terminated, to avoid potential read outside buffer
-        in _TIFFPrintField().
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1154; previous revision: 1.1153
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <-- 
-libtiff/tif_dirread.c
-new revision: 1.203; previous revision: 1.202Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.202
-retrieving revision 1.203
-diff -u -r1.202 -r1.203
---- libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:01:55 -0000	1.202
-+++ libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:22:01 -0000	1.203
-@@ -5000,6 +5000,11 @@
- 					if (err==TIFFReadDirEntryErrOk)
- 					{
- 						int m;
-+                        if( data[dp->tdir_count-1] != '\0' )
-+                        {
-+                            TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+                            data[dp->tdir_count-1] = '\0';
-+                        }
- 						m=TIFFSetField(tif,dp->tdir_tag,(uint16)(dp->tdir_count),data);
- 						if (data!=0)
- 							_TIFFfree(data);
-@@ -5172,6 +5177,11 @@
- 				if (err==TIFFReadDirEntryErrOk)
- 				{
- 					int m;
-+                    if( data[dp->tdir_count-1] != '\0' )
-+                    {
-+                        TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-+                        data[dp->tdir_count-1] = '\0';
-+                    }
- 					m=TIFFSetField(tif,dp->tdir_tag,(uint32)(dp->tdir_count),data);
- 					if (data!=0)
- 						_TIFFfree(data);
diff --git a/gnu/packages/patches/libtiff-CVE-2016-9448.patch b/gnu/packages/patches/libtiff-CVE-2016-9448.patch
deleted file mode 100644
index 05a3af8..0000000
--- a/gnu/packages/patches/libtiff-CVE-2016-9448.patch
+++ /dev/null
@@ -1,34 +0,0 @@ 
-Fix CVE-2016-9448 (regression caused by fix for CVE-2016-9297).
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2593
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
-
-Patch copied from upstream source repository with:
-$ cvs diff -u -r 1.203 -r 1.204 libtiff/libtiff/tif_dirread.c
-
-Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.203
-retrieving revision 1.204
-diff -u -r1.203 -r1.204
---- libtiff/libtiff/tif_dirread.c	11 Nov 2016 20:22:01 -0000	1.203
-+++ libtiff/libtiff/tif_dirread.c	16 Nov 2016 15:14:15 -0000	1.204
-@@ -5000,7 +5000,7 @@
- 					if (err==TIFFReadDirEntryErrOk)
- 					{
- 						int m;
--                        if( data[dp->tdir_count-1] != '\0' )
-+                        if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
-                         {
-                             TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-                             data[dp->tdir_count-1] = '\0';
-@@ -5177,7 +5177,7 @@
- 				if (err==TIFFReadDirEntryErrOk)
- 				{
- 					int m;
--                    if( data[dp->tdir_count-1] != '\0' )
-+                    if( dp->tdir_count > 0 && data[dp->tdir_count-1] != '\0' )
-                     {
-                         TIFFWarningExt(tif->tif_clientdata,module,"ASCII value for tag \"%s\" does not end in null byte. Forcing it to be null",fip->field_name);
-                         data[dp->tdir_count-1] = '\0';
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
deleted file mode 100644
index 3fea745..0000000
--- a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
+++ /dev/null
@@ -1,171 +0,0 @@ 
-2015-12-27  Even Rouault <even.rouault at spatialys.com>
-
-	* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
-	functions in non debug builds by replacing assert()s by regular if
-	checks (bugzilla #2522).
-	Fix potential out-of-bound reads in case of short input data.
-
-diff -u -r1.40 -r1.41
---- libtiff/libtiff/tif_luv.c	21 Jun 2015 01:09:09 -0000	1.40
-+++ libtiff/libtiff/tif_luv.c	27 Dec 2015 16:25:11 -0000	1.41
-@@ -1,4 +1,4 @@
--/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
-+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1997 Greg Ward Larson
-@@ -202,7 +202,11 @@
- 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
- 		tp = (int16*) op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (int16*) sp->tbuf;
- 	}
- 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@
- 	cc = tif->tif_rawcc;
- 	/* get each byte string */
- 	for (shft = 2*8; (shft -= 8) >= 0; ) {
--		for (i = 0; i < npixels && cc > 0; )
-+		for (i = 0; i < npixels && cc > 0; ) {
- 			if (*bp >= 128) {		/* run */
--				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+				if( cc < 2 )
-+					break;
-+				rc = *bp++ + (2-128);
- 				b = (int16)(*bp++ << shft);
- 				cc -= 2;
- 				while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@
- 				while (--cc && rc-- && i < npixels)
- 					tp[i++] |= (int16)*bp++ << shft;
- 			}
-+		}
- 		if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@
- 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- 		tp = (uint32 *)op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (uint32 *) sp->tbuf;
- 	}
- 	/* copy to array of uint32 */
- 	bp = (unsigned char*) tif->tif_rawcp;
- 	cc = tif->tif_rawcc;
--	for (i = 0; i < npixels && cc > 0; i++) {
-+	for (i = 0; i < npixels && cc >= 3; i++) {
- 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
- 		bp += 3;
- 		cc -= 3;
-@@ -325,7 +336,11 @@
- 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- 		tp = (uint32*) op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (uint32*) sp->tbuf;
- 	}
- 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@
- 	cc = tif->tif_rawcc;
- 	/* get each byte string */
- 	for (shft = 4*8; (shft -= 8) >= 0; ) {
--		for (i = 0; i < npixels && cc > 0; )
-+		for (i = 0; i < npixels && cc > 0; ) {
- 			if (*bp >= 128) {		/* run */
-+				if( cc < 2 )
-+					break;
- 				rc = *bp++ + (2-128);
- 				b = (uint32)*bp++ << shft;
--				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+				cc -= 2;
- 				while (rc-- && i < npixels)
- 					tp[i++] |= b;
- 			} else {			/* non-run */
-@@ -346,6 +363,7 @@
- 				while (--cc && rc-- && i < npixels)
- 					tp[i++] |= (uint32)*bp++ << shft;
- 			}
-+		}
- 		if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogL16Encode";
- 	LogLuvState* sp = EncoderState(tif);
- 	int shft;
- 	tmsize_t i;
-@@ -433,7 +452,11 @@
- 		tp = (int16*) bp;
- 	else {
- 		tp = (int16*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* compress each byte string */
-@@ -506,6 +529,7 @@
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogLuvEncode24";
- 	LogLuvState* sp = EncoderState(tif);
- 	tmsize_t i;
- 	tmsize_t npixels;
-@@ -521,7 +545,11 @@
- 		tp = (uint32*) bp;
- 	else {
- 		tp = (uint32*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* write out encoded pixels */
-@@ -553,6 +581,7 @@
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogLuvEncode32";
- 	LogLuvState* sp = EncoderState(tif);
- 	int shft;
- 	tmsize_t i;
-@@ -574,7 +603,11 @@
- 		tp = (uint32*) bp;
- 	else {
- 		tp = (uint32*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* compress each byte string */
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
deleted file mode 100644
index 50657b6..0000000
--- a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
+++ /dev/null
@@ -1,49 +0,0 @@ 
-2015-12-27  Even Rouault <even.rouault at spatialys.com>
-
-	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-	triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-	(bugzilla #2508)
-
-diff -u -r1.16 -r1.18
---- libtiff/libtiff/tif_next.c	29 Dec 2014 12:09:11 -0000	1.16
-+++ libtiff/libtiff/tif_next.c	27 Dec 2015 17:14:52 -0000	1.18
-@@ -1,4 +1,4 @@
--/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
-+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -37,7 +37,7 @@
- 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
- 	case 1:	op[0] |= (v) << 4; break;	\
- 	case 2:	op[0] |= (v) << 2; break;	\
--	case 3:	*op++ |= (v);	   break;	\
-+	case 3:	*op++ |= (v);	   op_offset++; break;	\
- 	}					\
- }
- 
-@@ -103,6 +103,7 @@
- 		}
- 		default: {
- 			uint32 npixels = 0, grey;
-+			tmsize_t op_offset = 0;
- 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
-             if( isTiled(tif) )
-                 imagewidth = tif->tif_dir.td_tilewidth;
-@@ -122,10 +123,15 @@
- 				 * bounds, potentially resulting in a security
- 				 * issue.
- 				 */
--				while (n-- > 0 && npixels < imagewidth)
-+				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- 					SETPIXEL(op, grey);
- 				if (npixels >= imagewidth)
- 					break;
-+                if (op_offset >= scanline ) {
-+                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+                        (long) tif->tif_row);
-+                    return (0);
-+                }
- 				if (cc == 0)
- 					goto bad;
- 				n = *bp++, cc--;
diff --git a/gnu/packages/patches/libtiff-uint32-overflow.patch b/gnu/packages/patches/libtiff-uint32-overflow.patch
deleted file mode 100644
index c95126f..0000000
--- a/gnu/packages/patches/libtiff-uint32-overflow.patch
+++ /dev/null
@@ -1,102 +0,0 @@ 
-Fix some buffer overflows:
-
-http://seclists.org/oss-sec/2016/q4/408
-http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-2016-11-11 Even Rouault <even.rouault at spatialys.com>
-
-        * tools/tiffcrop.c: fix multiple uint32 overflows in
-        writeBufferToSeparateStrips(), writeBufferToContigTiles() and
-        writeBufferToSeparateTiles() that could cause heap buffer
-overflows.
-        Reported by Henri Salo from Nixu Corporation.
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1152; previous revision: 1.1151
-/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
-new revision: 1.43; previous revision: 1.42
-
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -r1.42 -r1.43
---- libtiff/tools/tiffcrop.c	14 Oct 2016 19:13:20 -0000	1.42
-+++ libtiff/tools/tiffcrop.c	11 Nov 2016 19:33:06 -0000	1.43
-@@ -148,6 +148,8 @@
- #define PATH_MAX 1024
- #endif
- 
-+#define TIFF_UINT32_MAX     0xFFFFFFFFU
-+
- #ifndef streq
- #define	streq(a,b)	(strcmp((a),(b)) == 0)
- #endif
-@@ -1164,7 +1166,24 @@
-   (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-   (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-   bytes_per_sample = (bps + 7) / 8;
--  rowsize = ((bps * spp * width) + 7) / 8; /* source has interleaved samples */
-+  if( width == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width ||
-+      bps * spp * width > TIFF_UINT32_MAX - 7U )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (bps * spp * width) + 7");
-+      return 1;
-+  }
-+  rowsize = ((bps * spp * width) + 7U) / 8; /* source has interleaved samples */
-+  if( bytes_per_sample == 0 ||
-+      rowsperstrip > TIFF_UINT32_MAX / bytes_per_sample ||
-+      rowsperstrip * bytes_per_sample > TIFF_UINT32_MAX / (width + 1) )
-+  {
-+      TIFFError(TIFFFileName(out),
-+                "Error, uint32 overflow when computing rowsperstrip * "
-+                "bytes_per_sample * (width + 1)");
-+      return 1;
-+  }
-   rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 
- 
-   obuf = _TIFFmalloc (rowstripsize);
-@@ -1251,11 +1270,19 @@
-     }
-     }
- 
-+  if( imagewidth == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+      bps * spp * imagewidth > TIFF_UINT32_MAX - 7U )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+      return 1;
-+  }
-+  src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-+
-   tilebuf = _TIFFmalloc(tile_buffsize);
-   if (tilebuf == 0)
-     return 1;
--
--  src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-   for (row = 0; row < imagelength; row += tl)
-     {
-     nrow = (row + tl > imagelength) ? imagelength - row : tl;
-@@ -1315,7 +1342,16 @@
-   TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
-   TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
-   TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
--  src_rowsize = ((imagewidth * spp * bps) + 7) / 8;
-+
-+  if( imagewidth == 0 ||
-+      (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / imagewidth ||
-+      bps * spp * imagewidth > TIFF_UINT32_MAX - 7 )
-+  {
-+      TIFFError(TIFFFileName(out),
-+            "Error, uint32 overflow when computing (imagewidth * bps * spp) + 7");
-+      return 1;
-+  }
-+  src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
-          
-   for (row = 0; row < imagelength; row += tl)
-     {