5 files changed, 50 insertions, 179 deletions
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 4d0e0e111a1..9138618baae 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Leonardo Arena <rnalrd@gmail.com>
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
-pkgver=3.9.6
-pkgrel=1
+pkgver=3.9.7
+pkgrel=0
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="http://www.libtiff.org/"
 arch="all"
@@ -12,8 +12,8 @@ depends_dev="zlib-dev jpeg-dev"
 makedepends="libtool autoconf automake $depends_dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
 source="ftp://ftp.remotesensing.org/pub/libtiff/$pkgname-$pkgver.tar.gz
-	libtiff-negsize-3.9.patch
-	CVE-2012-3401.patch
+	CVE-2012-4447.patch
+	CVE-2012-4564.patch
 	"
 	
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -50,6 +50,6 @@ tools() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="6920f3bf628d791d49f268b83612ed23  tiff-3.9.6.tar.gz
-a0742e7c81551c51438a8d6fa5d68676  libtiff-negsize-3.9.patch
-8c862de25b906d3fcefce2fb06c7b604  CVE-2012-3401.patch"
+md5sums="626102f448ba441d42e3212538ad67d2  tiff-3.9.7.tar.gz
+f85847db8d4cf8d9564f0f9af5bb060a  CVE-2012-4447.patch
+e7b151b4a5acc8eb4b4428a98d6aa779  CVE-2012-4564.patch"
diff --git a/main/tiff/CVE-2012-3401.patch b/main/tiff/CVE-2012-3401.patch
deleted file mode 100644
index 847bd0d1382..00000000000
--- a/main/tiff/CVE-2012-3401.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naur tiff-4.0.2.orig/tools/tiff2pdf.c tiff-4.0.2/tools/tiff2pdf.c
---- tiff-4.0.2.orig/tools/tiff2pdf.c	2012-06-15 17:51:54.000000000 -0400
-+++ tiff-4.0.2/tools/tiff2pdf.c	2012-07-05 13:34:36.569691068 -0400
-@@ -1066,6 +1066,7 @@
- 				"Can't set directory %u of input file %s", 
- 				i,
- 				TIFFFileName(input));
-+			t2p->t2p_error = T2P_ERR_ERROR;
- 			return;
- 		}
- 		if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){
diff --git a/main/tiff/CVE-2012-4447.patch b/main/tiff/CVE-2012-4447.patch
new file mode 100644
index 00000000000..29271ee57c6
--- /dev/null
+++ b/main/tiff/CVE-2012-4447.patch
@@ -0,0 +1,13 @@
+Index: tiff-3.9.4/libtiff/tif_pixarlog.c
+===================================================================
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c	2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c	2012-10-05 16:51:49.201609547 -0400
+@@ -663,7 +663,7 @@
+ 				      td->td_rowsperstrip), sizeof(uint16));
+ 	if (tbuf_size == 0)
+ 		return (0);
+-	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
++	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
+ 	if (sp->tbuf == NULL)
+ 		return (0);
+ 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/main/tiff/CVE-2012-4564.patch b/main/tiff/CVE-2012-4564.patch
new file mode 100644
index 00000000000..9de7385cdef
--- /dev/null
+++ b/main/tiff/CVE-2012-4564.patch
@@ -0,0 +1,30 @@
+diff -u -r1.16 ppm2tiff.c
+--- ./tools/ppm2tiff.c	10 Apr 2010 19:22:34 -0000	1.16
++++ ./tools/ppm2tiff.c	31 Oct 2012 06:25:13 -0000
+@@ -89,6 +89,7 @@
+ 	int c;
+ 	extern int optind;
+ 	extern char* optarg;
++	size_t scanline_size;
+ 
+ 	if (argc < 2) {
+ 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -237,8 +238,16 @@
+ 	}
+ 	if (TIFFScanlineSize(out) > linebytes)
+ 		buf = (unsigned char *)_TIFFmalloc(linebytes);
+-	else
+-		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++	else {
++		scanline_size = TIFFScanlineSize(out);
++		if (scanline_size != 0)
++			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++		else {
++			fprintf(stderr, "%s: scanline size overflow\n",infile);
++			(void) TIFFClose(out);
++			exit(-2);					
++			}
++		}
+ 	if (resolution > 0) {
+ 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/main/tiff/libtiff-negsize-3.9.patch b/main/tiff/libtiff-negsize-3.9.patch
deleted file mode 100644
index 75a42fabc7d..00000000000
--- a/main/tiff/libtiff-negsize-3.9.patch
+++ /dev/null
@@ -1,161 +0,0 @@
-Index: libtiff/tif_strip.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v
-retrieving revision 1.19.2.3
-diff -c -r1.19.2.3 tif_strip.c
-*** ./libtiff/tif_strip.c	15 Dec 2010 00:50:30 -0000	1.19.2.3
---- ./libtiff/tif_strip.c	17 Apr 2012 18:14:22 -0000
-***************
-*** 107,112 ****
---- 107,113 ----
-  TIFFVStripSize(TIFF* tif, uint32 nrows)
-  {
-  	TIFFDirectory *td = &tif->tif_dir;
-+ 	uint32 stripsize;
-  
-  	if (nrows == (uint32) -1)
-  		nrows = td->td_imagelength;
-***************
-*** 122,128 ****
-  		 * YCbCr data for the extended image.
-  		 */
-  		uint16 ycbcrsubsampling[2];
-! 		tsize_t w, scanline, samplingarea;
-  
-  		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
-  				      ycbcrsubsampling + 0,
---- 123,129 ----
-  		 * YCbCr data for the extended image.
-  		 */
-  		uint16 ycbcrsubsampling[2];
-! 		uint32 w, scanline, samplingarea;
-  
-  		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
-  				      ycbcrsubsampling + 0,
-***************
-*** 141,153 ****
-  		nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
-  		/* NB: don't need TIFFhowmany here 'cuz everything is rounded */
-  		scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
-! 		return ((tsize_t)
-  		    summarize(tif, scanline,
-  			      multiply(tif, 2, scanline / samplingarea,
-! 				       "TIFFVStripSize"), "TIFFVStripSize"));
-  	} else
-! 		return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif),
-! 					   "TIFFVStripSize"));
-  }
-  
-  
---- 142,160 ----
-  		nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
-  		/* NB: don't need TIFFhowmany here 'cuz everything is rounded */
-  		scanline = multiply(tif, nrows, scanline, "TIFFVStripSize");
-! 		stripsize =
-  		    summarize(tif, scanline,
-  			      multiply(tif, 2, scanline / samplingarea,
-! 				       "TIFFVStripSize"), "TIFFVStripSize");
-  	} else
-! 		stripsize = multiply(tif, nrows, TIFFScanlineSize(tif),
-! 				     "TIFFVStripSize");
-! 	/* Because tsize_t is signed, we might have conversion overflow */
-! 	if (((tsize_t) stripsize) < 0) {
-! 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize");
-! 		stripsize = 0;
-! 	}
-! 	return (tsize_t) stripsize;
-  }
-  
-  
-Index: libtiff/tif_tile.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_tile.c,v
-retrieving revision 1.12.2.1
-diff -c -r1.12.2.1 tif_tile.c
-*** ./libtiff/tif_tile.c	8 Jun 2010 18:50:43 -0000	1.12.2.1
---- ./libtiff/tif_tile.c	17 Apr 2012 18:14:22 -0000
-***************
-*** 174,180 ****
-  TIFFTileRowSize(TIFF* tif)
-  {
-  	TIFFDirectory *td = &tif->tif_dir;
-! 	tsize_t rowsize;
-  	
-  	if (td->td_tilelength == 0 || td->td_tilewidth == 0)
-  		return ((tsize_t) 0);
---- 174,180 ----
-  TIFFTileRowSize(TIFF* tif)
-  {
-  	TIFFDirectory *td = &tif->tif_dir;
-! 	uint32 rowsize;
-  	
-  	if (td->td_tilelength == 0 || td->td_tilewidth == 0)
-  		return ((tsize_t) 0);
-***************
-*** 193,199 ****
-  TIFFVTileSize(TIFF* tif, uint32 nrows)
-  {
-  	TIFFDirectory *td = &tif->tif_dir;
-! 	tsize_t tilesize;
-  
-  	if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
-  	    td->td_tiledepth == 0)
---- 193,199 ----
-  TIFFVTileSize(TIFF* tif, uint32 nrows)
-  {
-  	TIFFDirectory *td = &tif->tif_dir;
-! 	uint32 tilesize;
-  
-  	if (td->td_tilelength == 0 || td->td_tilewidth == 0 ||
-  	    td->td_tiledepth == 0)
-***************
-*** 209,220 ****
-  		 * horizontal/vertical subsampling area include
-  		 * YCbCr data for the extended image.
-  		 */
-! 		tsize_t w =
-  		    TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
-! 		tsize_t rowsize =
-  		    TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
-  					  "TIFFVTileSize"));
-! 		tsize_t samplingarea =
-  		    td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
-  		if (samplingarea == 0) {
-  			TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
---- 209,220 ----
-  		 * horizontal/vertical subsampling area include
-  		 * YCbCr data for the extended image.
-  		 */
-! 		uint32 w =
-  		    TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]);
-! 		uint32 rowsize =
-  		    TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
-  					  "TIFFVTileSize"));
-! 		uint32 samplingarea =
-  		    td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1];
-  		if (samplingarea == 0) {
-  			TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling");
-***************
-*** 230,237 ****
-  	} else
-  		tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
-  				    "TIFFVTileSize");
-! 	return ((tsize_t)
-! 	    multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"));
-  }
-  
-  /*
---- 230,242 ----
-  	} else
-  		tilesize = multiply(tif, nrows, TIFFTileRowSize(tif),
-  				    "TIFFVTileSize");
-! 	tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize");
-! 	/* Because tsize_t is signed, we might have conversion overflow */
-! 	if (((tsize_t) tilesize) < 0) {
-! 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize");
-! 		tilesize = 0;
-! 	}
-! 	return (tsize_t) tilesize;
-  }
-  
-  /*