Update to libtiff 3.9.4, and fix assorted crashing bugs

.cvsignore

@@ -1 +1 @@
-tiff-3.9.2.tar.gz
+tiff-3.9.4.tar.gz

libtiff-3samples.patch

@@ -0,0 +1,21 @@
+Patch for bug #603081: failure to guard against bogus SamplesPerPixel
+when converting a YCbCr image to RGB.
+
+This patch duplicates into PickContigCase() a safety check that already
+existed in PickSeparateCase().
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-11 12:06:47.000000000 -0400
+@@ -2397,7 +2397,7 @@
+ 			}
+ 			break;
+ 		case PHOTOMETRIC_YCBCR:
+-			if (img->bitspersample == 8)
++			if ((img->bitspersample==8) && (img->samplesperpixel==3))
+ 			{
+ 				if (initYCbCrConversion(img)!=0)
+ 				{

libtiff-CVE-2009-2347.patch

@@ -1,93 +0,0 @@
-This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2.
-Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this
-part.  Reported upstream at
-http://bugzilla.maptools.org/show_bug.cgi?id=2079
-
-
-diff -Naur tiff-3.9.2.orig/tools/tiff2rgba.c tiff-3.9.2/tools/tiff2rgba.c
---- tiff-3.9.2.orig/tools/tiff2rgba.c	2009-08-20 16:23:53.000000000 -0400
-+++ tiff-3.9.2/tools/tiff2rgba.c	2009-12-03 12:19:07.000000000 -0500
-@@ -125,6 +125,17 @@
-     return (0);
- }
- 
-+static tsize_t
-+multiply(tsize_t m1, tsize_t m2)
-+{
-+    tsize_t prod = m1 * m2;
-+
-+    if (m1 && prod / m1 != m2)
-+        prod = 0;		/* overflow */
-+
-+    return prod;
-+}
-+
- static int
- cvt_by_tile( TIFF *in, TIFF *out )
- 
-@@ -134,6 +145,7 @@
-     uint32  tile_width, tile_height;
-     uint32  row, col;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -151,7 +163,14 @@
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) tile_width, (unsigned long) tile_height);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -159,7 +178,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-     if (!wrk_line) {
-@@ -236,6 +255,7 @@
-     uint32  width, height;		/* image width & height */
-     uint32  row;
-     uint32  *wrk_line;
-+    tsize_t raster_size;
-     int	    ok = 1;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-@@ -251,7 +271,14 @@
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32));
-+    if (!raster_size) {
-+	TIFFError(TIFFFileName(in),
-+		  "Can't allocate buffer for raster of size %lux%lu",
-+		  (unsigned long) width, (unsigned long) rowsperstrip);
-+	return (0);
-+    }
-+    raster = (uint32*)_TIFFmalloc(raster_size);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -259,7 +286,7 @@
- 
-     /*
-      * Allocate a scanline buffer for swapping during the vertical
--     * mirroring pass.
-+     * mirroring pass.  (Request can't overflow given prior checks.)
-      */
-     wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-     if (!wrk_line) {

libtiff-acversion.patch

@@ -2,15 +2,15 @@ This patch is needed for building the package as of F-11.  It can be
 dropped whenever autoconf 2.63 is no longer used on any live branch.
 
 
-diff -Naur tiff-3.9.2.orig/configure.ac tiff-3.9.2/configure.ac
---- tiff-3.9.2.orig/configure.ac	2009-11-04 12:11:20.000000000 -0500
-+++ tiff-3.9.2/configure.ac	2009-12-03 12:52:41.000000000 -0500
+diff -Naur tiff-3.9.4.orig/configure.ac tiff-3.9.4/configure.ac
+--- tiff-3.9.4.orig/configure.ac	2010-06-15 14:58:12.000000000 -0400
++++ tiff-3.9.4/configure.ac	2010-06-15 17:13:11.000000000 -0400
 @@ -24,7 +24,7 @@
  
  dnl Process this file with autoconf to produce a configure script.
  
 -AC_PREREQ(2.64)
 +AC_PREREQ(2.63)
- AC_INIT([LibTIFF Software],[3.9.2],[tiff@lists.maptools.org],[tiff])
+ AC_INIT([LibTIFF Software],[3.9.4],[tiff@lists.maptools.org],[tiff])
  AC_CONFIG_AUX_DIR(config)
  AC_CONFIG_MACRO_DIR(m4)

libtiff-checkbytecount.patch

@@ -0,0 +1,48 @@
+Upstream fix for bug #603024 is incomplete, tif_ojpeg.c should guard against
+missing strip byte counts too.  Testing shows that tiffsplit.c has an issue
+too.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=1996
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_ojpeg.c tiff-3.9.4/libtiff/tif_ojpeg.c
+--- tiff-3.9.4.orig/libtiff/tif_ojpeg.c	2010-06-08 19:29:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_ojpeg.c	2010-06-22 11:25:17.579807706 -0400
+@@ -1920,6 +1920,10 @@
+ 							sp->in_buffer_file_pos=0;
+ 						else
+ 						{
++							if (sp->tif->tif_dir.td_stripbytecount == 0) {
++								TIFFErrorExt(sp->tif->tif_clientdata,sp->tif->tif_name,"Strip byte counts are missing");
++								return(0);
++							}
+ 							sp->in_buffer_file_togo=sp->tif->tif_dir.td_stripbytecount[sp->in_buffer_next_strile];  
+ 							if (sp->in_buffer_file_togo==0)
+ 								sp->in_buffer_file_pos=0;
+diff -Naur tiff-3.9.4.orig/tools/tiffsplit.c tiff-3.9.4/tools/tiffsplit.c
+--- tiff-3.9.4.orig/tools/tiffsplit.c	2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffsplit.c	2010-06-22 12:23:23.258823151 -0400
+@@ -237,7 +237,10 @@
+ 		tstrip_t s, ns = TIFFNumberOfStrips(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_STRIPBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: strip byte counts are missing\n");
++			return (0);
++		}
+ 		for (s = 0; s < ns; s++) {
+ 			if (bytecounts[s] > (uint32)bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[s]);
+@@ -267,7 +270,10 @@
+ 		ttile_t t, nt = TIFFNumberOfTiles(in);
+ 		uint32 *bytecounts;
+ 
+-		TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
++		if (!TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts)) {
++			fprintf(stderr, "tiffsplit: tile byte counts are missing\n");
++			return (0);
++		}
+ 		for (t = 0; t < nt; t++) {
+ 			if (bytecounts[t] > (uint32) bufsize) {
+ 				buf = (unsigned char *)_TIFFrealloc(buf, bytecounts[t]);

libtiff-getimage-64bit.patch

@@ -0,0 +1,48 @@
+Fix misbehavior on 64-bit machines when trying to flip a downsampled image
+vertically: unsigned ints will be widened to 64 bits the wrong way.
+See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2207
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_getimage.c tiff-3.9.2/libtiff/tif_getimage.c
+--- tiff-3.9.2.orig/libtiff/tif_getimage.c	2009-08-30 12:21:46.000000000 -0400
++++ tiff-3.9.2/libtiff/tif_getimage.c	2010-06-10 15:07:28.000000000 -0400
+@@ -1846,6 +1846,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ 	uint32* cp2;
++	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 6;
+ 	cp2 = cp+w+toskew;
+@@ -1872,8 +1873,8 @@
+ 			cp2 ++ ;
+ 			pp += 6;
+ 		}
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
++		cp += incr;
++		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}
+@@ -1939,6 +1940,7 @@
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ 	uint32* cp2;
++	int32 incr = 2*toskew+w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 4;
+ 	cp2 = cp+w+toskew;
+@@ -1953,8 +1955,8 @@
+ 			cp2 ++;
+ 			pp += 4;
+ 		} while (--x);
+-		cp += toskew*2+w;
+-		cp2 += toskew*2+w;
++		cp += incr;
++		cp2 += incr;
+ 		pp += fromskew;
+ 		h-=2;
+ 	}

libtiff-jpeg-scanline.patch

@@ -1,62 +0,0 @@
-Upstream patch for tiff2ps core dump noted in bug #460322.  (Note that
-the tiffcmp crash mentioned there is really a different bug.)
-Now also incorporating Adam Goode's patch for bug #552360.  See
-http://bugzilla.maptools.org/show_bug.cgi?id=1936
-
-
-diff -Naur tiff-3.9.2.orig/libtiff/tif_dir.c tiff-3.9.2/libtiff/tif_dir.c
---- tiff-3.9.2.orig/libtiff/tif_dir.c	2008-12-31 19:10:43.000000000 -0500
-+++ tiff-3.9.2/libtiff/tif_dir.c	2010-01-05 19:59:12.000000000 -0500
-@@ -1100,6 +1100,13 @@
- 	 */
- 	tif->tif_flags &= ~TIFF_ISTILED;
- 
-+	/*
-+	 * Clear other directory-specific fields.
-+	 */
-+	tif->tif_tilesize = 0;
-+	tif->tif_scanlinesize = 0;
-+	
-+
- 	return (1);
- }
- 
-diff -Naur tiff-3.9.2.orig/libtiff/tif_jpeg.c tiff-3.9.2/libtiff/tif_jpeg.c
---- tiff-3.9.2.orig/libtiff/tif_jpeg.c	2009-08-30 12:21:46.000000000 -0400
-+++ tiff-3.9.2/libtiff/tif_jpeg.c	2010-01-05 19:59:12.000000000 -0500
-@@ -1613,7 +1613,11 @@
- 	 * Must recalculate cached tile size in case sampling state changed.
- 	 * Should we really be doing this now if image size isn't set? 
- 	 */
--	tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
-+        if( tif->tif_tilesize > 0 )
-+            tif->tif_tilesize = isTiled(tif) ? TIFFTileSize(tif) : (tsize_t) -1;
-+
-+        if(tif->tif_scanlinesize > 0 )
-+            tif->tif_scanlinesize = TIFFScanlineSize(tif); 
- }
- 
- static int
-@@ -1741,13 +1745,21 @@
- 			return;
-     }
-     else
--	{
-+    {
-         if( !TIFFFillStrip( tif, 0 ) )
-             return;
-     }
- 
-     TIFFSetField( tif, TIFFTAG_YCBCRSUBSAMPLING, 
-                   (uint16) sp->h_sampling, (uint16) sp->v_sampling );
-+
-+    /*
-+    ** We want to clear the loaded strip so the application has time
-+    ** to set JPEGCOLORMODE or other behavior modifiers.  This essentially
-+    ** undoes the JPEGPreDecode triggers by TIFFFileStrip().  (#1936)
-+    */
-+    tif->tif_curstrip = -1;
-+
- #endif /* CHECK_JPEG_YCBCR_SUBSAMPLING */
- }
- 

libtiff-subsampling.patch

@@ -0,0 +1,51 @@
+Use the spec-mandated default YCbCrSubSampling values in strip size
+calculations, if the YCBCRSUBSAMPLING tag hasn't been provided.
+See bug #603703.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2215
+
+NB: must be applied after libtiff-scanlinesize.patch to avoid fuzz issues.
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_strip.c tiff-3.9.2/libtiff/tif_strip.c
+--- tiff-3.9.2.orig/libtiff/tif_strip.c	2006-03-25 13:04:35.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_strip.c	2010-06-14 12:00:49.000000000 -0400
+@@ -124,9 +124,9 @@
+ 		uint16 ycbcrsubsampling[2];
+ 		tsize_t w, scanline, samplingarea;
+ 
+-		TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
+-			      ycbcrsubsampling + 0,
+-			      ycbcrsubsampling + 1 );
++		TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++				      ycbcrsubsampling + 0,
++				      ycbcrsubsampling + 1);
+ 
+ 		samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
+ 		if (samplingarea == 0) {
+@@ -234,9 +234,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+@@ -308,9 +308,9 @@
+ 		    && !isUpSampled(tif)) {
+ 			uint16 ycbcrsubsampling[2];
+ 
+-			TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING,
+-				     ycbcrsubsampling + 0,
+-				     ycbcrsubsampling + 1);
++			TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING,
++					      ycbcrsubsampling + 0,
++					      ycbcrsubsampling + 1);
+ 
+ 			if (ycbcrsubsampling[0]*ycbcrsubsampling[1] == 0) {
+ 				TIFFErrorExt(tif->tif_clientdata, tif->tif_name,

libtiff-tiffdump.patch

@@ -0,0 +1,35 @@
+Make tiffdump more paranoid about checking the count field of a directory
+entry.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2218
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffdump.c tiff-3.9.4/tools/tiffdump.c
+--- tiff-3.9.4.orig/tools/tiffdump.c	2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffdump.c	2010-06-22 12:51:42.207932477 -0400
+@@ -46,6 +46,7 @@
+ # include <io.h>
+ #endif
+ 
++#include "tiffiop.h"
+ #include "tiffio.h"
+ 
+ #ifndef O_BINARY
+@@ -317,7 +318,7 @@
+ 			printf(">\n");
+ 			continue;
+ 		}
+-		space = dp->tdir_count * datawidth[dp->tdir_type];
++		space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]);
+ 		if (space <= 0) {
+ 			printf(">\n");
+ 			Error("Invalid count for tag %u", dp->tdir_tag);
+@@ -709,7 +710,7 @@
+ 	w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0);
+ 	cc = dir->tdir_count * w;
+ 	if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1
+-	    && read(fd, cp, cc) != -1) {
++	    && read(fd, cp, cc) == cc) {
+ 		if (swabflag) {
+ 			switch (dir->tdir_type) {
+ 			case TIFF_SHORT:

libtiff-unknown-fix.patch

@@ -0,0 +1,47 @@
+Ooops, previous fix to unknown-tag handling caused TIFFReadDirectory to
+sometimes complain about out-of-order tags when there weren't really any.
+Fix by decoupling that logic from the tag search logic.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2210
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_dirread.c tiff-3.9.4/libtiff/tif_dirread.c
+--- tiff-3.9.4.orig/libtiff/tif_dirread.c	2010-06-14 10:27:51.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_dirread.c	2010-06-16 01:27:03.000000000 -0400
+@@ -83,6 +83,7 @@
+ 	const TIFFFieldInfo* fip;
+ 	size_t fix;
+ 	uint16 dircount;
++	uint16 previous_tag = 0;
+ 	int diroutoforderwarning = 0, compressionknown = 0;
+ 	int haveunknowntags = 0;
+ 
+@@ -163,23 +164,24 @@
+ 
+ 		if (dp->tdir_tag == IGNORE)
+ 			continue;
+-		if (fix >= tif->tif_nfields)
+-			fix = 0;
+ 
+ 		/*
+ 		 * Silicon Beach (at least) writes unordered
+ 		 * directory tags (violating the spec).  Handle
+ 		 * it here, but be obnoxious (maybe they'll fix it?).
+ 		 */
+-		if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) {
++		if (dp->tdir_tag < previous_tag) {
+ 			if (!diroutoforderwarning) {
+ 				TIFFWarningExt(tif->tif_clientdata, module,
+ 	"%s: invalid TIFF directory; tags are not sorted in ascending order",
+ 					    tif->tif_name);
+ 				diroutoforderwarning = 1;
+ 			}
+-			fix = 0;			/* O(n^2) */
+ 		}
++		previous_tag = dp->tdir_tag;
++		if (fix >= tif->tif_nfields ||
++		    dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag)
++			fix = 0;			/* O(n^2) */
+ 		while (fix < tif->tif_nfields &&
+ 		    tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ 			fix++;

libtiff-ycbcr-clamp.patch

@@ -0,0 +1,35 @@
+Using an array to clamp translated YCbCr values is insecure, because if the
+TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
+values could be very far out of range (much further than the current array
+size, anyway), possibly resulting in SIGSEGV.  Just drop the whole idea in
+favor of using a comparison-based macro to clamp.  See RH bug #583081.
+
+Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+
+diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
+--- tiff-3.9.2.orig/libtiff/tif_color.c	2006-02-09 10:42:20.000000000 -0500
++++ tiff-3.9.2/libtiff/tif_color.c	2010-06-10 15:53:24.000000000 -0400
+@@ -183,13 +183,18 @@
+ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
+ 	       uint32 *r, uint32 *g, uint32 *b)
+ {
++	int32 i;
++
+ 	/* XXX: Only 8-bit YCbCr input supported for now */
+ 	Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
+ 
+-	*r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
+-	*g = ycbcr->clamptab[ycbcr->Y_tab[Y]
+-	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
+-	*b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
++	i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
++	*r = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y]
++	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
++	*g = CLAMP(i, 0, 255);
++	i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
++	*b = CLAMP(i, 0, 255);
+ }
+ 
+ /*

libtiff.spec

@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
-Version: 3.9.2
-Release: 3%{?dist}
+Version: 3.9.4
+Release: 1%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -10,9 +10,14 @@ URL: http://www.remotesensing.org/libtiff/
 Source: ftp://ftp.remotesensing.org/pub/libtiff/tiff-%{version}.tar.gz
 Patch1: libtiff-acversion.patch
 Patch2: libtiff-mantypo.patch
-Patch3: libtiff-CVE-2009-2347.patch
-Patch4: libtiff-jpeg-scanline.patch
-Patch5: libtiff-scanlinesize.patch
+Patch3: libtiff-scanlinesize.patch
+Patch4: libtiff-getimage-64bit.patch
+Patch5: libtiff-ycbcr-clamp.patch
+Patch6: libtiff-3samples.patch
+Patch7: libtiff-subsampling.patch
+Patch8: libtiff-unknown-fix.patch
+Patch9: libtiff-checkbytecount.patch
+Patch10: libtiff-tiffdump.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -70,6 +75,11 @@ image files using the libtiff library.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -181,6 +191,15 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*
 
 %changelog
+* Tue Jun 22 2010 Tom Lane <tgl@redhat.com> 3.9.4-1
+- Update to libtiff 3.9.4, for numerous bug fixes including fixes for
+  CVE-2010-1411, CVE-2010-2065, CVE-2010-2067
+Resolves: #554371
+Related: #460653, #588784, #601274, #599576, #592361, #603024
+- Add fixes for multiple SIGSEGV problems
+Resolves: #583081
+Related: #603081, #603699, #603703
+
 * Tue Jan  5 2010 Tom Lane <tgl@redhat.com> 3.9.2-3
 - Apply Adam Goode's fix for Warmerdam's fix
 Resolves: #552360

sources

@@ -1 +1 @@
-93e56e421679c591de7552db13384cb8  tiff-3.9.2.tar.gz
+2006c1bdd12644dbf02956955175afd6  tiff-3.9.4.tar.gz