summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobin H. Johnson <robbat2@gentoo.org>2015-08-08 13:49:04 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2015-08-08 17:38:18 -0700
commit56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch)
tree3f91093cdb475e565ae857f1c5a7fd339e2d781e /media-libs/tiff
downloadgentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.gz
gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.tar.bz2
gentoo-56bd759df1d0c750a065b8c845e93d5dfa6b549d.zip
proj/gentoo: Initial commit
This commit represents a new era for Gentoo: Storing the gentoo-x86 tree in Git, as converted from CVS. This commit is the start of the NEW history. Any historical data is intended to be grafted onto this point. Creation process: 1. Take final CVS checkout snapshot 2. Remove ALL ChangeLog* files 3. Transform all Manifests to thin 4. Remove empty Manifests 5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$ 5.1. Do not touch files with -kb/-ko keyword flags. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'media-libs/tiff')
-rw-r--r--media-libs/tiff/Manifest2
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch191
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch77
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch245
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-printdir-width.patch36
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch59
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch40
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch86
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch145
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch759
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch16
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch13
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch15
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch122
-rw-r--r--media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch15
-rw-r--r--media-libs/tiff/metadata.xml7
-rw-r--r--media-libs/tiff/tiff-3.9.7-r1.ebuild72
-rw-r--r--media-libs/tiff/tiff-4.0.3-r6.ebuild79
18 files changed, 1979 insertions, 0 deletions
diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
new file mode 100644
index 000000000000..95d287afe209
--- /dev/null
+++ b/media-libs/tiff/Manifest
@@ -0,0 +1,2 @@
+DIST tiff-3.9.7.tar.gz 1468097 SHA256 f5d64dd4ce61c55f5e9f6dc3920fbe5a41e02c2e607da7117a35eb5c320cef6a SHA512 ca89584a9ffa33b4986e4bc2165043cec239896f1f0ab73db00818d0442b570efaa6345b2ed422e884202324d359713df849bf14782bb0cf3b959655febddd77 WHIRLPOOL c06b35da66c365c1fe7f0e6e06a400e139d3e2b5b280aa764015c2f0383a6191ffb3d335cdf2211b687bbb0caacf641be409148986a9813dfde5822a650a9b1c
+DIST tiff-4.0.3.tar.gz 2051630 SHA256 ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 SHA512 d80e18b00e9e696a30b954c0d92e5f2f773fd9a7a0a944cf6cabb69c1798e671506580daa1cd2ebf493ae922000170c2491dfc6d4c0a9cd0b865684070595a73 WHIRLPOOL 762ace7c66dec7a6f350bc8c000a9e1f4b775e7b148b1d923eb3f7c015f47bda65a54bc0b5974ce665c7d836ec0b275c9307d1f18f3b6bee8b0949a6cceb319e
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 000000000000..6c28dc6ec9a8
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,191 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -117,9 +117,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -136,10 +136,10 @@
+ op[2] = t2;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
+- t3 = ToLinearF[ca = wp[3]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
++ t3 = ToLinearF[ca = (wp[3] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -183,9 +183,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -202,10 +202,10 @@
+ op[2] = CLAMP12(t2);
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
+- t3 = ToLinearF[ca = wp[3]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
++ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -247,9 +247,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ wp += 3;
+@@ -260,10 +260,10 @@
+ op[2] = ToLinear16[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
+- op[3] = ToLinear16[ca = wp[3]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
++ op[3] = ToLinear16[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ wp += 4;
+@@ -342,9 +342,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ n -= 3;
+@@ -355,10 +355,10 @@
+ op[2] = ToLinear8[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
+- op[3] = ToLinear8[ca = wp[3]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
++ op[3] = ToLinear8[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ n -= 4;
+@@ -393,9 +393,9 @@
+ mask = CODE_MASK;
+ if (stride == 3) {
+ op[0] = 0;
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[1] = t1;
+ op[2] = t2;
+ op[3] = t3;
+@@ -413,10 +413,10 @@
+ op[3] = t3;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinear8[ca = wp[3]];
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t0 = ToLinear8[ca = (wp[3] & mask)];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -630,10 +630,10 @@
+ return guess;
+ }
+
+-static uint32
+-multiply(size_t m1, size_t m2)
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
+ {
+- uint32 bytes = m1 * m2;
++ tsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
new file mode 100644
index 000000000000..98a6e6c4409d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
@@ -0,0 +1,77 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
+--- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500
+@@ -68,6 +68,17 @@
+ exit(-2);
+ }
+
++static tsize_t
++multiply_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -85,6 +96,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -217,7 +229,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -226,15 +239,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
new file mode 100644
index 000000000000..a6bdca137029
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags. Back-port of upstream
+patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+
+
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+ goto end;
+ }
+
+- if ((fip->field_passcount
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ uint16 v[2];
++ v[0] = (uint16)va_arg(ap, int);
++ v[1] = (uint16)va_arg(ap, int);
++ _TIFFmemcpy(tv->value, v, 4);
++ }
++ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE
+- && fip->field_tag != TIFFTAG_WHITELEVEL) {
++ || tv->count > 1) {
+ _TIFFmemcpy(tv->value, va_arg(ap, void *),
+ tv->count * tv_size);
+ } else {
+- /*
+- * XXX: The following loop required to handle
+- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+- * These tags are actually arrays and should be passed as
+- * array pointers to TIFFSetField() function, but actually
+- * passed as a list of separate values. This behaviour
+- * must be changed in the future!
+- */
+- int i;
+ char *val = (char *)tv->value;
+
+- for (i = 0; i < tv->count; i++, val += tv_size) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+ status = 0;
+ break;
+ }
+- }
+ }
+ }
+ }
+@@ -869,24 +864,27 @@
+ *va_arg(ap, uint16*) = (uint16)tv->count;
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+- } else {
+- if ((fip->field_type == TIFF_ASCII
++ } else if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
++ ret_val = 1;
++ } else {
++ if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || tv->count > 1) {
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+ } else {
+- int j;
+ char *val = (char *)tv->value;
+
+- for (j = 0; j < tv->count;
+- j++, val += _TIFFDataSize(tv->info->field_type)) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+ ret_val = 0;
+ break;
+ }
+- }
+ }
+ }
+ break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+ }
+
+ static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
++_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+ uint32 value_count, void *raw_data)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+
++ /* do not try to pretty print auto-defined fields */
++ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
++ return 0;
++ }
++
+ switch (tag)
+ {
+ case TIFFTAG_INKSET:
+- fprintf(fd, " Ink Set: ");
+- switch (*((uint16*)raw_data)) {
++ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
++ fprintf(fd, " Ink Set: ");
++ switch (*((uint16*)raw_data)) {
+ case INKSET_CMYK:
+ fprintf(fd, "CMYK\n");
+ break;
+@@ -130,11 +136,18 @@
+ *((uint16*)raw_data),
+ *((uint16*)raw_data));
+ break;
++ }
++ return 1;
+ }
+- return 1;
++ return 0;
++
+ case TIFFTAG_WHITEPOINT:
+- fprintf(fd, " White Point: %g-%g\n",
+- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
++ fprintf(fd, " White Point: %g-%g\n",
++ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ }
++ return 0;
++
+ case TIFFTAG_REFERENCEBLACKWHITE:
+ {
+ uint16 i;
+@@ -174,10 +187,13 @@
+ (unsigned long) value_count);
+ return 1;
+ case TIFFTAG_STONITS:
+- fprintf(fd,
+- " Sample to Nits conversion factor: %.4e\n",
+- *((double*)raw_data));
+- return 1;
++ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
++ fprintf(fd,
++ " Sample to Nits conversion factor: %.4e\n",
++ *((double*)raw_data));
++ return 1;
++ }
++ return 0;
+ }
+
+ return 0;
+@@ -524,44 +540,28 @@
+ value_count = td->td_samplesperpixel;
+ else
+ value_count = fip->field_readcount;
+- if ((fip->field_type == TIFF_ASCII
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ static uint16 dotrange[2];
++ raw_data = dotrange;
++ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
++ } else if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || value_count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || value_count > 1) {
+ if(TIFFGetField(tif, tag, &raw_data) != 1)
+ continue;
+- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
+- raw_data = _TIFFmalloc(
+- _TIFFDataSize(fip->field_type)
+- * value_count);
+- mem_alloc = 1;
+- if(TIFFGetField(tif, tag, raw_data) != 1) {
+- _TIFFfree(raw_data);
+- continue;
+- }
+ } else {
+- /*
+- * XXX: Should be fixed and removed, see the
+- * notes related to TIFFTAG_PAGENUMBER,
+- * TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and
+- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+- char *tmp;
+ raw_data = _TIFFmalloc(
+ _TIFFDataSize(fip->field_type)
+ * value_count);
+- tmp = raw_data;
+ mem_alloc = 1;
+- if(TIFFGetField(tif, tag, tmp,
+- tmp + _TIFFDataSize(fip->field_type)) != 1) {
++ if(TIFFGetField(tif, tag, raw_data) != 1) {
+ _TIFFfree(raw_data);
+ continue;
+ }
+@@ -574,7 +574,7 @@
+ * _TIFFPrettyPrintField() fall down and print it as any other
+ * tag.
+ */
+- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
++ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+ if(mem_alloc)
+ _TIFFfree(raw_data);
+ continue;
diff --git a/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
new file mode 100644
index 000000000000..6ad7534ac6fe
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
@@ -0,0 +1,36 @@
+Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
+conventions for field_passcount fields, ie, either 16- or 32-bit counts.
+This patch is taken from upstream commits dated 2012-05-23 ("fix crash
+with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
+TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
+
+This doesn't qualify as a security issue in itself, mainly because
+TIFFPrintDirectory is unlikely to be used in any security-exposed
+scenarios; but we need to fix it so that our test case for CVE-2012-5581
+works on all platforms.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
+--- tiff-3.9.4.orig/libtiff/tif_print.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_print.c 2012-12-13 12:17:33.726765771 -0500
+@@ -518,8 +518,19 @@
+ continue;
+
+ if(fip->field_passcount) {
+- if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ if (fip->field_readcount == TIFF_VARIABLE2 ) {
++ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ continue;
++ } else if (fip->field_readcount == TIFF_VARIABLE ) {
++ uint16 small_value_count;
++ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
++ continue;
++ value_count = small_value_count;
++ } else {
++ assert (fip->field_readcount == TIFF_VARIABLE
++ || fip->field_readcount == TIFF_VARIABLE2);
+ continue;
++ }
+ } else {
+ if (fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2)
diff --git a/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
new file mode 100644
index 000000000000..a326e21e298b
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
@@ -0,0 +1,59 @@
+Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
+because there isn't any. Back-patched from an upstream 4.0.2 fix.
+
+This is not a security issue in itself (it crashes, but with a simple NULL
+pointer dereference). However, our test case for CVE-2012-5581 tickles this
+bug, so it seems easier to fix this than make a new test case.
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
+--- tiff-3.9.4.orig/tools/tiffinfo.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffinfo.c 2012-12-11 16:33:17.062228558 -0500
+@@ -49,7 +49,7 @@
+ int stoponerr = 1; /* stop on first read error */
+
+ static void usage(void);
+-static void tiffinfo(TIFF*, uint16, long);
++static void tiffinfo(TIFF*, uint16, long, int);
+
+ int
+ main(int argc, char* argv[])
+@@ -124,19 +124,20 @@
+ if (tif != NULL) {
+ if (dirnum != -1) {
+ if (TIFFSetDirectory(tif, (tdir_t) dirnum))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else if (diroff != 0) {
+ if (TIFFSetSubDirectory(tif, diroff))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else {
+ do {
+ uint32 offset;
+
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
+ &offset)) {
+- if (TIFFReadEXIFDirectory(tif, offset))
+- tiffinfo(tif, order, flags);
++ if (TIFFReadEXIFDirectory(tif, offset)) {
++ tiffinfo(tif, order, flags, 0);
++ }
+ }
+ } while (TIFFReadDirectory(tif));
+ }
+@@ -426,10 +427,10 @@
+ }
+
+ static void
+-tiffinfo(TIFF* tif, uint16 order, long flags)
++tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
+ {
+ TIFFPrintDirectory(tif, stdout, flags);
+- if (!readdata)
++ if (!readdata || !is_image)
+ return;
+ if (rawdata) {
+ if (order) {
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch
new file mode 100644
index 000000000000..ebf9a00e1b6d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4447.patch
@@ -0,0 +1,40 @@
+Upstream patch for CVE-2012-4447.
+
+
+diff -Naur tiff-4.0.3.orig/libtiff/tif_pixarlog.c tiff-4.0.3/libtiff/tif_pixarlog.c
+--- tiff-4.0.3.orig/libtiff/tif_pixarlog.c 2012-07-04 15:26:31.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_pixarlog.c 2012-12-12 16:43:18.931315699 -0500
+@@ -644,6 +644,20 @@
+ return bytes;
+ }
+
++static tmsize_t
++add_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogFixupTags(TIFF* tif)
+ {
+@@ -671,9 +685,11 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply_ms(multiply_ms(multiply_ms(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0); /* TODO: this is an error return without error report through TIFFErrorExt */
+- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride);
++ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch
new file mode 100644
index 000000000000..3d7946c7ec3f
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2012-4564.patch
@@ -0,0 +1,86 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-4.0.3.orig/tools/ppm2tiff.c tiff-4.0.3/tools/ppm2tiff.c
+--- tiff-4.0.3.orig/tools/ppm2tiff.c 2010-04-10 15:22:34.000000000 -0400
++++ tiff-4.0.3/tools/ppm2tiff.c 2012-12-12 16:43:18.932315708 -0500
+@@ -72,6 +72,17 @@
+ exit(-2);
+ }
+
++static tmsize_t
++multiply_ms(tmsize_t m1, tmsize_t m2)
++{
++ tmsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -79,7 +90,7 @@
+ uint32 rowsperstrip = (uint32) -1;
+ double resolution = -1;
+ unsigned char *buf = NULL;
+- tsize_t linebytes = 0;
++ tmsize_t linebytes = 0;
+ uint16 spp = 1;
+ uint16 bpp = 8;
+ TIFF *out;
+@@ -89,6 +100,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tmsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -221,7 +233,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -230,15 +243,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch
new file mode 100644
index 000000000000..1c8dfb7bc65d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1960.patch
@@ -0,0 +1,145 @@
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:04:49.057090227 -0400
+@@ -3341,33 +3341,56 @@
+ uint32 height){
+
+ tsize_t i=0;
+- uint16 ri =0;
+- uint16 v_samp=1;
+- uint16 h_samp=1;
+- int j=0;
+-
+- i++;
+-
+- while(i<(*striplength)){
++
++ while (i < *striplength) {
++ tsize_t datalen;
++ uint16 ri;
++ uint16 v_samp;
++ uint16 h_samp;
++ int j;
++ int ncomp;
++
++ /* marker header: one or more FFs */
++ if (strip[i] != 0xff)
++ return(0);
++ i++;
++ while (i < *striplength && strip[i] == 0xff)
++ i++;
++ if (i >= *striplength)
++ return(0);
++ /* SOI is the only pre-SOS marker without a length word */
++ if (strip[i] == 0xd8)
++ datalen = 0;
++ else {
++ if ((*striplength - i) <= 2)
++ return(0);
++ datalen = (strip[i+1] << 8) | strip[i+2];
++ if (datalen < 2 || datalen >= (*striplength - i))
++ return(0);
++ }
+ switch( strip[i] ){
+- case 0xd8:
+- /* SOI - start of image */
++ case 0xd8: /* SOI - start of image */
+ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
+ *bufferoffset+=2;
+- i+=2;
+ break;
+- case 0xc0:
+- case 0xc1:
+- case 0xc3:
+- case 0xc9:
+- case 0xca:
++ case 0xc0: /* SOF0 */
++ case 0xc1: /* SOF1 */
++ case 0xc3: /* SOF3 */
++ case 0xc9: /* SOF9 */
++ case 0xca: /* SOF10 */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- for(j=0;j<buffer[*bufferoffset+9];j++){
+- if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp)
+- h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
+- if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp)
+- v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ ncomp = buffer[*bufferoffset+9];
++ if (ncomp < 1 || ncomp > 4)
++ return(0);
++ v_samp=1;
++ h_samp=1;
++ for(j=0;j<ncomp;j++){
++ uint16 samp = buffer[*bufferoffset+11+(3*j)];
++ if( (samp>>4) > h_samp)
++ h_samp = (samp>>4);
++ if( (samp & 0x0f) > v_samp)
++ v_samp = (samp & 0x0f);
+ }
+ v_samp*=8;
+ h_samp*=8;
+@@ -3381,45 +3404,43 @@
+ (unsigned char) ((height>>8) & 0xff);
+ buffer[*bufferoffset+6]=
+ (unsigned char) (height & 0xff);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
+-
++ *bufferoffset+=datalen+2;
++ /* insert a DRI marker */
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=0xdd;
+ buffer[(*bufferoffset)++]=0x00;
+ buffer[(*bufferoffset)++]=0x04;
+ buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
+ buffer[(*bufferoffset)++]= ri & 0xff;
+- } else {
+- i+=strip[i+2]+2;
+ }
+ break;
+- case 0xc4:
+- case 0xdb:
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ case 0xc4: /* DHT */
++ case 0xdb: /* DQT */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ break;
+- case 0xda:
++ case 0xda: /* SOS */
+ if(no==0){
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
+- *bufferoffset+=strip[i+2]+2;
+- i+=strip[i+2]+2;
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
++ *bufferoffset+=datalen+2;
+ } else {
+ buffer[(*bufferoffset)++]=0xff;
+ buffer[(*bufferoffset)++]=
+ (unsigned char)(0xd0 | ((no-1)%8));
+- i+=strip[i+2]+2;
+ }
+- _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
+- *bufferoffset+=(*striplength)-i-1;
++ i += datalen + 1;
++ /* copy remainder of strip */
++ _TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
++ *bufferoffset+= *striplength - i;
+ return(1);
+ default:
+- i+=strip[i+2]+2;
++ /* ignore any other marker */
++ break;
+ }
++ i += datalen + 1;
+ }
+-
+
++ /* failed to find SOS marker */
+ return(0);
+ }
+ #endif
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch
new file mode 100644
index 000000000000..0ea9b52e3fff
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-1961.patch
@@ -0,0 +1,759 @@
+diff -Naur tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
+--- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c 2010-06-08 14:55:15.000000000 -0400
++++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c 2013-05-02 12:02:42.782287939 -0400
+@@ -512,9 +512,9 @@
+ Arg args[1];
+
+ if (tfMultiPage)
+- sprintf(buffer, "%s - page %d", fileName, tfDirectory);
++ snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
+ else
+- strcpy(buffer, fileName);
++ snprintf(buffer, sizeof(buffer), "%s", fileName);
+ XtSetArg(args[0], XtNlabel, buffer);
+ XtSetValues(labelWidget, args, 1);
+ }
+diff -Naur tiff-4.0.3.orig/libtiff/tif_codec.c tiff-4.0.3/libtiff/tif_codec.c
+--- tiff-4.0.3.orig/libtiff/tif_codec.c 2010-12-14 09:18:28.000000000 -0500
++++ tiff-4.0.3/libtiff/tif_codec.c 2013-05-02 12:02:42.783287946 -0400
+@@ -108,7 +108,8 @@
+ const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
+ char compression_code[20];
+
+- sprintf( compression_code, "%d", tif->tif_dir.td_compression );
++ snprintf(compression_code, sizeof(compression_code), "%d",
++ tif->tif_dir.td_compression );
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s compression support is not configured",
+ c ? c->name : compression_code );
+diff -Naur tiff-4.0.3.orig/libtiff/tif_dirinfo.c tiff-4.0.3/libtiff/tif_dirinfo.c
+--- tiff-4.0.3.orig/libtiff/tif_dirinfo.c 2012-08-19 12:56:34.000000000 -0400
++++ tiff-4.0.3/libtiff/tif_dirinfo.c 2013-05-02 12:02:42.784287953 -0400
+@@ -711,7 +711,7 @@
+ * note that this name is a special sign to TIFFClose() and
+ * _TIFFSetupFields() to free the field
+ */
+- sprintf(fld->field_name, "Tag %d", (int) tag);
++ snprintf(fld->field_name, 32, "Tag %d", (int) tag);
+
+ return fld;
+ }
+diff -Naur tiff-4.0.3.orig/tools/rgb2ycbcr.c tiff-4.0.3/tools/rgb2ycbcr.c
+--- tiff-4.0.3.orig/tools/rgb2ycbcr.c 2011-05-31 13:03:16.000000000 -0400
++++ tiff-4.0.3/tools/rgb2ycbcr.c 2013-05-02 12:02:42.785287961 -0400
+@@ -332,7 +332,8 @@
+ TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
+ { char buf[2048];
+ char *cp = strrchr(TIFFFileName(in), '/');
+- sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
++ snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
++ cp ? cp+1 : TIFFFileName(in));
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
+ }
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+diff -Naur tiff-4.0.3.orig/tools/tiff2bw.c tiff-4.0.3/tools/tiff2bw.c
+--- tiff-4.0.3.orig/tools/tiff2bw.c 2010-07-08 12:10:24.000000000 -0400
++++ tiff-4.0.3/tools/tiff2bw.c 2013-05-02 12:02:42.785287961 -0400
+@@ -205,7 +205,7 @@
+ }
+ }
+ TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
+- sprintf(thing, "B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
+ outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+diff -Naur tiff-4.0.3.orig/tools/tiff2pdf.c tiff-4.0.3/tools/tiff2pdf.c
+--- tiff-4.0.3.orig/tools/tiff2pdf.c 2012-07-25 22:56:43.000000000 -0400
++++ tiff-4.0.3/tools/tiff2pdf.c 2013-05-02 12:02:42.788287983 -0400
+@@ -3609,7 +3609,9 @@
+ char buffer[16];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
++ buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
++ t2p->pdf_majorversion&0xff,
++ t2p->pdf_minorversion&0xff);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
+
+@@ -3623,10 +3625,10 @@
+ tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%lu", (unsigned long)number);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen );
+ written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
+
+@@ -3665,13 +3667,13 @@
+ written += t2pWriteFile(output, (tdata_t) "/", 1);
+ for (i=0;i<namelen;i++){
+ if ( ((unsigned char)name[i]) < 0x21){
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ nextchar=1;
+ }
+ if ( ((unsigned char)name[i]) > 0x7E){
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ nextchar=1;
+@@ -3679,57 +3681,57 @@
+ if (nextchar==0){
+ switch (name[i]){
+ case 0x23:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x25:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x28:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x29:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x2F:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x3C:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x3E:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x5B:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x5D:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x7B:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+ case 0x7D:
+- sprintf(buffer, "#%.2X", name[i]);
++ snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
+ buffer[sizeof(buffer) - 1] = '\0';
+ written += t2pWriteFile(output, (tdata_t) buffer, 3);
+ break;
+@@ -3844,14 +3846,14 @@
+ tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
+ if(len!=0){
+ written += t2p_write_pdf_stream_length(len, output);
+ } else {
+- buflen=sprintf(buffer, "%lu", (unsigned long)number);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ }
+@@ -3892,10 +3894,10 @@
+ tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+- buflen=sprintf(buffer, "%lu", (unsigned long)len);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n", 1);
+
+@@ -3909,7 +3911,7 @@
+ tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
+ {
+ tsize_t written = 0;
+- char buffer[16];
++ char buffer[32];
+ int buflen = 0;
+
+ written += t2pWriteFile(output,
+@@ -3948,7 +3950,6 @@
+ written += t2p_write_pdf_string(t2p->pdf_datetime, output);
+ }
+ written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
+- _TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
+ snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
+ written += t2p_write_pdf_string(buffer, output);
+ written += t2pWriteFile(output, (tdata_t) "\n", 1);
+@@ -4089,7 +4090,7 @@
+ {
+ tsize_t written=0;
+ tdir_t i=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ int page=0;
+@@ -4097,7 +4098,7 @@
+ (tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
+ page = t2p->pdf_pages+1;
+ for (i=0;i<t2p->tiff_pagecount;i++){
+- buflen=sprintf(buffer, "%d", page);
++ buflen=snprintf(buffer, sizeof(buffer), "%d", page);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+ if ( ((i+1)%8)==0 ) {
+@@ -4112,8 +4113,7 @@
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
++ buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
+
+@@ -4128,28 +4128,28 @@
+
+ unsigned int i=0;
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[256];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
++ buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "] \n", 3);
+ written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
+- buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
+ written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
+@@ -4157,15 +4157,13 @@
+ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
+ for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
+ written += t2pWriteFile(output, (tdata_t) "/Im", 3);
+- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "_", 1);
+- buflen = sprintf(buffer, "%u", i+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4177,12 +4175,10 @@
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
+ written += t2pWriteFile(output, (tdata_t) "/Im", 3);
+- buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4191,9 +4187,7 @@
+ if(t2p->tiff_transferfunctioncount != 0) {
+ written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
+ t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
+- buflen = sprintf(
+- buffer,
+- "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(object + 3));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4566,7 +4560,7 @@
+ if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){
+ for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
+ box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
+- buflen=sprintf(buffer,
++ buflen=snprintf(buffer, sizeof(buffer),
+ "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n",
+ t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
+ box.mat[0],
+@@ -4581,7 +4575,7 @@
+ }
+ } else {
+ box=t2p->pdf_imagebox;
+- buflen=sprintf(buffer,
++ buflen=snprintf(buffer, sizeof(buffer),
+ "q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n",
+ t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
+ box.mat[0],
+@@ -4606,59 +4600,48 @@
+ TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output);
+ written += t2pWriteFile(output,
+ (tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im",
+ 42);
+- buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ if(tile != 0){
+ written += t2pWriteFile(output, (tdata_t) "_", 1);
+- buflen=sprintf(buffer, "%lu", (unsigned long)tile);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+ written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+ if(tile==0){
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
+ } else {
+ if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
+ } else {
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+ if(tile==0){
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
+ } else {
+ if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
+ } else {
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
+ }
+ }
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
+- _TIFFmemset((tdata_t)buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
+ written += t2p_write_pdf_xobject_cs(t2p, output);
+@@ -4702,11 +4685,10 @@
+ t2p->pdf_colorspace ^= T2P_CS_PALETTE;
+ written += t2p_write_pdf_xobject_cs(t2p, output);
+ t2p->pdf_colorspace |= T2P_CS_PALETTE;
+- buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
++ buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " ", 1);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs );
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs );
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
+ return(written);
+@@ -4740,10 +4722,10 @@
+ X_W /= Y_W;
+ Z_W /= Y_W;
+ Y_W = 1.0F;
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
+- buflen=sprintf(buffer, "[%d %d %d %d] \n",
++ buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n",
+ t2p->pdf_labrange[0],
+ t2p->pdf_labrange[1],
+ t2p->pdf_labrange[2],
+@@ -4759,26 +4741,26 @@
+ tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
+ if(t2p->tiff_transferfunctioncount == 1){
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "[ ", 2);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 2));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)(t2p->pdf_xrefcount + 3));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
+@@ -4800,7 +4782,7 @@
+ written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
+ written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
+ written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
+- buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
++ buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
+ written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
+@@ -4827,7 +4809,7 @@
+ tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[128];
++ char buffer[256];
+ int buflen=0;
+
+ float X_W=0.0;
+@@ -4895,16 +4877,16 @@
+ written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
+ if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
+ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
+ }
+ if(t2p->pdf_colorspace & T2P_CS_CALRGB){
+ written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
+- buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
++ buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n",
+ X_R, Y_R, Z_R,
+ X_G, Y_G, Z_G,
+ X_B, Y_B, Z_B);
+@@ -4923,11 +4905,11 @@
+ tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
+
+@@ -4937,11 +4919,11 @@
+ tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ written += t2pWriteFile(output, (tdata_t) "/N ", 3);
+- buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
++ buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
+ t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
+@@ -5006,7 +4988,7 @@
+ tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[16];
++ char buffer[32];
+ int buflen=0;
+
+ if(t2p->pdf_compression==T2P_COMPRESS_NONE){
+@@ -5021,41 +5003,33 @@
+ written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
+ if(tile==0){
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_width);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(buffer, "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_length);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+ if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ } else {
+ written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
+- buflen=sprintf(
+- buffer,
+- "%lu",
++ buflen=snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ }
+@@ -5082,21 +5056,17 @@
+ if(t2p->pdf_compressionquality%100){
+ written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
+ written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen = sprintf(buffer, "%lu",
++ buflen = snprintf(buffer, sizeof(buffer), "%lu",
+ (unsigned long)t2p->tiff_width);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
+- _TIFFmemset(buffer, 0x00, 16);
+- buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
++ buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
+ }
+@@ -5116,16 +5086,16 @@
+ tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
+
+ tsize_t written=0;
+- char buffer[21];
++ char buffer[64];
+ int buflen=0;
+ uint32 i=0;
+
+ written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
+- buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+ written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
+ for (i=0;i<t2p->pdf_xrefcount;i++){
+- sprintf(buffer, "%.10lu 00000 n \n",
++ snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
+ (unsigned long)t2p->pdf_xrefoffsets[i]);
+ written += t2pWriteFile(output, (tdata_t) buffer, 20);
+ }
+@@ -5149,17 +5119,14 @@
+ snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
+
+ written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
+- buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
++ buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
+ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
+ sizeof(t2p->pdf_fileid) - 1);
+@@ -5167,9 +5134,8 @@
+ written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
+ sizeof(t2p->pdf_fileid) - 1);
+ written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
+- buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
++ buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
+ written += t2pWriteFile(output, (tdata_t) buffer, buflen);
+- _TIFFmemset(buffer, 0x00, 32);
+ written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
+
+ return(written);
+diff -Naur tiff-4.0.3.orig/tools/tiff2ps.c tiff-4.0.3/tools/tiff2ps.c
+--- tiff-4.0.3.orig/tools/tiff2ps.c 2011-05-31 13:10:18.000000000 -0400
++++ tiff-4.0.3/tools/tiff2ps.c 2013-05-02 12:02:42.789287990 -0400
+@@ -1781,8 +1781,8 @@
+ imageOp = "imagemask";
+
+ (void)strcpy(im_x, "0");
+- (void)sprintf(im_y, "%lu", (long) h);
+- (void)sprintf(im_h, "%lu", (long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
++ (void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
+ tile_width = w;
+ tile_height = h;
+ if (TIFFIsTiled(tif)) {
+@@ -1803,7 +1803,7 @@
+ }
+ if (tile_height < h) {
+ fputs("/im_y 0 def\n", fd);
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ } else {
+ repeat_count = tf_numberstrips;
+@@ -1815,7 +1815,7 @@
+ fprintf(fd, "/im_h %lu def\n",
+ (unsigned long) tile_height);
+ (void)strcpy(im_h, "im_h");
+- (void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
++ (void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
+ }
+ }
+
+diff -Naur tiff-4.0.3.orig/tools/tiffcrop.c tiff-4.0.3/tools/tiffcrop.c
+--- tiff-4.0.3.orig/tools/tiffcrop.c 2010-12-14 09:18:28.000000000 -0500
++++ tiff-4.0.3/tools/tiffcrop.c 2013-05-02 12:02:42.791288005 -0400
+@@ -2077,7 +2077,7 @@
+ return 1;
+ }
+
+- sprintf (filenum, "-%03d%s", findex, export_ext);
++ snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
+ filenum[14] = '\0';
+ strncat (exportname, filenum, 15);
+ }
+@@ -2230,8 +2230,8 @@
+
+ /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
++ dump.infilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+@@ -2249,8 +2249,8 @@
+
+ /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes
+ fewer than PATH_MAX */
+- memset (temp_filename, '\0', PATH_MAX + 1);
+- sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
++ snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
++ dump.outfilename, dump_images,
+ (dump.format == DUMP_TEXT) ? "txt" : "raw");
+ if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
+ {
+diff -Naur tiff-4.0.3.orig/tools/tiffdither.c tiff-4.0.3/tools/tiffdither.c
+--- tiff-4.0.3.orig/tools/tiffdither.c 2010-03-10 13:56:50.000000000 -0500
++++ tiff-4.0.3/tools/tiffdither.c 2013-05-02 12:02:42.792288013 -0400
+@@ -260,7 +260,7 @@
+ TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
+ else
+ CopyField(TIFFTAG_FILLORDER, shortv);
+- sprintf(thing, "Dithered B&W version of %s", argv[optind]);
++ snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
+ TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
+ CopyField(TIFFTAG_PHOTOMETRIC, shortv);
+ CopyField(TIFFTAG_ORIENTATION, shortv);
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch
new file mode 100644
index 000000000000..c4b344602e0b
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4231.patch
@@ -0,0 +1,16 @@
+http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-4231.patch
+http://bugs.gentoo.org/480466
+
+--- tools/gif2tiff.c
++++ tools/gif2tiff.c
+@@ -333,6 +333,10 @@ readraster(void)
+ int status = 1;
+
+ datasize = getc(infile);
++
++ if (datasize > 12)
++ return 0;
++
+ clear = 1 << datasize;
+ eoi = clear + 1;
+ avail = clear + 2;
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch
new file mode 100644
index 000000000000..98edff5d44d5
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4232.patch
@@ -0,0 +1,13 @@
+http://pkgs.fedoraproject.org/cgit/libtiff.git/plain/libtiff-CVE-2013-4232.patch
+http://bugs.gentoo.org/480466
+
+--- tools/tiff2pdf.c
++++ tools/tiff2pdf.c
+@@ -2462,6 +2462,7 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ _TIFFfree(buffer);
++ return(0);
+ } else {
+ buffer=samplebuffer;
+ t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch
new file mode 100644
index 000000000000..792e076981a6
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-CVE-2013-4244.patch
@@ -0,0 +1,15 @@
+diff --git a/tools/gif2tiff.c b/tools/gif2tiff.c
+index 375b152..2731273 100644
+--- a/tools/gif2tiff.c
++++ b/tools/gif2tiff.c
+@@ -402,6 +402,10 @@ process(register int code, unsigned char** fill)
+ }
+
+ if (oldcode == -1) {
++ if (code >= clear) {
++ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
diff --git a/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch b/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch
new file mode 100644
index 000000000000..92cff7ea4e16
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-libjpeg-turbo.patch
@@ -0,0 +1,122 @@
+Back-port upstream patch to avoid assuming quite so much about what libjpeg
+will return. Needed because libjpeg-turbo with the jpeg8 API broke the
+expectations of the previous coding.
+
+
+diff -Naur tiff-4.0.3.orig/test/raw_decode.c tiff-4.0.3/test/raw_decode.c
+--- tiff-4.0.3.orig/test/raw_decode.c 2012-07-06 13:05:16.000000000 -0400
++++ tiff-4.0.3/test/raw_decode.c 2012-12-19 13:04:37.609738276 -0500
+@@ -71,33 +71,54 @@
+ return 1;
+ }
+
+-static int check_rgb_pixel( int pixel, int red, int green, int blue, unsigned char *buffer ) {
++static int check_rgb_pixel( int pixel,
++ int min_red, int max_red,
++ int min_green, int max_green,
++ int min_blue, int max_blue,
++ unsigned char *buffer ) {
+ unsigned char *rgb = buffer + 3 * pixel;
+
+- if( rgb[0] == red && rgb[1] == green && rgb[2] == blue ) {
++ if( rgb[0] >= min_red && rgb[0] <= max_red &&
++ rgb[1] >= min_green && rgb[1] <= max_green &&
++ rgb[2] >= min_blue && rgb[2] <= max_blue ) {
+ return 0;
+ }
+
+ fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
+- fprintf( stderr, "Expect: %3d %3d %3d\n", red, green, blue );
+- fprintf( stderr, " Got: %3d %3d %3d\n", rgb[0], rgb[1], rgb[2] );
++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d)\n",
++ rgb[0], min_red, max_red,
++ rgb[1], min_green, max_green,
++ rgb[2], min_blue, max_blue );
+ return 1;
+ }
+
+-static int check_rgba_pixel( int pixel, int red, int green, int blue, int alpha, uint32 *buffer ) {
++static int check_rgba_pixel( int pixel,
++ int min_red, int max_red,
++ int min_green, int max_green,
++ int min_blue, int max_blue,
++ int min_alpha, int max_alpha,
++ uint32 *buffer ) {
+ /* RGBA images are upside down - adjust for normal ordering */
+ int adjusted_pixel = pixel % 128 + (127 - (pixel/128)) * 128;
+ uint32 rgba = buffer[adjusted_pixel];
+
+- if( TIFFGetR(rgba) == (uint32) red && TIFFGetG(rgba) == (uint32) green &&
+- TIFFGetB(rgba) == (uint32) blue && TIFFGetA(rgba) == (uint32) alpha ) {
++ if( TIFFGetR(rgba) >= (uint32) min_red &&
++ TIFFGetR(rgba) <= (uint32) max_red &&
++ TIFFGetG(rgba) >= (uint32) min_green &&
++ TIFFGetG(rgba) <= (uint32) max_green &&
++ TIFFGetB(rgba) >= (uint32) min_blue &&
++ TIFFGetB(rgba) <= (uint32) max_blue &&
++ TIFFGetA(rgba) >= (uint32) min_alpha &&
++ TIFFGetA(rgba) <= (uint32) max_alpha ) {
+ return 0;
+ }
+
+ fprintf( stderr, "Pixel %d did not match expected results.\n", pixel );
+- fprintf( stderr, "Expect: %3d %3d %3d %3d\n", red, green, blue, alpha );
+- fprintf( stderr, " Got: %3d %3d %3d %3d\n",
+- TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), TIFFGetA(rgba) );
++ fprintf( stderr, "Got R=%d (expected %d..%d), G=%d (expected %d..%d), B=%d (expected %d..%d), A=%d (expected %d..%d)\n",
++ TIFFGetR(rgba), min_red, max_red,
++ TIFFGetG(rgba), min_green, max_green,
++ TIFFGetB(rgba), min_blue, max_blue,
++ TIFFGetA(rgba), min_alpha, max_alpha );
+ return 1;
+ }
+
+@@ -191,15 +212,17 @@
+ return 1;
+ }
+
+-#if JPEG_LIB_VERSION >= 70
+- pixel_status |= check_rgb_pixel( 0, 18, 0, 41, buffer );
+- pixel_status |= check_rgb_pixel( 64, 0, 0, 0, buffer );
+- pixel_status |= check_rgb_pixel( 512, 5, 34, 196, buffer );
+-#else
+- pixel_status |= check_rgb_pixel( 0, 15, 0, 18, buffer );
+- pixel_status |= check_rgb_pixel( 64, 0, 0, 2, buffer );
+- pixel_status |= check_rgb_pixel( 512, 6, 36, 182, buffer );
+-#endif
++ /*
++ * JPEG decoding is inherently inexact, so we can't test for exact
++ * pixel values. (Well, if we knew exactly which libjpeg version
++ * we were using, and with what settings, we could expect specific
++ * values ... but it's not worth the trouble to keep track of.)
++ * Hence, use ranges of expected values. The ranges may need to be
++ * widened over time as more versions of libjpeg appear.
++ */
++ pixel_status |= check_rgb_pixel( 0, 15, 18, 0, 0, 18, 41, buffer );
++ pixel_status |= check_rgb_pixel( 64, 0, 0, 0, 0, 0, 2, buffer );
++ pixel_status |= check_rgb_pixel( 512, 5, 6, 34, 36, 182, 196, buffer );
+
+ free( buffer );
+
+@@ -224,15 +247,12 @@
+ * accomplish it from the YCbCr subsampled buffer ourselves in which
+ * case the results may be subtly different but similar.
+ */
+-#if JPEG_LIB_VERSION >= 70
+- pixel_status |= check_rgba_pixel( 0, 18, 0, 41, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 512, 5, 34, 196, 255, rgba_buffer );
+-#else
+- pixel_status |= check_rgba_pixel( 0, 15, 0, 18, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 64, 0, 0, 2, 255, rgba_buffer );
+- pixel_status |= check_rgba_pixel( 512, 6, 36, 182, 255, rgba_buffer );
+-#endif
++ pixel_status |= check_rgba_pixel( 0, 15, 18, 0, 0, 18, 41, 255, 255,
++ rgba_buffer );
++ pixel_status |= check_rgba_pixel( 64, 0, 0, 0, 0, 0, 2, 255, 255,
++ rgba_buffer );
++ pixel_status |= check_rgba_pixel( 512, 5, 6, 34, 36, 182, 196, 255, 255,
++ rgba_buffer );
+
+ free( rgba_buffer );
+ TIFFClose(tif);
diff --git a/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch b/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch
new file mode 100644
index 000000000000..a503444b107c
--- /dev/null
+++ b/media-libs/tiff/files/tiff-4.0.3-tiff2pdf-colors.patch
@@ -0,0 +1,15 @@
+http://bugs.gentoo.org/145055
+
+http://build.opensuse.org/package/view_file?file=tiff-4.0.2-tiff2pdf-colors.patch&package=tiff&project=openSUSE%3AFactory
+
+--- tools/tiff2pdf.c
++++ tools/tiff2pdf.c
+@@ -4991,7 +4991,7 @@
+
+ if(t2p->tiff_photometric != PHOTOMETRIC_YCBCR) {
+ written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
+- written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 0 >>\n", 24);
++ written += t2pWriteFile(output, (tdata_t) "<< /ColorTransform 1 >>\n", 24);
+ }
+ break;
+ #endif
diff --git a/media-libs/tiff/metadata.xml b/media-libs/tiff/metadata.xml
new file mode 100644
index 000000000000..fee1dc15ab8d
--- /dev/null
+++ b/media-libs/tiff/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>graphics</herd>
+<longdescription>TIFF image library and tools, mostly for scanner and fax
+ support, but also used by GIS and other imaging tools.</longdescription>
+</pkgmetadata>
diff --git a/media-libs/tiff/tiff-3.9.7-r1.ebuild b/media-libs/tiff/tiff-3.9.7-r1.ebuild
new file mode 100644
index 000000000000..4d32404e5da6
--- /dev/null
+++ b/media-libs/tiff/tiff-3.9.7-r1.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+# this ebuild is only for the libtiff.so.3 (+ 4) and libtiffxx.so.3 (+ 4) SONAME for ABI compat
+
+inherit eutils libtool multilib multilib-minimal
+
+DESCRIPTION="Library for manipulation of TIFF (Tag Image File Format) images"
+HOMEPAGE="http://www.remotesensing.org/libtiff/"
+SRC_URI="ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
+
+LICENSE="libtiff"
+SLOT="3"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 m68k ~mips ~ppc ~ppc64 s390 sh ~sparc x86 ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx jbig jpeg zlib"
+
+RDEPEND="jpeg? ( >=virtual/jpeg-0-r2[${MULTILIB_USEDEP}] )
+ jbig? ( >=media-libs/jbigkit-2.1[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+ !media-libs/tiff-compat
+ !=media-libs/tiff-3*:0
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20130224-r10
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${RDEPEND}"
+
+src_prepare() {
+ epatch \
+ "${FILESDIR}"/${P}-CVE-2012-{4447,4564,5581}.patch \
+ "${FILESDIR}"/${P}-tiffinfo-exif.patch \
+ "${FILESDIR}"/${P}-printdir-width.patch
+
+ elibtoolize
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --libdir=/libdir \
+ --disable-static \
+ $(use_enable cxx) \
+ $(use_enable zlib) \
+ $(use_enable jpeg) \
+ $(use_enable jbig) \
+ --without-x
+}
+
+multilib_src_install() {
+ # Let `make install` and libtool handle insecure runpath(s)
+ dodir tmp
+ emake DESTDIR="${ED}/tmp" install
+
+ # .so.3 (upstream) is used by sci-chemistry/icm
+ # .so.4 (Debian) is used by net-im/skype
+ exeinto /usr/$(get_libdir)
+ doexe "${ED}"/tmp/libdir/libtiff$(get_libname 3)
+ dosym libtiff$(get_libname 3) /usr/$(get_libdir)/libtiff$(get_libname 4)
+ if use cxx; then
+ doexe "${ED}"/tmp/libdir/libtiffxx$(get_libname 3)
+ dosym libtiffxx$(get_libname 3) /usr/$(get_libdir)/libtiffxx$(get_libname 4)
+ fi
+
+ rm -rf "${ED}"/tmp
+}
+
+multilib_src_install_all() {
+ # (avoid installing docs)
+ :
+}
diff --git a/media-libs/tiff/tiff-4.0.3-r6.ebuild b/media-libs/tiff/tiff-4.0.3-r6.ebuild
new file mode 100644
index 000000000000..b893a65173da
--- /dev/null
+++ b/media-libs/tiff/tiff-4.0.3-r6.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+inherit eutils libtool multilib-minimal
+
+DESCRIPTION="Tag Image File Format (TIFF) library"
+HOMEPAGE="http://www.remotesensing.org/libtiff/"
+SRC_URI="http://download.osgeo.org/libtiff/${P}.tar.gz
+ ftp://ftp.remotesensing.org/pub/libtiff/${P}.tar.gz"
+
+LICENSE="libtiff"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="+cxx jbig jpeg lzma static-libs test zlib"
+
+RDEPEND="jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+ jbig? ( >=media-libs/jbigkit-2.1:=[${MULTILIB_USEDEP}] )
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}] )
+ abi_x86_32? (
+ !<=app-emulation/emul-linux-x86-baselibs-20130224-r9
+ !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+ )"
+DEPEND="${RDEPEND}"
+
+REQUIRED_USE="test? ( jpeg )" #483132
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/tiffconf.h
+)
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-4.0.3-tiff2pdf-colors.patch #145055
+ epatch "${FILESDIR}"/${P}-CVE-2012-{4447,4564}.patch #440944
+ epatch "${FILESDIR}"/${P}-CVE-2013-{1960,1961}.patch #468334
+ epatch "${FILESDIR}"/${P}-CVE-2013-{4231,4232}.patch #480466
+ epatch "${FILESDIR}"/${P}-CVE-2013-4244.patch #486590
+ epatch "${FILESDIR}"/${P}-libjpeg-turbo.patch
+
+ elibtoolize
+}
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ $(use_enable static-libs static) \
+ $(use_enable zlib) \
+ $(use_enable jpeg) \
+ $(use_enable jbig) \
+ $(use_enable lzma) \
+ $(use_enable cxx) \
+ --without-x \
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
+
+ # remove useless subdirs
+ if ! multilib_is_native_abi ; then
+ sed -i \
+ -e 's/ tools//' \
+ -e 's/ contrib//' \
+ -e 's/ man//' \
+ -e 's/ html//' \
+ Makefile || die
+ fi
+}
+
+multilib_src_test() {
+ if ! multilib_is_native_abi ; then
+ cd tools
+ emake
+ cd "${BUILD_DIR}"
+ fi
+ emake check
+}
+
+multilib_src_install_all() {
+ prune_libtool_files --all
+ rm -f "${ED}"/usr/share/doc/${PF}/{COPYRIGHT,README*,RELEASE-DATE,TODO,VERSION}
+}