-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
-@@ -722,15 +722,31 @@
- segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- }
-- if (sp->cinfo.d.image_width != segment_width ||
-- sp->cinfo.d.image_height != segment_height) {
-+ if (sp->cinfo.d.image_width < segment_width ||
-+ sp->cinfo.d.image_height < segment_height) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
- segment_width,
- segment_height,
- sp->cinfo.d.image_width,
- sp->cinfo.d.image_height);
-+ }
-+
-+ if (sp->cinfo.d.image_width > segment_width ||
-+ sp->cinfo.d.image_height > segment_height) {
-+ /*
-+ * This case could be dangerous, if the strip or tile size has been
-+ * reported as less than the amount of data jpeg will return, some
-+ * potential security issues arise. Catch this case and error out.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "JPEG strip/tile size exceeds expected dimensions,"
-+ "expected %dx%d, got %dx%d", segment_width, segment_height,
-+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+ return (0);
- }
-+
- if (sp->cinfo.d.num_components !=
- (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
- sp->cinfo.d.comp_info[0].v_samp_factor,
- sp->h_sampling, sp->v_sampling);
-
-+ /*
-+ * There are potential security issues here for decoders that
-+ * have already allocated buffers based on the expected sampling
-+ * factors. Lets check the sampling factors dont exceed what
-+ * we were expecting.
-+ * -- taviso@google.com 14 June 2006
-+ */
-+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot honour JPEG sampling factors that"
-+ " exceed those specified.");
-+ return (0);
-+ }
-+
-+
- /*
- * XXX: Files written by the Intergraph software
- * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- JPEGState *sp = JState(tif);
-
-- assert(sp != 0);
-+ /* assert(sp != 0); */
-
- tif->tif_tagmethods.vgetfield = sp->vgetparent;
- tif->tif_tagmethods.vsetfield = sp->vsetparent;
-
-- if( sp->cinfo_initialized )
-- TIFFjpeg_destroy(sp); /* release libjpeg resources */
-- if (sp->jpegtables) /* tag value */
-- _TIFFfree(sp->jpegtables);
-+ if (sp != NULL) {
-+ if( sp->cinfo_initialized )
-+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
-+ if (sp->jpegtables) /* tag value */
-+ _TIFFfree(sp->jpegtables);
-+ }
-+
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
-
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- JPEGState* sp = JState(tif);
-
-- assert(sp != NULL);
-+ /* assert(sp != NULL); */
-+ if (sp == NULL) {
-+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+ return;
-+ }
-
- (void) flags;
- if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
-@@ -105,11 +105,16 @@
- * as codes of the form <color><npixels>
- * until we've filled the scanline.
- */
-+ /*
-+ * Ensure the run does not exceed the scanline
-+ * bounds, potentially resulting in a security issue.
-+ * -- taviso@google.com 14 Jun 2006.
-+ */
- op = row;
- for (;;) {
- grey = (n>>6) & 0x3;
- n &= 0x3f;
-- while (n-- > 0)
-+ while (n-- > 0 && npixels < imagewidth)
- SETPIXEL(op, grey);
- if (npixels >= (int) imagewidth)
- break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
-@@ -768,7 +768,19 @@
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabArrayOfShort(up, nsamples);
-
-- for (i = 0; i < nsamples; i += llen, up += llen) {
-+ /*
-+ * if llen is not an exact multiple of nsamples, the decode operation
-+ * may overflow the output buffer, so truncate it enough to prevent that
-+ * but still salvage as much data as possible.
-+ * -- taviso@google.com 14th June 2006
-+ */
-+ if (nsamples % llen)
-+ TIFFWarningExt(tif->tif_clientdata, module,
-+ "%s: stride %lu is not a multiple of sample count, "
-+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
-+
-+
-+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- switch (sp->user_datafmt) {
- case PIXARLOGDATAFMT_FLOAT:
- horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
-+#include <limits.h>
-+
- int TIFFFillStrip(TIFF*, tstrip_t);
- int TIFFFillTile(TIFF*, ttile_t);
- static int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+ /*
-+ * This sanity check could potentially overflow, causing an OOB read.
-+ * verify that offset + bytecount is > offset.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- /*
- * This error message might seem strange, but it's
- * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+ /*
-+ * We must check this calculation doesnt overflow, potentially
-+ * causing an OOB read.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
-+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- tif->tif_curtile = NOTILE;
- return (0);
- }