2017-06-11  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* contrib/iptcutil/iptcutil.c [_O_BINARY]:  Define _O_BINARY as O_BINARY,
	_fileno as _fileno and _setmode as setmode.
	[__DJGPP__]:  Include <sys/exceptn.h> for __djgpp_set_ctrl_c declaration
	and <unistd.h> for isatty declaration.
	Define SET_BINARY macro.  For POSIX like OS this is a no-op.  For Win32
	it calls setmode.
	(main):  For DJGPP, call SET_BINARY to reenable SIGINT and SIGQUIT
	signals if stdin and/or stdout is connected to console and has been
	switched to binary mode.

	* libtiff/tiffiop.h [HAVE_SEARCH_H]:  New guard HAVE_LFIND added.
	Do not assume that <search.h> provides lfind().

	* libtiff/tif_jpeg.c (JPEGCleanup, JPEGPrintDir):  Assertion did not
	hold true, resulting in the client application calling abort().

	* tools/fax2ps.c [_O_BINARY]:  Define _O_BINARY as O_BINARY, _fileno as
	_fileno and _setmode as setmode.
	[__DJGPP__]:  Define SET_BINARY to have interruptible terminal reads
	and writes; include <unistd.h> for isatty declaration and
	<sys/exceptn.h> for __djgpp_set_ctrl_c declaration.  For POSIX like OS
	this is a no-op.  For Win32 it calls setmode.
	(main):  Use SET_BINARY instead of setmode() to reenable SIGINT and
	SIGQUIT if stdin and/or stdout is connected to console and has been
	switched to binary mode.

	* tools/ppm2tiff.c [_O_BINARY]:  Define _O_BINARY as O_BINARY, _fileno as
	_fileno and _setmode as setmode.
	[__DJGPP__]: Define SET_BINARY to have interruptible terminal reads
	and writes; include <unistd.h> for isatty declaration and
	<sys/exceptn.h> for __djgpp_set_ctrl_c declaration.  For POSIX like OS
	this is a no-op.  For Win32 it calls setmode.
	(main):  Use SET_BINARY instead of setmode() to reenable SIGINT and
	SIGQUIT if stdin and/or stdout is connected to console and has been
	switched to binary mode.






diff -aprNU5 tiff-4.0.8.orig/contrib/iptcutil/iptcutil.c tiff-4.0.8/contrib/iptcutil/iptcutil.c
--- tiff-4.0.8.orig/contrib/iptcutil/iptcutil.c	2015-06-21 01:09:08 +0000
+++ tiff-4.0.8/contrib/iptcutil/iptcutil.c	2017-06-11 14:28:16 +0000
@@ -11,10 +11,50 @@
 # include <strings.h>
 #endif
 
 #ifdef HAVE_IO_H
 # include <io.h>
+# ifdef _O_BINARY
+#  define _O_BINARY       O_BINARY
+#  define _fileno(f)      fileno(f)
+#  define _setmode(f, m)  setmode(f, m)
+# endif /* __O_BINARY */
+
+# ifdef __DJGPP__
+#  if defined (__GNUC__) && (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 8))
+#    define __gnuc_extension__  __extension__
+#  else
+#    define __gnuc_extension__
+#  endif
+
+#  include <unistd.h>       /* to declare isatty() */
+#  include <sys/exceptn.h>  /* to declare __djgpp_set_ctrl_c() */
+   /* This is DJGPP-specific.  By default, switching console
+      to binary mode disables SIGINT and SIGQUIT.  But it
+      is preferable to have terminal reads and writes to
+      be interruptible.  */
+#  define SET_BINARY(f)                                          \
+   (__gnuc_extension__                                           \
+     ({                                                          \
+        int file_descriptor = fileno(f);                         \
+        int previous_mode = setmode(file_descriptor, O_BINARY);  \
+        if (isatty(file_descriptor))                             \
+          __djgpp_set_ctrl_c(1);                                 \
+        previous_mode;                                           \
+     })                                                          \
+   )
+# endif /* __DJGPP__ */
+# ifdef WIN32
+#  define SET_BINARY(f)   (setmode(fileno(f), O_BINARY))
+# endif
+# ifdef __CYGWIN__
+#  define SET_BINARY(f)   /* */
+# endif
+#endif
+
+#ifndef SET_BINARY
+# define SET_BINARY(f)   /* */
 #endif
 
 #ifdef HAVE_FCNTL_H
 # include <fcntl.h>
 #endif
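Review bot: The `# ifdef _O_BINARY` guard at the top of the added block looks inverted: the three aliases are defined only when `_O_BINARY` already exists, so `_O_BINARY` is redefined on toolchains that provide it and none of the aliases appear on toolchains that lack it. `# ifndef _O_BINARY`, with the closing comment corrected from `/* __O_BINARY */` to `/* _O_BINARY */`, matches what the ChangeLog entry describes. The same block is repeated in the tools/fax2ps.c and tools/ppm2tiff.c header hunks. Since the `main` hunk replaces the `_setmode` calls with `SET_BINARY`, the aliases may not be needed at all; confirm that against the rest of each file.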
@@ -414,21 +454,17 @@ int main(int argc, char *argv[])
           c = argv[i][1];
           switch( c )
             {
             case 't':
               mode = 1;
-#ifdef WIN32
               /* Set "stdout" to binary mode: */
-              _setmode( _fileno( ofile ), _O_BINARY );
-#endif
+              SET_BINARY(ofile);
               break;
             case 'b':
               mode = 0;
-#ifdef WIN32
               /* Set "stdin" to binary mode: */
-              _setmode( _fileno( ifile ), _O_BINARY );
-#endif
+              SET_BINARY(ifile);
               break;
             case 'i':
               if (mode == 0)
                 ifile = fopen(argv[++i], "rb");
               else
diff -aprNU5 tiff-4.0.8.orig/libtiff/tiffiop.h tiff-4.0.8/libtiff/tiffiop.h
--- tiff-4.0.8.orig/libtiff/tiffiop.h	2016-12-13 21:39:04 +0000
+++ tiff-4.0.8/libtiff/tiffiop.h	2017-06-11 14:29:58 +0000
@@ -48,11 +48,11 @@
 # include <assert.h>
 #else
 # define assert(x) 
 #endif
 
-#ifdef HAVE_SEARCH_H
+#if defined HAVE_SEARCH_H && defined HAVE_LFIND
 # include <search.h>
 #else
 extern void *lfind(const void *, const void *, size_t *, size_t,
 		   int (*)(const void *, const void *));
 #endif
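Review bot: `HAVE_LFIND` is a new configuration macro, but nothing in this patch defines it, so a build whose config header does not set it now takes the `#else` branch even where `<search.h>` declares lfind(). The hand-written prototype is then the only declaration, and it can conflict if `<search.h>` is pulled in elsewhere with a different signature. A comment above the condition, for example `/* HAVE_LFIND must be set by the build configuration when the C library provides lfind(); otherwise the prototype below is used */`, plus a check that every supported build system sets the macro, would make the dependency explicit.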
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_jpeg.c tiff-4.0.8/libtiff/tif_jpeg.c
--- tiff-4.0.8.orig/libtiff/tif_jpeg.c	2017-02-13 14:30:20 +0000
+++ tiff-4.0.8/libtiff/tif_jpeg.c	2017-06-11 14:32:30 +0000
@@ -2086,11 +2086,11 @@ JPEGPostEncode(TIFF* tif)
 static void
 JPEGCleanup(TIFF* tif)
 {
 	JPEGState *sp = JState(tif);
 	
-	assert(sp != 0);
+	/* assert(sp != 0); */
 
 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
 	tif->tif_tagmethods.printdir = sp->printdir;
         if( sp->cinfo_initialized )
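Review bot: With the assertion commented out, a NULL `sp` now reaches `sp->vgetparent` on the next statement, so the case the ChangeLog describes (the assertion not holding) turns an abort() into a NULL pointer dereference. Replace the commented-out line with an explicit guard, `if (sp == NULL) return;`, as the JPEGPrintDir hunk in this file does; every visible statement after it reads through `sp`. The tiffiop.h context in this patch shows `assert` can compile to nothing, so the dereference was already reachable in such builds and the guard is needed either way. JPEGCleanup's body continues past the end of the hunk.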
@@ -2223,11 +2223,15 @@ JPEGVGetField(TIFF* tif, uint32 tag, va_
 static void
 JPEGPrintDir(TIFF* tif, FILE* fd, long flags)
 {
 	JPEGState* sp = JState(tif);
 
-	assert(sp != NULL);
+	/* assert(sp != NULL); */
+	if (sp == NULL) {
+		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+		return;
+	}
 	(void) flags;
 
         if( sp != NULL ) {
 		if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
 			fprintf(fd, "  JPEG Tables: (%lu bytes)\n",
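Review bot: The new early return makes the `if( sp != NULL )` test a few lines below always true, and the commented-out `assert` is dead text; both are better deleted than left in place. `(void) flags;` now sits after a return path, which is harmless but reads better directly after the declaration. A NULL state here suggests the directory's print method still points at this codec after its state is gone, which the warning reports but does not explain; this is inferred, since the caller is not in the hunk. JPEGPrintDir continues outside the hunk.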
diff -aprNU5 tiff-4.0.8.orig/tools/fax2ps.c tiff-4.0.8/tools/fax2ps.c
--- tiff-4.0.8.orig/tools/fax2ps.c	2015-09-06 18:24:26 +0000
+++ tiff-4.0.8/tools/fax2ps.c	2017-06-11 14:33:32 +0000
@@ -39,10 +39,50 @@
 # include <fcntl.h>
 #endif
 
 #ifdef HAVE_IO_H
 # include <io.h>
+# ifdef _O_BINARY
+#  define _O_BINARY       O_BINARY
+#  define _fileno(f)      fileno(f)
+#  define _setmode(f, m)  setmode(f, m)
+# endif /* __O_BINARY */
+
+# ifdef __DJGPP__
+#  if defined (__GNUC__) && (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 8))
+#    define __gnuc_extension__  __extension__
+#  else
+#    define __gnuc_extension__
+#  endif
+
+#  include <unistd.h>       /* to declare isatty() */
+#  include <sys/exceptn.h>  /* to declare __djgpp_set_ctrl_c() */
+   /* This is DJGPP-specific.  By default, switching console
+      to binary mode disables SIGINT and SIGQUIT.  But it
+      is preferable to have terminal reads and writes to
+      be interruptible.  */
+#  define SET_BINARY(f)                                          \
+   (__gnuc_extension__                                           \
+     ({                                                          \
+        int file_descriptor = fileno(f);                         \
+        int previous_mode = setmode(file_descriptor, O_BINARY);  \
+        if (isatty(file_descriptor))                             \
+          __djgpp_set_ctrl_c(1);                                 \
+        previous_mode;                                           \
+     })                                                          \
+   )
+# endif /* __DJGPP__ */
+# ifdef WIN32
+#  define SET_BINARY(f)   (setmode(fileno(f), O_BINARY))
+# endif
+# ifdef __CYGWIN__
+#  define SET_BINARY(f)   /* */
+# endif
+#endif
+
+#ifndef SET_BINARY
+# define SET_BINARY(f)   /* */
 #endif
 
 #ifdef NEED_LIBPORT
 # include "libport.h"
 #endif
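Review bot: `SET_BINARY` is selected here by platform macro (`__DJGPP__`, `WIN32`, `__CYGWIN__`) inside `HAVE_IO_H`, while the call it replaces in `main` (the next hunk, and the matching one in tools/ppm2tiff.c) was enabled by `HAVE_SETMODE && O_BINARY`. Any target that has setmode() and O_BINARY but is not in this list, or has no <io.h>, now gets the empty definition and reads stdin in text mode, which can silently alter or truncate binary input; Cygwin is made a no-op explicitly. If that is not intended, keep a feature-test fallback before the final `#ifndef SET_BINARY`: `#if !defined(SET_BINARY) && defined(HAVE_SETMODE) && defined(O_BINARY)`, `# define SET_BINARY(f) (setmode(fileno(f), O_BINARY))`, `#endif`.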
@@ -393,13 +433,11 @@ main(int argc, char** argv)
 	fd = tmpfile();
 	if (fd == NULL) {
 	    fprintf(stderr, "Could not obtain temporary file.\n");
 	    exit(-2);
 	}
-#if defined(HAVE_SETMODE) && defined(O_BINARY)
-	setmode(fileno(stdin), O_BINARY);
-#endif
+	SET_BINARY(stdin);
 	while ((n = read(fileno(stdin), buf, sizeof (buf))) > 0) {
                 if (write(fileno(fd), buf, n) != n) {
                         fclose(fd);
                         fprintf(stderr,
                                 "Could not copy stdin to temporary file.\n");
diff -aprNU5 tiff-4.0.8.orig/tools/ppm2tiff.c tiff-4.0.8/tools/ppm2tiff.c
--- tiff-4.0.8.orig/tools/ppm2tiff.c	2015-08-28 22:17:08 +0000
+++ tiff-4.0.8/tools/ppm2tiff.c	2017-06-11 14:34:54 +0000
@@ -39,10 +39,50 @@
 # include <fcntl.h>
 #endif
 
 #ifdef HAVE_IO_H
 # include <io.h>
+# ifdef _O_BINARY
+#  define _O_BINARY       O_BINARY
+#  define _fileno(f)      fileno(f)
+#  define _setmode(f, m)  setmode(f, m)
+# endif /* __O_BINARY */
+
+# ifdef __DJGPP__
+#  if defined (__GNUC__) && (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 8))
+#    define __gnuc_extension__  __extension__
+#  else
+#    define __gnuc_extension__
+#  endif
+
+#  include <unistd.h>       /* to declare isatty() */
+#  include <sys/exceptn.h>  /* to declare __djgpp_set_ctrl_c() */
+   /* This is DJGPP-specific.  By default, switching console
+      to binary mode disables SIGINT and SIGQUIT.  But it
+      is preferable to have terminal reads and writes to
+      be interruptible.  */
+#  define SET_BINARY(f)                                          \
+   (__gnuc_extension__                                           \
+     ({                                                          \
+        int file_descriptor = fileno(f);                         \
+        int previous_mode = setmode(file_descriptor, O_BINARY);  \
+        if (isatty(file_descriptor))                             \
+          __djgpp_set_ctrl_c(1);                                 \
+        previous_mode;                                           \
+     })                                                          \
+   )
+# endif /* __DJGPP__ */
+# ifdef WIN32
+#  define SET_BINARY(f)   (setmode(fileno(f), O_BINARY))
+# endif
+# ifdef __CYGWIN__
+#  define SET_BINARY(f)   /* */
+# endif
+#endif
+
+#ifndef SET_BINARY
+# define SET_BINARY(f)   /* */
 #endif
 
 #ifdef NEED_LIBPORT
 # include "libport.h"
 #endif
@@ -142,13 +182,11 @@ main(int argc, char* argv[])
 			return (-1);
 		}
 	} else {
 		infile = "<stdin>";
 		in = stdin;
-#if defined(HAVE_SETMODE) && defined(O_BINARY)
-		setmode(fileno(stdin), O_BINARY);
-#endif
+		SET_BINARY(stdin);
 	}
 
 	if (fgetc(in) != 'P')
 		BadPPM(infile);
 	switch (fgetc(in)) {


2017-06-11  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	Applied all patches taken from tiff_4.0.8-2.debian.tar.xz available at
	http://ftp.de.debian.org/debian/pool/main/t/tiff/.
	See the ChangeLog file for changes.






diff -aprNU5 tiff-4.0.8.orig/ChangeLog tiff-4.0.8/ChangeLog
--- tiff-4.0.8.orig/ChangeLog	2017-05-21 18:49:08 +0000
+++ tiff-4.0.8/ChangeLog	2017-06-11 14:48:52 +0000
@@ -1,5 +1,40 @@
+2017-06-01  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
+	and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
+	codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
+	to behave differently depending on whether the codec is enabled or not, and
+	thus can avoid stack based buffer overflows in a number of TIFF utilities
+	such as tiffsplit, tiffcmp, thumbnail, etc.
+	Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
+	(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
+	Fixes:
+	http://bugzilla.maptools.org/show_bug.cgi?id=2580
+	http://bugzilla.maptools.org/show_bug.cgi?id=2693
+	http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
+	http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
+	http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
+	http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
+	http://bugzilla.maptools.org/show_bug.cgi?id=2441
+	http://bugzilla.maptools.org/show_bug.cgi?id=2433
+
+2017-05-29  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
+	refBlackWhite coefficients values. To avoid invalid float->int32 conversion
+	(when refBlackWhite[0] == 2147483648.f)
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
+	Credit to OSS Fuzz
+
+2017-05-29  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
+	int32 overflow in TIFFYCbCrtoRGB().
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
+	Credit to OSS Fuzz
+
 2017-05-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* configure.ac: libtiff 4.0.8 released.
 
 	* html/v4.0.8.html: Add description of changes targeting the 4.0.8
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_color.c tiff-4.0.8/libtiff/tif_color.c
--- tiff-4.0.8.orig/libtiff/tif_color.c	2017-05-20 17:55:44 +0000
+++ tiff-4.0.8/libtiff/tif_color.c	2017-06-11 14:47:26 +0000
@@ -273,22 +273,22 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr
        * constructing tables indexed by the raw pixel data.
        */
       for (i = 0, x = -128; i < 256; i++, x++) {
 	    int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
 			    refBlackWhite[5] - 128.0F, 127),
-                            -128.0F * 64, 128.0F * 64);
+                            -128.0F * 32, 128.0F * 32);
 	    int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
 			    refBlackWhite[3] - 128.0F, 127),
-                            -128.0F * 64, 128.0F * 64);
+                            -128.0F * 32, 128.0F * 32);
 
 	    ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
 	    ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
 	    ycbcr->Cr_g_tab[i] = D2*Cr;
 	    ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
 	    ycbcr->Y_tab[i] =
 		    (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
-                                  -128.0F * 64, 128.0F * 64);
+                                  -128.0F * 32, 128.0F * 32);
       }
     }
 
     return 0;
 }
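Review bot: The clamp bound `128.0F * 32` is now written six times with no comment saying why 32 is safe where 64 was not, so a later change to `SHIFT` or the `D1`..`D4` factors can reintroduce the int32 overflow the ChangeLog mentions without anyone noticing. Name the bound once and document the constraint next to it, for example `/* clamp so that D*Cr, D*Cb and the later sums in TIFFYCbCrtoRGB() stay inside int32 */`, and use that constant in all three `CLAMPw` calls. The exact headroom depends on definitions outside the hunk, so the comment should state the arithmetic and not only the number. The enclosing function starts outside the hunk.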
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_dir.h tiff-4.0.8/libtiff/tif_dir.h
--- tiff-4.0.8.orig/libtiff/tif_dir.h	2015-08-28 22:16:10 +0000
+++ tiff-4.0.8/libtiff/tif_dir.h	2017-06-11 14:48:52 +0000
@@ -1,6 +1,6 @@
-/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
  *
@@ -289,10 +289,11 @@ struct _TIFFField {
 };
 
 extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
 extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
 extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
 
 #if defined(__cplusplus)
 }
 #endif
 #endif /* _TIFFDIR_ */
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_dirinfo.c tiff-4.0.8/libtiff/tif_dirinfo.c
--- tiff-4.0.8.orig/libtiff/tif_dirinfo.c	2016-11-18 02:52:08 +0000
+++ tiff-4.0.8/libtiff/tif_dirinfo.c	2017-06-11 14:48:52 +0000
@@ -1,6 +1,6 @@
-/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
  *
@@ -954,10 +954,113 @@ TIFFMergeFieldInfo(TIFF* tif, const TIFF
 	}
 
 	return 0;
 }
 
+int
+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
+{
+	/* Filter out non-codec specific tags */
+	switch (tag) {
+	    /* Shared tags */
+	    case TIFFTAG_PREDICTOR:
+	    /* JPEG tags */
+	    case TIFFTAG_JPEGTABLES:
+	    /* OJPEG tags */
+	    case TIFFTAG_JPEGIFOFFSET:
+	    case TIFFTAG_JPEGIFBYTECOUNT:
+	    case TIFFTAG_JPEGQTABLES:
+	    case TIFFTAG_JPEGDCTABLES:
+	    case TIFFTAG_JPEGACTABLES:
+	    case TIFFTAG_JPEGPROC:
+	    case TIFFTAG_JPEGRESTARTINTERVAL:
+	    /* CCITT* */
+	    case TIFFTAG_BADFAXLINES:
+	    case TIFFTAG_CLEANFAXDATA:
+	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
+	    case TIFFTAG_GROUP3OPTIONS:
+	    case TIFFTAG_GROUP4OPTIONS:
+		break;
+	    default:
+		return 1;
+	}
+	/* Check if codec specific tags are allowed for the current
+	 * compression scheme (codec) */
+	switch (tif->tif_dir.td_compression) {
+	    case COMPRESSION_LZW:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	    case COMPRESSION_PACKBITS:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_THUNDERSCAN:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_NEXT:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_JPEG:
+		if (tag == TIFFTAG_JPEGTABLES)
+		    return 1;
+		break;
+	    case COMPRESSION_OJPEG:
+		switch (tag) {
+		    case TIFFTAG_JPEGIFOFFSET:
+		    case TIFFTAG_JPEGIFBYTECOUNT:
+		    case TIFFTAG_JPEGQTABLES:
+		    case TIFFTAG_JPEGDCTABLES:
+		    case TIFFTAG_JPEGACTABLES:
+		    case TIFFTAG_JPEGPROC:
+		    case TIFFTAG_JPEGRESTARTINTERVAL:
+			return 1;
+		}
+		break;
+	    case COMPRESSION_CCITTRLE:
+	    case COMPRESSION_CCITTRLEW:
+	    case COMPRESSION_CCITTFAX3:
+	    case COMPRESSION_CCITTFAX4:
+		switch (tag) {
+		    case TIFFTAG_BADFAXLINES:
+		    case TIFFTAG_CLEANFAXDATA:
+		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
+			return 1;
+		    case TIFFTAG_GROUP3OPTIONS:
+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
+			    return 1;
+			break;
+		    case TIFFTAG_GROUP4OPTIONS:
+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
+			    return 1;
+			break;
+		}
+		break;
+	    case COMPRESSION_JBIG:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_DEFLATE:
+	    case COMPRESSION_ADOBE_DEFLATE:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	   case COMPRESSION_PIXARLOG:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+	    case COMPRESSION_SGILOG:
+	    case COMPRESSION_SGILOG24:
+		/* No codec-specific tags */
+		break;
+	    case COMPRESSION_LZMA:
+		if (tag == TIFFTAG_PREDICTOR)
+		    return 1;
+		break;
+
+	}
+	return 0;
+}
+
 /* vim: set ts=8 sts=8 sw=8 noet: */
 
 /*
  * Local Variables:
  * mode: c
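Review bot: The second `switch` on `tif->tif_dir.td_compression` has no `default:`, so for any compression value not listed, including a codec added later or registered by the application, every tag in the first list falls through to `return 0`. That fail-closed result fits the overflow fixes cited in the ChangeLog, but it is implicit; an explicit `default: /* unknown codec: codec-specific tags are not applicable */ break;` would make it deliberate, and any new codec that uses `TIFFTAG_PREDICTOR` needs its own case here. The function also lacks a header comment stating the contract: it returns 1 when the tag may be kept and 0 when the caller should ignore it. `case COMPRESSION_PIXARLOG:` is indented one column less than its siblings.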
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_dirread.c tiff-4.0.8/libtiff/tif_dirread.c
--- tiff-4.0.8.orig/libtiff/tif_dirread.c	2017-05-20 17:55:44 +0000
+++ tiff-4.0.8/libtiff/tif_dirread.c	2017-06-11 14:48:52 +0000
@@ -1,6 +1,6 @@
-/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
  * Copyright (c) 1991-1997 Silicon Graphics, Inc.
  *
@@ -3578,10 +3578,14 @@ TIFFReadDirectory(TIFF* tif)
 					case TIFFTAG_EXTRASAMPLES:
 						if (!TIFFFetchNormalTag(tif,dp,0))
 							goto bad;
 						dp->tdir_tag=IGNORE;
 						break;
+                                        default:
+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
+                                                dp->tdir_tag=IGNORE;
+                                            break;
 				}
 			}
 		}
 	}
 	/*
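Review bot: Tags rejected by `_TIFFCheckFieldIsValidForCodec()` in the new `default:` branch are set to `IGNORE` with no diagnostic, so a file carrying codec tags that do not match its compression is accepted silently. A `TIFFWarningExt()` naming the tag would make such files visible in logs. The check reads `td_compression`, so it is only correct if the compression tag has been processed before this loop; that ordering is outside the hunk and deserves a one-line comment here. The added lines are indented with spaces where the surrounding cases use tabs.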
diff -aprNU5 tiff-4.0.8.orig/libtiff/tif_getimage.c tiff-4.0.8/libtiff/tif_getimage.c
--- tiff-4.0.8.orig/libtiff/tif_getimage.c	2017-05-20 17:55:44 +0000
+++ tiff-4.0.8/libtiff/tif_getimage.c	2017-06-11 14:48:00 +0000
@@ -2239,11 +2239,11 @@ DECLARESepPutFunc(putseparate8bitYCbCr11
 }
 #undef YCbCrtoRGB
 
 static int isInRefBlackWhiteRange(float f)
 {
-    return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
+    return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
 }
 
 static int
 initYCbCrConversion(TIFFRGBAImage* img)
 {
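Review bot: The upper bound `(float)0x7FFFFFFF` cannot be represented in a float and rounds to 2147483648.0f, which is why `<=` let through the value named in the ChangeLog; the strict `<` fixes that, but the literal still reads as if INT32_MAX were the limit. A comment above the return, such as `/* (float)0x7FFFFFFF rounds up to 2^31, so the comparison must be strict to keep the later float->int32 conversion defined */`, would stop someone from relaxing it again. Both comparisons are false for NaN, so NaN is rejected too, which is worth stating in the same comment.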
diff -aprNU5 tiff-4.0.8.orig/tools/tiffsplit.c tiff-4.0.8/tools/tiffsplit.c
--- tiff-4.0.8.orig/tools/tiffsplit.c	2015-08-28 22:17:04 +0000
+++ tiff-4.0.8/tools/tiffsplit.c	2017-06-11 14:46:16 +0000
@@ -177,20 +177,21 @@ tiffcp(TIFF* in, TIFF* out)
 		if (TIFFGetField(in, TIFFTAG_JPEGTABLES, &count, &table)
 		    && count > 0 && table) {
 		    TIFFSetField(out, TIFFTAG_JPEGTABLES, count, table);
 		}
 	}
+	uint32 count = 0;
         CopyField(TIFFTAG_PHOTOMETRIC, shortv);
-	CopyField(TIFFTAG_PREDICTOR, shortv);
+	CopyField2(TIFFTAG_PREDICTOR, count, shortv);
 	CopyField(TIFFTAG_THRESHHOLDING, shortv);
 	CopyField(TIFFTAG_FILLORDER, shortv);
 	CopyField(TIFFTAG_ORIENTATION, shortv);
 	CopyField(TIFFTAG_MINSAMPLEVALUE, shortv);
 	CopyField(TIFFTAG_MAXSAMPLEVALUE, shortv);
 	CopyField(TIFFTAG_XRESOLUTION, floatv);
 	CopyField(TIFFTAG_YRESOLUTION, floatv);
-	CopyField(TIFFTAG_GROUP3OPTIONS, longv);
+	CopyField2(TIFFTAG_GROUP3OPTIONS, count, longv);
 	CopyField(TIFFTAG_GROUP4OPTIONS, longv);
 	CopyField(TIFFTAG_RESOLUTIONUNIT, shortv);
 	CopyField(TIFFTAG_PLANARCONFIG, shortv);
 	CopyField(TIFFTAG_ROWSPERSTRIP, longv);
 	CopyField(TIFFTAG_XPOSITION, floatv);
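Review bot: `TIFFTAG_PREDICTOR` and `TIFFTAG_GROUP3OPTIONS` are now copied through `CopyField2` with an extra `count` argument, while `TIFFTAG_GROUP4OPTIONS` on the following line still uses the one-value `CopyField`; all three are codec-specific tags in this patch's `_TIFFCheckFieldIsValidForCodec()`, so treating them differently looks accidental. `CopyField2` is defined outside the hunk, but if it passes both variables to `TIFFGetField`/`TIFFSetField`, then for a file whose codec does handle the tag the value would land in `count` and not in `shortv`/`longv`. Now that the directory reader drops these tags when the codec does not match, plain `CopyField(TIFFTAG_PREDICTOR, shortv);` and `CopyField(TIFFTAG_GROUP3OPTIONS, longv);` appear sufficient. `uint32 count = 0;` is also declared after statements, which pre-C99 compilers reject, and it reuses the name `count` from the JPEGTABLES block above.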
