aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDirk Meyer <dinoex@FreeBSD.org>2008-09-20 07:33:20 +0000
committerDirk Meyer <dinoex@FreeBSD.org>2008-09-20 07:33:20 +0000
commitf025b838e67c696a3de58d6d7d1b4981cb2ffe43 (patch)
treea3d4c336b5bc71be7bf030c374a5d83663476eb6
parentc6fc6694926feecde74cb523b1845e4781aa691e (diff)
downloadports-f025b838e67c696a3de58d6d7d1b4981cb2ffe43.tar.gz
ports-f025b838e67c696a3de58d6d7d1b4981cb2ffe43.zip
- add Security patches
- fix missign macro in manpages - add regression test Security: CVE-2006-2193 Security: CVE-2006-2327 Security: CVE-2006-2656 Security: CVE-2006-3459 Security: CVE-2006-3460 Security: CVE-2006-3461 Security: CVE-2006-3462 Security: CVE-2006-3463 Security: CVE-2006-3464 Security: CVE-2006-3465 Security: CVE-2008-2327 PR: 127434 Submitted by: <bf2006a@yahoo.com> Obtained From: Gentoo,Debian Approved by: portmgr (marcus)
Notes
Notes: svn path=/head/; revision=220438
-rw-r--r--graphics/tiff/Makefile5
-rw-r--r--graphics/tiff/files/patch-TIFFClose.3tiff11
-rw-r--r--graphics/tiff/files/patch-fax2ps.174
-rw-r--r--graphics/tiff/files/patch-raw2tiff.111
-rw-r--r--graphics/tiff/files/patch-tif_dir.c94
-rw-r--r--graphics/tiff/files/patch-tif_dirinfo.c24
-rw-r--r--graphics/tiff/files/patch-tif_dirread.c321
-rw-r--r--graphics/tiff/files/patch-tif_fax3.c27
-rw-r--r--graphics/tiff/files/patch-tif_jpeg.c121
-rw-r--r--graphics/tiff/files/patch-tif_lzw.c60
-rw-r--r--graphics/tiff/files/patch-tif_next.c22
-rw-r--r--graphics/tiff/files/patch-tif_pixarlog.c25
-rw-r--r--graphics/tiff/files/patch-tif_print.c13
-rw-r--r--graphics/tiff/files/patch-tif_read.c43
-rw-r--r--graphics/tiff/files/patch-tiff2pdf.134
-rw-r--r--graphics/tiff/files/patch-tiff2pdf.c13
-rw-r--r--graphics/tiff/files/patch-tiff2ps.1142
-rw-r--r--graphics/tiff/files/patch-tiffcmp.111
-rw-r--r--graphics/tiff/files/patch-tiffsplit.111
-rw-r--r--graphics/tiff/files/patch-tiffsplit.c21
20 files changed, 1082 insertions, 1 deletions
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 8a009ee25875..49ef6d7b7cda 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -9,7 +9,7 @@
PORTNAME= tiff
PORTVERSION= 3.8.2
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.remotesensing.org/pub/libtiff/ \
http://dl1.maptools.org/dl/libtiff/
@@ -126,4 +126,7 @@ post-install:
${INSTALL_DATA} ${WRKSRC}/html/man/*.html ${DOCSDIR}/man/
.endif
+regression-test: build
+ @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_ARGS} check)
+
.include <bsd.port.mk>
diff --git a/graphics/tiff/files/patch-TIFFClose.3tiff b/graphics/tiff/files/patch-TIFFClose.3tiff
new file mode 100644
index 000000000000..e9a36fae58da
--- /dev/null
+++ b/graphics/tiff/files/patch-TIFFClose.3tiff
@@ -0,0 +1,11 @@
+--- man/TIFFClose.3tiff.orig 2008-08-17 13:03:49.058994404 -0400
++++ man/TIFFClose.3tiff 2008-08-17 13:03:52.522727821 -0400
+@@ -40,7 +40,7 @@
+ current directory (if modified); and all resources are reclaimed.
+ .SH DIAGNOSTICS
+ All error messages are directed to the
+-.bR TIFFError (3TIFF)
++.BR TIFFError (3TIFF)
+ routine.
+ Likewise, warning messages are directed to the
+ .BR TIFFWarning (3TIFF)
diff --git a/graphics/tiff/files/patch-fax2ps.1 b/graphics/tiff/files/patch-fax2ps.1
new file mode 100644
index 000000000000..5fce8e717dae
--- /dev/null
+++ b/graphics/tiff/files/patch-fax2ps.1
@@ -0,0 +1,74 @@
+--- man/fax2ps.1.orig 2008-08-17 13:03:49.038994710 -0400
++++ man/fax2ps.1 2008-08-17 13:03:52.510994390 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ fax2ps \- convert a
+ .SM TIFF
+-facsimile to compressed \*(Ps\(tm
++facsimile to compressed PostScript\(tm
+ .SH SYNOPSIS
+ .B fax2ps
+ [
+@@ -40,7 +40,7 @@
+ reads one or more
+ .SM TIFF
+ facsimile image files and prints a compressed form of
+-\*(Ps on the standard output that is suitable for printing.
++PostScript on the standard output that is suitable for printing.
+ .PP
+ By default, each page is scaled to reflect the
+ image dimensions and resolutions stored in the file.
+@@ -62,26 +62,26 @@
+ .PP
+ By default
+ .I fax2ps
+-generates \*(Ps for all pages in the file.
++generates PostScript for all pages in the file.
+ The
+ .B \-p
+ option can be used to select one or more pages from
+ a multi-page document.
+ .PP
+ .I fax2ps
+-generates a compressed form of \*(Ps that is
+-optimized for sending pages of text to a \*(Ps
++generates a compressed form of PostScript that is
++optimized for sending pages of text to a PostScript
+ printer attached to a host through a low-speed link (such
+ as a serial line).
+ Each output page is filled with white and then only
+ the black areas are drawn.
+-The \*(Ps specification of the black drawing operations
++The PostScript specification of the black drawing operations
+ is optimized by using a special font that encodes the
+ move-draw operations required to fill
+ the black regions on the page.
+ This compression scheme typically results in a substantially
+-reduced \*(Ps description, relative to the straightforward
+-imaging of the page with a \*(Ps
++reduced PostScript description, relative to the straightforward
++imaging of the page with a PostScript
+ .I image
+ operator.
+ This algorithm can, however, be ineffective
+@@ -138,9 +138,9 @@
+ attempts to recover from such data errors by resynchronizing
+ decoding at the end of the current scanline.
+ This can result in long horizontal black lines in the resultant
+-\*(Ps image.
++PostScript image.
+ .SH NOTES
+-If the destination printer supports \*(Ps Level II then
++If the destination printer supports PostScript Level II then
+ it is always faster to just send the encoded bitmap generated
+ by the
+ .BR tiff2ps (1)
+@@ -149,7 +149,7 @@
+ .I fax2ps
+ should probably figure out when it is doing a poor
+ job of compressing the output and just generate
+-\*(Ps to image the bitmap raster instead.
++PostScript to image the bitmap raster instead.
+ .SH "SEE ALSO"
+ .BR tiff2ps (1),
+ .BR libtiff (3)
diff --git a/graphics/tiff/files/patch-raw2tiff.1 b/graphics/tiff/files/patch-raw2tiff.1
new file mode 100644
index 000000000000..b02ff0d69c1e
--- /dev/null
+++ b/graphics/tiff/files/patch-raw2tiff.1
@@ -0,0 +1,11 @@
+--- man/raw2tiff.1.orig 2008-08-17 13:03:49.042994359 -0400
++++ man/raw2tiff.1 2008-08-17 13:03:52.519034963 -0400
+@@ -184,7 +184,7 @@
+ in some cases. But for most ordinary images guessing method will work fine.
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3)
diff --git a/graphics/tiff/files/patch-tif_dir.c b/graphics/tiff/files/patch-tif_dir.c
new file mode 100644
index 000000000000..61ab63cefd00
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_dir.c
@@ -0,0 +1,94 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dir.c.orig 2008-08-17 13:03:48.954994295 -0400
++++ libtiff/tif_dir.c 2008-08-17 13:03:52.881994558 -0400
+@@ -122,6 +122,7 @@
+ {
+ static const char module[] = "_TIFFVSetField";
+
++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
+ TIFFDirectory* td = &tif->tif_dir;
+ int status = 1;
+ uint32 v32, i, v;
+@@ -195,10 +196,12 @@
+ break;
+ case TIFFTAG_ORIENTATION:
+ v = va_arg(ap, uint32);
++ const TIFFFieldInfo* fip;
+ if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
++ fip = _TIFFFieldWithTag(tif, tag);
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "Bad value %lu for \"%s\" tag ignored",
+- v, _TIFFFieldWithTag(tif, tag)->field_name);
++ v, fip ? fip->field_name : "Unknown");
+ } else
+ td->td_orientation = (uint16) v;
+ break;
+@@ -387,11 +390,15 @@
+ * happens, for example, when tiffcp is used to convert between
+ * compression schemes and codec-specific tags are blindly copied.
+ */
++ /*
++ * better not dereference fip if it is NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ status = 0;
+ break;
+ }
+@@ -468,7 +475,7 @@
+ if (fip->field_type == TIFF_ASCII)
+ _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
+ else {
+- tv->value = _TIFFmalloc(tv_size * tv->count);
++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
+ if (!tv->value) {
+ status = 0;
+ goto end;
+@@ -563,7 +570,7 @@
+ }
+ }
+ if (status) {
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++ TIFFSetFieldBit(tif, fip->field_bit);
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ }
+
+@@ -572,12 +579,12 @@
+ return (status);
+ badvalue:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
+- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ badvalue32:
+ TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
+- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
++ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
+ va_end(ap);
+ return (0);
+ }
+@@ -813,12 +820,16 @@
+ * If the client tries to get a tag that is not valid
+ * for the image's codec then we'll arrive here.
+ */
++ /*
++ * dont dereference fip if it's NULL.
++ * -- taviso@google.com 15 Jun 2006
++ */
+ if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
+ "%s: Invalid %stag \"%s\" (not supported by codec)",
+ tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
+- _TIFFFieldWithTag(tif, tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ ret_val = 0;
+ break;
+ }
diff --git a/graphics/tiff/files/patch-tif_dirinfo.c b/graphics/tiff/files/patch-tif_dirinfo.c
new file mode 100644
index 000000000000..921b79aae815
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_dirinfo.c
@@ -0,0 +1,24 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_dirinfo.c.orig 2008-08-17 13:03:48.958994316 -0400
++++ libtiff/tif_dirinfo.c 2008-08-17 13:03:52.890034927 -0400
+@@ -775,7 +775,8 @@
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
+ "Internal error, unknown tag 0x%x",
+ (unsigned int) tag);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
+@@ -789,7 +790,8 @@
+ if (!fip) {
+ TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
+ "Internal error, unknown tag %s", field_name);
+- assert(fip != NULL);
++ /* assert(fip != NULL); */
++
+ /*NOTREACHED*/
+ }
+ return (fip);
diff --git a/graphics/tiff/files/patch-tif_dirread.c b/graphics/tiff/files/patch-tif_dirread.c
new file mode 100644
index 000000000000..35ec18463f5d
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_dirread.c
@@ -0,0 +1,321 @@
+CVE-2006-3459,3463,3464,3465
+===================================================================
+--- libtiff/tif_dirread.c.orig 2008-08-17 13:03:48.962994506 -0400
++++ libtiff/tif_dirread.c 2008-08-17 13:03:52.890034927 -0400
+@@ -29,6 +29,9 @@
+ *
+ * Directory Read Support Routines.
+ */
++
++#include <limits.h>
++
+ #include "tiffiop.h"
+
+ #define IGNORE 0 /* tag placeholder used below */
+@@ -81,6 +84,7 @@
+ uint16 dircount;
+ toff_t nextdiroff;
+ int diroutoforderwarning = 0;
++ int compressionknown = 0;
+ toff_t* new_dirlist;
+
+ tif->tif_diroff = tif->tif_nextdiroff;
+@@ -147,13 +151,20 @@
+ } else {
+ toff_t off = tif->tif_diroff;
+
+- if (off + sizeof (uint16) > tif->tif_size) {
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%s: Can not read TIFF directory count",
+- tif->tif_name);
+- return (0);
++ /*
++ * Check for integer overflow when validating the dir_off, otherwise
++ * a very high offset may cause an OOB read and crash the client.
++ * -- taviso@google.com, 14 Jun 2006.
++ */
++ if (off + sizeof (uint16) > tif->tif_size ||
++ off > (UINT_MAX - sizeof(uint16))) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "%s: Can not read TIFF directory count",
++ tif->tif_name);
++ return (0);
+ } else
+- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
++ _TIFFmemcpy(&dircount, tif->tif_base + off,
++ sizeof (uint16));
+ off += sizeof (uint16);
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabShort(&dircount);
+@@ -254,6 +265,7 @@
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
++
+ if (fix >= tif->tif_nfields ||
+ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
+
+@@ -264,17 +276,23 @@
+ dp->tdir_tag,
+ dp->tdir_tag,
+ dp->tdir_type);
+-
+- TIFFMergeFieldInfo(tif,
+- _TIFFCreateAnonFieldInfo(tif,
+- dp->tdir_tag,
+- (TIFFDataType) dp->tdir_type),
+- 1 );
++ /*
++ * creating anonymous fields prior to knowing the compression
++ * algorithm (ie, when the field info has been merged) could cause
++ * crashes with pathological directories.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (compressionknown)
++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
++ (TIFFDataType) dp->tdir_type), 1 );
++ else goto ignore;
++
+ fix = 0;
+ while (fix < tif->tif_nfields &&
+ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
+ fix++;
+ }
++
+ /*
+ * Null out old tags that we ignore.
+ */
+@@ -326,6 +344,7 @@
+ dp->tdir_type, dp->tdir_offset);
+ if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
+ goto bad;
++ else compressionknown++;
+ break;
+ /* XXX: workaround for broken TIFFs */
+ } else if (dp->tdir_type == TIFF_LONG) {
+@@ -540,6 +559,7 @@
+ * Attempt to deal with a missing StripByteCounts tag.
+ */
+ if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * Some manufacturers violate the spec by not giving
+ * the size of the strips. In this case, assume there
+@@ -556,7 +576,7 @@
+ "%s: TIFF directory is missing required "
+ "\"%s\" field, calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ /*
+@@ -580,6 +600,7 @@
+ } else if (td->td_nstrips == 1
+ && td->td_stripoffset[0] != 0
+ && BYTECOUNTLOOKSBAD) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Plexus (and others) sometimes give a value of zero for
+ * a tag when they don't know what the correct value is! Try
+@@ -589,13 +610,14 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if(EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
+ && td->td_nstrips > 2
+ && td->td_compression == COMPRESSION_NONE
+ && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
+ /*
+ * XXX: Some vendors fill StripByteCount array with absolutely
+ * wrong values (it can be equal to StripOffset array, for
+@@ -604,7 +626,7 @@
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
+ tif->tif_name,
+- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
++ fip ? fip->field_name : "Unknown");
+ if (EstimateStripByteCounts(tif, dir, dircount) < 0)
+ goto bad;
+ }
+@@ -870,7 +892,13 @@
+
+ register TIFFDirEntry *dp;
+ register TIFFDirectory *td = &tif->tif_dir;
+- uint16 i;
++
++ /* i is used to iterate over td->td_nstrips, so must be
++ * at least the same width.
++ * -- taviso@google.com 15 Jun 2006
++ */
++
++ uint32 i;
+
+ if (td->td_stripbytecount)
+ _TIFFfree(td->td_stripbytecount);
+@@ -947,16 +975,18 @@
+ static int
+ CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
+ {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++
+ if (count > dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (0);
+ } else if (count < dir->tdir_count) {
+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+ "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
++ fip ? fip->field_name : "Unknown",
+ dir->tdir_count, count);
+ return (1);
+ }
+@@ -970,6 +1000,7 @@
+ TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
+ {
+ int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ tsize_t cc = dir->tdir_count * w;
+
+ /* Check for overflow. */
+@@ -1013,7 +1044,7 @@
+ bad:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Error fetching data for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ return (tsize_t) 0;
+ }
+
+@@ -1039,10 +1070,12 @@
+ static int
+ cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
+ {
++ const TIFFFieldInfo* fip;
+ if (denom == 0) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "%s: Rational with zero denominator (num = %lu)",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
++ fip ? fip->field_name : "Unknown", num);
+ return (0);
+ } else {
+ if (dir->tdir_type == TIFF_RATIONAL)
+@@ -1159,6 +1192,20 @@
+ static int
+ TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
+ {
++ /*
++ * Prevent overflowing the v stack arrays below by performing a sanity
++ * check on tdir_count, this should never be greater than two.
++ * -- taviso@google.com 14 Jun 2006.
++ */
++ if (dir->tdir_count > 2) {
++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
++ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
++ fip ? fip->field_name : "Unknown",
++ dir->tdir_count);
++ return 0;
++ }
++
+ switch (dir->tdir_type) {
+ case TIFF_BYTE:
+ case TIFF_SBYTE:
+@@ -1329,14 +1376,15 @@
+ case TIFF_DOUBLE:
+ return (TIFFFetchDoubleArray(tif, dir, (double*) v));
+ default:
++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ /* TIFF_NOTYPE */
+ /* TIFF_ASCII */
+ /* TIFF_UNDEFINED */
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "cannot read TIFF_ANY type %d for field \"%s\"",
+ dir->tdir_type,
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+- return (0);
++ fip ? fip->field_name : "Unknown");
++ return (0); }
+ }
+ return (1);
+ }
+@@ -1351,6 +1399,9 @@
+ int ok = 0;
+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
+
++ if (fip == NULL) {
++ return (0);
++ }
+ if (dp->tdir_count > 1) { /* array of values */
+ char* cp = NULL;
+
+@@ -1493,6 +1544,7 @@
+ TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1510,9 +1562,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1534,6 +1587,7 @@
+ TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1551,9 +1605,10 @@
+ check_count = samples;
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
+@@ -1574,6 +1629,7 @@
+ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
+ {
+ uint16 samples = tif->tif_dir.td_samplesperpixel;
++ const TIFFFieldInfo* fip;
+ int status = 0;
+
+ if (CheckDirCount(tif, dir, (uint32) samples)) {
+@@ -1591,9 +1647,10 @@
+
+ for (i = 1; i < check_count; i++)
+ if (v[i] != v[0]) {
++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+ "Cannot handle different per-sample values for field \"%s\"",
+- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
++ fip ? fip->field_name : "Unknown");
+ goto bad;
+ }
+ *pl = v[0];
diff --git a/graphics/tiff/files/patch-tif_fax3.c b/graphics/tiff/files/patch-tif_fax3.c
new file mode 100644
index 000000000000..5b9e94d23d47
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_fax3.c
@@ -0,0 +1,27 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_fax3.c.orig 2008-08-17 13:03:48.970994629 -0400
++++ libtiff/tif_fax3.c 2008-08-17 13:03:52.890034927 -0400
+@@ -1136,6 +1136,7 @@
+ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
+ {
+ Fax3BaseState* sp = Fax3State(tif);
++ const TIFFFieldInfo* fip;
+
+ assert(sp != 0);
+ assert(sp->vsetparent != 0);
+@@ -1181,7 +1182,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
diff --git a/graphics/tiff/files/patch-tif_jpeg.c b/graphics/tiff/files/patch-tif_jpeg.c
new file mode 100644
index 000000000000..4ce2999e579f
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_jpeg.c
@@ -0,0 +1,121 @@
+CVE-2006-3460,3464,3465
+===================================================================
+--- libtiff/tif_jpeg.c.orig 2008-08-17 13:03:48.974994391 -0400
++++ libtiff/tif_jpeg.c 2008-08-17 13:03:52.894064968 -0400
+@@ -722,15 +722,31 @@
+ segment_width = TIFFhowmany(segment_width, sp->h_sampling);
+ segment_height = TIFFhowmany(segment_height, sp->v_sampling);
+ }
+- if (sp->cinfo.d.image_width != segment_width ||
+- sp->cinfo.d.image_height != segment_height) {
++ if (sp->cinfo.d.image_width < segment_width ||
++ sp->cinfo.d.image_height < segment_height) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
+ segment_width,
+ segment_height,
+ sp->cinfo.d.image_width,
+ sp->cinfo.d.image_height);
++ }
++
++ if (sp->cinfo.d.image_width > segment_width ||
++ sp->cinfo.d.image_height > segment_height) {
++ /*
++ * This case could be dangerous, if the strip or tile size has been
++ * reported as less than the amount of data jpeg will return, some
++ * potential security issues arise. Catch this case and error out.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "JPEG strip/tile size exceeds expected dimensions,"
++ "expected %dx%d, got %dx%d", segment_width, segment_height,
++ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
++ return (0);
+ }
++
+ if (sp->cinfo.d.num_components !=
+ (td->td_planarconfig == PLANARCONFIG_CONTIG ?
+ td->td_samplesperpixel : 1)) {
+@@ -761,6 +777,22 @@
+ sp->cinfo.d.comp_info[0].v_samp_factor,
+ sp->h_sampling, sp->v_sampling);
+
++ /*
++ * There are potential security issues here for decoders that
++ * have already allocated buffers based on the expected sampling
++ * factors. Lets check the sampling factors dont exceed what
++ * we were expecting.
++ * -- taviso@google.com 14 June 2006
++ */
++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
++ TIFFErrorExt(tif->tif_clientdata, module,
++ "Cannot honour JPEG sampling factors that"
++ " exceed those specified.");
++ return (0);
++ }
++
++
+ /*
+ * XXX: Files written by the Intergraph software
+ * has different sampling factors stored in the
+@@ -1521,15 +1553,18 @@
+ {
+ JPEGState *sp = JState(tif);
+
+- assert(sp != 0);
++ /* assert(sp != 0); */
+
+ tif->tif_tagmethods.vgetfield = sp->vgetparent;
+ tif->tif_tagmethods.vsetfield = sp->vsetparent;
+
+- if( sp->cinfo_initialized )
+- TIFFjpeg_destroy(sp); /* release libjpeg resources */
+- if (sp->jpegtables) /* tag value */
+- _TIFFfree(sp->jpegtables);
++ if (sp != NULL) {
++ if( sp->cinfo_initialized )
++ TIFFjpeg_destroy(sp); /* release libjpeg resources */
++ if (sp->jpegtables) /* tag value */
++ _TIFFfree(sp->jpegtables);
++ }
++
+ _TIFFfree(tif->tif_data); /* release local state */
+ tif->tif_data = NULL;
+
+@@ -1541,6 +1576,7 @@
+ {
+ JPEGState* sp = JState(tif);
+ TIFFDirectory* td = &tif->tif_dir;
++ const TIFFFieldInfo* fip;
+ uint32 v32;
+
+ assert(sp != NULL);
+@@ -1606,7 +1642,13 @@
+ default:
+ return (*sp->vsetparent)(tif, tag, ap);
+ }
+- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
++
++ if ((fip = _TIFFFieldWithTag(tif, tag))) {
++ TIFFSetFieldBit(tif, fip->field_bit);
++ } else {
++ return (0);
++ }
++
+ tif->tif_flags |= TIFF_DIRTYDIRECT;
+ return (1);
+ }
+@@ -1726,7 +1768,11 @@
+ {
+ JPEGState* sp = JState(tif);
+
+- assert(sp != NULL);
++ /* assert(sp != NULL); */
++ if (sp == NULL) {
++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
++ return;
++ }
+
+ (void) flags;
+ if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
diff --git a/graphics/tiff/files/patch-tif_lzw.c b/graphics/tiff/files/patch-tif_lzw.c
new file mode 100644
index 000000000000..e4a36858b4d0
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_lzw.c
@@ -0,0 +1,60 @@
+CVE-2008-2327
+===================================================================
+--- libtiff/tif_lzw.c.orig 2008-08-17 13:03:49.090994393 -0400
++++ libtiff/tif_lzw.c 2008-08-17 13:03:52.354994400 -0400
+@@ -237,6 +237,13 @@
+ sp->dec_codetab[code].length = 1;
+ sp->dec_codetab[code].next = NULL;
+ } while (code--);
++ /*
++ * Zero-out the unused entries
++ */
++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
++
++
+ }
+ return (1);
+ }
+@@ -408,12 +415,20 @@
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask-1;
+ NextCode(tif, sp, bp, code, GetNextCode);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
++
+ *op++ = (char)code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
+@@ -604,12 +619,20 @@
+ break;
+ if (code == CODE_CLEAR) {
+ free_entp = sp->dec_codetab + CODE_FIRST;
++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = sp->dec_codetab + nbitsmask;
+ NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ if (code == CODE_EOI)
+ break;
++ if (code == CODE_CLEAR) {
++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
++ "LZWDecode: Corrupted LZW table at scanline %d",
++ tif->tif_row);
++ return (0);
++ }
++
+ *op++ = code, occ--;
+ oldcodep = sp->dec_codetab + code;
+ continue;
diff --git a/graphics/tiff/files/patch-tif_next.c b/graphics/tiff/files/patch-tif_next.c
new file mode 100644
index 000000000000..e02f075eacd2
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_next.c
@@ -0,0 +1,22 @@
+CVE-2006-3462
+===================================================================
+--- libtiff/tif_next.c.orig 2008-08-17 13:03:48.978994352 -0400
++++ libtiff/tif_next.c 2008-08-17 13:03:52.894064968 -0400
+@@ -105,11 +105,16 @@
+ * as codes of the form <color><npixels>
+ * until we've filled the scanline.
+ */
++ /*
++ * Ensure the run does not exceed the scanline
++ * bounds, potentially resulting in a security issue.
++ * -- taviso@google.com 14 Jun 2006.
++ */
+ op = row;
+ for (;;) {
+ grey = (n>>6) & 0x3;
+ n &= 0x3f;
+- while (n-- > 0)
++ while (n-- > 0 && npixels < imagewidth)
+ SETPIXEL(op, grey);
+ if (npixels >= (int) imagewidth)
+ break;
diff --git a/graphics/tiff/files/patch-tif_pixarlog.c b/graphics/tiff/files/patch-tif_pixarlog.c
new file mode 100644
index 000000000000..cf99c0c5b368
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_pixarlog.c
@@ -0,0 +1,25 @@
+CVE-2006-3461
+===================================================================
+--- libtiff/tif_pixarlog.c.orig 2008-08-17 13:03:48.986994374 -0400
++++ libtiff/tif_pixarlog.c 2008-08-17 13:03:52.894064968 -0400
+@@ -768,7 +768,19 @@
+ if (tif->tif_flags & TIFF_SWAB)
+ TIFFSwabArrayOfShort(up, nsamples);
+
+- for (i = 0; i < nsamples; i += llen, up += llen) {
++ /*
++ * if llen is not an exact multiple of nsamples, the decode operation
++ * may overflow the output buffer, so truncate it enough to prevent that
++ * but still salvage as much data as possible.
++ * -- taviso@google.com 14th June 2006
++ */
++ if (nsamples % llen)
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "%s: stride %lu is not a multiple of sample count, "
++ "%lu, data truncated.", tif->tif_name, llen, nsamples);
++
++
++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
+ switch (sp->user_datafmt) {
+ case PIXARLOGDATAFMT_FLOAT:
+ horizontalAccumulateF(up, llen, sp->stride,
diff --git a/graphics/tiff/files/patch-tif_print.c b/graphics/tiff/files/patch-tif_print.c
new file mode 100644
index 000000000000..48699484ca4e
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_print.c
@@ -0,0 +1,13 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_print.c.orig 2008-08-17 13:03:49.113994690 -0400
++++ libtiff/tif_print.c 2008-08-17 13:03:52.201994368 -0400
+@@ -491,7 +491,7 @@
+ } else
+ fprintf(fd, "(present)\n");
+ }
+- if (TIFFFieldSet(tif, FIELD_SUBIFD)) {
++ if (TIFFFieldSet(tif, FIELD_SUBIFD) && (td->td_subifd)) {
+ fprintf(fd, " SubIFD Offsets:");
+ for (i = 0; i < td->td_nsubifd; i++)
+ fprintf(fd, " %5lu", (long) td->td_subifd[i]);
diff --git a/graphics/tiff/files/patch-tif_read.c b/graphics/tiff/files/patch-tif_read.c
new file mode 100644
index 000000000000..67c18ccb5b94
--- /dev/null
+++ b/graphics/tiff/files/patch-tif_read.c
@@ -0,0 +1,43 @@
+CVE-2006-3464,3465
+===================================================================
+--- libtiff/tif_read.c.orig 2008-08-17 13:03:48.990994211 -0400
++++ libtiff/tif_read.c 2008-08-17 13:03:52.898026507 -0400
+@@ -31,6 +31,8 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
++#include <limits.h>
++
+ int TIFFFillStrip(TIFF*, tstrip_t);
+ int TIFFFillTile(TIFF*, ttile_t);
+ static int TIFFStartStrip(TIFF*, tstrip_t);
+@@ -272,7 +274,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
++ /*
++ * This sanity check could potentially overflow, causing an OOB read.
++ * verify that offset + bytecount is > offset.
++ * -- taviso@google.com 14 Jun 2006
++ */
++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
+ /*
+ * This error message might seem strange, but it's
+ * what would happen if a read were done instead.
+@@ -470,7 +478,13 @@
+ if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
+ _TIFFfree(tif->tif_rawdata);
+ tif->tif_flags &= ~TIFF_MYBUFFER;
+- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
++ /*
++ * We must check this calculation doesnt overflow, potentially
++ * causing an OOB read.
++ * -- taviso@google.com 15 Jun 2006
++ */
++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
+ tif->tif_curtile = NOTILE;
+ return (0);
+ }
diff --git a/graphics/tiff/files/patch-tiff2pdf.1 b/graphics/tiff/files/patch-tiff2pdf.1
new file mode 100644
index 000000000000..2a081a39e2e8
--- /dev/null
+++ b/graphics/tiff/files/patch-tiff2pdf.1
@@ -0,0 +1,34 @@
+--- man/tiff2pdf.1.orig 2008-08-17 13:03:49.046994376 -0400
++++ man/tiff2pdf.1 2008-08-17 13:03:52.522727821 -0400
+@@ -207,18 +207,14 @@
+ The following example would generate the file output.pdf from input.tiff.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -o output.pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate PDF output from input.tiff and write it
+ to standard output.
+ .PP
+ .RS
+-.NF
+-tiff2pdf input.tiff
+-.FI
++\f(CWtiff2pdf input.tiff\fP
+ .RE
+ .PP
+ The following example would generate the file output.pdf from input.tiff,
+@@ -227,9 +223,7 @@
+ the "Fit Window" option.
+ .PP
+ .RS
+-.NF
+-tiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff
+-.FI
++\f(CWtiff2pdf -p letter -j -q 75 -t "Document" -f -o output.pdf input.tiff\f)
+ .RE
+ .SH BUGS
+ Please report bugs via the web interface at
diff --git a/graphics/tiff/files/patch-tiff2pdf.c b/graphics/tiff/files/patch-tiff2pdf.c
new file mode 100644
index 000000000000..6206cce935dc
--- /dev/null
+++ b/graphics/tiff/files/patch-tiff2pdf.c
@@ -0,0 +1,13 @@
+CVE-2006-2193
+===================================================================
+--- tools/tiff2pdf.c.orig 2006-06-04 18:26:40.000000000 -0700
++++ tools/tiff2pdf.c 2006-06-04 18:27:22.000000000 -0700
+@@ -3668,7 +3668,7 @@
+ written += TIFFWriteFile(output, (tdata_t) "(", 1);
+ for (i=0;i<len;i++){
+ if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
+- sprintf(buffer, "\\%.3o", pdfstr[i]);
++ snprintf(buffer, sizeof(buffer), "\\%.3o", pdfstr[i]);
+ written += TIFFWriteFile(output, (tdata_t) buffer, 4);
+ } else {
+ switch (pdfstr[i]){
diff --git a/graphics/tiff/files/patch-tiff2ps.1 b/graphics/tiff/files/patch-tiff2ps.1
new file mode 100644
index 000000000000..b9051f53e70a
--- /dev/null
+++ b/graphics/tiff/files/patch-tiff2ps.1
@@ -0,0 +1,142 @@
+--- man/tiff2ps.1.orig 2008-08-17 13:03:49.050994382 -0400
++++ man/tiff2ps.1 2008-08-17 13:03:52.522727821 -0400
+@@ -27,7 +27,7 @@
+ .SH NAME
+ tiff2ps \- convert a
+ .SM TIFF
+-image to \*(Ps\(tm
++image to PostScript\(tm
+ .SH SYNOPSIS
+ .B tiff2ps
+ [
+@@ -38,17 +38,17 @@
+ .I tiff2ps
+ reads
+ .SM TIFF
+-images and writes \*(Ps or Encapsulated \*(Ps (EPS)
++images and writes PostScript or Encapsulated PostScript (EPS)
+ on the standard output.
+ By default,
+ .I tiff2ps
+-writes Encapsulated \*(Ps for the first image in the specified
++writes Encapsulated PostScript for the first image in the specified
+ .SM TIFF
+ image file.
+ .PP
+ By default,
+ .I tiff2ps
+-will generate \*(Ps that fills a printed area specified
++will generate PostScript that fills a printed area specified
+ by the
+ .SM TIFF
+ tags in the input file.
+@@ -67,22 +67,22 @@
+ .SM TIFF
+ tags.
+ .PP
+-The \*(Ps generated for
++The PostScript generated for
+ .SM RGB,
+ palette, and
+ .SM CMYK
+ images uses the
+ .I colorimage
+ operator.
+-The \*(Ps generated for
++The PostScript generated for
+ greyscale and bilevel images
+ uses the
+ .I image
+ operator.
+ When the
+ .I colorimage
+-operator is used, \*(Ps code to emulate this operator
+-on older \*(Ps printers is also generated.
++operator is used, PostScript code to emulate this operator
++on older PostScript printers is also generated.
+ Note that this emulation code can be very slow.
+ .PP
+ Color images with associated alpha data are composited over
+@@ -90,13 +90,13 @@
+ .SH OPTIONS
+ .TP
+ .B \-1
+-Generate \*(Ps Level 1 (the default).
++Generate PostScript Level 1 (the default).
+ .TP
+ .B \-2
+-Generate \*(Ps Level 2.
++Generate PostScript Level 2.
+ .TP
+ .B \-3
+-Generate \*(Ps Level 3. It basically allows one to use the /flateDecode
++Generate PostScript Level 3. It basically allows one to use the /flateDecode
+ filter for ZIP compressed TIFF images.
+ .TP
+ .B \-a
+@@ -119,7 +119,7 @@
+ multi-page (e.g. facsimile) file.
+ .TP
+ .B \-e
+-Force the generation of Encapsulated \*(Ps (implies -z).
++Force the generation of Encapsulated PostScript (implies -z).
+ .TP
+ .B \-h
+ Specify the vertical size of the printed area (in inches).
+@@ -148,7 +148,7 @@
+ .B \-m
+ Where possible render using the
+ .B imagemask
+-\*(Ps operator instead of the image operator. When this option is specified
++PostScript operator instead of the image operator. When this option is specified
+ .I tiff2ps
+ will use
+ .B imagemask
+@@ -166,7 +166,7 @@
+ like which are hidden using the SubIFD tag.
+ .TP
+ .B \-p
+-Force the generation of (non-Encapsulated) \*(Ps.
++Force the generation of (non-Encapsulated) PostScript.
+ .TP
+ .B \-r
+ Rotate image by 180 degrees.
+@@ -184,15 +184,15 @@
+ Override resolution units specified in the TIFF as inches.
+ .TP
+ .B \-z
+-When generating \*(Ps Level 2, data is scaled so that it does not
++When generating PostScript Level 2, data is scaled so that it does not
+ image into the
+ .I deadzone
+ on a page (the outer margin that the printing device is unable to mark).
+ This option suppresses this behavior.
+-When \*(Ps Level 1 is generated, data is imaged to the entire printed
++When PostScript Level 1 is generated, data is imaged to the entire printed
+ page and this option has no affect.
+ .SH EXAMPLES
+-The following generates \*(Ps Level 2 for all pages of a facsimile:
++The following generates PostScript Level 2 for all pages of a facsimile:
+ .RS
+ .nf
+ tiff2ps -a2 fax.tif | lpr
+@@ -201,7 +201,7 @@
+ Note also that if you have version 2.6.1 or newer of Ghostscript then you
+ can efficiently preview facsimile generated with the above command.
+ .PP
+-To generate Encapsulated \*(Ps for a the image at directory 2
++To generate Encapsulated PostScript for a the image at directory 2
+ of an image use:
+ .RS
+ .nf
+@@ -228,8 +228,8 @@
+ .B \-L.5
+ option says to repeat a half inch on the next page (to improve readability).
+ .SH BUGS
+-Because \*(Ps does not support the notion of a colormap,
+-8-bit palette images produce 24-bit \*(Ps images.
++Because PostScript does not support the notion of a colormap,
++8-bit palette images produce 24-bit PostScript images.
+ This conversion results in output that is six times
+ bigger than the original image and which takes a long time
+ to send to a printer over a serial line.
diff --git a/graphics/tiff/files/patch-tiffcmp.1 b/graphics/tiff/files/patch-tiffcmp.1
new file mode 100644
index 000000000000..df179f116621
--- /dev/null
+++ b/graphics/tiff/files/patch-tiffcmp.1
@@ -0,0 +1,11 @@
+--- man/tiffcmp.1.orig 2008-08-17 13:03:49.062994301 -0400
++++ man/tiffcmp.1 2008-08-17 13:03:52.522727821 -0400
+@@ -77,7 +77,7 @@
+ in some exotic cases.
+ .SH "SEE ALSO"
+ .BR pal2rgb (1),
+-.bR tiffinfo (1),
++.BR tiffinfo (1),
+ .BR tiffcp (1),
+ .BR tiffmedian (1),
+ .BR libtiff (3TIFF)
diff --git a/graphics/tiff/files/patch-tiffsplit.1 b/graphics/tiff/files/patch-tiffsplit.1
new file mode 100644
index 000000000000..5bb19b84fdb1
--- /dev/null
+++ b/graphics/tiff/files/patch-tiffsplit.1
@@ -0,0 +1,11 @@
+--- man/tiffsplit.1.orig 2008-08-17 13:03:49.070994233 -0400
++++ man/tiffsplit.1 2008-08-17 13:03:52.522727821 -0400
+@@ -50,7 +50,7 @@
+ (e.g.
+ .IR xaaa.tif ,
+ .IR xaab.tif ,
+-\...
++.IR ... ,
+ .IR xzzz.tif ).
+ If a prefix is not specified on the command line,
+ the default prefix of
diff --git a/graphics/tiff/files/patch-tiffsplit.c b/graphics/tiff/files/patch-tiffsplit.c
new file mode 100644
index 000000000000..ea75a024ce85
--- /dev/null
+++ b/graphics/tiff/files/patch-tiffsplit.c
@@ -0,0 +1,21 @@
+CVE-2006-2656
+===================================================================
+--- tools/tiffsplit.c.orig 2008-08-17 13:03:49.014994263 -0400
++++ tools/tiffsplit.c 2008-08-17 13:03:52.726994578 -0400
+@@ -61,14 +61,13 @@
+ return (-3);
+ }
+ if (argc > 2)
+- strcpy(fname, argv[2]);
++ snprintf(fname, sizeof(fname), "%s", argv[2]);
+ in = TIFFOpen(argv[1], "r");
+ if (in != NULL) {
+ do {
+ char path[1024+1];
+ newfilename();
+- strcpy(path, fname);
+- strcat(path, ".tif");
++ snprintf(path, sizeof(path), "%s.tif", fname);
+ out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
+ if (out == NULL)
+ return (-2);