1 files changed, 88 insertions, 0 deletions

diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/packages/patches/libtiff-CVE-2016-5323.patch
new file mode 100644
index 0000000000..8b2a043d29
--- /dev/null
+++ b/gnu/packages/patches/libtiff-CVE-2016-5323.patch
@@ -0,0 +1,88 @@
+Fix CVE-2016-5323.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
+http://bugzilla.maptools.org/show_bug.cgi?id=2559
+
+Patch extracted from upstream CVS repo with:
+$ cvs diff -u -r1.36  -r1.37 tools/tiffcrop.c
+
+Index: tools/tiffcrop.c
+===================================================================
+RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
+retrieving revision 1.36
+retrieving revision 1.37
+diff -u -r1.36 -r1.37
+--- libtiff/tools/tiffcrop.c	11 Jul 2016 21:26:03 -0000	1.36
++++ libtiff/tools/tiffcrop.c	11 Jul 2016 21:38:31 -0000	1.37
+@@ -3738,7 +3738,7 @@
+ 
+       matchbits = maskbits << (8 - src_bit - bps); 
+       /* load up next sample from each plane */
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         buff1 = ((*src) & matchbits) << (src_bit);
+@@ -3837,7 +3837,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (16 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -3947,7 +3947,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (32 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4073,7 +4073,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (64 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ 	{
+ 	src = in[s] + src_offset + src_byte;
+ 	if (little_endian)
+@@ -4263,7 +4263,7 @@
+ 
+       matchbits = maskbits << (8 - src_bit - bps); 
+       /* load up next sample from each plane */
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         buff1 = ((*src) & matchbits) << (src_bit);
+@@ -4362,7 +4362,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (16 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4471,7 +4471,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (32 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+         {
+ 	src = in[s] + src_offset + src_byte;
+         if (little_endian)
+@@ -4597,7 +4597,7 @@
+       src_bit  = bit_offset % 8;
+ 
+       matchbits = maskbits << (64 - src_bit - bps); 
+-      for (s = 0; s < spp; s++)
++      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ 	{
+ 	src = in[s] + src_offset + src_byte;
+ 	if (little_endian)