summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am19
-rw-r--r--gnu/packages/image.scm23
-rw-r--r--gnu/packages/patches/libtiff-CVE-2012-4564.patch33
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-1960.patch148
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-1961.patch770
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-4231.patch19
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-4232.patch20
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-4243.patch39
-rw-r--r--gnu/packages/patches/libtiff-CVE-2013-4244.patch20
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch30
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch42
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch295
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch32
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch83
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch34
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch77
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch16
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-8129.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-9330.patch47
-rw-r--r--gnu/packages/patches/libtiff-CVE-2014-9655.patch88
21 files changed, 2 insertions, 1923 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 974201b479..72ec9fc666 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -527,25 +527,6 @@ dist_patch_DATA =						\
   gnu/packages/patches/libmad-frame-length.patch		\
   gnu/packages/patches/libmad-mips-newgcc.patch			\
   gnu/packages/patches/libtheora-config-guess.patch		\
-  gnu/packages/patches/libtiff-CVE-2012-4564.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-1960.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-1961.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-4231.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-4232.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-4243.patch		\
-  gnu/packages/patches/libtiff-CVE-2013-4244.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-8129.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-9330.patch		\
-  gnu/packages/patches/libtiff-CVE-2014-9655.patch		\
   gnu/packages/patches/libtool-skip-tests2.patch		\
   gnu/packages/patches/libssh-CVE-2014-0017.patch		\
   gnu/packages/patches/libwmf-CVE-2006-3376.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 84f03967a7..d2de92586f 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -106,32 +106,13 @@ image files in PBMPLUS PPM/PGM, GIF, BMP, and Targa file formats.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.3")
+   (version "4.0.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
                    version ".tar.gz"))
             (sha256 (base32
-                     "0wj8d1iwk9vnpax2h29xqc2hwknxg3s0ay2d5pxkg59ihbifn6pa"))
-            (patches (map search-patch '("libtiff-CVE-2012-4564.patch"
-                                         "libtiff-CVE-2013-1960.patch"
-                                         "libtiff-CVE-2013-1961.patch"
-                                         "libtiff-CVE-2013-4231.patch"
-                                         "libtiff-CVE-2013-4232.patch"
-                                         "libtiff-CVE-2013-4244.patch"
-                                         "libtiff-CVE-2013-4243.patch"
-                                         "libtiff-CVE-2014-9330.patch"
-                                         "libtiff-CVE-2014-8127-pt1.patch"
-                                         "libtiff-CVE-2014-8127-pt2.patch"
-                                         "libtiff-CVE-2014-8127-pt3.patch"
-                                         "libtiff-CVE-2014-8127-pt4.patch"
-                                         "libtiff-CVE-2014-8128-pt1.patch"
-                                         "libtiff-CVE-2014-8128-pt2.patch"
-                                         "libtiff-CVE-2014-8128-pt3.patch"
-                                         "libtiff-CVE-2014-8129.patch"
-                                         "libtiff-CVE-2014-9655.patch"
-                                         "libtiff-CVE-2014-8128-pt4.patch"
-                                         "libtiff-CVE-2014-8128-pt5.patch")))))
+                     "171hgy4mylwmvdm7gp6ffjva81m4j56v3fbqsbfl7avzxn1slpp2"))))
    (build-system gnu-build-system)
    (inputs `(("zlib" ,zlib)
              ("libjpeg-8" ,libjpeg-8)))
diff --git a/gnu/packages/patches/libtiff-CVE-2012-4564.patch b/gnu/packages/patches/libtiff-CVE-2012-4564.patch
deleted file mode 100644
index 472f9ca35f..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2012-4564.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/tools/ppm2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/ppm2tiff.c	2013-06-23 10:36:50.779629492 -0400
-+++ tiff-4.0.3/tools/ppm2tiff.c	2013-06-23 10:36:50.775629494 -0400
-@@ -89,6 +89,7 @@
- 	int c;
- 	extern int optind;
- 	extern char* optarg;
-+	tmsize_t scanline_size;
- 
- 	if (argc < 2) {
- 	    fprintf(stderr, "%s: Too few arguments\n", argv[0]);
-@@ -237,8 +238,16 @@
- 	}
- 	if (TIFFScanlineSize(out) > linebytes)
- 		buf = (unsigned char *)_TIFFmalloc(linebytes);
--	else
--		buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+	else {
-+		scanline_size = TIFFScanlineSize(out);
-+		if (scanline_size != 0)
-+			buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
-+		else {
-+			fprintf(stderr, "%s: scanline size overflow\n",infile);
-+			(void) TIFFClose(out);
-+			exit(-2);
-+			}
-+		}
- 	if (resolution > 0) {
- 		TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
- 		TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
diff --git a/gnu/packages/patches/libtiff-CVE-2013-1960.patch b/gnu/packages/patches/libtiff-CVE-2013-1960.patch
deleted file mode 100644
index 341063f25d..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-1960.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c	2013-06-23 10:36:50.979629486 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c	2013-06-23 10:36:50.975629486 -0400
-@@ -3341,33 +3341,56 @@
- 	uint32 height){
- 
- 	tsize_t i=0;
--	uint16 ri =0;
--	uint16 v_samp=1;
--	uint16 h_samp=1;
--	int j=0;
--	
--	i++;
--	
--	while(i<(*striplength)){
-+
-+	while (i < *striplength) {
-+		tsize_t datalen;
-+		uint16 ri;
-+		uint16 v_samp;
-+		uint16 h_samp;
-+		int j;
-+		int ncomp;
-+
-+		/* marker header: one or more FFs */
-+		if (strip[i] != 0xff)
-+			return(0);
-+		i++;
-+		while (i < *striplength && strip[i] == 0xff)
-+			i++;
-+		if (i >= *striplength)
-+			return(0);
-+		/* SOI is the only pre-SOS marker without a length word */
-+		if (strip[i] == 0xd8)
-+			datalen = 0;
-+		else {
-+			if ((*striplength - i) <= 2)
-+				return(0);
-+			datalen = (strip[i+1] << 8) | strip[i+2];
-+			if (datalen < 2 || datalen >= (*striplength - i))
-+				return(0);
-+		}
- 		switch( strip[i] ){
--			case 0xd8:
--				/* SOI - start of image */
-+			case 0xd8:	/* SOI - start of image */
- 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- 				*bufferoffset+=2;
--				i+=2;
- 				break;
--			case 0xc0:
--			case 0xc1:
--			case 0xc3:
--			case 0xc9:
--			case 0xca:
-+			case 0xc0:	/* SOF0 */
-+			case 0xc1:	/* SOF1 */
-+			case 0xc3:	/* SOF3 */
-+			case 0xc9:	/* SOF9 */
-+			case 0xca:	/* SOF10 */
- 				if(no==0){
--					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
--					for(j=0;j<buffer[*bufferoffset+9];j++){
--						if( (buffer[*bufferoffset+11+(2*j)]>>4) > h_samp) 
--							h_samp = (buffer[*bufferoffset+11+(2*j)]>>4);
--						if( (buffer[*bufferoffset+11+(2*j)] & 0x0f) > v_samp) 
--							v_samp = (buffer[*bufferoffset+11+(2*j)] & 0x0f);
-+					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+					ncomp = buffer[*bufferoffset+9];
-+					if (ncomp < 1 || ncomp > 4)
-+						return(0);
-+					v_samp=1;
-+					h_samp=1;
-+					for(j=0;j<ncomp;j++){
-+						uint16 samp = buffer[*bufferoffset+11+(3*j)];
-+						if( (samp>>4) > h_samp) 
-+							h_samp = (samp>>4);
-+						if( (samp & 0x0f) > v_samp) 
-+							v_samp = (samp & 0x0f);
- 					}
- 					v_samp*=8;
- 					h_samp*=8;
-@@ -3381,45 +3404,43 @@
-                                           (unsigned char) ((height>>8) & 0xff);
- 					buffer[*bufferoffset+6]=
-                                             (unsigned char) (height & 0xff);
--					*bufferoffset+=strip[i+2]+2;
--					i+=strip[i+2]+2;
--
-+					*bufferoffset+=datalen+2;
-+					/* insert a DRI marker */
- 					buffer[(*bufferoffset)++]=0xff;
- 					buffer[(*bufferoffset)++]=0xdd;
- 					buffer[(*bufferoffset)++]=0x00;
- 					buffer[(*bufferoffset)++]=0x04;
- 					buffer[(*bufferoffset)++]=(ri >> 8) & 0xff;
- 					buffer[(*bufferoffset)++]= ri & 0xff;
--				} else {
--					i+=strip[i+2]+2;
- 				}
- 				break;
--			case 0xc4:
--			case 0xdb:
--				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
--				*bufferoffset+=strip[i+2]+2;
--				i+=strip[i+2]+2;
-+			case 0xc4: /* DHT */
-+			case 0xdb: /* DQT */
-+				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+				*bufferoffset+=datalen+2;
- 				break;
--			case 0xda:
-+			case 0xda: /* SOS */
- 				if(no==0){
--					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), strip[i+2]+2);
--					*bufferoffset+=strip[i+2]+2;
--					i+=strip[i+2]+2;
-+					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+					*bufferoffset+=datalen+2;
- 				} else {
- 					buffer[(*bufferoffset)++]=0xff;
- 					buffer[(*bufferoffset)++]=
-                                             (unsigned char)(0xd0 | ((no-1)%8));
--					i+=strip[i+2]+2;
- 				}
--				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), (*striplength)-i-1);
--				*bufferoffset+=(*striplength)-i-1;
-+				i += datalen + 1;
-+				/* copy remainder of strip */
-+				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
-+				*bufferoffset+= *striplength - i;
- 				return(1);
- 			default:
--				i+=strip[i+2]+2;
-+				/* ignore any other marker */
-+				break;
- 		}
-+		i += datalen + 1;
- 	}
--	
- 
-+	/* failed to find SOS marker */
- 	return(0);
- }
- #endif
diff --git a/gnu/packages/patches/libtiff-CVE-2013-1961.patch b/gnu/packages/patches/libtiff-CVE-2013-1961.patch
deleted file mode 100644
index 9c2481ce83..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-1961.patch
+++ /dev/null
@@ -1,770 +0,0 @@
-Copied from Debian
-
-Index: tiff-4.0.3/contrib/dbs/xtiff/xtiff.c
-===================================================================
---- tiff-4.0.3.orig/contrib/dbs/xtiff/xtiff.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/contrib/dbs/xtiff/xtiff.c	2013-06-23 10:36:51.147629484 -0400
-@@ -512,9 +512,9 @@
-     Arg args[1];
- 
-     if (tfMultiPage)
--        sprintf(buffer, "%s - page %d", fileName, tfDirectory);
-+        snprintf(buffer, sizeof(buffer), "%s - page %d", fileName, tfDirectory);
-     else
--        strcpy(buffer, fileName);
-+        snprintf(buffer, sizeof(buffer), "%s", fileName);
-     XtSetArg(args[0], XtNlabel, buffer);
-     XtSetValues(labelWidget, args, 1);
- }
-Index: tiff-4.0.3/libtiff/tif_dirinfo.c
-===================================================================
---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/libtiff/tif_dirinfo.c	2013-06-23 10:36:51.147629484 -0400
-@@ -711,7 +711,7 @@
- 	 * note that this name is a special sign to TIFFClose() and
- 	 * _TIFFSetupFields() to free the field
- 	 */
--	sprintf(fld->field_name, "Tag %d", (int) tag);
-+	snprintf(fld->field_name, 32, "Tag %d", (int) tag);
- 
- 	return fld;    
- }
-Index: tiff-4.0.3/libtiff/tif_codec.c
-===================================================================
---- tiff-4.0.3.orig/libtiff/tif_codec.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/libtiff/tif_codec.c	2013-06-23 10:36:51.151629482 -0400
-@@ -108,7 +108,8 @@
- 	const TIFFCodec* c = TIFFFindCODEC(tif->tif_dir.td_compression);
-         char compression_code[20];
-         
--        sprintf( compression_code, "%d", tif->tif_dir.td_compression );
-+        snprintf(compression_code, sizeof(compression_code), "%d",
-+		 tif->tif_dir.td_compression );
- 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-                      "%s compression support is not configured", 
-                      c ? c->name : compression_code );
-Index: tiff-4.0.3/tools/tiffdither.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiffdither.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiffdither.c	2013-06-23 10:36:51.151629482 -0400
-@@ -260,7 +260,7 @@
- 		TIFFSetField(out, TIFFTAG_FILLORDER, fillorder);
- 	else
- 		CopyField(TIFFTAG_FILLORDER, shortv);
--	sprintf(thing, "Dithered B&W version of %s", argv[optind]);
-+	snprintf(thing, sizeof(thing), "Dithered B&W version of %s", argv[optind]);
- 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- 	CopyField(TIFFTAG_PHOTOMETRIC, shortv);
- 	CopyField(TIFFTAG_ORIENTATION, shortv);
-Index: tiff-4.0.3/tools/rgb2ycbcr.c
-===================================================================
---- tiff-4.0.3.orig/tools/rgb2ycbcr.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/rgb2ycbcr.c	2013-06-23 10:36:51.151629482 -0400
-@@ -332,7 +332,8 @@
- 	TIFFSetField(out, TIFFTAG_PLANARCONFIG, PLANARCONFIG_CONTIG);
- 	{ char buf[2048];
- 	  char *cp = strrchr(TIFFFileName(in), '/');
--	  sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
-+	  snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
-+		   cp ? cp+1 : TIFFFileName(in));
- 	  TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
- 	}
- 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c	2013-06-23 10:36:51.151629482 -0400
-@@ -3630,7 +3630,9 @@
- 	char buffer[16];
- 	int buflen=0;
- 	
--	buflen=sprintf(buffer, "%%PDF-%u.%u ", t2p->pdf_majorversion&0xff, t2p->pdf_minorversion&0xff);
-+	buflen = snprintf(buffer, sizeof(buffer), "%%PDF-%u.%u ",
-+			  t2p->pdf_majorversion&0xff,
-+			  t2p->pdf_minorversion&0xff);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t)"\n%\342\343\317\323\n", 7);
- 
-@@ -3644,10 +3646,10 @@
- tsize_t t2p_write_pdf_obj_start(uint32 number, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
--	buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen );
- 	written += t2pWriteFile(output, (tdata_t) " 0 obj\n", 7);
- 
-@@ -3686,13 +3688,13 @@
- 	written += t2pWriteFile(output, (tdata_t) "/", 1);
- 	for (i=0;i<namelen;i++){
- 		if ( ((unsigned char)name[i]) < 0x21){
--			sprintf(buffer, "#%.2X", name[i]);
-+			snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 			buffer[sizeof(buffer) - 1] = '\0';
- 			written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 			nextchar=1;
- 		}
- 		if ( ((unsigned char)name[i]) > 0x7E){
--			sprintf(buffer, "#%.2X", name[i]);
-+			snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 			buffer[sizeof(buffer) - 1] = '\0';
- 			written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 			nextchar=1;
-@@ -3700,57 +3702,57 @@
- 		if (nextchar==0){
- 			switch (name[i]){
- 				case 0x23:
--					sprintf(buffer, "#%.2X", name[i]);
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x25:
--					sprintf(buffer, "#%.2X", name[i]);
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x28:
--					sprintf(buffer, "#%.2X", name[i]);
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x29:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x2F:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x3C:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x3E:
--					sprintf(buffer, "#%.2X", name[i]);
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x5B:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x5D:
--					sprintf(buffer, "#%.2X", name[i]);
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]);
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x7B:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
- 				case 0x7D:
--					sprintf(buffer, "#%.2X", name[i]); 
-+					snprintf(buffer, sizeof(buffer), "#%.2X", name[i]); 
- 					buffer[sizeof(buffer) - 1] = '\0';
- 					written += t2pWriteFile(output, (tdata_t) buffer, 3);
- 					break;
-@@ -3865,14 +3867,14 @@
- tsize_t t2p_write_pdf_stream_dict(tsize_t len, uint32 number, TIFF* output){
- 	
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 	
- 	written += t2pWriteFile(output, (tdata_t) "/Length ", 8);
- 	if(len!=0){
- 		written += t2p_write_pdf_stream_length(len, output);
- 	} else {
--		buflen=sprintf(buffer, "%lu", (unsigned long)number);
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)number);
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- 	}
-@@ -3913,10 +3915,10 @@
- tsize_t t2p_write_pdf_stream_length(tsize_t len, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
--	buflen=sprintf(buffer, "%lu", (unsigned long)len);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)len);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "\n", 1);
- 
-@@ -3930,7 +3932,7 @@
- tsize_t t2p_write_pdf_catalog(T2P* t2p, TIFF* output)
- {
- 	tsize_t written = 0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen = 0;
- 
- 	written += t2pWriteFile(output, 
-@@ -3969,7 +3971,6 @@
- 		written += t2p_write_pdf_string(t2p->pdf_datetime, output);
- 	}
- 	written += t2pWriteFile(output, (tdata_t) "\n/Producer ", 11);
--	_TIFFmemset((tdata_t)buffer, 0x00, sizeof(buffer));
- 	snprintf(buffer, sizeof(buffer), "libtiff / tiff2pdf - %d", TIFFLIB_VERSION);
- 	written += t2p_write_pdf_string(buffer, output);
- 	written += t2pWriteFile(output, (tdata_t) "\n", 1);
-@@ -4110,7 +4111,7 @@
- {
- 	tsize_t written=0;
- 	tdir_t i=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
- 	int page=0;
-@@ -4118,7 +4119,7 @@
- 		(tdata_t) "<< \n/Type /Pages \n/Kids [ ", 26);
- 	page = t2p->pdf_pages+1;
- 	for (i=0;i<t2p->tiff_pagecount;i++){
--		buflen=sprintf(buffer, "%d", page);
-+		buflen=snprintf(buffer, sizeof(buffer), "%d", page);
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- 		if ( ((i+1)%8)==0 ) {
-@@ -4133,8 +4134,7 @@
- 		}
- 	}
- 	written += t2pWriteFile(output, (tdata_t) "] \n/Count ", 10);
--	_TIFFmemset(buffer, 0x00, 16);
--	buflen=sprintf(buffer, "%d", t2p->tiff_pagecount);
-+	buflen=snprintf(buffer, sizeof(buffer), "%d", t2p->tiff_pagecount);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " \n>> \n", 6);
- 
-@@ -4149,28 +4149,28 @@
- 
- 	unsigned int i=0;
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[256];
- 	int buflen=0;
- 
- 	written += t2pWriteFile(output, (tdata_t) "<<\n/Type /Page \n/Parent ", 24);
--	buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_pages);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_pages);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- 	written += t2pWriteFile(output, (tdata_t) "/MediaBox [", 11); 
--	buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x1);
-+	buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x1);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " ", 1); 
--	buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y1);
-+	buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y1);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " ", 1); 
--	buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.x2);
-+	buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.x2);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " ", 1); 
--	buflen=sprintf(buffer, "%.4f",t2p->pdf_mediabox.y2);
-+	buflen=snprintf(buffer, sizeof(buffer), "%.4f",t2p->pdf_mediabox.y2);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "] \n", 3); 
- 	written += t2pWriteFile(output, (tdata_t) "/Contents ", 10);
--	buflen=sprintf(buffer, "%lu", (unsigned long)(object + 1));
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(object + 1));
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " 0 R \n", 6);
- 	written += t2pWriteFile(output, (tdata_t) "/Resources << \n", 15);
-@@ -4178,15 +4178,13 @@
- 		written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- 		for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount;i++){
- 			written += t2pWriteFile(output, (tdata_t) "/Im", 3);
--			buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+			buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) "_", 1);
--			buflen = sprintf(buffer, "%u", i+1);
-+			buflen = snprintf(buffer, sizeof(buffer), "%u", i+1);
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) " ", 1);
--			buflen = sprintf(
--				buffer, 
--				"%lu", 
-+			buflen = snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); 
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4198,12 +4196,10 @@
- 	} else {
- 			written += t2pWriteFile(output, (tdata_t) "/XObject <<\n", 12);
- 			written += t2pWriteFile(output, (tdata_t) "/Im", 3);
--			buflen = sprintf(buffer, "%u", t2p->pdf_page+1);
-+			buflen = snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) " ", 1);
--			buflen = sprintf(
--				buffer, 
--				"%lu", 
-+			buflen = snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)(object+3+(2*i)+t2p->tiff_pages[t2p->pdf_page].page_extra)); 
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4212,9 +4208,7 @@
- 	if(t2p->tiff_transferfunctioncount != 0) {
- 		written += t2pWriteFile(output, (tdata_t) "/ExtGState <<", 13);
- 		t2pWriteFile(output, (tdata_t) "/GS1 ", 5);
--		buflen = sprintf(
--			buffer, 
--			"%lu", 
-+		buflen = snprintf(buffer, sizeof(buffer), "%lu",
- 			(unsigned long)(object + 3)); 
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4587,7 +4581,7 @@
- 	if(t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount>0){ 
- 		for(i=0;i<t2p->tiff_tiles[t2p->pdf_page].tiles_tilecount; i++){
- 			box=t2p->tiff_tiles[t2p->pdf_page].tiles_tiles[i].tile_box;
--			buflen=sprintf(buffer, 
-+			buflen=snprintf(buffer, sizeof(buffer), 
- 				"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d_%ld Do Q\n", 
- 				t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- 				box.mat[0],
-@@ -4602,7 +4596,7 @@
- 		}
- 	} else {
- 		box=t2p->pdf_imagebox;
--		buflen=sprintf(buffer, 
-+		buflen=snprintf(buffer, sizeof(buffer), 
- 			"q %s %.4f %.4f %.4f %.4f %.4f %.4f cm /Im%d Do Q\n", 
- 			t2p->tiff_transferfunctioncount?"/GS1 gs ":"",
- 			box.mat[0],
-@@ -4627,59 +4621,48 @@
- 												TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
- 	written += t2p_write_pdf_stream_dict(0, t2p->pdf_xrefcount+1, output); 
- 	written += t2pWriteFile(output, 
- 		(tdata_t) "/Type /XObject \n/Subtype /Image \n/Name /Im", 
- 		42);
--	buflen=sprintf(buffer, "%u", t2p->pdf_page+1);
-+	buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_page+1);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	if(tile != 0){
- 		written += t2pWriteFile(output, (tdata_t) "_", 1);
--		buflen=sprintf(buffer, "%lu", (unsigned long)tile);
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)tile);
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	}
- 	written += t2pWriteFile(output, (tdata_t) "\n/Width ", 8);
--	_TIFFmemset((tdata_t)buffer, 0x00, 16);
- 	if(tile==0){
--		buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_width);
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_width);
- 	} else {
- 		if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
--			buflen=sprintf(
--				buffer, 
--				"%lu", 
-+			buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- 		} else {
--			buflen=sprintf(
--				buffer, 
--				"%lu", 
-+			buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- 		}
- 	}
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "\n/Height ", 9);
--	_TIFFmemset((tdata_t)buffer, 0x00, 16);
- 	if(tile==0){
--		buflen=sprintf(buffer, "%lu", (unsigned long)t2p->tiff_length);
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->tiff_length);
- 	} else {
- 		if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)!=0){
--			buflen=sprintf(
--				buffer, 
--				"%lu", 
-+			buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- 		} else {
--			buflen=sprintf(
--				buffer, 
--				"%lu", 
-+			buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 				(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- 		}
- 	}
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "\n/BitsPerComponent ", 19);
--	_TIFFmemset((tdata_t)buffer, 0x00, 16);
--	buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+	buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "\n/ColorSpace ", 13);
- 	written += t2p_write_pdf_xobject_cs(t2p, output);
-@@ -4723,11 +4706,10 @@
- 		t2p->pdf_colorspace ^= T2P_CS_PALETTE;
- 		written += t2p_write_pdf_xobject_cs(t2p, output);
- 		t2p->pdf_colorspace |= T2P_CS_PALETTE;
--		buflen=sprintf(buffer, "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
-+		buflen=snprintf(buffer, sizeof(buffer), "%u", (0x0001 << t2p->tiff_bitspersample)-1 );
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " ", 1);
--		_TIFFmemset(buffer, 0x00, 16);
--		buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_palettecs ); 
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_palettecs ); 
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ]\n", 7);
- 		return(written);
-@@ -4761,10 +4743,10 @@
- 			X_W /= Y_W;
- 			Z_W /= Y_W;
- 			Y_W = 1.0F;
--			buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+			buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- 			written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			written += t2pWriteFile(output, (tdata_t) "/Range ", 7);
--			buflen=sprintf(buffer, "[%d %d %d %d] \n", 
-+			buflen=snprintf(buffer, sizeof(buffer), "[%d %d %d %d] \n", 
- 				t2p->pdf_labrange[0], 
- 				t2p->pdf_labrange[1], 
- 				t2p->pdf_labrange[2], 
-@@ -4780,26 +4762,26 @@
- tsize_t t2p_write_pdf_transfer(T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
- 	written += t2pWriteFile(output, (tdata_t) "<< /Type /ExtGState \n/TR ", 25);
- 	if(t2p->tiff_transferfunctioncount == 1){
--		buflen=sprintf(buffer, "%lu",
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 			       (unsigned long)(t2p->pdf_xrefcount + 1));
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
- 	} else {
- 		written += t2pWriteFile(output, (tdata_t) "[ ", 2);
--		buflen=sprintf(buffer, "%lu",
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 			       (unsigned long)(t2p->pdf_xrefcount + 1));
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
--		buflen=sprintf(buffer, "%lu",
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 			       (unsigned long)(t2p->pdf_xrefcount + 2));
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
--		buflen=sprintf(buffer, "%lu",
-+		buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 			       (unsigned long)(t2p->pdf_xrefcount + 3));
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) " 0 R ", 5);
-@@ -4821,7 +4803,7 @@
- 	written += t2pWriteFile(output, (tdata_t) "/FunctionType 0 \n", 17);
- 	written += t2pWriteFile(output, (tdata_t) "/Domain [0.0 1.0] \n", 19);
- 	written += t2pWriteFile(output, (tdata_t) "/Range [0.0 1.0] \n", 18);
--	buflen=sprintf(buffer, "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
-+	buflen=snprintf(buffer, sizeof(buffer), "/Size [%u] \n", (1<<t2p->tiff_bitspersample));
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "/BitsPerSample 16 \n", 19);
- 	written += t2p_write_pdf_stream_dict(((tsize_t)1)<<(t2p->tiff_bitspersample+1), 0, output);
-@@ -4848,7 +4830,7 @@
- tsize_t t2p_write_pdf_xobject_calcs(T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[128];
-+	char buffer[256];
- 	int buflen=0;
- 	
- 	float X_W=0.0;
-@@ -4916,16 +4898,16 @@
- 	written += t2pWriteFile(output, (tdata_t) "<< \n", 4);
- 	if(t2p->pdf_colorspace & T2P_CS_CALGRAY){
- 		written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
--		buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+		buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) "/Gamma 2.2 \n", 12);
- 	}
- 	if(t2p->pdf_colorspace & T2P_CS_CALRGB){
- 		written += t2pWriteFile(output, (tdata_t) "/WhitePoint ", 12);
--		buflen=sprintf(buffer, "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
-+		buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f] \n", X_W, Y_W, Z_W);
- 		written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 		written += t2pWriteFile(output, (tdata_t) "/Matrix ", 8);
--		buflen=sprintf(buffer, "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", 
-+		buflen=snprintf(buffer, sizeof(buffer), "[%.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f %.4f] \n", 
- 			X_R, Y_R, Z_R, 
- 			X_G, Y_G, Z_G, 
- 			X_B, Y_B, Z_B); 
-@@ -4944,11 +4926,11 @@
- tsize_t t2p_write_pdf_xobject_icccs(T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 	
- 	written += t2pWriteFile(output, (tdata_t) "[/ICCBased ", 11);
--	buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_icccs);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_icccs);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " 0 R] \n", 7);
- 
-@@ -4958,11 +4940,11 @@
- tsize_t t2p_write_pdf_xobject_icccs_dict(T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 	
- 	written += t2pWriteFile(output, (tdata_t) "/N ", 3);
--	buflen=sprintf(buffer, "%u \n", t2p->tiff_samplesperpixel);
-+	buflen=snprintf(buffer, sizeof(buffer), "%u \n", t2p->tiff_samplesperpixel);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) "/Alternate ", 11);
- 	t2p->pdf_colorspace ^= T2P_CS_ICCBASED;
-@@ -5027,7 +5009,7 @@
- tsize_t t2p_write_pdf_xobject_stream_filter(ttile_t tile, T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[16];
-+	char buffer[32];
- 	int buflen=0;
- 
- 	if(t2p->pdf_compression==T2P_COMPRESS_NONE){
-@@ -5042,41 +5024,33 @@
- 			written += t2pWriteFile(output, (tdata_t) "<< /K -1 ", 9);
- 			if(tile==0){
- 				written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
--				buflen=sprintf(buffer, "%lu",
-+				buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 					       (unsigned long)t2p->tiff_width);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
--				buflen=sprintf(buffer, "%lu",
-+				buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 					       (unsigned long)t2p->tiff_length);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 			} else {
- 				if(t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- 					written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
--					buflen=sprintf(
--						buffer, 
--						"%lu", 
-+					buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 						(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilewidth);
- 					written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				} else {
- 					written += t2pWriteFile(output, (tdata_t) "/Columns ", 9);
--					buflen=sprintf(
--						buffer, 
--						"%lu", 
-+					buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 						(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilewidth);
- 					written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				}
- 				if(t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile-1)==0){
- 					written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
--					buflen=sprintf(
--						buffer, 
--						"%lu", 
-+					buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 						(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_tilelength);
- 					written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				} else {
- 					written += t2pWriteFile(output, (tdata_t) " /Rows ", 7);
--					buflen=sprintf(
--						buffer, 
--						"%lu", 
-+					buflen=snprintf(buffer, sizeof(buffer), "%lu",
- 						(unsigned long)t2p->tiff_tiles[t2p->pdf_page].tiles_edgetilelength);
- 					written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				}
-@@ -5103,21 +5077,17 @@
- 			if(t2p->pdf_compressionquality%100){
- 				written += t2pWriteFile(output, (tdata_t) "/DecodeParms ", 13);
- 				written += t2pWriteFile(output, (tdata_t) "<< /Predictor ", 14);
--				_TIFFmemset(buffer, 0x00, 16);
--				buflen=sprintf(buffer, "%u", t2p->pdf_compressionquality%100);
-+				buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->pdf_compressionquality%100);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				written += t2pWriteFile(output, (tdata_t) " /Columns ", 10);
--				_TIFFmemset(buffer, 0x00, 16);
--				buflen = sprintf(buffer, "%lu",
-+				buflen = snprintf(buffer, sizeof(buffer), "%lu",
- 						 (unsigned long)t2p->tiff_width);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				written += t2pWriteFile(output, (tdata_t) " /Colors ", 9);
--				_TIFFmemset(buffer, 0x00, 16);
--				buflen=sprintf(buffer, "%u", t2p->tiff_samplesperpixel);
-+				buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_samplesperpixel);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				written += t2pWriteFile(output, (tdata_t) " /BitsPerComponent ", 19);
--				_TIFFmemset(buffer, 0x00, 16);
--				buflen=sprintf(buffer, "%u", t2p->tiff_bitspersample);
-+				buflen=snprintf(buffer, sizeof(buffer), "%u", t2p->tiff_bitspersample);
- 				written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 				written += t2pWriteFile(output, (tdata_t) ">>\n", 3);
- 			}
-@@ -5137,16 +5107,16 @@
- tsize_t t2p_write_pdf_xreftable(T2P* t2p, TIFF* output){
- 
- 	tsize_t written=0;
--	char buffer[21];
-+	char buffer[64];
- 	int buflen=0;
- 	uint32 i=0;
- 
- 	written += t2pWriteFile(output, (tdata_t) "xref\n0 ", 7);
--	buflen=sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount + 1));
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
- 	written += t2pWriteFile(output, (tdata_t) " \n0000000000 65535 f \n", 22);
- 	for (i=0;i<t2p->pdf_xrefcount;i++){
--		sprintf(buffer, "%.10lu 00000 n \n",
-+		snprintf(buffer, sizeof(buffer), "%.10lu 00000 n \n",
- 			(unsigned long)t2p->pdf_xrefoffsets[i]);
- 		written += t2pWriteFile(output, (tdata_t) buffer, 20);
- 	}
-@@ -5170,17 +5140,14 @@
- 		snprintf(t2p->pdf_fileid + i, 9, "%.8X", rand());
- 
- 	written += t2pWriteFile(output, (tdata_t) "trailer\n<<\n/Size ", 17);
--	buflen = sprintf(buffer, "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
-+	buflen = snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)(t2p->pdf_xrefcount+1));
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
--	_TIFFmemset(buffer, 0x00, 32);	
- 	written += t2pWriteFile(output, (tdata_t) "\n/Root ", 7);
--	buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_catalog);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_catalog);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
--	_TIFFmemset(buffer, 0x00, 32);	
- 	written += t2pWriteFile(output, (tdata_t) " 0 R \n/Info ", 12);
--	buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_info);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_info);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
--	_TIFFmemset(buffer, 0x00, 32);	
- 	written += t2pWriteFile(output, (tdata_t) " 0 R \n/ID[<", 11);
- 	written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- 				sizeof(t2p->pdf_fileid) - 1);
-@@ -5188,9 +5155,8 @@
- 	written += t2pWriteFile(output, (tdata_t) t2p->pdf_fileid,
- 				sizeof(t2p->pdf_fileid) - 1);
- 	written += t2pWriteFile(output, (tdata_t) ">]\n>>\nstartxref\n", 16);
--	buflen=sprintf(buffer, "%lu", (unsigned long)t2p->pdf_startxref);
-+	buflen=snprintf(buffer, sizeof(buffer), "%lu", (unsigned long)t2p->pdf_startxref);
- 	written += t2pWriteFile(output, (tdata_t) buffer, buflen);
--	_TIFFmemset(buffer, 0x00, 32);	
- 	written += t2pWriteFile(output, (tdata_t) "\n%%EOF\n", 7);
- 
- 	return(written);
-Index: tiff-4.0.3/tools/tiff2ps.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2ps.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2ps.c	2013-06-23 10:36:51.155629481 -0400
-@@ -1781,8 +1781,8 @@
- 		imageOp = "imagemask";
- 
- 	(void)strcpy(im_x, "0");
--	(void)sprintf(im_y, "%lu", (long) h);
--	(void)sprintf(im_h, "%lu", (long) h);
-+	(void)snprintf(im_y, sizeof(im_y), "%lu", (long) h);
-+	(void)snprintf(im_h, sizeof(im_h), "%lu", (long) h);
- 	tile_width = w;
- 	tile_height = h;
- 	if (TIFFIsTiled(tif)) {
-@@ -1803,7 +1803,7 @@
- 		}
- 		if (tile_height < h) {
- 			fputs("/im_y 0 def\n", fd);
--			(void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+			(void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- 		}
- 	} else {
- 		repeat_count = tf_numberstrips;
-@@ -1815,7 +1815,7 @@
- 			fprintf(fd, "/im_h %lu def\n",
- 			    (unsigned long) tile_height);
- 			(void)strcpy(im_h, "im_h");
--			(void)sprintf(im_y, "%lu im_y sub", (unsigned long) h);
-+			(void)snprintf(im_y, sizeof(im_y), "%lu im_y sub", (unsigned long) h);
- 		}
- 	}
- 
-Index: tiff-4.0.3/tools/tiffcrop.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiffcrop.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiffcrop.c	2013-06-23 10:36:51.159629481 -0400
-@@ -2077,7 +2077,7 @@
-         return 1;
-         }
- 
--      sprintf (filenum, "-%03d%s", findex, export_ext);
-+      snprintf(filenum, sizeof(filenum), "-%03d%s", findex, export_ext);
-       filenum[14] = '\0';
-       strncat (exportname, filenum, 15);
-       }
-@@ -2230,8 +2230,8 @@
- 
-           /* dump.infilename is guaranteed to be NUL termimated and have 20 bytes 
-              fewer than PATH_MAX */ 
--          memset (temp_filename, '\0', PATH_MAX + 1);              
--          sprintf (temp_filename, "%s-read-%03d.%s", dump.infilename, dump_images,
-+          snprintf(temp_filename, sizeof(temp_filename), "%s-read-%03d.%s",
-+		   dump.infilename, dump_images,
-                   (dump.format == DUMP_TEXT) ? "txt" : "raw");
-           if ((dump.infile = fopen(temp_filename, dump.mode)) == NULL)
-             {
-@@ -2249,8 +2249,8 @@
- 
-           /* dump.outfilename is guaranteed to be NUL termimated and have 20 bytes 
-              fewer than PATH_MAX */ 
--          memset (temp_filename, '\0', PATH_MAX + 1);              
--          sprintf (temp_filename, "%s-write-%03d.%s", dump.outfilename, dump_images,
-+          snprintf(temp_filename, sizeof(temp_filename), "%s-write-%03d.%s",
-+		   dump.outfilename, dump_images,
-                   (dump.format == DUMP_TEXT) ? "txt" : "raw");
-           if ((dump.outfile = fopen(temp_filename, dump.mode)) == NULL)
-             {
-Index: tiff-4.0.3/tools/tiff2bw.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2bw.c	2013-06-23 10:36:51.163629483 -0400
-+++ tiff-4.0.3/tools/tiff2bw.c	2013-06-23 10:36:51.159629481 -0400
-@@ -205,7 +205,7 @@
- 		}
- 	}
- 	TIFFSetField(out, TIFFTAG_PHOTOMETRIC, PHOTOMETRIC_MINISBLACK);
--	sprintf(thing, "B&W version of %s", argv[optind]);
-+	snprintf(thing, sizeof(thing), "B&W version of %s", argv[optind]);
- 	TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
- 	TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
- 	outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4231.patch b/gnu/packages/patches/libtiff-CVE-2013-4231.patch
deleted file mode 100644
index c71f7dac2e..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4231.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Copied from Debian
-
-Description: Buffer overflow in gif2tiff
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2450
-Bug-Debian: http://bugs.debian.org/719303
-
-Index: tiff-4.0.3/tools/gif2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/gif2tiff.c	2013-08-22 11:46:11.960846910 -0400
-+++ tiff-4.0.3/tools/gif2tiff.c	2013-08-22 11:46:11.956846910 -0400
-@@ -333,6 +333,8 @@
-     int status = 1;
- 
-     datasize = getc(infile);
-+    if (datasize > 12)
-+	return 0;
-     clear = 1 << datasize;
-     eoi = clear + 1;
-     avail = clear + 2;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4232.patch b/gnu/packages/patches/libtiff-CVE-2013-4232.patch
deleted file mode 100644
index 3a92f61fef..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4232.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Copied from Debian
-
-Description: use after free in tiff2pdf
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2449
-Bug-Debian: http://bugs.debian.org/719303
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c	2013-08-22 11:46:37.292847242 -0400
-+++ tiff-4.0.3/tools/tiff2pdf.c	2013-08-22 11:46:37.292847242 -0400
-@@ -2461,7 +2461,8 @@
- 					(unsigned long) t2p->tiff_datasize, 
- 					TIFFFileName(input));
- 				t2p->t2p_error = T2P_ERR_ERROR;
--			  _TIFFfree(buffer);
-+				_TIFFfree(buffer);
-+				return(0);
- 			} else {
- 				buffer=samplebuffer;
- 				t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4243.patch b/gnu/packages/patches/libtiff-CVE-2013-4243.patch
deleted file mode 100644
index a10884cd89..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4243.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Copied from Debian
-
-Index: tiff/tools/gif2tiff.c
-===================================================================
---- tiff.orig/tools/gif2tiff.c
-+++ tiff/tools/gif2tiff.c
-@@ -280,6 +280,10 @@ readgifimage(char* mode)
-         fprintf(stderr, "no colormap present for image\n");
-         return (0);
-     }
-+    if (width == 0 || height == 0) {
-+        fprintf(stderr, "Invalid value of width or height\n");
-+        return(0);
-+    }
-     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
-         fprintf(stderr, "not enough memory for image\n");
-         return (0);
-@@ -404,6 +408,10 @@ process(register int code, unsigned char
-             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
-             return 0;
-         }
-+        if (*fill >= raster + width*height) {
-+            fprintf(stderr, "raster full before eoi code\n");
-+            return 0;
-+        }
- 	*(*fill)++ = suffix[code];
- 	firstchar = oldcode = code;
- 	return 1;
-@@ -434,6 +442,10 @@ process(register int code, unsigned char
-     }
-     oldcode = incode;
-     do {
-+        if (*fill >= raster + width*height) {
-+            fprintf(stderr, "raster full before eoi code\n");
-+            return 0;
-+        }
- 	*(*fill)++ = *--stackp;
-     } while (stackp > stack);
-     return 1;
diff --git a/gnu/packages/patches/libtiff-CVE-2013-4244.patch b/gnu/packages/patches/libtiff-CVE-2013-4244.patch
deleted file mode 100644
index be9c65c311..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2013-4244.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Copied from Debian
-
-Description: OOB write in gif2tiff
-Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=996468
-
-Index: tiff-4.0.3/tools/gif2tiff.c
-===================================================================
---- tiff-4.0.3.orig/tools/gif2tiff.c	2013-08-24 11:17:13.546447901 -0400
-+++ tiff-4.0.3/tools/gif2tiff.c	2013-08-24 11:17:13.546447901 -0400
-@@ -400,6 +400,10 @@
-     }
- 
-     if (oldcode == -1) {
-+        if (code >= clear) {
-+            fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
-+            return 0;
-+        }
- 	*(*fill)++ = suffix[code];
- 	firstchar = oldcode = code;
- 	return 1;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch
deleted file mode 100644
index 7f70edb86f..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt1.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Copied from Debian
-
-From 0782c759084daaf9e4de7ee6be7543081823455e Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 20:58:29 +0000
-Subject: [PATCH] * tools/tiff2bw.c: when Photometric=RGB, the utility only
- works if SamplesPerPixel = 3. Enforce that
- http://bugzilla.maptools.org/show_bug.cgi?id=2485 (CVE-2014-8127)
-
----
- ChangeLog       | 6 ++++++
- tools/tiff2bw.c | 5 +++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
-index 22467cd..94b8e31 100644
---- a/tools/tiff2bw.c
-+++ b/tools/tiff2bw.c
-@@ -171,6 +171,11 @@ main(int argc, char* argv[])
- 		    argv[optind], samplesperpixel);
- 		return (-1);
- 	}
-+	if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
-+		fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
-+		    argv[optind], samplesperpixel);
-+		return (-1);
-+	}
- 	TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
- 	if (bitspersample != 8) {
- 		fprintf(stderr,
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch
deleted file mode 100644
index a177ebfa21..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Copied from Debian
-
-From 3996fa0f84f4a8b7e65fe4b8f0681711022034ea Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 20:04:31 +0000
-Subject: [PATCH] * tools/pal2rgb.c, tools/thumbnail.c: fix crash by disabling
- TIFFTAG_INKNAMES copying. The right fix would be to properly copy it, but not
- worth the burden for those esoteric utilities.
- http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
-
----
- ChangeLog         | 7 +++++++
- tools/pal2rgb.c   | 2 +-
- tools/thumbnail.c | 2 +-
- 3 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index bfe7899..3fc3de3 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -372,7 +372,7 @@ static struct cpTag {
-     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
-     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
-     { TIFFTAG_INKSET,			1, TIFF_SHORT },
--    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
-+    /*{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
-     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
-     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
-     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index c50bbff..73f9c34 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -257,7 +257,7 @@ static struct cpTag {
-     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
-     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
-     { TIFFTAG_INKSET,			1, TIFF_SHORT },
--    { TIFFTAG_INKNAMES,			1, TIFF_ASCII },
-+    /*{ TIFFTAG_INKNAMES,			1, TIFF_ASCII },*/ /* Needs much more complicated logic. See tiffcp */
-     { TIFFTAG_DOTRANGE,			2, TIFF_SHORT },
-     { TIFFTAG_TARGETPRINTER,		1, TIFF_ASCII },
-     { TIFFTAG_SAMPLEFORMAT,		1, TIFF_SHORT },
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch
deleted file mode 100644
index b8a3703c4c..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt3.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Copied from Debian
-
-From 1f7359b00663804d96c3a102bcb6ead9812c1509 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Tue, 23 Dec 2014 10:15:35 +0000
-Subject: [PATCH] * libtiff/tif_read.c: fix several invalid comparisons of a
- uint64 value with <= 0 by casting it to int64 first. This solves crashing bug
- on corrupted images generated by afl.
-
----
- ChangeLog          | 6 ++++++
- libtiff/tif_read.c | 6 +++---
- 2 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
-index 2ba822a..dfc5b07 100644
---- a/libtiff/tif_read.c
-+++ b/libtiff/tif_read.c
-@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
- 		return ((tmsize_t)(-1));
- 	}
- 	bytecount = td->td_stripbytecount[strip];
--	if (bytecount <= 0) {
-+	if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 		TIFFErrorExt(tif->tif_clientdata, module,
- 			     "%I64u: Invalid strip byte count, strip %lu",
-@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[strip];
--		if (bytecount <= 0) {
-+		if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"Invalid strip byte count %I64u, strip %lu",
-@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
- 	if ((tif->tif_flags&TIFF_NOREADRAW)==0)
- 	{
- 		uint64 bytecount = td->td_stripbytecount[tile];
--		if (bytecount <= 0) {
-+		if ((int64)bytecount <= 0) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
- 				"%I64u: Invalid tile byte count, tile %lu",
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
deleted file mode 100644
index 62d903c650..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8127-pt4.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-Copied from Debian
-
-From 662f74445b2fea2eeb759c6524661118aef567ca Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 15:15:31 +0000
-Subject: [PATCH] Fix various crasher bugs on fuzzed images. *
- libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
- TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
- the directory * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read
- ColorMap or TransferFunction if BitsPerSample has not yet been read,
- otherwise reading it later will cause user code to crash if BitsPerSample > 1
- * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
- SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample
- != 8 * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
- instead of imagewidth to avoid crash * tools/bmp2tiff.c: fix crash due to int
- overflow related to input BMP dimensions * tools/tiff2pdf.c: fix crash due to
- invalid tile count (should likely be checked by libtiff too). Detect invalid
- settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB *
- tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight *
- tools/tiffdump.c: fix crash due to overflow of entry count.
-
----
- ChangeLog              | 19 +++++++++++++++++++
- libtiff/tif_dir.c      | 21 +++++++++++++++++++--
- libtiff/tif_dirread.c  | 17 +++++++++++++++++
- libtiff/tif_getimage.c | 15 +++++++++++++++
- libtiff/tif_next.c     |  2 ++
- tools/bmp2tiff.c       | 15 +++++++++++++++
- tools/tiff2pdf.c       | 41 +++++++++++++++++++++++++++++++++++++++++
- tools/tiffcrop.c       |  7 ++++---
- tools/tiffdump.c       |  9 ++++++---
- 9 files changed, 138 insertions(+), 8 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index 98cf66d..ab43a28 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -160,6 +160,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- 	TIFFDirectory* td = &tif->tif_dir;
- 	int status = 1;
- 	uint32 v32, i, v;
-+    double dblval;
- 	char* s;
- 	const TIFFField *fip = TIFFFindField(tif, tag, TIFF_ANY);
- 	uint32 standard_tag = tag;
-@@ -284,10 +285,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- 			setDoubleArrayOneValue(&td->td_smaxsamplevalue, va_arg(ap, double), td->td_samplesperpixel);
- 		break;
- 	case TIFFTAG_XRESOLUTION:
--		td->td_xresolution = (float) va_arg(ap, double);
-+        dblval = va_arg(ap, double);
-+        if( dblval < 0 )
-+            goto badvaluedouble;
-+		td->td_xresolution = (float) dblval;
- 		break;
- 	case TIFFTAG_YRESOLUTION:
--		td->td_yresolution = (float) va_arg(ap, double);
-+        dblval = va_arg(ap, double);
-+        if( dblval < 0 )
-+            goto badvaluedouble;
-+		td->td_yresolution = (float) dblval;
- 		break;
- 	case TIFFTAG_PLANARCONFIG:
- 		v = (uint16) va_arg(ap, uint16_vap);
-@@ -694,6 +701,16 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
- 		va_end(ap);
-         }
- 	return (0);
-+badvaluedouble:
-+        {
-+        const TIFFField* fip=TIFFFieldWithTag(tif,tag);
-+        TIFFErrorExt(tif->tif_clientdata, module,
-+             "%s: Bad value %f for \"%s\" tag",
-+             tif->tif_name, dblval,
-+             fip ? fip->field_name : "Unknown");
-+        va_end(ap);
-+        }
-+    return (0);
- }
- 
- /*
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 391c823..f66c9a7 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -3430,6 +3430,8 @@ TIFFReadDirectory(TIFF* tif)
- 	const TIFFField* fip;
- 	uint32 fii=FAILED_FII;
-         toff_t nextdiroff;
-+    int bitspersample_read = FALSE;
-+
- 	tif->tif_diroff=tif->tif_nextdiroff;
- 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
- 		return 0;           /* last offset or bad offset (IFD looping) */
-@@ -3706,6 +3708,8 @@ TIFFReadDirectory(TIFF* tif)
- 					}
- 					if (!TIFFSetField(tif,dp->tdir_tag,value))
- 						goto bad;
-+                    if( dp->tdir_tag == TIFFTAG_BITSPERSAMPLE )
-+                        bitspersample_read = TRUE;
- 				}
- 				break;
- 			case TIFFTAG_SMINSAMPLEVALUE:
-@@ -3763,6 +3767,19 @@ TIFFReadDirectory(TIFF* tif)
- 					uint32 countrequired;
- 					uint32 incrementpersample;
- 					uint16* value=NULL;
-+                    /* It would be dangerous to instanciate those tag values */
-+                    /* since if td_bitspersample has not yet been read (due to */
-+                    /* unordered tags), it could be read afterwards with a */
-+                    /* values greater than the default one (1), which may cause */
-+                    /* crashes in user code */
-+                    if( !bitspersample_read )
-+                    {
-+                        fip = TIFFFieldWithTag(tif,dp->tdir_tag);
-+                        TIFFWarningExt(tif->tif_clientdata,module,
-+                                       "Ignoring %s since BitsPerSample tag not found",
-+                                       fip ? fip->field_name : "unknown tagname");
-+                        continue;
-+                    }
- 					countpersample=(1L<<tif->tif_dir.td_bitspersample);
- 					if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
- 					{
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 074d32a..396ad08 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -182,8 +182,23 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- 				    "Planarconfiguration", td->td_planarconfig);
- 				return (0);
- 			}
-+			if( td->td_samplesperpixel != 3 )
-+            {
-+                sprintf(emsg,
-+                        "Sorry, can not handle image with %s=%d",
-+                        "Samples/pixel", td->td_samplesperpixel);
-+                return 0;
-+            }
- 			break;
- 		case PHOTOMETRIC_CIELAB:
-+            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+            {
-+                sprintf(emsg,
-+                        "Sorry, can not handle image with %s=%d and %s=%d",
-+                        "Samples/pixel", td->td_samplesperpixel,
-+                        "Bits/sample", td->td_bitspersample);
-+                return 0;
-+            }
- 			break;
- 		default:
- 			sprintf(emsg, "Sorry, can not handle image with %s=%d",
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index 55e2537..a53c716 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -102,6 +102,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- 		default: {
- 			uint32 npixels = 0, grey;
- 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
-+            if( isTiled(tif) )
-+                imagewidth = tif->tif_dir.td_tilewidth;
- 
- 			/*
- 			 * The scanline is composed of a sequence of constant
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index dfda963..f202b41 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -1167,6 +1167,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 		if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
- 			&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
- 				TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
-+                if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
-+                {
-+                    TIFFError(
-+                        TIFF2PDF_MODULE, 
-+                        "Invalid tile count, %s", 
-+                        TIFFFileName(input));
-+                    t2p->t2p_error = T2P_ERR_ERROR;
-+                    return;
-+                }
- 				t2p->tiff_tiles[i].tiles_tilecount/= xuint16;
- 		}
- 		if( t2p->tiff_tiles[i].tiles_tilecount > 0){
-@@ -1552,6 +1561,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- #endif
- 			break;
- 		case PHOTOMETRIC_CIELAB:
-+            if( t2p->tiff_samplesperpixel != 3){
-+                TIFFError(
-+                    TIFF2PDF_MODULE, 
-+                    "Unsupported samplesperpixel = %d for CIELAB", 
-+                    t2p->tiff_samplesperpixel);
-+                t2p->t2p_error = T2P_ERR_ERROR;
-+                return;
-+            }
-+            if( t2p->tiff_bitspersample != 8){
-+                TIFFError(
-+                    TIFF2PDF_MODULE, 
-+                    "Invalid bitspersample = %d for CIELAB", 
-+                    t2p->tiff_bitspersample);
-+                t2p->t2p_error = T2P_ERR_ERROR;
-+                return;
-+            }
- 			t2p->pdf_labrange[0]= -127;
- 			t2p->pdf_labrange[1]= 127;
- 			t2p->pdf_labrange[2]= -127;
-@@ -1567,6 +1592,22 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			t2p->pdf_colorspace=T2P_CS_LAB;
- 			break;
- 		case PHOTOMETRIC_ITULAB:
-+            if( t2p->tiff_samplesperpixel != 3){
-+                TIFFError(
-+                    TIFF2PDF_MODULE, 
-+                    "Unsupported samplesperpixel = %d for ITULAB", 
-+                    t2p->tiff_samplesperpixel);
-+                t2p->t2p_error = T2P_ERR_ERROR;
-+                return;
-+            }
-+            if( t2p->tiff_bitspersample != 8){
-+                TIFFError(
-+                    TIFF2PDF_MODULE, 
-+                    "Invalid bitspersample = %d for ITULAB", 
-+                    t2p->tiff_bitspersample);
-+                t2p->t2p_error = T2P_ERR_ERROR;
-+                return;
-+            }
- 			t2p->pdf_labrange[0]=-85;
- 			t2p->pdf_labrange[1]=85;
- 			t2p->pdf_labrange[2]=-75;
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index f5530bb..4088463 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -1205,9 +1205,10 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
-   tsize_t tilesize = TIFFTileSize(out);
-   unsigned char *tilebuf = NULL;
- 
--  TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
--  TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
--  TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
-+  if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
-+      !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
-+      !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-+      return 1;
- 
-   tile_buffsize = tilesize;
-   if (tilesize < (tsize_t)(tl * tile_rowsize))
-diff --git a/tools/tiffdump.c b/tools/tiffdump.c
-index cf5d62f..8247765 100644
---- a/tools/tiffdump.c
-+++ b/tools/tiffdump.c
-@@ -374,6 +374,8 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- 		void* datamem;
- 		uint64 dataoffset;
- 		int datatruncated;
-+        int datasizeoverflow;
-+
- 		tag = *(uint16*)dp;
- 		if (swabflag)
- 			TIFFSwabShort(&tag);
-@@ -412,13 +414,14 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- 		else
- 			typewidth = datawidth[type];
- 		datasize = count*typewidth;
-+        datasizeoverflow = (typewidth > 0 && datasize / typewidth != count);
- 		datafits = 1;
- 		datamem = dp;
- 		dataoffset = 0;
- 		datatruncated = 0;
- 		if (!bigtiff)
- 		{
--			if (datasize>4)
-+			if (datasizeoverflow || datasize>4)
- 			{
- 				uint32 dataoffset32;
- 				datafits = 0;
-@@ -432,7 +435,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- 		}
- 		else
- 		{
--			if (datasize>8)
-+			if (datasizeoverflow || datasize>8)
- 			{
- 				datafits = 0;
- 				datamem = NULL;
-@@ -442,7 +445,7 @@ ReadDirectory(int fd, unsigned int ix, uint64 off)
- 			}
- 			dp += sizeof(uint64);
- 		}
--		if (datasize>0x10000)
-+		if (datasizeoverflow || datasize>0x10000)
- 		{
- 			datatruncated = 1;
- 			count = 0x10000/typewidth;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
deleted file mode 100644
index fda018b7bb..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Copied from Debian
-
-From 3206e0c752a62da1ae606867113ed3bf9bf73306 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 19:53:59 +0000
-Subject: [PATCH] * tools/thumbnail.c: fix out-of-buffer write
- http://bugzilla.maptools.org/show_bug.cgi?id=2489 (CVE-2014-8128)
-
----
- ChangeLog         | 5 +++++
- tools/thumbnail.c | 8 +++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index fab63f6..c50bbff 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -568,7 +568,13 @@ setImage1(const uint8* br, uint32 rw, uint32 rh)
- 	    err -= limit;
- 	    sy++;
- 	    if (err >= limit)
--		rows[nrows++] = br + bpr*sy;
-+		{
-+			/* We should perhaps error loudly, but I can't make sense of that */
-+			/* code... */
-+			if( nrows == 256 )
-+				break;
-+			rows[nrows++] = br + bpr*sy;
-+		}
- 	}
- 	setrow(row, nrows, rows);
- 	row += tnw;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch
deleted file mode 100644
index 6f9ef85d14..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt2.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Copied from Debian
-
-From 8b6e80fca434525497e5a31c3309a3bab5b3c1c8 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 18:52:42 +0000
-Subject: [PATCH] * tools/thumbnail.c, tools/tiffcmp.c: only read/write
- TIFFTAG_GROUP3OPTIONS or TIFFTAG_GROUP4OPTIONS if compression is
- COMPRESSION_CCITTFAX3 or COMPRESSION_CCITTFAX4
- http://bugzilla.maptools.org/show_bug.cgi?id=2493 (CVE-2014-8128)
-
----
- ChangeLog         |  7 +++++++
- tools/thumbnail.c | 21 ++++++++++++++++++++-
- tools/tiffcmp.c   | 17 +++++++++++++++--
- 3 files changed, 42 insertions(+), 3 deletions(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index a98a881..fab63f6 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -274,7 +274,26 @@ cpTags(TIFF* in, TIFF* out)
- {
-     struct cpTag *p;
-     for (p = tags; p < &tags[NTAGS]; p++)
--	cpTag(in, out, p->tag, p->count, p->type);
-+	{
-+		/* Horrible: but TIFFGetField() expects 2 arguments to be passed */
-+		/* if we request a tag that is defined in a codec, but that codec */
-+		/* isn't used */
-+		if( p->tag == TIFFTAG_GROUP3OPTIONS )
-+		{
-+			uint16 compression;
-+			if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+				compression != COMPRESSION_CCITTFAX3 )
-+				continue;
-+		}
-+		if( p->tag == TIFFTAG_GROUP4OPTIONS )
-+		{
-+			uint16 compression;
-+			if( !TIFFGetField(in, TIFFTAG_COMPRESSION, &compression) ||
-+				compression != COMPRESSION_CCITTFAX4 )
-+				continue;
-+		}
-+		cpTag(in, out, p->tag, p->count, p->type);
-+	}
- }
- #undef NTAGS
- 
-diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
-index 508a461..d6392af 100644
---- a/tools/tiffcmp.c
-+++ b/tools/tiffcmp.c
-@@ -260,6 +260,7 @@ tiffcmp(TIFF* tif1, TIFF* tif2)
- static int
- cmptags(TIFF* tif1, TIFF* tif2)
- {
-+	uint16 compression1, compression2;
- 	CmpLongField(TIFFTAG_SUBFILETYPE,	"SubFileType");
- 	CmpLongField(TIFFTAG_IMAGEWIDTH,	"ImageWidth");
- 	CmpLongField(TIFFTAG_IMAGELENGTH,	"ImageLength");
-@@ -276,8 +277,20 @@ cmptags(TIFF* tif1, TIFF* tif2)
- 	CmpShortField(TIFFTAG_SAMPLEFORMAT,	"SampleFormat");
- 	CmpFloatField(TIFFTAG_XRESOLUTION,	"XResolution");
- 	CmpFloatField(TIFFTAG_YRESOLUTION,	"YResolution");
--	CmpLongField(TIFFTAG_GROUP3OPTIONS,	"Group3Options");
--	CmpLongField(TIFFTAG_GROUP4OPTIONS,	"Group4Options");
-+	if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
-+		compression1 == COMPRESSION_CCITTFAX3 &&
-+		TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
-+		compression2 == COMPRESSION_CCITTFAX3 )
-+	{
-+		CmpLongField(TIFFTAG_GROUP3OPTIONS,	"Group3Options");
-+	}
-+	if( TIFFGetField(tif1, TIFFTAG_COMPRESSION, &compression1) &&
-+		compression1 == COMPRESSION_CCITTFAX4 &&
-+		TIFFGetField(tif2, TIFFTAG_COMPRESSION, &compression2) &&
-+		compression2 == COMPRESSION_CCITTFAX4 )
-+	{
-+		CmpLongField(TIFFTAG_GROUP4OPTIONS,	"Group4Options");
-+	}
- 	CmpShortField(TIFFTAG_RESOLUTIONUNIT,	"ResolutionUnit");
- 	CmpShortField(TIFFTAG_PLANARCONFIG,	"PlanarConfiguration");
- 	CmpLongField(TIFFTAG_ROWSPERSTRIP,	"RowsPerStrip");
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch
deleted file mode 100644
index 200af0ef8b..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt3.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Copied from Debian
-
-From 266bc48054b018a2f1d74562aa48eb2f509436d5 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 17:36:36 +0000
-Subject: [PATCH] * tools/tiff2pdf.c: check return code of TIFFGetField() when
- reading TIFFTAG_SAMPLESPERPIXEL
-
----
- ChangeLog        |  5 +++++
- tools/tiff2pdf.c | 10 +++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-Index: tiff-4.0.3/tools/tiff2pdf.c
-===================================================================
---- tiff-4.0.3.orig/tools/tiff2pdf.c
-+++ tiff-4.0.3/tools/tiff2pdf.c
-@@ -1164,7 +1164,15 @@ void t2p_read_tiff_init(T2P* t2p, TIFF*
- 			t2p->tiff_pages[i].page_tilecount;
- 		if( (TIFFGetField(input, TIFFTAG_PLANARCONFIG, &xuint16) != 0)
- 			&& (xuint16 == PLANARCONFIG_SEPARATE ) ){
--				TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16);
-+				if( !TIFFGetField(input, TIFFTAG_SAMPLESPERPIXEL, &xuint16) )
-+				{
-+					TIFFError(
-+                        TIFF2PDF_MODULE, 
-+                        "Missing SamplesPerPixel, %s", 
-+                        TIFFFileName(input));
-+                    t2p->t2p_error = T2P_ERR_ERROR;
-+                    return;
-+				}
-                 if( (t2p->tiff_tiles[i].tiles_tilecount % xuint16) != 0 )
-                 {
-                     TIFFError(
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
deleted file mode 100644
index fda4045504..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt4.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Copied from Debian
-
-Picked from CVE: diff -u -r1.14 -r1.15
-http://bugzilla.maptools.org/show_bug.cgi?id=2501
-
-Author: Even Rouault <even.rouault@spatialys.com>
-
---- tiff-4.0.3.orig/tools/tiffdither.c
-+++ tiff-4.0.3/tools/tiffdither.c
-@@ -39,6 +39,7 @@
- #endif
- 
- #include "tiffio.h"
-+#include "tiffiop.h"
- 
- #define	streq(a,b)	(strcmp(a,b) == 0)
- #define	strneq(a,b,n)	(strncmp(a,b,n) == 0)
-@@ -56,7 +57,7 @@ static	void usage(void);
-  * Floyd-Steinberg error propragation with threshold.
-  * This code is stolen from tiffmedian.
-  */
--static void
-+static int
- fsdither(TIFF* in, TIFF* out)
- {
- 	unsigned char *outline, *inputline, *inptr;
-@@ -68,14 +69,19 @@ fsdither(TIFF* in, TIFF* out)
- 	int lastline, lastpixel;
- 	int bit;
- 	tsize_t outlinesize;
-+	int errcode = 0;
- 
- 	imax = imagelength - 1;
- 	jmax = imagewidth - 1;
- 	inputline = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
--	thisline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
--	nextline = (short *)_TIFFmalloc(imagewidth * sizeof (short));
-+	thisline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
-+	nextline = (short *)_TIFFmalloc(TIFFSafeMultiply(tmsize_t, imagewidth, sizeof (short)));
- 	outlinesize = TIFFScanlineSize(out);
- 	outline = (unsigned char *) _TIFFmalloc(outlinesize);
-+	if (! (inputline && thisline && nextline && outline)) {
-+	    fprintf(stderr, "Out of memory.\n");
-+	    goto skip_on_error;
-+	}
- 
- 	/*
- 	 * Get first line
-@@ -93,7 +99,7 @@ fsdither(TIFF* in, TIFF* out)
- 		nextline = tmpptr;
- 		lastline = (i == imax);
- 		if (TIFFReadScanline(in, inputline, i, 0) <= 0)
--			break;
-+			goto skip_on_error;
- 		inptr = inputline;
- 		nextptr = nextline;
- 		for (j = 0; j < imagewidth; ++j)
-@@ -131,13 +137,18 @@ fsdither(TIFF* in, TIFF* out)
- 			}
- 		}
- 		if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
--			break;
-+			goto skip_on_error;
- 	}
-+	goto exit_label;
-+
-   skip_on_error:
-+	errcode = 1;
-+  exit_label:
- 	_TIFFfree(inputline);
- 	_TIFFfree(thisline);
- 	_TIFFfree(nextline);
- 	_TIFFfree(outline);
-+	return errcode;
- }
- 
- static	uint16 compression = COMPRESSION_PACKBITS;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch b/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch
deleted file mode 100644
index a555a18747..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8128-pt5.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Copied from Debian
-
-Patches by Petr Gajdos (pgajdos@suse.cz) from
-http://bugzilla.maptools.org/show_bug.cgi?id=2499
-
---- tiff-4.0.3.orig/libtiff/tif_dirinfo.c
-+++ tiff-4.0.3/libtiff/tif_dirinfo.c
-@@ -141,6 +141,8 @@ tiffFields[] = {
- 	{ TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
- 	{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
- 	{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
-+	{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
-+        { TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CUSTOM, FALSE, FALSE, "Predictor", NULL },
- 	/* begin DNG tags */
- 	{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
- 	{ TIFFTAG_DNGBACKWARDVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGBackwardVersion", NULL },
diff --git a/gnu/packages/patches/libtiff-CVE-2014-8129.patch b/gnu/packages/patches/libtiff-CVE-2014-8129.patch
deleted file mode 100644
index 091ec8f573..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-8129.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Copied from Debian
-
-From cd82b5267ad4c10eb91e4ee8a716a81362cf851c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 21 Dec 2014 18:07:48 +0000
-Subject: [PATCH] * libtiff/tif_next.c: check that BitsPerSample = 2. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2487 (CVE-2014-8129)
-
----
- ChangeLog          |  5 +++++
- libtiff/tif_next.c | 17 +++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index a53c716..d834196 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -141,10 +141,27 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- 	return (0);
- }
- 
-+static int
-+NeXTPreDecode(TIFF* tif, uint16 s)
-+{
-+	static const char module[] = "NeXTPreDecode";
-+	TIFFDirectory *td = &tif->tif_dir;
-+	(void)s;
-+
-+	if( td->td_bitspersample != 2 )
-+	{
-+		TIFFErrorExt(tif->tif_clientdata, module, "Unsupported BitsPerSample = %d",
-+					 td->td_bitspersample);
-+		return (0);
-+	}
-+	return (1);
-+}
-+	
- int
- TIFFInitNeXT(TIFF* tif, int scheme)
- {
- 	(void) scheme;
-+	tif->tif_predecode = NeXTPreDecode;  
- 	tif->tif_decoderow = NeXTDecode;  
- 	tif->tif_decodestrip = NeXTDecode;  
- 	tif->tif_decodetile = NeXTDecode;
diff --git a/gnu/packages/patches/libtiff-CVE-2014-9330.patch b/gnu/packages/patches/libtiff-CVE-2014-9330.patch
deleted file mode 100644
index c3c5fc0367..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-9330.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Copied from Debian
-
-Description: CVE-2014-9330
- Integer overflow in bmp2tiff
-Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2494
-Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2494
-Bug-Debian: http://bugs.debian.org/773987
-
-Index: tiff/tools/bmp2tiff.c
-===================================================================
---- tiff.orig/tools/bmp2tiff.c
-+++ tiff/tools/bmp2tiff.c
-@@ -1,4 +1,4 @@
--/* $Id: bmp2tiff.c,v 1.23 2010-03-10 18:56:49 bfriesen Exp $
-+/* $Id: bmp2tiff.c,v 1.24 2014-12-21 15:15:32 erouault Exp $
-  *
-  * Project:  libtiff tools
-  * Purpose:  Convert Windows BMP files in TIFF.
-@@ -403,6 +403,13 @@ main(int argc, char* argv[])
- 
- 		width = info_hdr.iWidth;
- 		length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
-+        if( width <= 0 || length <= 0 )
-+        {
-+            TIFFError(infilename,
-+                  "Invalid dimensions of BMP file" );
-+            close(fd);
-+            return -1;
-+        }
- 
- 		switch (info_hdr.iBitCount)
- 		{
-@@ -593,6 +600,14 @@ main(int argc, char* argv[])
- 
- 			compr_size = file_hdr.iSize - file_hdr.iOffBits;
- 			uncompr_size = width * length;
-+            /* Detect int overflow */
-+            if( uncompr_size / width != length )
-+            {
-+                TIFFError(infilename,
-+                    "Invalid dimensions of BMP file" );
-+                close(fd);
-+                return -1;
-+            }
- 			comprbuf = (unsigned char *) _TIFFmalloc( compr_size );
- 			if (!comprbuf) {
- 				TIFFError(infilename,
diff --git a/gnu/packages/patches/libtiff-CVE-2014-9655.patch b/gnu/packages/patches/libtiff-CVE-2014-9655.patch
deleted file mode 100644
index 065804d03a..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2014-9655.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Copied from Debian
-
-From 40a5955cbf0df62b1f9e9bd7d9657b0070725d19 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 29 Dec 2014 12:09:11 +0000
-Subject: [PATCH] * libtiff/tif_next.c: add new tests to check that we don't
- read outside of the compressed input stream buffer.
-
-* libtiff/tif_getimage.c: in OJPEG case, fix checks on strile width/height
----
- ChangeLog              |  9 +++++++++
- libtiff/tif_getimage.c | 12 +++++++-----
- libtiff/tif_next.c     |  4 +++-
- 3 files changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index a4f46d9..3ad8ee7 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -1871,7 +1871,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
- 
-     (void) y;
-     fromskew = (fromskew * 10) / 4;
--    if ((h & 3) == 0 && (w & 1) == 0) {
-+    if ((w & 3) == 0 && (h & 1) == 0) {
-         for (; h >= 2; h -= 2) {
-             x = w>>2;
-             do {
-@@ -1948,7 +1948,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
-     /* XXX adjust fromskew */
-     do {
- 	x = w>>2;
--	do {
-+	while(x>0) {
- 	    int32 Cb = pp[4];
- 	    int32 Cr = pp[5];
- 
-@@ -1959,7 +1959,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr41tile)
- 
- 	    cp += 4;
- 	    pp += 6;
--	} while (--x);
-+		x--;
-+	}
- 
-         if( (w&3) != 0 )
-         {
-@@ -2050,7 +2051,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
- 	fromskew = (fromskew * 4) / 2;
- 	do {
- 		x = w>>1;
--		do {
-+		while(x>0) {
- 			int32 Cb = pp[2];
- 			int32 Cr = pp[3];
- 
-@@ -2059,7 +2060,8 @@ DECLAREContigPutFunc(putcontig8bitYCbCr21tile)
- 
- 			cp += 2;
- 			pp += 4;
--		} while (--x);
-+			x --;
-+		}
- 
- 		if( (w&1) != 0 )
- 		{
-diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index d834196..dd669cc 100644
---- a/libtiff/tif_next.c
-+++ b/libtiff/tif_next.c
-@@ -71,7 +71,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- 		TIFFErrorExt(tif->tif_clientdata, module, "Fractional scanlines cannot be read");
- 		return (0);
- 	}
--	for (row = buf; occ > 0; occ -= scanline, row += scanline) {
-+	for (row = buf; cc > 0 && occ > 0; occ -= scanline, row += scanline) {
- 		n = *bp++, cc--;
- 		switch (n) {
- 		case LITERALROW:
-@@ -90,6 +90,8 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize_t occ, uint16 s)
- 			 * The scanline has a literal span that begins at some
- 			 * offset.
- 			 */
-+			if( cc < 4 )
-+				goto bad;
- 			off = (bp[0] * 256) + bp[1];
- 			n = (bp[2] * 256) + bp[3];
- 			if (cc < 4+n || off+n > scanline)