[OE-core] [PATCH]] libtiff: Update to 4.0.7

Armin Kuster akuster808 at gmail.com
Sat Dec 10 17:38:43 UTC 2016


Major changes:
The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution, used for demos.

CVEs fixed:
CVE-2016-9297
CVE-2016-9448
CVE-2016-9273
CVE-2014-8127
CVE-2016-3658
CVE-2016-5875
CVE-2016-5652
CVE-2016-3632

plus more that are not identified in the changelog.

removed patches integrated into update.
more info: http://libtiff.maptools.org/v4.0.7.html

Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../libtiff/files/CVE-2015-8665_8683.patch         | 137 -------
 .../libtiff/files/CVE-2015-8781.patch              | 195 ----------
 .../libtiff/files/CVE-2015-8784.patch              |  73 ----
 .../libtiff/files/CVE-2016-3186.patch              |  24 --
 .../libtiff/files/CVE-2016-3622.patch              | 129 -------
 .../libtiff/files/CVE-2016-3623.patch              |  52 ---
 .../libtiff/files/CVE-2016-3632.patch              |  34 --
 .../libtiff/files/CVE-2016-3658.patch              | 111 ------
 .../libtiff/files/CVE-2016-3945.patch              | 118 ------
 .../libtiff/files/CVE-2016-3990.patch              |  66 ----
 .../libtiff/files/CVE-2016-3991.patch              | 147 -------
 .../libtiff/files/CVE-2016-5321.patch              |  49 ---
 .../libtiff/files/CVE-2016-5323.patch              | 107 ------
 .../libtiff/files/CVE-2016-9535-1.patch            | 423 ---------------------
 .../libtiff/files/CVE-2016-9535-2.patch            |  67 ----
 .../libtiff/files/CVE-2016-9538.patch              |  67 ----
 .../libtiff/files/CVE-2016-9539.patch              |  60 ---
 .../libtiff/files/CVE-2016-9540.patch              |  60 ---
 .../libtiff/files/Fix_several_CVE_issues.patch     | 281 --------------
 .../libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb}       |  23 +-
 20 files changed, 2 insertions(+), 2221 deletions(-)
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
 delete mode 100644 meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
 rename meta/recipes-multimedia/libtiff/{tiff_4.0.6.bb => tiff_4.0.7.bb} (65%)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
deleted file mode 100644
index 39c5059..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From f94a29a822f5528d2334592760fbb7938f15eb55 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 26 Dec 2015 17:32:03 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
- TIFFRGBAImage interface in case of unsupported values of
- SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
- TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
- limingxing and CVE-2015-8683 reported by zzf of Alibaba.
-
-Upstream-Status: Backport
-CVE: CVE-2015-8665
-CVE: CVE-2015-8683
-https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
-
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog              |  8 ++++++++
- libtiff/tif_getimage.c | 35 ++++++++++++++++++++++-------------
- 2 files changed, 30 insertions(+), 13 deletions(-)
-
-Index: tiff-4.0.6/libtiff/tif_getimage.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_getimage.c
-+++ tiff-4.0.6/libtiff/tif_getimage.c
-@@ -182,20 +182,22 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[102
- 				    "Planarconfiguration", td->td_planarconfig);
- 				return (0);
- 			}
--			if( td->td_samplesperpixel != 3 )
-+			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-             {
-                 sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d",
--                        "Samples/pixel", td->td_samplesperpixel);
-+                        "Sorry, can not handle image with %s=%d, %s=%d",
-+                        "Samples/pixel", td->td_samplesperpixel,
-+                        "colorchannels", colorchannels);
-                 return 0;
-             }
- 			break;
- 		case PHOTOMETRIC_CIELAB:
--            if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-             {
-                 sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d and %s=%d",
-+                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-                         "Samples/pixel", td->td_samplesperpixel,
-+                        "colorchannels", colorchannels,
-                         "Bits/sample", td->td_bitspersample);
-                 return 0;
-             }
-@@ -255,6 +257,9 @@ TIFFRGBAImageBegin(TIFFRGBAImage* img, T
- 	int colorchannels;
- 	uint16 *red_orig, *green_orig, *blue_orig;
- 	int n_color;
-+	
-+	if( !TIFFRGBAImageOK(tif, emsg) )
-+		return 0;
- 
- 	/* Initialize to normal values */
- 	img->row_offset = 0;
-@@ -2508,29 +2513,33 @@ PickContigCase(TIFFRGBAImage* img)
- 		case PHOTOMETRIC_RGB:
- 			switch (img->bitspersample) {
- 				case 8:
--					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+						img->samplesperpixel >= 4)
- 						img->put.contig = putRGBAAcontig8bittile;
--					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+							 img->samplesperpixel >= 4)
- 					{
- 						if (BuildMapUaToAa(img))
- 							img->put.contig = putRGBUAcontig8bittile;
- 					}
--					else
-+					else if( img->samplesperpixel >= 3 )
- 						img->put.contig = putRGBcontig8bittile;
- 					break;
- 				case 16:
--					if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+					if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+						img->samplesperpixel >=4 )
- 					{
- 						if (BuildMapBitdepth16To8(img))
- 							img->put.contig = putRGBAAcontig16bittile;
- 					}
--					else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+					else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+							 img->samplesperpixel >=4 )
- 					{
- 						if (BuildMapBitdepth16To8(img) &&
- 						    BuildMapUaToAa(img))
- 							img->put.contig = putRGBUAcontig16bittile;
- 					}
--					else
-+					else if( img->samplesperpixel >=3 )
- 					{
- 						if (BuildMapBitdepth16To8(img))
- 							img->put.contig = putRGBcontig16bittile;
-@@ -2539,7 +2548,7 @@ PickContigCase(TIFFRGBAImage* img)
- 			}
- 			break;
- 		case PHOTOMETRIC_SEPARATED:
--			if (buildMap(img)) {
-+			if (img->samplesperpixel >=4 && buildMap(img)) {
- 				if (img->bitspersample == 8) {
- 					if (!img->Map)
- 						img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2635,7 +2644,7 @@ PickContigCase(TIFFRGBAImage* img)
- 			}
- 			break;
- 		case PHOTOMETRIC_CIELAB:
--			if (buildMap(img)) {
-+			if (img->samplesperpixel == 3 && buildMap(img)) {
- 				if (img->bitspersample == 8)
- 					img->put.contig = initCIELabConversion(img);
- 				break;
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog
-+++ tiff-4.0.6/ChangeLog
-@@ -1,3 +1,11 @@
-+2015-12-26  Even Rouault <even.rouault at spatialys.com>
-+
-+   * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-+   interface in case of unsupported values of SamplesPerPixel/ExtraSamples
-+   for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
-+   TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
-+   CVE-2015-8683 reported by zzf of Alibaba.
-+
- 2015-09-12  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
- 
- 	* libtiff 4.0.6 released.
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
deleted file mode 100644
index 0846f0f..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8781.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From aaab5c3c9d2a2c6984f23ccbc79702610439bc65 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:25:11 +0000
-Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
- decode functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
- input data.
-
-Upstream-Status: Backport
-
-https://github.com/vadz/libtiff/commit/aaab5c3c9d2a2c6984f23ccbc79702610439bc65
-hand applied Changelog changes
-
-CVE: CVE-2015-8781
-
-Signed-off-by: Armin Kuster <akuster at mvista.com>
----
- ChangeLog         |  7 +++++++
- libtiff/tif_luv.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
- 2 files changed, 51 insertions(+), 11 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,3 +1,10 @@
-+2015-12-27  Even Rouault <even.rouault at spatialys.com>
-+
-+	* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
-+	functions in non debug builds by replacing assert()s by regular if
-+	checks (bugzilla #2522).
-+	Fix potential out-of-bound reads in case of short input data.
-+
- 2015-12-26  Even Rouault <even.rouault at spatialys.com>
- 
- 	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-Index: tiff-4.0.4/libtiff/tif_luv.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_luv.c
-+++ tiff-4.0.4/libtiff/tif_luv.c
-@@ -202,7 +202,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- 	if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
- 		tp = (int16*) op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (int16*) sp->tbuf;
- 	}
- 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- 	cc = tif->tif_rawcc;
- 	/* get each byte string */
- 	for (shft = 2*8; (shft -= 8) >= 0; ) {
--		for (i = 0; i < npixels && cc > 0; )
-+		for (i = 0; i < npixels && cc > 0; ) {
- 			if (*bp >= 128) {		/* run */
--				rc = *bp++ + (2-128);   /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+				if( cc < 2 )
-+					break;
-+				rc = *bp++ + (2-128);
- 				b = (int16)(*bp++ << shft);
- 				cc -= 2;
- 				while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@ LogL16Decode(TIFF* tif, uint8* op, tmsiz
- 				while (--cc && rc-- && i < npixels)
- 					tp[i++] |= (int16)*bp++ << shft;
- 			}
-+		}
- 		if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@ LogLuvDecode24(TIFF* tif, uint8* op, tms
- 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- 		tp = (uint32 *)op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (uint32 *) sp->tbuf;
- 	}
- 	/* copy to array of uint32 */
- 	bp = (unsigned char*) tif->tif_rawcp;
- 	cc = tif->tif_rawcc;
--	for (i = 0; i < npixels && cc > 0; i++) {
-+	for (i = 0; i < npixels && cc >= 3; i++) {
- 		tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
- 		bp += 3;
- 		cc -= 3;
-@@ -325,7 +336,11 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- 	if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- 		tp = (uint32*) op;
- 	else {
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		tp = (uint32*) sp->tbuf;
- 	}
- 	_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- 	cc = tif->tif_rawcc;
- 	/* get each byte string */
- 	for (shft = 4*8; (shft -= 8) >= 0; ) {
--		for (i = 0; i < npixels && cc > 0; )
-+		for (i = 0; i < npixels && cc > 0; ) {
- 			if (*bp >= 128) {		/* run */
-+				if( cc < 2 )
-+					break;
- 				rc = *bp++ + (2-128);
- 				b = (uint32)*bp++ << shft;
--				cc -= 2;                /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+				cc -= 2;
- 				while (rc-- && i < npixels)
- 					tp[i++] |= b;
- 			} else {			/* non-run */
-@@ -346,6 +363,7 @@ LogLuvDecode32(TIFF* tif, uint8* op, tms
- 				while (--cc && rc-- && i < npixels)
- 					tp[i++] |= (uint32)*bp++ << shft;
- 			}
-+		}
- 		if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@ LogLuvDecodeTile(TIFF* tif, uint8* bp, t
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogL16Encode";
- 	LogLuvState* sp = EncoderState(tif);
- 	int shft;
- 	tmsize_t i;
-@@ -433,7 +452,11 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
- 		tp = (int16*) bp;
- 	else {
- 		tp = (int16*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* compress each byte string */
-@@ -506,6 +529,7 @@ LogL16Encode(TIFF* tif, uint8* bp, tmsiz
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogLuvEncode24";
- 	LogLuvState* sp = EncoderState(tif);
- 	tmsize_t i;
- 	tmsize_t npixels;
-@@ -521,7 +545,11 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
- 		tp = (uint32*) bp;
- 	else {
- 		tp = (uint32*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* write out encoded pixels */
-@@ -553,6 +581,7 @@ LogLuvEncode24(TIFF* tif, uint8* bp, tms
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+	static const char module[] = "LogLuvEncode32";
- 	LogLuvState* sp = EncoderState(tif);
- 	int shft;
- 	tmsize_t i;
-@@ -574,7 +603,11 @@ LogLuvEncode32(TIFF* tif, uint8* bp, tms
- 		tp = (uint32*) bp;
- 	else {
- 		tp = (uint32*) sp->tbuf;
--		assert(sp->tbuflen >= npixels);
-+		if(sp->tbuflen < npixels) {
-+			TIFFErrorExt(tif->tif_clientdata, module,
-+						 "Translation buffer too short");
-+			return (0);
-+		}
- 		(*sp->tfunc)(sp, bp, npixels);
- 	}
- 	/* compress each byte string */
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch b/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
deleted file mode 100644
index 0caf800..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2015-8784.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From b18012dae552f85dcc5c57d3bf4e997a15b1cc1c Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
- NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
-hand applied Changelog changes
-
-CVE:  CVE-2015-8784
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog          |  6 ++++++
- libtiff/tif_next.c | 10 ++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog
-+++ tiff-4.0.4/ChangeLog
-@@ -1,5 +1,11 @@
- 2015-12-27  Even Rouault <even.rouault at spatialys.com>
- 
-+	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-+	triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
-+	(bugzilla #2508)
-+
-+2015-12-27  Even Rouault <even.rouault at spatialys.com>
-+
- 	* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
- 	functions in non debug builds by replacing assert()s by regular if
- 	checks (bugzilla #2522).
-Index: tiff-4.0.4/libtiff/tif_next.c
-===================================================================
---- tiff-4.0.4.orig/libtiff/tif_next.c
-+++ tiff-4.0.4/libtiff/tif_next.c
-@@ -37,7 +37,7 @@
- 	case 0:	op[0]  = (unsigned char) ((v) << 6); break;	\
- 	case 1:	op[0] |= (v) << 4; break;	\
- 	case 2:	op[0] |= (v) << 2; break;	\
--	case 3:	*op++ |= (v);	   break;	\
-+	case 3:	*op++ |= (v);	   op_offset++; break;	\
- 	}					\
- }
- 
-@@ -106,6 +106,7 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- 			uint32 imagewidth = tif->tif_dir.td_imagewidth;
-             if( isTiled(tif) )
-                 imagewidth = tif->tif_dir.td_tilewidth;
-+            tmsize_t op_offset = 0;
- 
- 			/*
- 			 * The scanline is composed of a sequence of constant
-@@ -122,10 +123,15 @@ NeXTDecode(TIFF* tif, uint8* buf, tmsize
- 				 * bounds, potentially resulting in a security
- 				 * issue.
- 				 */
--				while (n-- > 0 && npixels < imagewidth)
-+				while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- 					SETPIXEL(op, grey);
- 				if (npixels >= imagewidth)
- 					break;
-+                if (op_offset >= scanline ) {
-+                    TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+                        (long) tif->tif_row);
-+                    return (0);
-+                }
- 				if (cc == 0)
- 					goto bad;
- 				n = *bp++, cc--;
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
deleted file mode 100644
index 4a08aba..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3186.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Buffer overflow in the readextension function in gif2tiff.c
-allows remote attackers to cause a denial of service via a crafted GIF file.
-
-External References:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3186
-https://bugzilla.redhat.com/show_bug.cgi?id=1319503
-
-CVE: CVE-2016-3186
-Upstream-Status: Backport (RedHat)
-https://bugzilla.redhat.com/attachment.cgi?id=1144235&action=diff
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
-
---- tiff-4.0.6/tools/gif2tiff.c	2016-04-06 15:43:01.586048341 +0200
-+++ tiff-4.0.6/tools/gif2tiff.c	2016-04-06 15:48:05.523207710 +0200
-@@ -349,7 +349,7 @@
-     int status = 1;
- 
-     (void) getc(infile);
--    while ((count = getc(infile)) && count <= 255)
-+    while ((count = getc(infile)) && count >= 0 && count <= 255)
-         if (fread(buf, 1, count, infile) != (size_t) count) {
-             fprintf(stderr, "short read from file %s (%s)\n",
-                     filename, strerror(errno));
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
deleted file mode 100644
index 0c8b716..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3622.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 92d966a5fcfbdca67957c8c5c47b467aa650b286 Mon Sep 17 00:00:00 2001
-From: bfriesen <bfriesen>
-Date: Sat, 24 Sep 2016 23:11:55 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts
- to read floating point images.
-
-* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-requirements of floating point predictor (3).  Fixes CVE-2016-3622
-"Divide By Zero in the tiff2rgba tool."
-
-CVE: CVE-2016-3622
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog              | 11 ++++++++++-
- libtiff/tif_getimage.c | 38 ++++++++++++++++++++------------------
- libtiff/tif_predict.c  | 11 ++++++++++-
- 3 files changed, 40 insertions(+), 20 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 26d6f47..a628277 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,12 @@
-+2016-09-24  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
-+
-+	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-+	read floating point images.
-+
-+	* libtiff/tif_predict.c (PredictorSetup): Enforce bits-per-sample
-+	requirements of floating point predictor (3).  Fixes CVE-2016-3622
-+	"Divide By Zero in the tiff2rgba tool."
-+
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
- 
- 	* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index 386cee0..3e689ee 100644
---- a/libtiff/tif_getimage.c
-+++ b/libtiff/tif_getimage.c
-@@ -95,6 +95,10 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- 			    td->td_bitspersample);
- 			return (0);
- 	}
-+        if (td->td_sampleformat == SAMPLEFORMAT_IEEEFP) {
-+                sprintf(emsg, "Sorry, can not handle images with IEEE floating-point samples");
-+                return (0);
-+        }
- 	colorchannels = td->td_samplesperpixel - td->td_extrasamples;
- 	if (!TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric)) {
- 		switch (colorchannels) {
-@@ -182,27 +186,25 @@ TIFFRGBAImageOK(TIFF* tif, char emsg[1024])
- 				    "Planarconfiguration", td->td_planarconfig);
- 				return (0);
- 			}
--			if( td->td_samplesperpixel != 3 || colorchannels != 3 )
--            {
--                sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d, %s=%d",
--                        "Samples/pixel", td->td_samplesperpixel,
--                        "colorchannels", colorchannels);
--                return 0;
--            }
-+			if ( td->td_samplesperpixel != 3 || colorchannels != 3 ) {
-+                                sprintf(emsg,
-+                                        "Sorry, can not handle image with %s=%d, %s=%d",
-+                                        "Samples/pixel", td->td_samplesperpixel,
-+                                        "colorchannels", colorchannels);
-+                                return 0;
-+                        }
- 			break;
- 		case PHOTOMETRIC_CIELAB:
--            if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
--            {
--                sprintf(emsg,
--                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
--                        "Samples/pixel", td->td_samplesperpixel,
--                        "colorchannels", colorchannels,
--                        "Bits/sample", td->td_bitspersample);
--                return 0;
--            }
-+                        if ( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) {
-+                                sprintf(emsg,
-+                                        "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-+                                        "Samples/pixel", td->td_samplesperpixel,
-+                                        "colorchannels", colorchannels,
-+                                        "Bits/sample", td->td_bitspersample);
-+                                return 0;
-+                        }
- 			break;
--		default:
-+                default:
- 			sprintf(emsg, "Sorry, can not handle image with %s=%d",
- 			    photoTag, photometric);
- 			return (0);
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 081eb11..555f2f9 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -80,6 +80,15 @@ PredictorSetup(TIFF* tif)
- 				    td->td_sampleformat);
- 				return 0;
- 			}
-+                        if (td->td_bitspersample != 16
-+                            && td->td_bitspersample != 24
-+                            && td->td_bitspersample != 32
-+                            && td->td_bitspersample != 64) { /* Should 64 be allowed? */
-+                                TIFFErrorExt(tif->tif_clientdata, module,
-+                                             "Floating point \"Predictor\" not supported with %d-bit samples",
-+                                             td->td_bitspersample);
-+				return 0;
-+                            }
- 			break;
- 		default:
- 			TIFFErrorExt(tif->tif_clientdata, module,
-@@ -174,7 +183,7 @@ PredictorSetupDecode(TIFF* tif)
- 		}
- 		/*
- 		 * Allocate buffer to keep the decoded bytes before
--		 * rearranging in the ight order
-+		 * rearranging in the right order
- 		 */
- 	}
- 
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
deleted file mode 100644
index f554ac5..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3623.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From bd024f07019f5d9fea236675607a69f74a66bc7b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:26:56 +0000
-Subject: [PATCH] * tools/rgb2ycbcr.c: validate values of -v and -h parameters
- to avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-
-CVE: CVE-2016-3623
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog         | 5 +++++
- tools/rgb2ycbcr.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/ChangeLog b/ChangeLog
-index 5d60608..3e6642a 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,10 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
- 
-+	* tools/rgb2ycbcr.c: validate values of -v and -h parameters to
-+	avoid potential divide by zero. Fixes CVE-2016-3623 (bugzilla #2569)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- 	* tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
- 	From patch libtiff-CVE-2016-3991.patch from
- 	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-diff --git a/tools/rgb2ycbcr.c b/tools/rgb2ycbcr.c
-index 3829d6b..51f4259 100644
---- a/tools/rgb2ycbcr.c
-+++ b/tools/rgb2ycbcr.c
-@@ -95,9 +95,13 @@ main(int argc, char* argv[])
- 			break;
- 		case 'h':
- 			horizSubSampling = atoi(optarg);
-+            if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+                usage(-1);
- 			break;
- 		case 'v':
- 			vertSubSampling = atoi(optarg);
-+            if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+                usage(-1);
- 			break;
- 		case 'r':
- 			rowsperstrip = atoi(optarg);
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
deleted file mode 100644
index a839250..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3632.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d3f9829a37661749b200760ad6525f77cf77d77a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro at redhat.com>
-Date: Mon, 11 Jul 2016 16:04:34 +0200
-Subject: [PATCH 4/8] Fix CVE-2016-3632
-
-CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in
-LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service
-(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.
-
-CVE: CVE-2016-3632
-Upstream-Status: Backport [RedHat RHEL7]
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- tools/thumbnail.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/tools/thumbnail.c b/tools/thumbnail.c
-index fd1cba5..75e7009 100644
---- a/tools/thumbnail.c
-+++ b/tools/thumbnail.c
-@@ -253,7 +253,8 @@ static struct cpTag {
-     { TIFFTAG_WHITEPOINT,		2, TIFF_RATIONAL },
-     { TIFFTAG_PRIMARYCHROMATICITIES,	(uint16) -1,TIFF_RATIONAL },
-     { TIFFTAG_HALFTONEHINTS,		2, TIFF_SHORT },
--    { TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
-+    // disable BADFAXLINES, CVE-2016-3632
-+    //{ TIFFTAG_BADFAXLINES,		1, TIFF_LONG },
-     { TIFFTAG_CLEANFAXDATA,		1, TIFF_SHORT },
-     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, TIFF_LONG },
-     { TIFFTAG_INKSET,			1, TIFF_SHORT },
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
deleted file mode 100644
index 6cb12f2..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3658.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From: 45c68450bef8ad876f310b495165c513cad8b67d
-From: Even Rouault <even.rouault at spatialys.com>
-
-* libtiff/tif_dir.c: discard values of SMinSampleValue and
-SMaxSampleValue when they have been read and the value of
-SamplesPerPixel is changed afterwards (like when reading a
-OJPEG compressed image with a missing SamplesPerPixel tag,
-and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-being 3). Otherwise when rewriting the directory (for example
-with tiffset, we will expect 3 values whereas the array had been
-allocated with just one), thus causing a out of bound read access.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-when writing directory, if FIELD_STRIPOFFSETS was artificially set
-for a hack case	in OJPEG case.
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-(CVE-2014-8127, duplicate: CVE-2016-3658)
-
-CVE: CVE-2016-3658
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d
-
-Signed-off-by: Zhixiong.Chi <zhixiong.chi at windriver.com>
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog	2016-11-14 10:52:10.008748230 +0800
-+++ tiff-4.0.6/ChangeLog	2016-11-14 16:17:46.140884438 +0800
-@@ -1,3 +1,22 @@
-+2016-10-25 Even Rouault <even.rouault at spatialys.com>
-+
-+	* libtiff/tif_dir.c: discard values of SMinSampleValue and
-+	SMaxSampleValue when they have been read and the value of
-+	SamplesPerPixel is changed afterwards (like when reading a
-+	OJPEG compressed image with a missing SamplesPerPixel tag,
-+	and whose photometric is RGB or YCbCr, forcing SamplesPerPixel
-+	being 3). Otherwise when rewriting the directory (for example
-+	with tiffset, we will expect 3 values whereas the array had been
-+	allocated with just one), thus causing a out of bound read access.
-+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+	(CVE-2014-8127, duplicate: CVE-2016-3658)
-+
-+	* libtiff/tif_write.c: avoid null pointer dereference on td_stripoffset
-+	when writing directory, if FIELD_STRIPOFFSETS was artificially set
-+	for a hack case	in OJPEG case.
-+	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+	(CVE-2014-8127, duplicate: CVE-2016-3658)
-+
- 2016-09-24  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
- 
- 	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.6/libtiff/tif_dir.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dir.c	2015-06-01 07:11:43.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dir.c	2016-11-14 16:20:17.800885495 +0800
-@@ -254,6 +254,28 @@
- 		v = (uint16) va_arg(ap, uint16_vap);
- 		if (v == 0)
- 			goto badvalue;
-+		if( v != td->td_samplesperpixel )
-+		{
-+		    /* See http://bugzilla.maptools.org/show_bug.cgi?id=2500 */
-+		    if( td->td_sminsamplevalue != NULL )
-+		    {
-+		        TIFFWarningExt(tif->tif_clientdata,module,
-+		            "SamplesPerPixel tag value is changing, "
-+		            "but SMinSampleValue tag was read with a different value. Cancelling it");
-+		        TIFFClrFieldBit(tif,FIELD_SMINSAMPLEVALUE);
-+		        _TIFFfree(td->td_sminsamplevalue);
-+		        td->td_sminsamplevalue = NULL;
-+		    }
-+		    if( td->td_smaxsamplevalue != NULL )
-+		    {
-+		        TIFFWarningExt(tif->tif_clientdata,module,
-+		            "SamplesPerPixel tag value is changing, "
-+		            "but SMaxSampleValue tag was read with a different value. Cancelling it");
-+		        TIFFClrFieldBit(tif,FIELD_SMAXSAMPLEVALUE);
-+		        _TIFFfree(td->td_smaxsamplevalue);
-+		        td->td_smaxsamplevalue = NULL;
-+		    }
-+		}
- 		td->td_samplesperpixel = (uint16) v;
- 		break;
- 	case TIFFTAG_ROWSPERSTRIP:
-Index: tiff-4.0.6/libtiff/tif_dirwrite.c
-===================================================================
---- tiff-4.0.6.orig/libtiff/tif_dirwrite.c	2015-05-31 08:38:46.000000000 +0800
-+++ tiff-4.0.6/libtiff/tif_dirwrite.c	2016-11-14 16:23:54.688887007 +0800
-@@ -542,7 +542,19 @@
- 			{
- 				if (!isTiled(tif))
- 				{
--					if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
-+					/* td_stripoffset might be NULL in an odd OJPEG case. See
-+					 *  tif_dirread.c around line 3634.
-+					 * XXX: OJPEG hack.
-+					 * If a) compression is OJPEG, b) it's not a tiled TIFF,
-+					 * and c) the number of strips is 1,
-+					 * then we tolerate the absence of stripoffsets tag,
-+					 * because, presumably, all required data is in the
-+					 * JpegInterchangeFormat stream.
-+					 * We can get here when using tiffset on such a file.
-+					 * See http://bugzilla.maptools.org/show_bug.cgi?id=2500
-+					*/
-+					if (tif->tif_dir.td_stripoffset != NULL &&
-+					    !TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
- 						goto bad;
- 				}
- 				else
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
deleted file mode 100644
index 4d965be..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3945.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 7c39352ccd9060d311d3dc9a1f1bc00133a160e6 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:06:40 +0000
-Subject: [PATCH] * tools/tiff2rgba.c: Fix integer overflow in size of
- allocated buffer, when -b mode is enabled, that could result in out-of-bounds
- write. Based initially on patch tiff-CVE-2016-3945.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for invalid
- tests that rejected valid files.
-
-CVE: CVE-2016-3945
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog         |  8 ++++++++
- tools/tiff2rgba.c | 34 ++++++++++++++++++++++++++++++----
- 2 files changed, 38 insertions(+), 4 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 62dc1b5..9c0ab29 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,11 @@
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
-+	* tools/tiff2rgba.c: Fix integer overflow in size of allocated
-+	buffer, when -b mode is enabled, that could result in out-of-bounds
-+	write. Based initially on patch tiff-CVE-2016-3945.patch from
-+	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
-+	invalid tests that rejected valid files.
-+
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
- 
- 	* tools/tiffcrop.c: Avoid access outside of stack allocated array
-diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
-index b7a81eb..16e3dc4 100644
---- a/tools/tiff2rgba.c
-+++ b/tools/tiff2rgba.c
-@@ -147,6 +147,7 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     uint32  row, col;
-     uint32  *wrk_line;
-     int	    ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-     /*
-      * Allocate tile buffer
-      */
--    raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+    rastersize = tile_width * tile_height * sizeof (uint32);
-+    if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+    {
-+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+	exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -173,7 +180,13 @@ cvt_by_tile( TIFF *in, TIFF *out )
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
--    wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+    wrk_linesize = tile_width * sizeof (uint32);
-+    if (tile_width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+	exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
-@@ -249,6 +262,7 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     uint32  row;
-     uint32  *wrk_line;
-     int	    ok = 1;
-+    uint32  rastersize, wrk_linesize;
- 
-     TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-     TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-     /*
-      * Allocate strip buffer
-      */
--    raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+    rastersize = width * rowsperstrip * sizeof (uint32);
-+    if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+    {
-+	TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+	exit(-1);
-+    }
-+    raster = (uint32*)_TIFFmalloc(rastersize);
-     if (raster == 0) {
-         TIFFError(TIFFFileName(in), "No space for raster buffer");
-         return (0);
-@@ -273,7 +293,13 @@ cvt_by_strip( TIFF *in, TIFF *out )
-      * Allocate a scanline buffer for swapping during the vertical
-      * mirroring pass.
-      */
--    wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+    wrk_linesize = width * sizeof (uint32);
-+    if (width != wrk_linesize / sizeof (uint32))
-+    {
-+        TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+	exit(-1);
-+    }
-+    wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-     if (!wrk_line) {
-         TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-         ok = 0;
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
deleted file mode 100644
index 7bf52ee..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3990.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 20:49:48 +0000
-Subject: [PATCH] * libtiff/tif_pixarlog.c: Fix write buffer overflow in
- PixarLogEncode if more input samples are provided than expected by
- PixarLogSetupEncode. Idea based on libtiff-CVE-2016-3990.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
- simpler check. (bugzilla #2544)
-
-invalid tests that rejected valid files. (bugzilla #2545)
-
-CVE: CVE-2016-3990
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog              | 10 +++++++++-
- libtiff/tif_pixarlog.c |  7 +++++++
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 9c0ab29..db4ea18 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,10 +1,18 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
- 
-+	* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
-+	if more input samples are provided than expected by PixarLogSetupEncode.
-+	Idea based on libtiff-CVE-2016-3990.patch from
-+	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, but with different and
-+	simpler check. (bugzilla #2544)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- 	* tools/tiff2rgba.c: Fix integer overflow in size of allocated
- 	buffer, when -b mode is enabled, that could result in out-of-bounds
- 	write. Based initially on patch tiff-CVE-2016-3945.patch from
- 	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro, with correction for
--	invalid tests that rejected valid files.
-+	invalid tests that rejected valid files. (bugzilla #2545)
- 
- 2016-07-11 Even Rouault <even.rouault at spatialys.com>
- 
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index e78f788..28329d1 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -1141,6 +1141,13 @@ PixarLogEncode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- 	}
- 
- 	llen = sp->stride * td->td_imagewidth;
-+    /* Check against the number of elements (of size uint16) of sp->tbuf */
-+    if( n > td->td_rowsperstrip * llen )
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, module,
-+                     "Too many input bytes provided");
-+        return 0;
-+    }
- 
- 	for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- 		switch (sp->user_datafmt)  {
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
deleted file mode 100644
index 27dfd37..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-3991.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 15 Aug 2016 21:05:40 +0000
-Subject: [PATCH 2/2] * tools/tiffcrop.c: Fix out-of-bounds write in
- loadImage(). From patch libtiff-CVE-2016-3991.patch from
- libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-
-CVE: CVE-2016-3991
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog        |  6 ++++++
- tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 62 insertions(+), 3 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index db4ea18..5d60608 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,5 +1,11 @@
- 2016-08-15 Even Rouault <even.rouault at spatialys.com>
- 
-+	* tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
-+	From patch libtiff-CVE-2016-3991.patch from
-+	libtiff-4.0.3-25.el7_2.src.rpm by Nikola Forro (bugzilla #2543)
-+
-+2016-08-15 Even Rouault <even.rouault at spatialys.com>
-+
- 	* libtiff/tif_pixarlog.c: Fix write buffer overflow in PixarLogEncode
- 	if more input samples are provided than expected by PixarLogSetupEncode.
- 	Idea based on libtiff-CVE-2016-3990.patch from
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 27abc0b..ddba7b9 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
-     }
- 
-   tile_buffsize = tilesize;
-+  if (tilesize == 0 || tile_rowsize == 0)
-+  {
-+     TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+     exit(-1);
-+  }
- 
-   if (tilesize < (tsize_t)(tl * tile_rowsize))
-     {
-@@ -807,7 +812,12 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
-               tilesize, tl * tile_rowsize);
- #endif
-     tile_buffsize = tl * tile_rowsize;
--    } 
-+    if (tl != (tile_buffsize / tile_rowsize))
-+    {
-+    	TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+        exit(-1);
-+    }
-+    }
- 
-   tilebuf = _TIFFmalloc(tile_buffsize);
-   if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
-       !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-       return 1;
- 
-+  if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+  {
-+    TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+    exit(-1);
-+  }
-+  
-   tile_buffsize = tilesize;
-   if (tilesize < (tsize_t)(tl * tile_rowsize))
-     {
-@@ -1219,6 +1235,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8* buf, uint32 imagelength,
-               tilesize, tl * tile_rowsize);
- #endif
-     tile_buffsize = tl * tile_rowsize;
-+    if (tl != tile_buffsize / tile_rowsize)
-+    {
-+	TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
-     }
- 
-   tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-     TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
- 
-     tile_rowsize  = TIFFTileRowSize(in);      
-+    if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+    {
-+	TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+	exit(-1);
-+    }
-     buffsize = tlsize * ntiles;
-+    if (tlsize != (buffsize / ntiles))
-+    {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
- 
--        
-     if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
-       {
-       buffsize = ntiles * tl * tile_rowsize;
-+      if (ntiles != (buffsize / tl / tile_rowsize))
-+      {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+      }
-+      
- #ifdef DEBUG2
-       TIFFError("loadImage",
- 	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-     TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-     stsize = TIFFStripSize(in);
-     nstrips = TIFFNumberOfStrips(in);
-+    if (nstrips == 0 || stsize == 0)
-+    {
-+	TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+	exit(-1);
-+    }
-+
-     buffsize = stsize * nstrips;
--    
-+    if (stsize != (buffsize / nstrips))
-+    {
-+	TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+	exit(-1);
-+    }
-+    uint32 buffsize_check;
-+    buffsize_check = ((length * width * spp * bps) + 7);
-+    if (length != ((buffsize_check - 7) / width / spp / bps))
-+    {
-+	TIFFError("loadImage", "Integer overflow detected.");
-+	exit(-1);
-+    }
-     if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
-       {
-       buffsize =  ((length * width * spp * bps) + 7) / 8;
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
deleted file mode 100644
index 63c6650..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5321.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:26:03 +0000
-Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
- allocated array on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
- (CVE-2016-5321, bugzilla #2558)
-
-CVE: CVE-2016-5321
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/d9783e4a1476b6787a51c5ae9e9b3156527589f0
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog        | 7 +++++++
- tools/tiffcrop.c | 2 +-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index e98d54d..4e0302f 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -1,3 +1,10 @@
-+2016-07-11 Even Rouault <even.rouault at spatialys.com>
-+
-+	* tools/tiffcrop.c: Avoid access outside of stack allocated array
-+	on a tiled separate TIFF with more than 8 samples per pixel.
-+	Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
-+	(CVE-2016-5321, bugzilla #2558)
-+
- 2015-12-27  Even Rouault <even.rouault at spatialys.com>
-
-	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index d959ae3..6fc8fc1 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -989,7 +989,7 @@ static int  readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
-     nrow = (row + tl > imagelength) ? imagelength - row : tl;
-     for (col = 0; col < imagewidth; col += tw)
-       {
--      for (s = 0; s < spp; s++)
-+      for (s = 0; s < spp && s < MAX_SAMPLES; s++)
-         {  /* Read each plane of a tile set into srcbuffs[s] */
- 	tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
-         if (tbytes < 0  && !ignore)
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
deleted file mode 100644
index 41eab91..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-5323.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 11 Jul 2016 21:38:31 +0000
-Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
-
-CVE: CVE-2016-5323
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31
-
-Signed-off-by: Yi Zhao <yi.zhao at windirver.com>
----
- ChangeLog        |  2 +-
- tools/tiffcrop.c | 16 ++++++++--------
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/ChangeLog b/ChangeLog
-index 4e0302f..62dc1b5 100644
---- a/ChangeLog
-+++ b/ChangeLog
-@@ -3,7 +3,7 @@
- 	* tools/tiffcrop.c: Avoid access outside of stack allocated array
- 	on a tiled separate TIFF with more than 8 samples per pixel.
- 	Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
--	(CVE-2016-5321, bugzilla #2558)
-+	(CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
- 
- 2016-07-10 Even Rouault <even.rouault at spatialys.com>
- 
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 6fc8fc1..27abc0b 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
- 
-       matchbits = maskbits << (8 - src_bit - bps); 
-       /* load up next sample from each plane */
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (16 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (32 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (64 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- 	{
- 	src = in[s] + src_offset + src_byte;
- 	if (little_endian)
-@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
- 
-       matchbits = maskbits << (8 - src_bit - bps); 
-       /* load up next sample from each plane */
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (16 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (32 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-         {
- 	src = in[s] + src_offset + src_byte;
-         if (little_endian)
-@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
-       src_bit  = bit_offset % 8;
- 
-       matchbits = maskbits << (64 - src_bit - bps); 
--      for (s = 0; s < spp; s++)
-+      for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- 	{
- 	src = in[s] + src_offset + src_byte;
- 	if (little_endian)
--- 
-2.7.4
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
deleted file mode 100644
index 26fd0df..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-1.patch
+++ /dev/null
@@ -1,423 +0,0 @@
-From 3ca657a8793dd011bf869695d72ad31c779c3cc1 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Mon, 31 Oct 2016 17:24:26 +0000
-Subject: [PATCH 1/2] Fix CVE-2016-9535
-
-* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace
- assertions by runtime checks to avoid assertions in debug mode, or buffer
- overflows in release mode. Can happen when dealing with unusual tile size
- like YCbCr with subsampling. Reported as MSVR 35105 by Axel Souchet	&
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_predict.c | 153 +++++++++++++++++++++++++++++++++++---------------
- libtiff/tif_predict.h |   6 +-
- 2 files changed, 121 insertions(+), 47 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index 555f2f9..b829259 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -34,18 +34,18 @@
- 
- #define	PredictorState(tif)	((TIFFPredictorState*) (tif)->tif_data)
- 
--static void horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
--static void fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc);
-+static int fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc);
- static int PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s);
- static int PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s);
-@@ -273,13 +273,19 @@ PredictorSetupEncode(TIFF* tif)
- /* - when storing into the byte stream, we explicitly mask with 0xff so */
- /*   as to make icc -check=conversions happy (not necessary by the standard) */
- 
--static void
-+static int
- horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	tmsize_t stride = PredictorState(tif)->stride;
- 
- 	unsigned char* cp = (unsigned char*) cp0;
--	assert((cc%stride)==0);
-+    if((cc%stride)!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horAcc8",
-+                     "%s", "(cc%stride)!=0");
-+        return 0;
-+    }
-+
- 	if (cc > stride) {
- 		/*
- 		 * Pipeline the most common cases.
-@@ -321,26 +327,32 @@ horAcc8(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			} while (cc>0);
- 		}
- 	}
-+	return 1;
- }
- 
--static void
-+static int
- swabHorAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	uint16* wp = (uint16*) cp0;
- 	tmsize_t wc = cc / 2;
- 
-         TIFFSwabArrayOfShort(wp, wc);
--        horAcc16(tif, cp0, cc);
-+        return horAcc16(tif, cp0, cc);
- }
- 
--static void
-+static int
- horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	tmsize_t stride = PredictorState(tif)->stride;
- 	uint16* wp = (uint16*) cp0;
- 	tmsize_t wc = cc / 2;
- 
--	assert((cc%(2*stride))==0);
-+    if((cc%(2*stride))!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horAcc16",
-+                     "%s", "cc%(2*stride))!=0");
-+        return 0;
-+    }
- 
- 	if (wc > stride) {
- 		wc -= stride;
-@@ -349,26 +361,32 @@ horAcc16(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			wc -= stride;
- 		} while (wc > 0);
- 	}
-+	return 1;
- }
- 
--static void
-+static int
- swabHorAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	uint32* wp = (uint32*) cp0;
- 	tmsize_t wc = cc / 4;
- 
-         TIFFSwabArrayOfLong(wp, wc);
--	horAcc32(tif, cp0, cc);
-+	return horAcc32(tif, cp0, cc);
- }
- 
--static void
-+static int
- horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	tmsize_t stride = PredictorState(tif)->stride;
- 	uint32* wp = (uint32*) cp0;
- 	tmsize_t wc = cc / 4;
- 
--	assert((cc%(4*stride))==0);
-+    if((cc%(4*stride))!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horAcc32",
-+                     "%s", "cc%(4*stride))!=0");
-+        return 0;
-+    }
- 
- 	if (wc > stride) {
- 		wc -= stride;
-@@ -377,12 +395,13 @@ horAcc32(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			wc -= stride;
- 		} while (wc > 0);
- 	}
-+	return 1;
- }
- 
- /*
-  * Floating point predictor accumulation routine.
-  */
--static void
-+static int
- fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	tmsize_t stride = PredictorState(tif)->stride;
-@@ -392,10 +411,15 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	uint8 *cp = (uint8 *) cp0;
- 	uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
- 
--	assert((cc%(bps*stride))==0);
-+    if(cc%(bps*stride)!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "fpAcc",
-+                     "%s", "cc%(bps*stride))!=0");
-+        return 0;
-+    }
- 
- 	if (!tmp)
--		return;
-+		return 0;
- 
- 	while (count > stride) {
- 		REPEAT4(stride, cp[stride] =
-@@ -417,6 +441,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- 		}
- 	}
- 	_TIFFfree(tmp);
-+    return 1;
- }
- 
- /*
-@@ -432,8 +457,7 @@ PredictorDecodeRow(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	assert(sp->decodepfunc != NULL);  
- 
- 	if ((*sp->decoderow)(tif, op0, occ0, s)) {
--		(*sp->decodepfunc)(tif, op0, occ0);
--		return 1;
-+		return (*sp->decodepfunc)(tif, op0, occ0);
- 	} else
- 		return 0;
- }
-@@ -456,10 +480,16 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	if ((*sp->decodetile)(tif, op0, occ0, s)) {
- 		tmsize_t rowsize = sp->rowsize;
- 		assert(rowsize > 0);
--		assert((occ0%rowsize)==0);
-+		if((occ0%rowsize) !=0)
-+        {
-+            TIFFErrorExt(tif->tif_clientdata, "PredictorDecodeTile",
-+                         "%s", "occ0%rowsize != 0");
-+            return 0;
-+        }
- 		assert(sp->decodepfunc != NULL);
- 		while (occ0 > 0) {
--			(*sp->decodepfunc)(tif, op0, rowsize);
-+			if( !(*sp->decodepfunc)(tif, op0, rowsize) )
-+                return 0;
- 			occ0 -= rowsize;
- 			op0 += rowsize;
- 		}
-@@ -468,14 +498,19 @@ PredictorDecodeTile(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 		return 0;
- }
- 
--static void
-+static int
- horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	TIFFPredictorState* sp = PredictorState(tif);
- 	tmsize_t stride = sp->stride;
- 	unsigned char* cp = (unsigned char*) cp0;
- 
--	assert((cc%stride)==0);
-+    if((cc%stride)!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+                     "%s", "(cc%stride)!=0");
-+        return 0;
-+    }
- 
- 	if (cc > stride) {
- 		cc -= stride;
-@@ -513,9 +548,10 @@ horDiff8(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			} while ((cc -= stride) > 0);
- 		}
- 	}
-+	return 1;
- }
- 
--static void
-+static int
- horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	TIFFPredictorState* sp = PredictorState(tif);
-@@ -523,7 +559,12 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	uint16 *wp = (uint16*) cp0;
- 	tmsize_t wc = cc/2;
- 
--	assert((cc%(2*stride))==0);
-+    if((cc%(2*stride))!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horDiff8",
-+                     "%s", "(cc%(2*stride))!=0");
-+        return 0;
-+    }
- 
- 	if (wc > stride) {
- 		wc -= stride;
-@@ -533,20 +574,23 @@ horDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			wc -= stride;
- 		} while (wc > 0);
- 	}
-+	return 1;
- }
- 
--static void
-+static int
- swabHorDiff16(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
-     uint16* wp = (uint16*) cp0;
-     tmsize_t wc = cc / 2;
- 
--    horDiff16(tif, cp0, cc);
-+    if( !horDiff16(tif, cp0, cc) )
-+        return 0;
- 
-     TIFFSwabArrayOfShort(wp, wc);
-+    return 1;
- }
- 
--static void
-+static int
- horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	TIFFPredictorState* sp = PredictorState(tif);
-@@ -554,7 +598,12 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	uint32 *wp = (uint32*) cp0;
- 	tmsize_t wc = cc/4;
- 
--	assert((cc%(4*stride))==0);
-+    if((cc%(4*stride))!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "horDiff32",
-+                     "%s", "(cc%(4*stride))!=0");
-+        return 0;
-+    }
- 
- 	if (wc > stride) {
- 		wc -= stride;
-@@ -564,23 +613,26 @@ horDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- 			wc -= stride;
- 		} while (wc > 0);
- 	}
-+	return 1;
- }
- 
--static void
-+static int
- swabHorDiff32(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
-     uint32* wp = (uint32*) cp0;
-     tmsize_t wc = cc / 4;
- 
--    horDiff32(tif, cp0, cc);
-+    if( !horDiff32(tif, cp0, cc) )
-+        return 0;
- 
-     TIFFSwabArrayOfLong(wp, wc);
-+    return 1;
- }
- 
- /*
-  * Floating point predictor differencing routine.
-  */
--static void
-+static int
- fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- {
- 	tmsize_t stride = PredictorState(tif)->stride;
-@@ -590,10 +642,14 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	uint8 *cp = (uint8 *) cp0;
- 	uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
- 
--	assert((cc%(bps*stride))==0);
--
-+    if((cc%(bps*stride))!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "fpDiff",
-+                     "%s", "(cc%(bps*stride))!=0");
-+        return 0;
-+    }
- 	if (!tmp)
--		return;
-+		return 0;
- 
- 	_TIFFmemcpy(tmp, cp0, cc);
- 	for (count = 0; count < wc; count++) {
-@@ -613,6 +669,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	cp += cc - stride - 1;
- 	for (count = cc; count > stride; count -= stride)
- 		REPEAT4(stride, cp[stride] = (unsigned char)((cp[stride] - cp[0])&0xff); cp--)
-+    return 1;
- }
- 
- static int
-@@ -625,7 +682,8 @@ PredictorEncodeRow(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- 	assert(sp->encoderow != NULL);
- 
- 	/* XXX horizontal differencing alters user's data XXX */
--	(*sp->encodepfunc)(tif, bp, cc);
-+	if( !(*sp->encodepfunc)(tif, bp, cc) )
-+        return 0;
- 	return (*sp->encoderow)(tif, bp, cc, s);
- }
- 
-@@ -660,7 +718,12 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
- 
- 	rowsize = sp->rowsize;
- 	assert(rowsize > 0);
--	assert((cc0%rowsize)==0);
-+	if((cc0%rowsize)!=0)
-+    {
-+        TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-+                     "%s", "(cc0%rowsize)!=0");
-+        return 0;
-+    }
- 	while (cc > 0) {
- 		(*sp->encodepfunc)(tif, bp, rowsize);
- 		cc -= rowsize;
-diff --git a/libtiff/tif_predict.h b/libtiff/tif_predict.h
-index 91330cc..9e485a4 100644
---- a/libtiff/tif_predict.h
-+++ b/libtiff/tif_predict.h
-@@ -30,6 +30,8 @@
-  * ``Library-private'' Support for the Predictor Tag
-  */
- 
-+typedef int (*TIFFEncodeDecodeMethod)(TIFF* tif, uint8* buf, tmsize_t size);
-+
- /*
-  * Codecs that want to support the Predictor tag must place
-  * this structure first in their private state block so that
-@@ -43,12 +45,12 @@ typedef struct {
- 	TIFFCodeMethod  encoderow;	/* parent codec encode/decode row */
- 	TIFFCodeMethod  encodestrip;	/* parent codec encode/decode strip */
- 	TIFFCodeMethod  encodetile;	/* parent codec encode/decode tile */ 
--	TIFFPostMethod  encodepfunc;	/* horizontal differencer */
-+	TIFFEncodeDecodeMethod  encodepfunc;	/* horizontal differencer */
- 
- 	TIFFCodeMethod  decoderow;	/* parent codec encode/decode row */
- 	TIFFCodeMethod  decodestrip;	/* parent codec encode/decode strip */
- 	TIFFCodeMethod  decodetile;	/* parent codec encode/decode tile */ 
--	TIFFPostMethod  decodepfunc;	/* horizontal accumulator */
-+	TIFFEncodeDecodeMethod  decodepfunc;	/* horizontal accumulator */
- 
- 	TIFFVGetMethod  vgetparent;	/* super-class method */
- 	TIFFVSetMethod  vsetparent;	/* super-class method */
--- 
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
deleted file mode 100644
index 977dbf6..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9535-2.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 6a984bf7905c6621281588431f384e79d11a2e33 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 4 Nov 2016 09:19:13 +0000
-Subject: [PATCH 2/2] Fix CVE-2016-9535
-* libtiff/tif_predic.c: fix memory leaks in error code
- paths added in previous commit (fix for MSVR 35105)
-
-CVE: CVE-2016-9535
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_predict.c | 8 ++++++--
- 1 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_predict.c b/libtiff/tif_predict.c
-index b829259..3f42f3b 100644
---- a/libtiff/tif_predict.c
-+++ b/libtiff/tif_predict.c
-@@ -409,7 +409,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	tmsize_t wc = cc / bps;
- 	tmsize_t count = cc;
- 	uint8 *cp = (uint8 *) cp0;
--	uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+	uint8 *tmp;
- 
-     if(cc%(bps*stride)!=0)
-     {
-@@ -418,6 +418,7 @@ fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
-         return 0;
-     }
- 
-+    tmp = (uint8 *)_TIFFmalloc(cc);
- 	if (!tmp)
- 		return 0;
- 
-@@ -640,7 +641,7 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
- 	tmsize_t wc = cc / bps;
- 	tmsize_t count;
- 	uint8 *cp = (uint8 *) cp0;
--	uint8 *tmp = (uint8 *)_TIFFmalloc(cc);
-+	uint8 *tmp;
- 
-     if((cc%(bps*stride))!=0)
-     {
-@@ -648,6 +649,8 @@ fpDiff(TIFF* tif, uint8* cp0, tmsize_t cc)
-                      "%s", "(cc%(bps*stride))!=0");
-         return 0;
-     }
-+
-+    tmp = (uint8 *)_TIFFmalloc(cc);
- 	if (!tmp)
- 		return 0;
- 
-@@ -722,6 +725,7 @@ PredictorEncodeTile(TIFF* tif, uint8* bp0, tmsize_t cc0, uint16 s)
-     {
-         TIFFErrorExt(tif->tif_clientdata, "PredictorEncodeTile",
-                      "%s", "(cc0%rowsize)!=0");
-+        _TIFFfree( working_copy );
-         return 0;
-     }
- 	while (cc > 0) {
--- 
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
deleted file mode 100644
index e1141df..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9538.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 43c0b81a818640429317c80fea1e66771e85024b Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:04:31 +0000
-Subject: [PATCH] Fix CVE-2016-9538
-* tools/tiffcp.c: fix read of undefined variable in case of
- missing required tags. Found on test case of MSVR 35100. * tools/tiffcrop.c:
- fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16
- overflow. Probably not a security issue but I can be wrong. Reported as MSVR
- 35100 by Axel Souchet from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9538
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- tools/tiffcp.c   | 4 ++--
- tools/tiffcrop.c | 9 ++++++---
- 2 files changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/tools/tiffcp.c b/tools/tiffcp.c
-index ba2b715..4ad74d3 100644
---- a/tools/tiffcp.c
-+++ b/tools/tiffcp.c
-@@ -592,8 +592,8 @@ static	copyFunc pickCopyFunc(TIFF*, TIFF*, uint16, uint16);
- static int
- tiffcp(TIFF* in, TIFF* out)
- {
--	uint16 bitspersample, samplesperpixel;
--	uint16 input_compression, input_photometric;
-+	uint16 bitspersample, samplesperpixel = 1;
-+	uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
- 	copyFunc cf;
- 	uint32 width, length;
- 	struct cpTag* p;
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 7685566..eb6de77 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -3628,7 +3628,7 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
- {
-         uint8* bufp = buf;
-         int32  bytes_read = 0;
--        uint16 strip, nstrips   = TIFFNumberOfStrips(in);
-+        uint32 strip, nstrips   = TIFFNumberOfStrips(in);
-         uint32 stripsize = TIFFStripSize(in);
-         uint32 rows = 0;
-         uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
-@@ -4711,9 +4711,12 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8 *obuf, uint32 length,
-                                          uint32 width, uint16 spp,
-                                          struct dump_opts *dump)
-   {
--  int i, j, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+  int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
-+  uint32 j;
-   int32  bytes_read = 0;
--  uint16 bps, nstrips, planar, strips_per_sample;
-+  uint16 bps, planar;
-+  uint32 nstrips;
-+  uint32 strips_per_sample;
-   uint32 src_rowsize, dst_rowsize, rows_processed, rps;
-   uint32 rows_this_strip = 0;
-   tsample_t s;
--- 
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
deleted file mode 100644
index 1d9be42..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9539.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From ae9365db1b271b62b35ce018eac8799b1d5e8a53 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 14 Oct 2016 19:13:20 +0000
-Subject: [PATCH ] * tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes
- in readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
- & Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-
-CVE: CVE-2016-9539
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
-
----
- ChangeLog        |  6 ++++++
- tools/tiffcrop.c | 11 ++++++++++-
- 2 files changed, 16 insertions(+), 1 deletion(-)
-
-Index: tiff-4.0.6/ChangeLog
-===================================================================
---- tiff-4.0.6.orig/ChangeLog	2016-11-28 14:56:32.109283913 +0800
-+++ tiff-4.0.6/ChangeLog	2016-11-28 16:36:01.805325534 +0800
-@@ -17,6 +17,12 @@
- 	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
- 	(CVE-2014-8127, duplicate: CVE-2016-3658)
- 
-+2016-10-14 Even Rouault <even.rouault at spatialys.com>
-+
-+	* tools/tiffcrop.c: fix out-of-bound read of up to 3 bytes in
-+	readContigTilesIntoBuffer(). Reported as MSVR 35092 by Axel Souchet
-+	& Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team.
-+
- 2016-10-08 Even Rouault <even.rouault at spatialys.com>
- 
- 	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-Index: tiff-4.0.6/tools/tiffcrop.c
-===================================================================
---- tiff-4.0.6.orig/tools/tiffcrop.c	2016-11-28 14:56:31.433283908 +0800
-+++ tiff-4.0.6/tools/tiffcrop.c	2016-11-28 16:42:13.793328128 +0800
-@@ -819,9 +819,18 @@
-     }
-     }
- 
--  tilebuf = _TIFFmalloc(tile_buffsize);
-+  /* Add 3 padding bytes for extractContigSamplesShifted32bits */
-+  if( tile_buffsize > 0xFFFFFFFFU - 3 )
-+  {
-+      TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+      exit(-1);
-+  }
-+  tilebuf = _TIFFmalloc(tile_buffsize + 3);
-   if (tilebuf == 0)
-     return 0;
-+  tilebuf[tile_buffsize] = 0;
-+  tilebuf[tile_buffsize+1] = 0;
-+  tilebuf[tile_buffsize+2] = 0;
- 
-   dst_rowsize = ((imagewidth * bps * spp) + 7) / 8;  
-   for (row = 0; row < imagelength; row += tl)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch b/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
deleted file mode 100644
index dddaa0c..0000000
--- a/meta/recipes-multimedia/libtiff/files/CVE-2016-9540.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Sat, 8 Oct 2016 15:54:56 +0000
-Subject: [PATCH] fix CVE-2016-9540
- * tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
- tile width vs image width. Reported as MSVR 35103
- by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
- Mitigations team.
-
-CVE: CVE-2016-9540
-
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
-
-Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
----
- ChangeLog      | 7 +++++++
- tools/tiffcp.c | 4 ++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-Index: tiff-4.0.4/ChangeLog
-===================================================================
---- tiff-4.0.4.orig/ChangeLog	2016-11-24 14:40:43.046867737 +0800
-+++ tiff-4.0.4/ChangeLog	2016-11-28 14:38:01.681276171 +0800
-@@ -17,6 +17,13 @@
- 	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2500
- 	(CVE-2014-8127, duplicate: CVE-2016-3658)
- 
-+2016-10-08 Even Rouault <even.rouault at spatialys.com>
-+
-+	* tools/tiffcp.c: fix out-of-bounds write on tiled images with odd
-+	tile width vs image width. Reported as MSVR 35103
-+	by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities &
-+	Mitigations team.
-+
- 2016-09-24  Bob Friesenhahn  <bfriesen at simple.dallas.tx.us>
-
- 	* libtiff/tif_getimage.c (TIFFRGBAImageOK): Reject attempts to
-Index: tiff-4.0.4/tools/tiffcp.c
-===================================================================
---- tiff-4.0.4.orig/tools/tiffcp.c	2015-06-21 09:09:10.000000000 +0800
-+++ tiff-4.0.4/tools/tiffcp.c	2016-11-28 14:41:02.221277430 +0800
-@@ -1338,7 +1338,7 @@
- 		uint32 colb = 0;
- 		uint32 col;
- 
--		for (col = 0; col < imagewidth; col += tw) {
-+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
- 			if (TIFFReadTile(in, tilebuf, col, row, 0, 0) < 0
- 			    && !ignore) {
- 				TIFFError(TIFFFileName(in),
-@@ -1523,7 +1523,7 @@
- 		uint32 colb = 0;
- 		uint32 col;
- 
--		for (col = 0; col < imagewidth; col += tw) {
-+		for (col = 0; col < imagewidth && colb < imagew; col += tw) {
- 			/*
- 			 * Tile is clipped horizontally.  Calculate
- 			 * visible portion and skewing factors.
diff --git a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch b/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
deleted file mode 100644
index bd587e6..0000000
--- a/meta/recipes-multimedia/libtiff/files/Fix_several_CVE_issues.patch
+++ /dev/null
@@ -1,281 +0,0 @@
-From 83a4b92815ea04969d494416eaae3d4c6b338e4a Mon Sep 17 00:00:00 2001
-From: erouault <erouault>
-Date: Fri, 23 Sep 2016 22:12:18 +0000
-Subject: [PATCH] Fix several CVE issues
-
-Fix CVE-2016-9533, CVE-2016-9534, CVE-2016-9536 and CVE-2016-9537
-
-* tools/tiffcrop.c: fix various out-of-bounds write
- vulnerabilities in heap or stack allocated buffers. Reported as MSVR 35093,
- MSVR 35096 and MSVR 35097. Discovered by Axel Souchet and Vishal Chauhan from
- the MSRC Vulnerabilities & Mitigations team. * tools/tiff2pdf.c: fix
- out-of-bounds write vulnerabilities in heap allocate buffer in
- t2p_process_jpeg_strip(). Reported as MSVR 35098. Discovered by Axel Souchet
- and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
- libtiff/tif_pixarlog.c: fix out-of-bounds write vulnerabilities in heap
- allocated buffers. Reported as MSVR 35094. Discovered by Axel Souchet and
- Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. *
- libtiff/tif_write.c: fix issue in error code path of TIFFFlushData1() that
- didn't reset the tif_rawcc and tif_rawcp members. I'm not completely sure if
- that could happen in practice outside of the odd behaviour of t2p_seekproc()
- of tiff2pdf). The report points that a better fix could be to check the
- return value of TIFFFlushData1() in places where it isn't done currently, but
- it seems this patch is enough. Reported as MSVR 35095. Discovered by Axel
- Souchet & Vishal Chauhan & Suha Can from the MSRC Vulnerabilities &
- Mitigations team.
-
-CVE: CVE-2016-9533, CVE-2016-9534, CVE-2016-9536, CVE-2016-9537
-Upstream-Status: Backport
-https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-bdc795f6afeb9558c1012b3cfae729ef
-
-Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com>
-
----
- libtiff/tif_pixarlog.c | 55 +++++++++++++++++++++-----------------------------
- libtiff/tif_write.c    |  7 +++++++
- tools/tiff2pdf.c       | 22 ++++++++++++++++++--
- tools/tiffcrop.c       | 20 +++++++++++++++++-
- 4 files changed, 92 insertions(+), 35 deletions(-)
-
-diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
-index 1fb8f3b..d1246c3 100644
---- a/libtiff/tif_pixarlog.c
-+++ b/libtiff/tif_pixarlog.c
-@@ -983,17 +983,14 @@ horizontalDifferenceF(float *ip, int n, int stride, uint16 *wp, uint16 *FromLT2)
- 		a1 = (int32) CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
- 	    }
- 	} else {
--	    ip += n - 1;	/* point to last one */
--	    wp += n - 1;	/* point to last one */
--	    n -= stride;
--	    while (n > 0) {
--		REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]);
--				wp[stride] -= wp[0];
--				wp[stride] &= mask;
--				wp--; ip--)
--		n -= stride;
--	    }
--	    REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp--; ip--)
-+        REPEAT(stride, wp[0] = (uint16) CLAMP(ip[0]); wp++; ip++)
-+        n -= stride;
-+        while (n > 0) {
-+            REPEAT(stride,
-+                wp[0] = (uint16)(((int32)CLAMP(ip[0])-(int32)CLAMP(ip[-stride])) & mask);
-+                wp++; ip++)
-+            n -= stride;
-+        }
- 	}
-     }
- }
-@@ -1036,17 +1033,14 @@ horizontalDifference16(unsigned short *ip, int n, int stride,
- 		a1 = CLAMP(ip[3]); wp[3] = (uint16)((a1-a2) & mask); a2 = a1;
- 	    }
- 	} else {
--	    ip += n - 1;	/* point to last one */
--	    wp += n - 1;	/* point to last one */
-+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
- 	    n -= stride;
- 	    while (n > 0) {
--		REPEAT(stride, wp[0] = CLAMP(ip[0]);
--				wp[stride] -= wp[0];
--				wp[stride] &= mask;
--				wp--; ip--)
--		n -= stride;
--	    }
--	    REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
-+            REPEAT(stride,
-+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+                wp++; ip++)
-+            n -= stride;
-+        }
- 	}
-     }
- }
-@@ -1089,18 +1083,15 @@ horizontalDifference8(unsigned char *ip, int n, int stride,
- 		ip += 4;
- 	    }
- 	} else {
--	    wp += n + stride - 1;	/* point to last one */
--	    ip += n + stride - 1;	/* point to last one */
--	    n -= stride;
--	    while (n > 0) {
--		REPEAT(stride, wp[0] = CLAMP(ip[0]);
--				wp[stride] -= wp[0];
--				wp[stride] &= mask;
--				wp--; ip--)
--		n -= stride;
--	    }
--	    REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)
--	}
-+        REPEAT(stride, wp[0] = CLAMP(ip[0]); wp++; ip++)
-+        n -= stride;
-+        while (n > 0) {
-+            REPEAT(stride,
-+                wp[0] = (uint16)((CLAMP(ip[0])-CLAMP(ip[-stride])) & mask);
-+                wp++; ip++)
-+            n -= stride;
-+        }
-+    }
-     }
- }
- 
-diff --git a/libtiff/tif_write.c b/libtiff/tif_write.c
-index f9a3fc0..d8fa802 100644
---- a/libtiff/tif_write.c
-+++ b/libtiff/tif_write.c
-@@ -798,7 +798,14 @@ TIFFFlushData1(TIFF* tif)
- 		if (!TIFFAppendToStrip(tif,
- 		    isTiled(tif) ? tif->tif_curtile : tif->tif_curstrip,
- 		    tif->tif_rawdata, tif->tif_rawcc))
-+        {
-+            /* We update those variables even in case of error since there's */
-+            /* code that doesn't really check the return code of this */
-+            /* function */
-+            tif->tif_rawcc = 0;
-+            tif->tif_rawcp = tif->tif_rawdata;
- 			return (0);
-+        }
- 		tif->tif_rawcc = 0;
- 		tif->tif_rawcp = tif->tif_rawdata;
- 	}
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index dcd5a7e..f8df6b5 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -286,7 +286,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P*, TIFF*, TIFF*, ttile_t);
- int t2p_process_ojpeg_tables(T2P*, TIFF*);
- #endif
- #ifdef JPEG_SUPPORT
--int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t*, tstrip_t, uint32);
-+int t2p_process_jpeg_strip(unsigned char*, tsize_t*, unsigned char*, tsize_t, tsize_t*, tstrip_t, uint32);
- #endif
- void t2p_tile_collapse_left(tdata_t, tsize_t, uint32, uint32, uint32);
- void t2p_write_advance_directory(T2P*, TIFF*);
-@@ -2408,7 +2408,8 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p, TIFF* input, TIFF* output){
- 				if(!t2p_process_jpeg_strip(
- 					stripbuffer, 
- 					&striplength, 
--					buffer, 
-+					buffer,
-+                    t2p->tiff_datasize,
- 					&bufferoffset, 
- 					i, 
- 					t2p->tiff_length)){
-@@ -3439,6 +3440,7 @@ int t2p_process_jpeg_strip(
- 	unsigned char* strip, 
- 	tsize_t* striplength, 
- 	unsigned char* buffer, 
-+    tsize_t buffersize,
- 	tsize_t* bufferoffset, 
- 	tstrip_t no, 
- 	uint32 height){
-@@ -3473,6 +3475,8 @@ int t2p_process_jpeg_strip(
- 		}
- 		switch( strip[i] ){
- 			case 0xd8:	/* SOI - start of image */
-+                if( *bufferoffset + 2 > buffersize )
-+                    return(0);
- 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), 2);
- 				*bufferoffset+=2;
- 				break;
-@@ -3482,12 +3486,18 @@ int t2p_process_jpeg_strip(
- 			case 0xc9:	/* SOF9 */
- 			case 0xca:	/* SOF10 */
- 				if(no==0){
-+                    if( *bufferoffset + datalen + 2 + 6 > buffersize )
-+                        return(0);
- 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
-+                    if( *bufferoffset + 9 >= buffersize )
-+                        return(0);
- 					ncomp = buffer[*bufferoffset+9];
- 					if (ncomp < 1 || ncomp > 4)
- 						return(0);
- 					v_samp=1;
- 					h_samp=1;
-+                    if( *bufferoffset + 11 + 3*(ncomp-1) >= buffersize )
-+                        return(0);
- 					for(j=0;j<ncomp;j++){
- 						uint16 samp = buffer[*bufferoffset+11+(3*j)];
- 						if( (samp>>4) > h_samp) 
-@@ -3519,20 +3529,28 @@ int t2p_process_jpeg_strip(
- 				break;
- 			case 0xc4: /* DHT */
- 			case 0xdb: /* DQT */
-+                if( *bufferoffset + datalen + 2 > buffersize )
-+                    return(0);
- 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
- 				*bufferoffset+=datalen+2;
- 				break;
- 			case 0xda: /* SOS */
- 				if(no==0){
-+                    if( *bufferoffset + datalen + 2 > buffersize )
-+                        return(0);
- 					_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i-1]), datalen+2);
- 					*bufferoffset+=datalen+2;
- 				} else {
-+                    if( *bufferoffset + 2 > buffersize )
-+                        return(0);
- 					buffer[(*bufferoffset)++]=0xff;
- 					buffer[(*bufferoffset)++]=
-                                             (unsigned char)(0xd0 | ((no-1)%8));
- 				}
- 				i += datalen + 1;
- 				/* copy remainder of strip */
-+                if( *bufferoffset + *striplength - i > buffersize )
-+                    return(0);
- 				_TIFFmemcpy(&(buffer[*bufferoffset]), &(strip[i]), *striplength - i);
- 				*bufferoffset+= *striplength - i;
- 				return(1);
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index ebc4aba..7685566 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -5758,7 +5758,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-   {
-   uint32   i;
-   float    xres = 0.0, yres = 0.0;
--  uint16   nstrips = 0, ntiles = 0, planar = 0;
-+  uint32   nstrips = 0, ntiles = 0;
-+  uint16   planar = 0;
-   uint16   bps = 0, spp = 0, res_unit = 0;
-   uint16   orientation = 0;
-   uint16   input_compression = 0, input_photometric = 0;
-@@ -6066,11 +6067,23 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
-   /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
-   /* outside buffer */
-   if (!read_buff)
-+  {
-+    if( buffsize > 0xFFFFFFFFU - 3 )
-+    {
-+        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+        return (-1);
-+    }
-     read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
-+  }
-   else
-     {
-     if (prev_readsize < buffsize)
-+    {
-+      if( buffsize > 0xFFFFFFFFU - 3 )
-       {
-+          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-+          return (-1);
-+      }
-       new_buff = _TIFFrealloc(read_buff, buffsize+3);
-       if (!new_buff)
-         {
-@@ -8912,6 +8925,11 @@ reverseSamplesBytes (uint16 spp, uint16 bps, uint32 width,
-     }
- 
-   bytes_per_pixel  = ((bps * spp) + 7) / 8;
-+  if( bytes_per_pixel > sizeof(swapbuff) )
-+  {
-+    TIFFError("reverseSamplesBytes","bytes_per_pixel too large");
-+    return (1);
-+  }
-   switch (bps / 8)
-      {
-      case 8:  /* Use memcpy for multiple bytes per sample data */
--- 
-2.9.3
-
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
similarity index 65%
rename from meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
rename to meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
index 450927d..bbc7389 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.7.bb
@@ -6,29 +6,10 @@ CVE_NAME = "libtiff"
 
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
-           file://CVE-2015-8665_8683.patch \
-           file://CVE-2015-8781.patch \
-           file://CVE-2015-8784.patch \
-           file://CVE-2016-3186.patch \
-           file://CVE-2016-5321.patch \
-           file://CVE-2016-5323.patch \
-           file://CVE-2016-3945.patch \
-           file://CVE-2016-3990.patch \
-           file://CVE-2016-3991.patch \
-           file://CVE-2016-3623.patch \
-           file://CVE-2016-3622.patch \
-           file://CVE-2016-3658.patch \
-           file://CVE-2016-3632.patch \
-           file://CVE-2016-9540.patch \
-           file://CVE-2016-9539.patch \
-           file://CVE-2016-9535-1.patch \
-           file://CVE-2016-9535-2.patch \
-           file://CVE-2016-9538.patch \
-           file://Fix_several_CVE_issues.patch \
           "
 
-SRC_URI[md5sum] = "d1d2e940dea0b5ad435f21f03d96dd72"
-SRC_URI[sha256sum] = "4d57a50907b510e3049a4bba0d7888930fdfc16ce49f1bf693e5b6247370d68c"
+SRC_URI[md5sum] = "77ae928d2c6b7fb46a21c3a29325157b"
+SRC_URI[sha256sum] = "9f43a2cfb9589e5cecaa66e16bf87f814c945f22df7ba600d63aac4632c4f019"
 
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-- 
2.7.4




More information about the Openembedded-core mailing list