authorSamuli Suominen <ssuominen@gentoo.org>2013-05-03 12:13:59 +0000
committerSamuli Suominen <ssuominen@gentoo.org>2013-05-03 12:13:59 +0000
commit2f18fd66784fb09ae3fb32054112bf935ee54ea6 (patch)
tree9489ec1644a1a0b1d9e2080c3461fc106b6988e1 /media-libs
parentDon't depend on timidity-shompatches, since that package has been masked for ... (diff)
Import Fedora 17 security patchset for the compability SLOT.
Package-Manager: portage-2.2.0_alpha173/cvs/Linux x86_64 Manifest-Sign-Key: 0x4868F14D
Diffstat (limited to 'media-libs')
-rw-r--r--media-libs/tiff/ChangeLog9
-rw-r--r--media-libs/tiff/Manifest19
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch191
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch77
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch245
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-printdir-width.patch36
-rw-r--r--media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch59
-rw-r--r--media-libs/tiff/tiff-3.9.7.ebuild7
8 files changed, 636 insertions, 7 deletions
diff --git a/media-libs/tiff/ChangeLog b/media-libs/tiff/ChangeLog
index cd6e01ae80a2..ac26067396b8 100644
--- a/media-libs/tiff/ChangeLog
+++ b/media-libs/tiff/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for media-libs/tiff
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.226 2013/05/03 12:00:09 vincent Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/ChangeLog,v 1.227 2013/05/03 12:13:47 ssuominen Exp $
+
+ 03 May 2013; Samuli Suominen <ssuominen@gentoo.org> tiff-3.9.7.ebuild,
+ +files/tiff-3.9.7-CVE-2012-4447.patch, +files/tiff-3.9.7-CVE-2012-4564.patch,
+ +files/tiff-3.9.7-CVE-2012-5581.patch,
+ +files/tiff-3.9.7-printdir-width.patch,
+ +files/tiff-3.9.7-tiffinfo-exif.patch:
+ Import Fedora 17 security patchset for the compability SLOT.
03 May 2013; Vicente Olivert Riera <vincent@gentoo.org> tiff-3.9.7.ebuild,
tiff-4.0.3-r2.ebuild:
diff --git a/media-libs/tiff/Manifest b/media-libs/tiff/Manifest
index 979a1a2eae09..c15e591b5813 100644
--- a/media-libs/tiff/Manifest
+++ b/media-libs/tiff/Manifest
@@ -2,6 +2,11 @@
Hash: SHA256
AUX tiff-3.9.5-CVE-2012-1173.patch 1621 SHA256 1697dda50fcd92599f8e567a55783d699d919964df895c5c9098eed41715621f SHA512 262ad17d9fb2c0e03dd5ead72b27d446efb44104db5330a1a0cb4998712b59e70a945eb5bbf4f0216dde475c56ef1d4977cf46ee189619402727921dadacbde6 WHIRLPOOL 2b9dcccd9c0a0285cdbd35ccad2fb0525fba3212b3b84ef9347f47a425ff4c92ed55a2cb2bd3f0af4e93cca3a0e78a76133006e5cab130b53b2dd8e422e51d39
+AUX tiff-3.9.7-CVE-2012-4447.patch 5706 SHA256 373020d6c383778ee40f642d90e5d9f3a878f0c17a529825e43e1647d27332cf SHA512 defb8251401b7d65c2cd8f60df30d35551c1b1d0a1dcf514dd95da89572873177ea116e9373dd07cd260e00434235090e1d8864199d5fdfa84c445cb6905ddd6 WHIRLPOOL ac54215b65806681ae5e337a538ce91357247f28815eee7a29ff5eef179075ec43b473a7f62195056a37318e84ae15a2d503fd94b54a0dee173ac6851858f342
+AUX tiff-3.9.7-CVE-2012-4564.patch 1987 SHA256 525f667e2148229520b50d6136c0ecd345b8db9acc62fde945a5f13dae4d51f3 SHA512 24ebe60ce6361561c15c8c5fb46b47942e58912de5efbf128374defc4382a7e800fae3dc0a9fe04876a5e2f61a109edc1c9533be2f8a15b4b0ed7215d7b08c9b WHIRLPOOL c59dfed1f43b75372e9e6bf3381db608d42291e8613c6f38d8b1310868b4f373b15a279144a8f06cb0d9ba5d147a81ca753b6ef118e23e47893902d1d00cf880
+AUX tiff-3.9.7-CVE-2012-5581.patch 8156 SHA256 f47b30c8fc0578df7285f6cf318f29d410db4b82550b3fbc9582beeb9a834415 SHA512 2e215edeb6f4f5d6e14753874a67d76cfec34b3f6ffc420e1c7ede2007a6b2f64c09505e879e83db1de87f28c82c806c4379b38bf7f8735bb2bae675543683f0 WHIRLPOOL 8f7cdca5ec968eab6ec8749e2185c7416fb2055da56ce3b159a637ede9f296e9a37af7c91ff8da1c743bb05371662725374d3febdde2109f18baa57391ac8e16
+AUX tiff-3.9.7-printdir-width.patch 1523 SHA256 597406f727b26fd06106e1e22a1e4e4620b3ffa54a49c2c4b0b8ee6b1d54908b SHA512 9bf2edcbda2ed5dba01839cf1bb34316801b4c5a2b6c71ed46f8777518cf1bc77084db94eaf1ebde84583fa2e1749a5fc5151e321b4d83975b13c3e9ebe96436 WHIRLPOOL 3f9a830622866cbc1fab8109fa9ad787c50230871286e6bdc3594b0d33c887acdca03b19df8d4537ff0e21a6f6a2e48062ff731616b300ead923d8e61253094b
+AUX tiff-3.9.7-tiffinfo-exif.patch 1847 SHA256 2b333f3161f88aef3f764de316c4e8f10906932d33ee575b98f7723b2bff1db7 SHA512 6f211dc864bfb314a1c7edb8855b68cfbbdbbde1ba9422c1c578acbb15e5769323eec366bef618a8100b0ccb8057b2997762ebbd0f943be10882411861ec72fb WHIRLPOOL 4fb1375cc34c889f2148d8b998929f29f8901c38ac3af0839abcd827adf707045b00e7516e7b92df6cd2968dcbbe98ac135662300bc4fe05fb4b43b30f340baa
AUX tiff-4.0.2-CVE-2012-3401.patch 296 SHA256 e0fbff1fdcb9189fde303edb378fce999beffb78e1cf3ab955e24accf489e807 SHA512 143aeab0c6008cb107343c757239ad7045a573f157b06b6771514c963405ac8b1a199b0978ca393e312da1587071b74a5e299f67d218e37a85d82e9e978c5d28 WHIRLPOOL 1039df55dac487f748d30670574efa85d24f274f3b750a14f2407a04cb423e8a6e45318e8977feba7be67d3dfcd9707d470f5ca83b40e081801a45126fb58427
AUX tiff-4.0.2-bigendian.patch 897 SHA256 dfddd377370c4114cde09fed335edd40f4fc5411cf191b0048bb76466e3909f0 SHA512 b94084a6e3750e68fd4cd283bd39491e445b8907a4342e4239a5e4237e1e8847a5759d82636be20d152943bb85fd83f9d84d5de09e68668a67c4b93d9742a0e3 WHIRLPOOL 5cf1342132d7eda75a653bca5f4df71bd9cd8ede2e47bb590fff7485ceaad80d550c882b7f11ddd294abed3dbc666a218f366c94c15a5198d7ddb9a1115c6dbc
AUX tiff-4.0.3-CVE-2012-4447.patch 1263 SHA256 917187494cd3f80929e4919951637683aaccd98ffa23a6f1f97e49f6db85baa9 SHA512 1377b675cfbeffbe810518053fb2e683f889cf1274d0b1adc6060beb9ef70dcd504038b02d569d08bf497511b99ea9c237e581b4a66676d0a69370b78c98736b WHIRLPOOL 5c17a0026f65ca2ede6b4ec4c1bf174578070cc413aadc411650fe65af4c79476bfdf413927328cac08c1c7688ddc9018d77a2cf73bf815583821b8c4fe7d6b2
@@ -15,17 +20,21 @@ DIST tiff-3.9.7.tar.gz 1468097 SHA256 f5d64dd4ce61c55f5e9f6dc3920fbe5a41e02c2e60
DIST tiff-4.0.2.tar.gz 2022814 SHA256 aa29f1f5bfe3f443c3eb4dac472ebde15adc8ff0464b83376f35e3b2fef935da SHA512 bfc82b2780f2a7d89b1cd6d73ba45091fc74de996b2dad616cfdba59770b192449d6a9effba305f478a8e527d7246443a4e2bc1c5e2e6673a0037972f4a13413 WHIRLPOOL 1c89f2760413035f37dfde47d7c8884fa899e86b7911fd6b52b2920c830898b8f26f8d9a287ed6dc3820feb7fa21c50fb1dba278c57fb548806e8700c23e1ec9
DIST tiff-4.0.3.tar.gz 2051630 SHA256 ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872 SHA512 d80e18b00e9e696a30b954c0d92e5f2f773fd9a7a0a944cf6cabb69c1798e671506580daa1cd2ebf493ae922000170c2491dfc6d4c0a9cd0b865684070595a73 WHIRLPOOL 762ace7c66dec7a6f350bc8c000a9e1f4b775e7b148b1d923eb3f7c015f47bda65a54bc0b5974ce665c7d836ec0b275c9307d1f18f3b6bee8b0949a6cceb319e
EBUILD tiff-3.9.5-r3.ebuild 1799 SHA256 10fc18a8ada9f8763ff295b6f42326b0f6866e235aeac1261f42dd1ad62a12fd SHA512 9434a31ccb4603d0278cfa0b51df4d902a627466f8243045585064db73627418ea871ea4a6f749acbe9f4792bddb6b7f2d28bc3a035da5daea8067338ae8d157 WHIRLPOOL 1cbc9bd3e518d48c8b42420c7db495bd95810ed571dc13ee4be5378c816383f75ae19e2d02f711c61a95642777458840340b15e8e438bc48cd2d72309955ce15
-EBUILD tiff-3.9.7.ebuild 1754 SHA256 a3040b551fa8c53808f13488cb64c98d7132ff0c7605fa3a14c353d84d9f6204 SHA512 66f9bb1969e3c9b5bccf9135ddbc1c7cb6146f75b2e48570e706c23ab370f89ee2304d17316c1686facaf63546a42e191f163a26323ceb5bf1237a872e48bf70 WHIRLPOOL d657c820d00fc6e86ed4f69e23866bc7252a342b15908f4242d322b3cab30307c4a136eed5687918d450e8753ad71ea2f06be60d3b85fae10d5eee14d76aae1a
+EBUILD tiff-3.9.7.ebuild 1907 SHA256 8e90d128b9e71ce70b38c7ccae6244a6a378bcd194a790c6e4e20b9c7cc9b818 SHA512 ed0ced2b2c7afb075cfed1b6615688d998375a3c6a8f6af644fb717e467bdf72b32e01c245c2ce10a89577ccc8acf3330f961e329a579f881ad3f7f98b8204f0 WHIRLPOOL 7aeb075cf0a00378a482deb4d2a758defa01b80b8b6ffb668b122d85a1f850eb821891a35dcae51b58045231eed74857d618c13b40e1486ee81007e0057aa382
EBUILD tiff-4.0.2-r1.ebuild 1446 SHA256 4301e356a342b75d9425d94ca7fc0f29eb956265136d23219851cbd7532c9c86 SHA512 f3f5ccd83c300a3acd445e9fe420c9c3150ad3933a80db1a315ff55afd73ca0829f6848bca49e0dab44246c506c12d8595eeb6d442cf414f28d20397da8034ea WHIRLPOOL ebe9c1d649335cdedf6630fb943cd916f2a64898a18015c0a389e3299b850b9a2c50ccc54a93519c7f2e72988bfa492969db52afe1068429cbca7b3cab049941
EBUILD tiff-4.0.3-r1.ebuild 1429 SHA256 2fc720bbe56409b73d782a68bd2476caf5e0eb4449f5df775088cb24e989ada0 SHA512 d53620a858fbd774b36723d33f0c129edd634ef4913647319d76e60d3a87edb3cbe52c42b1e2e7a7155c9ce14540e158a3d1081f2046f6677c03570dae121ee4 WHIRLPOOL 021e573bc100640b1efceac2f42635645bb79bd729d113dd200676decaa863febb45bca37c721575043e23e60aa203419927c7aae7736f01e946ecb35fe10e00
EBUILD tiff-4.0.3-r2.ebuild 1605 SHA256 72986ee727d64ade7423e3a25025fffd70ef086096f8a6bad968865ddc3ae641 SHA512 e63815a55c4153d5a93e3a88a0affbcfdccb515791266db7f9cc76d46fa76204fb4bcc87d83f996f92c0e01f7cf3b56ff795b3fc5587edeb436d6d6ecf55adc9 WHIRLPOOL 7bc2966842d21290e5e7c1c95fd3bccc56f8292f1ea37fbc580aab7b6e7523e65670826c5669ef7f4cc7fe1ad80f28672e7044c803712f09d070331d13b37657
EBUILD tiff-4.0.3.ebuild 1353 SHA256 ae60d4451163f8fde953b0ba1120f3a10d01601a23d457ecf05f2ea0007c477f SHA512 a5aabfa782dc9c97e9a93e7f1a224152d7a561d0c8131042ca24e5ab40744125be8fc1e1a892a4f6f808003bd2d8c881ccaafd1165522f829adf15956d9d3689 WHIRLPOOL 4841ce497247a05952c1b83f718983422b819642a133acea9ab5daa6daeccc2ceb6f6faa2b26957fa9f965751d99ed533575c550e93205386d0c427965745eb2
-MISC ChangeLog 31567 SHA256 daacdf164025ea6ce66e00d1415af486caad836528d87a37069001acf2d9258b SHA512 f3805f531d61701a5393e7514cb64638536f337cbb0e13c47efc9920e0de62340df4a45edbd2d61179409b6f106d8d48e32919b3e429708c02c9aa55216e5595 WHIRLPOOL 4e3d79203da0bd5295f84dce1504e440dc056c65202a7f8d7e27aa7fa3316dd210db38fe4ecc905da6af886cd41b773fbd897a20ade04e87c7f28195efea826a
+MISC ChangeLog 31910 SHA256 05db6accb39a653f13a4ca76d36fc26cee990ba72d6cbc57763fa12e8028ef49 SHA512 6dd1c0cb12b852c4dbe13df1e1562b21971c224299b5d315dd27601acb0e6d2ea04e8d6cefc3a8cd939262b7944c4cd4aea942246fe77eda66277d04a9186bd6 WHIRLPOOL bb5695f8f75ee5a5eac40e3ee9df2aab93cb968f9eaef7ba72b6281c7419d4d3a4a41b9b2e3a9455b82e3badd08e587f2e90e3c23555abfbf81a363581aa5280
MISC metadata.xml 309 SHA256 c1893fd7aaa763da14257353ceca7356500d8c8112f635f587c4ef407bd6ca51 SHA512 435eddb4a4280b37dd5948f305f88c5b3c8d193d50776a4c608132addcff03016fb00b218ad8be93a59dfdde28b57fc9d1327b18dc772344057147a5d3826f4b WHIRLPOOL b3323fa861535082bd475896c3cd5490c584cfe0262ffa25288bcda76e36ee58c42c825811ccc34078ed624e48467842012750cd650cf91398313cf4c6b60892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
-iEYEAREIAAYFAlGDprcACgkQWunnsum7y6jB2QCfc0tNtjPNBhl5xrlnCTrfF5d8
-jZIAn11ReqPdnPFv6G1Wia8VwpDJkpCj
-=9hmJ
+iQEcBAEBCAAGBQJRg6n3AAoJEEdUh39IaPFNQXsIAJbEP8nABJdyO41P5Gf6zg+j
+Dhjb21vM9SxS9/+CdyOg2SCzcm9nvvDe/vulJ675qZgvSq18l82Qflt+X5US7d9R
+SAYD2pXfnsytguPLxDrW7f0Wglp0KtgZgck2E0WwiB0InTHgSNs5vqFF3CJ6fzS1
+pKtvmBVPb2vkw7xwofNRzmks5xSovuI4vgGglEkEkSA0Zk2gzhcD9xL+wYb0+QBZ
+pk3WX3jBp89GgY+Bj71RJUmG69Jk70p37EY2l3gp5oE7RescKLfpLq/tPBBHpdwJ
+8gH5zASlrmozKSXTUQopbKHopLs/KSEjUR0ewBeB6OXWFw1uOXBRlZUFsArWw7c=
+=UIMq
-----END PGP SIGNATURE-----
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
new file mode 100644
index 000000000000..6c28dc6ec9a8
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4447.patch
@@ -0,0 +1,191 @@
+Upstream patch for CVE-2012-4447. This also covers an out-of-bounds-read
+possibility in the same file, which wasn't given a separate CVE.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c tiff-3.9.4/libtiff/tif_pixarlog.c
+--- tiff-3.9.4.orig/libtiff/tif_pixarlog.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_pixarlog.c 2012-12-10 15:50:14.421538317 -0500
+@@ -117,9 +117,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -136,10 +136,10 @@
+ op[2] = t2;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]];
+- t1 = ToLinearF[cg = wp[1]];
+- t2 = ToLinearF[cb = wp[2]];
+- t3 = ToLinearF[ca = wp[3]];
++ t0 = ToLinearF[cr = (wp[0] & mask)];
++ t1 = ToLinearF[cg = (wp[1] & mask)];
++ t2 = ToLinearF[cb = (wp[2] & mask)];
++ t3 = ToLinearF[ca = (wp[3] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -183,9 +183,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -202,10 +202,10 @@
+ op[2] = CLAMP12(t2);
+ }
+ } else if (stride == 4) {
+- t0 = ToLinearF[cr = wp[0]] * SCALE12;
+- t1 = ToLinearF[cg = wp[1]] * SCALE12;
+- t2 = ToLinearF[cb = wp[2]] * SCALE12;
+- t3 = ToLinearF[ca = wp[3]] * SCALE12;
++ t0 = ToLinearF[cr = (wp[0] & mask)] * SCALE12;
++ t1 = ToLinearF[cg = (wp[1] & mask)] * SCALE12;
++ t2 = ToLinearF[cb = (wp[2] & mask)] * SCALE12;
++ t3 = ToLinearF[ca = (wp[3] & mask)] * SCALE12;
+ op[0] = CLAMP12(t0);
+ op[1] = CLAMP12(t1);
+ op[2] = CLAMP12(t2);
+@@ -247,9 +247,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ wp += 3;
+@@ -260,10 +260,10 @@
+ op[2] = ToLinear16[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear16[cr = wp[0]];
+- op[1] = ToLinear16[cg = wp[1]];
+- op[2] = ToLinear16[cb = wp[2]];
+- op[3] = ToLinear16[ca = wp[3]];
++ op[0] = ToLinear16[cr = (wp[0] & mask)];
++ op[1] = ToLinear16[cg = (wp[1] & mask)];
++ op[2] = ToLinear16[cb = (wp[2] & mask)];
++ op[3] = ToLinear16[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ wp += 4;
+@@ -342,9 +342,9 @@
+ if (n >= stride) {
+ mask = CODE_MASK;
+ if (stride == 3) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
+ n -= 3;
+ while (n > 0) {
+ n -= 3;
+@@ -355,10 +355,10 @@
+ op[2] = ToLinear8[(cb += wp[2]) & mask];
+ }
+ } else if (stride == 4) {
+- op[0] = ToLinear8[cr = wp[0]];
+- op[1] = ToLinear8[cg = wp[1]];
+- op[2] = ToLinear8[cb = wp[2]];
+- op[3] = ToLinear8[ca = wp[3]];
++ op[0] = ToLinear8[cr = (wp[0] & mask)];
++ op[1] = ToLinear8[cg = (wp[1] & mask)];
++ op[2] = ToLinear8[cb = (wp[2] & mask)];
++ op[3] = ToLinear8[ca = (wp[3] & mask)];
+ n -= 4;
+ while (n > 0) {
+ n -= 4;
+@@ -393,9 +393,9 @@
+ mask = CODE_MASK;
+ if (stride == 3) {
+ op[0] = 0;
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[1] = t1;
+ op[2] = t2;
+ op[3] = t3;
+@@ -413,10 +413,10 @@
+ op[3] = t3;
+ }
+ } else if (stride == 4) {
+- t0 = ToLinear8[ca = wp[3]];
+- t1 = ToLinear8[cb = wp[2]];
+- t2 = ToLinear8[cg = wp[1]];
+- t3 = ToLinear8[cr = wp[0]];
++ t0 = ToLinear8[ca = (wp[3] & mask)];
++ t1 = ToLinear8[cb = (wp[2] & mask)];
++ t2 = ToLinear8[cg = (wp[1] & mask)];
++ t3 = ToLinear8[cr = (wp[0] & mask)];
+ op[0] = t0;
+ op[1] = t1;
+ op[2] = t2;
+@@ -630,10 +630,10 @@
+ return guess;
+ }
+
+-static uint32
+-multiply(size_t m1, size_t m2)
++static tsize_t
++multiply(tsize_t m1, tsize_t m2)
+ {
+- uint32 bytes = m1 * m2;
++ tsize_t bytes = m1 * m2;
+
+ if (m1 && bytes / m1 != m2)
+ bytes = 0;
+@@ -641,6 +641,20 @@
+ return bytes;
+ }
+
++static tsize_t
++add_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 + m2;
++
++ /* if either input is zero, assume overflow already occurred */
++ if (m1 == 0 || m2 == 0)
++ bytes = 0;
++ else if (bytes <= m1 || bytes <= m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ static int
+ PixarLogSetupDecode(TIFF* tif)
+ {
+@@ -661,6 +675,8 @@
+ td->td_samplesperpixel : 1);
+ tbuf_size = multiply(multiply(multiply(sp->stride, td->td_imagewidth),
+ td->td_rowsperstrip), sizeof(uint16));
++ /* add one more stride in case input ends mid-stride */
++ tbuf_size = add_ms(tbuf_size, sizeof(uint16) * sp->stride);
+ if (tbuf_size == 0)
+ return (0);
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
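Review bot: `add_ms()` and the retyped `multiply()` only test for overflow after the addition or multiplication has already been done in `tsize_t`; if `tsize_t` is a signed type in this branch (its typedef is not part of the patch), the overflowing operation is itself undefined behaviour, and a negative operand passes `bytes / m1 != m2` unnoticed. Both helpers would be more robust starting with `if (m1 <= 0 || m2 <= 0) return 0;` and then comparing an operand against the type's maximum before the operation instead of inspecting the result. In `PixarLogSetupDecode()` the following `add_ms()` call appears to zero a negative product, but any other caller of `multiply()` outside these hunks does not get that second check. `PixarLogSetupDecode()` starts and ends outside the hunk.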
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
new file mode 100644
index 000000000000..98a6e6c4409d
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-4564.patch
@@ -0,0 +1,77 @@
+Upstream patch for CVE-2012-4564.
+
+
+diff -Naur tiff-3.9.4.orig/tools/ppm2tiff.c tiff-3.9.4/tools/ppm2tiff.c
+--- tiff-3.9.4.orig/tools/ppm2tiff.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/ppm2tiff.c 2012-12-10 16:16:05.154045877 -0500
+@@ -68,6 +68,17 @@
+ exit(-2);
+ }
+
++static tsize_t
++multiply_ms(tsize_t m1, tsize_t m2)
++{
++ tsize_t bytes = m1 * m2;
++
++ if (m1 && bytes / m1 != m2)
++ bytes = 0;
++
++ return bytes;
++}
++
+ int
+ main(int argc, char* argv[])
+ {
+@@ -85,6 +96,7 @@
+ int c;
+ extern int optind;
+ extern char* optarg;
++ tsize_t scanline_size;
+
+ if (argc < 2) {
+ fprintf(stderr, "%s: Too few arguments\n", argv[0]);
+@@ -217,7 +229,8 @@
+ }
+ switch (bpp) {
+ case 1:
+- linebytes = (spp * w + (8 - 1)) / 8;
++ /* if round-up overflows, result will be zero, OK */
++ linebytes = (multiply_ms(spp, w) + (8 - 1)) / 8;
+ if (rowsperstrip == (uint32) -1) {
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, h);
+ } else {
+@@ -226,15 +239,31 @@
+ }
+ break;
+ case 8:
+- linebytes = spp * w;
++ linebytes = multiply_ms(spp, w);
+ TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
+ TIFFDefaultStripSize(out, rowsperstrip));
+ break;
+ }
+- if (TIFFScanlineSize(out) > linebytes)
++ if (linebytes == 0) {
++ fprintf(stderr, "%s: scanline size overflow\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ scanline_size = TIFFScanlineSize(out);
++ if (scanline_size == 0) {
++ /* overflow - TIFFScanlineSize already printed a message */
++ (void) TIFFClose(out);
++ exit(-2);
++ }
++ if (scanline_size < linebytes)
+ buf = (unsigned char *)_TIFFmalloc(linebytes);
+ else
+- buf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
++ buf = (unsigned char *)_TIFFmalloc(scanline_size);
++ if (buf == NULL) {
++ fprintf(stderr, "%s: Not enough memory\n", infile);
++ (void) TIFFClose(out);
++ exit(-2);
++ }
+ if (resolution > 0) {
+ TIFFSetField(out, TIFFTAG_XRESOLUTION, resolution);
+ TIFFSetField(out, TIFFTAG_YRESOLUTION, resolution);
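Review bot: The new `if (linebytes == 0)` guard only catches an overflow that `multiply_ms()` reported as zero. If `tsize_t` is signed here (its typedef and the declaration of `linebytes` are outside the hunk), a negative product, or a round-up that overflows in `(multiply_ms(spp, w) + (8 - 1)) / 8`, yields a non-zero negative size that gets past it, contrary to the added comment. Writing `if (linebytes <= 0) {` and likewise `if (scanline_size <= 0) {` would reject those values as well. `multiply_ms()` also evaluates `bytes / m1 != m2` only after the multiplication, so for a signed type the check runs after the undefined operation; testing the operands first would be safer. `main()` continues outside the hunk.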
diff --git a/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
new file mode 100644
index 000000000000..a6bdca137029
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-CVE-2012-5581.patch
@@ -0,0 +1,245 @@
+Fix unsafe handling of DotRange and related tags. Back-port of upstream
+patch for CVE-2012-5581. (Note: I have not pushed this into upstream CVS
+for the 3.9 branch, because I'm not entirely convinced that it won't create
+application compatibility issues --- tgl)
+
+
+diff -Naur tiff-3.9.7.orig/libtiff/tif_dir.c tiff-3.9.7/libtiff/tif_dir.c
+--- tiff-3.9.7.orig/libtiff/tif_dir.c 2012-09-22 10:48:09.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_dir.c 2012-12-13 13:39:20.448864070 -0500
+@@ -494,32 +494,28 @@
+ goto end;
+ }
+
+- if ((fip->field_passcount
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ uint16 v[2];
++ v[0] = (uint16)va_arg(ap, int);
++ v[1] = (uint16)va_arg(ap, int);
++ _TIFFmemcpy(tv->value, v, 4);
++ }
++ else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE
+- && fip->field_tag != TIFFTAG_WHITELEVEL) {
++ || tv->count > 1) {
+ _TIFFmemcpy(tv->value, va_arg(ap, void *),
+ tv->count * tv_size);
+ } else {
+- /*
+- * XXX: The following loop required to handle
+- * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
+- * These tags are actually arrays and should be passed as
+- * array pointers to TIFFSetField() function, but actually
+- * passed as a list of separate values. This behaviour
+- * must be changed in the future!
+- */
+- int i;
+ char *val = (char *)tv->value;
+
+- for (i = 0; i < tv->count; i++, val += tv_size) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -578,7 +574,6 @@
+ status = 0;
+ break;
+ }
+- }
+ }
+ }
+ }
+@@ -869,24 +864,27 @@
+ *va_arg(ap, uint16*) = (uint16)tv->count;
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+- } else {
+- if ((fip->field_type == TIFF_ASCII
++ } else if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[0];
++ *va_arg(ap, uint16*) = ((uint16 *)tv->value)[1];
++ ret_val = 1;
++ } else {
++ if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || tv->count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || tv->count > 1) {
+ *va_arg(ap, void **) = tv->value;
+ ret_val = 1;
+ } else {
+- int j;
+ char *val = (char *)tv->value;
+
+- for (j = 0; j < tv->count;
+- j++, val += _TIFFDataSize(tv->info->field_type)) {
++ assert( tv->count == 1 );
+ switch (fip->field_type) {
+ case TIFF_BYTE:
+ case TIFF_UNDEFINED:
+@@ -936,7 +934,6 @@
+ ret_val = 0;
+ break;
+ }
+- }
+ }
+ }
+ break;
+diff -Naur tiff-3.9.7.orig/libtiff/tif_print.c tiff-3.9.7/libtiff/tif_print.c
+--- tiff-3.9.7.orig/libtiff/tif_print.c 2010-07-08 12:17:59.000000000 -0400
++++ tiff-3.9.7/libtiff/tif_print.c 2012-12-13 13:42:12.773478278 -0500
+@@ -112,16 +112,22 @@
+ }
+
+ static int
+-_TIFFPrettyPrintField(TIFF* tif, FILE* fd, ttag_t tag,
++_TIFFPrettyPrintField(TIFF* tif, const TIFFFieldInfo *fip, FILE* fd, ttag_t tag,
+ uint32 value_count, void *raw_data)
+ {
+ TIFFDirectory *td = &tif->tif_dir;
+
++ /* do not try to pretty print auto-defined fields */
++ if (strncmp(fip->field_name,"Tag ", 4) == 0) {
++ return 0;
++ }
++
+ switch (tag)
+ {
+ case TIFFTAG_INKSET:
+- fprintf(fd, " Ink Set: ");
+- switch (*((uint16*)raw_data)) {
++ if (value_count == 2 && fip->field_type == TIFF_SHORT) {
++ fprintf(fd, " Ink Set: ");
++ switch (*((uint16*)raw_data)) {
+ case INKSET_CMYK:
+ fprintf(fd, "CMYK\n");
+ break;
+@@ -130,11 +136,18 @@
+ *((uint16*)raw_data),
+ *((uint16*)raw_data));
+ break;
++ }
++ return 1;
+ }
+- return 1;
++ return 0;
++
+ case TIFFTAG_WHITEPOINT:
+- fprintf(fd, " White Point: %g-%g\n",
+- ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ if (value_count == 2 && fip->field_type == TIFF_RATIONAL) {
++ fprintf(fd, " White Point: %g-%g\n",
++ ((float *)raw_data)[0], ((float *)raw_data)[1]); return 1;
++ }
++ return 0;
++
+ case TIFFTAG_REFERENCEBLACKWHITE:
+ {
+ uint16 i;
+@@ -174,10 +187,13 @@
+ (unsigned long) value_count);
+ return 1;
+ case TIFFTAG_STONITS:
+- fprintf(fd,
+- " Sample to Nits conversion factor: %.4e\n",
+- *((double*)raw_data));
+- return 1;
++ if (value_count == 1 && fip->field_type == TIFF_DOUBLE) {
++ fprintf(fd,
++ " Sample to Nits conversion factor: %.4e\n",
++ *((double*)raw_data));
++ return 1;
++ }
++ return 0;
+ }
+
+ return 0;
+@@ -524,44 +540,28 @@
+ value_count = td->td_samplesperpixel;
+ else
+ value_count = fip->field_readcount;
+- if ((fip->field_type == TIFF_ASCII
++ if (fip->field_tag == TIFFTAG_DOTRANGE
++ && strcmp(fip->field_name,"DotRange") == 0) {
++ /* TODO: This is an evil exception and should not have been
++ handled this way ... likely best if we move it into
++ the directory structure with an explicit field in
++ libtiff 4.1 and assign it a FIELD_ value */
++ static uint16 dotrange[2];
++ raw_data = dotrange;
++ TIFFGetField(tif, tag, dotrange+0, dotrange+1);
++ } else if (fip->field_type == TIFF_ASCII
+ || fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2
+ || fip->field_readcount == TIFF_SPP
+- || value_count > 1)
+- && fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
++ || value_count > 1) {
+ if(TIFFGetField(tif, tag, &raw_data) != 1)
+ continue;
+- } else if (fip->field_tag != TIFFTAG_PAGENUMBER
+- && fip->field_tag != TIFFTAG_HALFTONEHINTS
+- && fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
+- && fip->field_tag != TIFFTAG_DOTRANGE) {
+- raw_data = _TIFFmalloc(
+- _TIFFDataSize(fip->field_type)
+- * value_count);
+- mem_alloc = 1;
+- if(TIFFGetField(tif, tag, raw_data) != 1) {
+- _TIFFfree(raw_data);
+- continue;
+- }
+ } else {
+- /*
+- * XXX: Should be fixed and removed, see the
+- * notes related to TIFFTAG_PAGENUMBER,
+- * TIFFTAG_HALFTONEHINTS,
+- * TIFFTAG_YCBCRSUBSAMPLING and
+- * TIFFTAG_DOTRANGE tags in tif_dir.c. */
+- char *tmp;
+ raw_data = _TIFFmalloc(
+ _TIFFDataSize(fip->field_type)
+ * value_count);
+- tmp = raw_data;
+ mem_alloc = 1;
+- if(TIFFGetField(tif, tag, tmp,
+- tmp + _TIFFDataSize(fip->field_type)) != 1) {
++ if(TIFFGetField(tif, tag, raw_data) != 1) {
+ _TIFFfree(raw_data);
+ continue;
+ }
+@@ -574,7 +574,7 @@
+ * _TIFFPrettyPrintField() fall down and print it as any other
+ * tag.
+ */
+- if (_TIFFPrettyPrintField(tif, fd, tag, value_count, raw_data)) {
++ if (_TIFFPrettyPrintField(tif, fip, fd, tag, value_count, raw_data)) {
+ if(mem_alloc)
+ _TIFFfree(raw_data);
+ continue;
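Review bot: In the tif_print.c hunk `@@ -524,44 +540,28 @@` the new DotRange branch calls `TIFFGetField(tif, tag, dotrange+0, dotrange+1);` without checking the result, while the neighbouring branches `continue` when it is not 1. It also reads into a `static uint16 dotrange[2]`, so a failed lookup would print whatever an earlier call left there, and the function is no longer reentrant. Declaring `uint16 dotrange[2];` as an ordinary local in a scope that outlives the later use of `raw_data`, and writing `if (TIFFGetField(tif, tag, dotrange+0, dotrange+1) != 1) continue;`, would match the other branches. Separately, the two `assert( tv->count == 1 );` lines in tif_dir.c replace the loops and disappear in an NDEBUG build, leaving the single-value invariant unenforced there; whether a zero count is rejected earlier is not visible in these hunks. The enclosing functions start and end outside the hunks.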
diff --git a/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
new file mode 100644
index 000000000000..6ad7534ac6fe
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-printdir-width.patch
@@ -0,0 +1,36 @@
+Make TIFFPrintDirectory cope with both TIFF_VARIABLE and TIFF_VARIABLE2
+conventions for field_passcount fields, ie, either 16- or 32-bit counts.
+This patch is taken from upstream commits dated 2012-05-23 ("fix crash
+with odd 16bit count types for some custom fields") and 2012-12-12 ("Fix
+TIFF_VARIABLE/TIFF_VARIABLE2 confusion in TIFFPrintDirectory").
+
+This doesn't qualify as a security issue in itself, mainly because
+TIFFPrintDirectory is unlikely to be used in any security-exposed
+scenarios; but we need to fix it so that our test case for CVE-2012-5581
+works on all platforms.
+
+
+diff -Naur tiff-3.9.4.orig/libtiff/tif_print.c tiff-3.9.4/libtiff/tif_print.c
+--- tiff-3.9.4.orig/libtiff/tif_print.c 2010-06-08 14:50:42.000000000 -0400
++++ tiff-3.9.4/libtiff/tif_print.c 2012-12-13 12:17:33.726765771 -0500
+@@ -518,8 +518,19 @@
+ continue;
+
+ if(fip->field_passcount) {
+- if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ if (fip->field_readcount == TIFF_VARIABLE2 ) {
++ if(TIFFGetField(tif, tag, &value_count, &raw_data) != 1)
++ continue;
++ } else if (fip->field_readcount == TIFF_VARIABLE ) {
++ uint16 small_value_count;
++ if(TIFFGetField(tif, tag, &small_value_count, &raw_data) != 1)
++ continue;
++ value_count = small_value_count;
++ } else {
++ assert (fip->field_readcount == TIFF_VARIABLE
++ || fip->field_readcount == TIFF_VARIABLE2);
+ continue;
++ }
+ } else {
+ if (fip->field_readcount == TIFF_VARIABLE
+ || fip->field_readcount == TIFF_VARIABLE2)
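Review bot: The `assert` in the final `else` can never hold when it is reached, because `TIFF_VARIABLE2` and `TIFF_VARIABLE` were both excluded by the two tests above it, so it acts as `assert(0)`. A build with assertions enabled therefore aborts the process on a pass-count field with any other read count, while an NDEBUG build silently skips the field. If skipping is the intended behaviour, dropping the assert and keeping `continue;` under a comment such as `/* unsupported count convention: skip this field */` makes both builds behave the same. The enclosing loop starts and ends outside the hunk.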
diff --git a/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
new file mode 100644
index 000000000000..a326e21e298b
--- /dev/null
+++ b/media-libs/tiff/files/tiff-3.9.7-tiffinfo-exif.patch
@@ -0,0 +1,59 @@
+Teach "tiffinfo -D" to not try to print image data inside an EXIF subdirectory,
+because there isn't any. Back-patched from an upstream 4.0.2 fix.
+
+This is not a security issue in itself (it crashes, but with a simple NULL
+pointer dereference). However, our test case for CVE-2012-5581 tickles this
+bug, so it seems easier to fix this than make a new test case.
+
+
+diff -Naur tiff-3.9.4.orig/tools/tiffinfo.c tiff-3.9.4/tools/tiffinfo.c
+--- tiff-3.9.4.orig/tools/tiffinfo.c 2010-06-08 14:50:44.000000000 -0400
++++ tiff-3.9.4/tools/tiffinfo.c 2012-12-11 16:33:17.062228558 -0500
+@@ -49,7 +49,7 @@
+ int stoponerr = 1; /* stop on first read error */
+
+ static void usage(void);
+-static void tiffinfo(TIFF*, uint16, long);
++static void tiffinfo(TIFF*, uint16, long, int);
+
+ int
+ main(int argc, char* argv[])
+@@ -124,19 +124,20 @@
+ if (tif != NULL) {
+ if (dirnum != -1) {
+ if (TIFFSetDirectory(tif, (tdir_t) dirnum))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else if (diroff != 0) {
+ if (TIFFSetSubDirectory(tif, diroff))
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ } else {
+ do {
+ uint32 offset;
+
+- tiffinfo(tif, order, flags);
++ tiffinfo(tif, order, flags, 1);
+ if (TIFFGetField(tif, TIFFTAG_EXIFIFD,
+ &offset)) {
+- if (TIFFReadEXIFDirectory(tif, offset))
+- tiffinfo(tif, order, flags);
++ if (TIFFReadEXIFDirectory(tif, offset)) {
++ tiffinfo(tif, order, flags, 0);
++ }
+ }
+ } while (TIFFReadDirectory(tif));
+ }
+@@ -426,10 +427,10 @@
+ }
+
+ static void
+-tiffinfo(TIFF* tif, uint16 order, long flags)
++tiffinfo(TIFF* tif, uint16 order, long flags, int is_image)
+ {
+ TIFFPrintDirectory(tif, stdout, flags);
+- if (!readdata)
++ if (!readdata || !is_image)
+ return;
+ if (rawdata) {
+ if (order) {
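Review bot: The new `is_image` parameter of `tiffinfo()` is undocumented and is passed as a bare `1` or `0` at the call sites, so its meaning has to be inferred from the patch description. A comment above the definition such as `/* is_image: zero for an EXIF subdirectory, which has no image data to read */` would record it next to the code. The body of `tiffinfo()` continues outside the hunk.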
diff --git a/media-libs/tiff/tiff-3.9.7.ebuild b/media-libs/tiff/tiff-3.9.7.ebuild
index d60113e429b1..378870584738 100644
--- a/media-libs/tiff/tiff-3.9.7.ebuild
+++ b/media-libs/tiff/tiff-3.9.7.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.7.ebuild,v 1.4 2013/05/03 12:00:09 vincent Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/tiff/tiff-3.9.7.ebuild,v 1.5 2013/05/03 12:13:47 ssuominen Exp $
EAPI=5
@@ -25,6 +25,11 @@ RDEPEND="jpeg? ( virtual/jpeg )
DEPEND="${RDEPEND}"
src_prepare() {
+ epatch \
+ "${FILESDIR}"/${P}-CVE-2012-{4447,4564,5581}.patch \
+ "${FILESDIR}"/${P}-tiffinfo-exif.patch \
+ "${FILESDIR}"/${P}-printdir-width.patch
+
elibtoolize
}
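Review bot: Four of the five patches passed to `epatch` here carry headers diffed against `tiff-3.9.4` (for example `diff -Naur tiff-3.9.4.orig/libtiff/tif_pixarlog.c`), while this ebuild builds 3.9.7, and nothing in `src_prepare()` shows that they apply without offset or fuzz. `${P}-CVE-2012-5581.patch` and `${P}-printdir-width.patch` also appear to edit adjacent code in `libtiff/tif_print.c`, so the order of this list matters. A comment above the call, e.g. `# Fedora 17 security patchset; keep this order, the tif_print.c patches touch adjacent code`, together with a check of the build log for fuzz, would make that explicit.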