Fixed multiple vulnerabilities, as per Gentoo bug ():

http://bugs.gentoo.org/show_bug.cgi?id=142383

libtiff/tif_fax3.c

@@ -1,4 +1,4 @@
-/* $Id: tif_fax3.c,v 1.41 2006-06-08 11:33:00 dron Exp $ */
+/* $Id: tif_fax3.c,v 1.42 2006-09-28 16:26:03 dron Exp $ */
 
 /*
  * Copyright (c) 1990-1997 Sam Leffler
@@ -1138,6 +1138,7 @@ static int
 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 	Fax3BaseState* sp = Fax3State(tif);
+	const TIFFFieldInfo* fip;
 
 	assert(sp != 0);
 	assert(sp->vsetparent != 0);
@@ -1145,10 +1146,10 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 	switch (tag) {
 	case TIFFTAG_FAXMODE:
 		sp->mode = va_arg(ap, int);
-		return (1);			/* NB: pseudo tag */
+		return 1;			/* NB: pseudo tag */
 	case TIFFTAG_FAXFILLFUNC:
 		DecoderState(tif)->fill = va_arg(ap, TIFFFaxFillFunc);
-		return (1);			/* NB: pseudo tag */
+		return 1;			/* NB: pseudo tag */
 	case TIFFTAG_GROUP3OPTIONS:
 		/* XXX: avoid reading options if compression mismatches. */
 		if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
@@ -1183,9 +1184,14 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 	default:
 		return (*sp->vsetparent)(tif, tag, ap);
 	}
-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+	
+	if ((fip = _TIFFFieldWithTag(tif, tag)))
+		TIFFSetFieldBit(tif, fip->field_bit);
+	else
+		return 0;
+
 	tif->tif_flags |= TIFF_DIRTYDIRECT;
-	return (1);
+	return 1;
 }
 
 static int

libtiff/tif_next.c

@@ -1,4 +1,4 @@
-/* $Id: tif_next.c,v 1.6 2005-12-21 12:23:13 joris Exp $ */
+/* $Id: tif_next.c,v 1.7 2006-09-28 16:26:03 dron Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -99,17 +99,21 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsize_t occ, tsample_t s)
 			unsigned long imagewidth = tif->tif_dir.td_imagewidth;
 
 			/*
-			 * The scanline is composed of a sequence
-			 * of constant color ``runs''.  We shift
-			 * into ``run mode'' and interpret bytes
-			 * as codes of the form <color><npixels>
-			 * until we've filled the scanline.
+			 * The scanline is composed of a sequence of constant
+			 * color ``runs''.  We shift into ``run mode'' and
+			 * interpret bytes as codes of the form
+			 * <color><npixels> until we've filled the scanline.
 			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				/*
+				 * Ensure the run does not exceed the scanline
+				 * bounds, potentially resulting in a security
+				 * issue.
+				 */
+				while (n-- > 0 && npixels < imagewidth)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;

libtiff/tif_pixarlog.c

@@ -1,4 +1,4 @@
-/* $Id: tif_pixarlog.c,v 1.14 2006-03-16 12:38:24 dron Exp $ */
+/* $Id: tif_pixarlog.c,v 1.15 2006-09-28 16:26:03 dron Exp $ */
 
 /*
  * Copyright (c) 1996-1997 Sam Leffler
@@ -768,6 +768,18 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
 	if (tif->tif_flags & TIFF_SWAB)
 		TIFFSwabArrayOfShort(up, nsamples);
 
+	/* 
+	 * if llen is not an exact multiple of nsamples, the decode operation
+	 * may overflow the output buffer, so truncate it enough to prevent
+	 * that but still salvage as much data as possible.
+	 */
+	if (nsamples % llen) { 
+		TIFFWarningExt(tif->tif_clientdata, module,
+			"%s: stride %lu is not a multiple of sample count, "
+			"%lu, data truncated.", tif->tif_name, llen, nsamples);
+		nsamples -= nsamples % llen;
+	}
+
 	for (i = 0; i < nsamples; i += llen, up += llen) {
 		switch (sp->user_datafmt)  {
 		case PIXARLOGDATAFMT_FLOAT: