
0011-CVE-2014-8127.patch

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 19a26e2..6667228 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3881,6 +3881,32 @@ TIFFReadDirectory(TIFF* tif)
if (!TIFFSetField(tif,TIFFTAG_SAMPLESPERPIXEL,1))
goto bad;
}
+ /*
+ * SamplesPerPixel value has changed, adjust SMinSampleValue
+ * and SMaxSampleValue arrays if necessary
+ */
+ {
+ uint32 saved_flags;
+ saved_flags = tif->tif_flags;
+ tif->tif_flags &= ~TIFF_PERSAMPLE;
+ if (TIFFFieldSet(tif,FIELD_SMINSAMPLEVALUE))
+ {
+ if (!TIFFSetField(tif,TIFFTAG_SMINSAMPLEVALUE,tif->tif_dir.td_sminsamplevalue[0]))
+ {
+ tif->tif_flags = saved_flags;
+ goto bad;
+ }
+ }
+ if (TIFFFieldSet(tif,FIELD_SMAXSAMPLEVALUE))
+ {
+ if (!TIFFSetField(tif,TIFFTAG_SMAXSAMPLEVALUE,tif->tif_dir.td_smaxsamplevalue[0]))
+ {
+ tif->tif_flags = saved_flags;
+ goto bad;
+ }
+ }
+ tif->tif_flags = saved_flags;
+ }
}
}
/*
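Review bot: The added block restores `tif->tif_flags` in three separate places and never says why TIFF_PERSAMPLE is cleared, so a later edit that adds another early exit could leave the flag stripped for the rest of the directory read. A comment at the `tif->tif_flags &= ~TIFF_PERSAMPLE;` line, such as `/* with TIFF_PERSAMPLE cleared, TIFFSetField takes a single value and rebuilds the array for the new SamplesPerPixel */`, would record the intent; that behaviour is presumed from the block's header comment and should be confirmed against TIFFSetField. Only element `[0]` of each array is carried over, so any per-sample values beyond the first are dropped here, which is worth stating as well. TIFFReadDirectory starts and ends outside the hunk.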
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index fa20609..fa68d1c 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -542,8 +542,12 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
{
if (!isTiled(tif))
{
- if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
- goto bad;
+ /* td_stripoffset can be NULL even if td_nstrips == 1 due to OJPEG hack */
+ if (tif->tif_dir.td_stripoffset)
+ {
+ if (!TIFFWriteDirectoryTagLongLong8Array(tif,&ndir,dir,TIFFTAG_STRIPOFFSETS,tif->tif_dir.td_nstrips,tif->tif_dir.td_stripoffset))
+ goto bad;
+ }
}
else
{
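Review bot: When `tif->tif_dir.td_stripoffset` is NULL the new guard skips the StripOffsets tag silently, so the directory is written without it and the caller gets no diagnostic. If the skip is only meant for the OJPEG case named in the comment, a warning on that path would make other ways of reaching it visible, e.g. `TIFFWarningExt(tif->tif_clientdata, module, "StripOffsets not written: no offset array");` (assuming this function has a `module` string like the ones in tif_read.c). The `else` branch for tiled files continues outside the hunk; if it passes the same pointer it would presumably need the same NULL check.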
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 2ba822a..dfc5b07 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -458,7 +458,7 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
return ((tmsize_t)(-1));
}
bytecount = td->td_stripbytecount[strip];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"%I64u: Invalid strip byte count, strip %lu",
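Review bot: The `(int64)bytecount <= 0` test rejects zero and any count with the top bit set, but it does so through an unsigned-to-signed conversion whose result is implementation-defined, and nothing at the line says that this is the purpose. An explicit form such as `if (bytecount == 0 || bytecount > (uint64)0x7FFFFFFFFFFFFFFF) {` states the bound directly; at minimum add `/* reject 0 and counts that do not fit in a signed 64-bit size */`. The same line is changed in the TIFFFillStrip and TIFFFillTile hunks below and the remark applies to both. Counts that are large but still positive pass this test, so the bound against the real file or buffer size has to come from code outside these hunks.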
@@ -498,7 +498,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[strip];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"Invalid strip byte count %I64u, strip %lu",
@@ -801,7 +801,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[tile];
- if (bytecount <= 0) {
+ if ((int64)bytecount <= 0) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"%I64u: Invalid tile byte count, tile %lu",
diff --git a/tools/bmp2tiff.c b/tools/bmp2tiff.c
index b5ed30b..376f4e6 100644
--- a/tools/bmp2tiff.c
+++ b/tools/bmp2tiff.c
@@ -401,6 +401,24 @@ main(int argc, char* argv[])
return 0;
}
+ if (info_hdr.iCompression == BMPC_RLE4 && info_hdr.iBitCount != 4)
+ {
+ TIFFError(infilename,
+ "Cannot process BMP file with bit count %d and RLE 4-bit/pixel compression",
+ info_hdr.iBitCount);
+ close(fd);
+ return 0;
+ }
+
+ if (info_hdr.iCompression == BMPC_RLE8 && info_hdr.iBitCount != 8)
+ {
+ TIFFError(infilename,
+ "Cannot process BMP file with bit count %d and RLE 8-bit/pixel compression",
+ info_hdr.iBitCount);
+ close(fd);
+ return 0;
+ }
+
width = info_hdr.iWidth;
length = (info_hdr.iHeight > 0) ? info_hdr.iHeight : -info_hdr.iHeight;
if( width <= 0 || length <= 0 )
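Review bot: Both new rejection branches end in `return 0;`, so bmp2tiff exits with a success status after refusing a header whose bit count does not match its RLE compression. A calling script then cannot tell that no conversion happened. The branch just above the added lines returns 0 as well, so this follows local convention, but for input validation added as a security fix a non-zero status such as `return -1;` after `close(fd);` is the safer signal. main() starts and ends outside the hunk, so it cannot be seen here whether an output file is already open at this point.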
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 8608aad..426bbc0 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -372,7 +372,8 @@ static struct cpTag {
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
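Review bot: The INKNAMES entry is disabled by commenting it out with `//`, which leaves a dead line in the table and uses a comment form that the other libtiff code visible in this patch does not (it uses `/* */`). Deleting the entry and keeping a block comment, e.g. `/* TIFFTAG_INKNAMES is not copied: bugzilla.maptools.org bug 2484 (CVE-2014-8127) */`, says the same thing without the leftover code. The tool no longer carries InkNames over to its output, so that change in behaviour deserves a line in the tool's documentation. The identical change is made to the cpTag table in tools/thumbnail.c.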
diff --git a/tools/thumbnail.c b/tools/thumbnail.c
index fd1cba5..06edf93 100644
--- a/tools/thumbnail.c
+++ b/tools/thumbnail.c
@@ -257,7 +257,8 @@ static struct cpTag {
{ TIFFTAG_CLEANFAXDATA, 1, TIFF_SHORT },
{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, TIFF_LONG },
{ TIFFTAG_INKSET, 1, TIFF_SHORT },
- { TIFFTAG_INKNAMES, 1, TIFF_ASCII },
+ // disable INKNAMES tag, http://bugzilla.maptools.org/show_bug.cgi?id=2484 (CVE-2014-8127)
+ //{ TIFFTAG_INKNAMES, 1, TIFF_ASCII },
{ TIFFTAG_DOTRANGE, 2, TIFF_SHORT },
{ TIFFTAG_TARGETPRINTER, 1, TIFF_ASCII },
{ TIFFTAG_SAMPLEFORMAT, 1, TIFF_SHORT },
@@ -585,7 +586,7 @@ generateThumbnail(TIFF* in, TIFF* out)
rowsize = TIFFScanlineSize(in);
rastersize = sh * rowsize;
fprintf(stderr, "rastersize=%u\n", (unsigned int)rastersize);
- raster = (unsigned char*)_TIFFmalloc(rastersize);
+ raster = (unsigned char*)_TIFFmalloc(rastersize + 3);
if (!raster) {
TIFFError(TIFFFileName(in),
"Can't allocate space for raster buffer.");
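Review bot: The `+ 3` added to the `_TIFFmalloc` size is unexplained, and it pads the buffer rather than bounding whatever reads past its end. A comment such as `/* +3: slack bytes for reads just past the last row; TODO name the reader */` would help, though the actual reason is not visible in this hunk and needs confirming. The product `sh * rowsize` two lines above is not checked for overflow, so with large dimensions `rastersize`, and then `rastersize + 3`, could wrap and produce an undersized allocation; a division-based check before the multiplication would close that. generateThumbnail starts and ends outside the hunk.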
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index c5dcb7c..02605df 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -171,6 +171,11 @@ main(int argc, char* argv[])
argv[optind], samplesperpixel);
return (-1);
}
+ if( photometric == PHOTOMETRIC_RGB && samplesperpixel != 3) {
+ fprintf(stderr, "%s: Bad samples/pixel %u for PHOTOMETRIC_RGB.\n",
+ argv[optind], samplesperpixel);
+ return (-1);
+ }
TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bitspersample);
if (bitspersample != 8) {
fprintf(stderr,
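Review bot: The new `photometric == PHOTOMETRIC_RGB && samplesperpixel != 3` guard has no comment saying which later code depends on it, so the reason these files are rejected cannot be recovered from the source. A line such as `/* the RGB conversion below assumes 3 samples per pixel in each scanline */` would record it; that dependency is inferred, because the conversion code is outside the hunk. Like the check before it, the branch returns without closing `in`.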