vars/build.vars:{clzip,expat}{_host,}: updated to v{1.11,2.2.6} (via Redfoxmoon.)

vars/build.vars:libxml2: updated to v2.9.9 (via Redfoxmoon.)
vars/build.vars:libunistring: updated to v0.9.10 (via Redfoxmoon.)
vars/build.vars:libpng: updated to v1.6.36 (via Redfoxmoon.)
vars/build.vars:tiff: updated to v4.0.10 (via Redfoxmoon.)
vars/build.vars:gdbm: updated to v1.18.1 (via Redfoxmoon.)
vars/build.vars:pcre: updated to v8.43 (via Redfoxmoon.)
vars/build.vars:gzip: updated to v1.10 (via Redfoxmoon.)
vars/build.vars:gzip:${PKG_{CFLAGS_CONFIGURE_EXTRA,CONFIGURE_ARGS,MAKEFLAGS_{BUILD,INSTALL}_EXTRA}}: unset (via Redfoxmoon.)
vars/build.vars:libvorbis: updated to v1.3.6 (via Redfoxmoon.)
vars/build.vars:libxslt: updated to v1.1.33 (via Redfoxmoon.)
vars/build.vars:libtirpc: updated to v1.1.4 (via Redfoxmoon.)
patches/expat-2.2.{5,6}.local.patch: updated (via Redfoxmoon.)
patches/libtirpc-1.{0.3,1.4}.local.patch: updated (via Redfoxmoon.)
patches/libvorbis-1.3.5.local.patch: removes obsolete patch (via Redfoxmoon.)
patches/libxslt-1.1.3{2,3}.local.patch: updated (via Redfoxmoon.)
patches/pcre-8.4{2,3}.local.patch: updated (via Redfoxmoon.)
patches/tiff/CVE-{2017-{11613,17095,18013,9935},2018-{10963,5784,7456,8905}}.patch: removes obsolete patches (via Redfoxmoon.)
patches/tiff/CVE-2018-12900.patch: added (via Redfoxmoon.)

9 files changed, 29 insertions, 650 deletions

diff --git a/patches/tiff/CVE-2017-11613.patch b/patches/tiff/CVE-2017-11613.patch
deleted file mode 100644
index b3f600a9..00000000
--- a/patches/tiff/CVE-2017-11613.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 11 Mar 2018 11:14:01 +0100
-Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
- (CVE-2017-11613)
-
-In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
-enough and we are in read only mode, validate that the file size is consistent
-with that number of strips to avoid useless attempts at allocating a lot of
-memory for the td_stripbytecount and td_stripoffset arrays.
-
-Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
-cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
-Credit to OSS Fuzz
-
-Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
----
- libtiff/tif_dirread.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 80aaf8d..5896a78 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
-         if( nstrips == 0 )
-             return;
- 
-+        /* If we are going to allocate a lot of memory, make sure that the */
-+        /* file is as big as needed */
-+        if( tif->tif_mode == O_RDONLY &&
-+            nstrips > 1000000 &&
-+            (offset >= TIFFGetFileSize(tif) ||
-+             stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
-+        {
-+            return;
-+        }
-+
- 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
- 				"for chopped \"StripByteCounts\" array");
- 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
--- 
-2.17.1
-
diff --git a/patches/tiff/CVE-2017-17095.patch b/patches/tiff/CVE-2017-17095.patch
deleted file mode 100644
index 760c9553..00000000
--- a/patches/tiff/CVE-2017-17095.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Based on http://bugzilla.maptools.org/show_bug.cgi?id=2750#c5
-
-diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
-index 7a57800..8443fce 100644
---- a/tools/pal2rgb.c
-+++ b/tools/pal2rgb.c
-@@ -184,8 +184,19 @@ main(int argc, char* argv[])
- 	{ unsigned char *ibuf, *obuf;
- 	  register unsigned char* pp;
- 	  register uint32 x;
--	  ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
--	  obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
-+	  tmsize_t tss_in = TIFFScanlineSize(in);
-+	  tmsize_t tss_out = TIFFScanlineSize(out);
-+	  if (tss_out / tss_in < 3) {
-+		/*
-+		 * BUG 2750: The following code assumes the output buffer is 3x the
-+		 * length of the input buffer due to exploding the palette into
-+		 * RGB tuples. If this doesn't happen, fail now.
-+		*/
-+		fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
-+		return -1;
-+	  }
-+	  ibuf = (unsigned char*)_TIFFmalloc(tss_in);
-+	  obuf = (unsigned char*)_TIFFmalloc(tss_out);
- 	  switch (config) {
- 	  case PLANARCONFIG_CONTIG:
- 		for (row = 0; row < imagelength; row++) {
diff --git a/patches/tiff/CVE-2017-18013.patch b/patches/tiff/CVE-2017-18013.patch
deleted file mode 100644
index 5f56ff25..00000000
--- a/patches/tiff/CVE-2017-18013.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sun, 31 Dec 2017 15:09:41 +0100
-Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer dereference on corrupted file. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2770
-
----
- libtiff/tif_print.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 9959d35..8deceb2 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -667,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- 			fprintf(fd, "    %3lu: [%8I64u, %8I64u]\n",
- 			    (unsigned long) s,
--			    (unsigned __int64) td->td_stripoffset[s],
--			    (unsigned __int64) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
- #else
- 			fprintf(fd, "    %3lu: [%8llu, %8llu]\n",
- 			    (unsigned long) s,
--			    (unsigned long long) td->td_stripoffset[s],
--			    (unsigned long long) td->td_stripbytecount[s]);
-+			    td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
-+			    td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
- #endif
- 	}
- }
---
-libgit2 0.26.0
-
diff --git a/patches/tiff/CVE-2017-9935.patch b/patches/tiff/CVE-2017-9935.patch
deleted file mode 100644
index 39327ffb..00000000
--- a/patches/tiff/CVE-2017-9935.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
-From: Brian May <brian@linuxpenguins.xyz>
-Date: Thu, 7 Dec 2017 07:46:47 +1100
-Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
-
-Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
-
-This vulnerability - at least for the supplied test case - is because we
-assume that a tiff will only have one transfer function that is the same
-for all pages. This is not required by the TIFF standards.
-
-We than read the transfer function for every page.  Depending on the
-transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
-We allocate this memory after we read in the transfer function for the
-page.
-
-For the first exploit - POC1, this file has 3 pages. For the first page
-we allocate 2 extra extra XREF entries. Then for the next page 2 more
-entries. Then for the last page the transfer function changes and we
-allocate 4 more entries.
-
-When we read the file into memory, we assume we have 4 bytes extra for
-each and every page (as per the last transfer function we read). Which
-is not correct, we only have 2 bytes extra for the first 2 pages. As a
-result, we end up writing past the end of the buffer.
-
-There are also some related issues that this also fixes. For example,
-TIFFGetField can return uninitalized pointer values, and the logic to
-detect a N=3 vs N=1 transfer function seemed rather strange.
-
-It is also strange that we declare the transfer functions to be of type
-float, when the standard says they are unsigned 16 bit values. This is
-fixed in another patch.
-
-This patch will check to ensure that the N value for every transfer
-function is the same for every page. If this changes, we abort with an
-error. In theory, we should perhaps check that the transfer function
-itself is identical for every page, however we don't do that due to the
-confusion of the type of the data in the transfer function.
----
- libtiff/tif_dir.c |  3 +++
- tools/tiff2pdf.c  | 69 +++++++++++++++++++++++++++++++----------------
- 2 files changed, 49 insertions(+), 23 deletions(-)
-
-diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
-index f00f808..c36a5f3 100644
---- a/libtiff/tif_dir.c
-+++ b/libtiff/tif_dir.c
-@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
- 			if (td->td_samplesperpixel - td->td_extrasamples > 1) {
- 				*va_arg(ap, uint16**) = td->td_transferfunction[1];
- 				*va_arg(ap, uint16**) = td->td_transferfunction[2];
-+			} else {
-+				*va_arg(ap, uint16**) = NULL;
-+				*va_arg(ap, uint16**) = NULL;
- 			}
- 			break;
- 		case TIFFTAG_REFERENCEBLACKWHITE:
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index bdb9126..bd23c9e 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -239,7 +239,7 @@ typedef struct {
- 	float tiff_whitechromaticities[2];
- 	float tiff_primarychromaticities[6];
- 	float tiff_referenceblackwhite[2];
--	float* tiff_transferfunction[3];
-+	uint16* tiff_transferfunction[3];
- 	int pdf_image_interpolate;	/* 0 (default) : do not interpolate,
- 					   1 : interpolate */
- 	uint16 tiff_transferfunctioncount;
-@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16 pagen=0;
- 	uint16 paged=0;
- 	uint16 xuint16=0;
-+	uint16 tiff_transferfunctioncount=0;
-+	uint16* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
- 	if(directorycount > TIFF_DIR_MAX) {
-@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
-                 }
- #endif
- 		if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
--                                 &(t2p->tiff_transferfunction[0]),
--                                 &(t2p->tiff_transferfunction[1]),
--                                 &(t2p->tiff_transferfunction[2]))) {
--			if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                           (t2p->tiff_transferfunction[1] !=
--                            t2p->tiff_transferfunction[0])) {
--				t2p->tiff_transferfunctioncount = 3;
--				t2p->tiff_pages[i].page_extra += 4;
--				t2p->pdf_xrefcount += 4;
--			} else {
--				t2p->tiff_transferfunctioncount = 1;
--				t2p->tiff_pages[i].page_extra += 2;
--				t2p->pdf_xrefcount += 2;
--			}
--			if(t2p->pdf_minorversion < 2)
--				t2p->pdf_minorversion = 2;
-+                                 &(tiff_transferfunction[0]),
-+                                 &(tiff_transferfunction[1]),
-+                                 &(tiff_transferfunction[2]))) {
-+
-+                        if((tiff_transferfunction[1] != (uint16*) NULL) &&
-+                           (tiff_transferfunction[2] != (uint16*) NULL)
-+                          ) {
-+                            tiff_transferfunctioncount=3;
-+                        } else {
-+                            tiff_transferfunctioncount=1;
-+                        }
-                 } else {
--			t2p->tiff_transferfunctioncount=0;
-+			tiff_transferfunctioncount=0;
- 		}
-+
-+                if (i > 0){
-+                    if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
-+                        TIFFError(
-+                            TIFF2PDF_MODULE,
-+                            "Different transfer function on page %d",
-+                            i);
-+                        t2p->t2p_error = T2P_ERR_ERROR;
-+                        return;
-+                    }
-+                }
-+
-+                t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
-+                t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
-+                t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
-+                t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
-+                if(tiff_transferfunctioncount == 3){
-+                        t2p->tiff_pages[i].page_extra += 4;
-+                        t2p->pdf_xrefcount += 4;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                } else if (tiff_transferfunctioncount == 1){
-+                        t2p->tiff_pages[i].page_extra += 2;
-+                        t2p->pdf_xrefcount += 2;
-+                        if(t2p->pdf_minorversion < 2)
-+                                t2p->pdf_minorversion = 2;
-+                }
-+
- 		if( TIFFGetField(
- 			input, 
- 			TIFFTAG_ICCPROFILE, 
-@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
- 			 &(t2p->tiff_transferfunction[0]),
- 			 &(t2p->tiff_transferfunction[1]),
- 			 &(t2p->tiff_transferfunction[2]))) {
--		if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[2] != (float*) NULL) &&
--                   (t2p->tiff_transferfunction[1] !=
--                    t2p->tiff_transferfunction[0])) {
-+		if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
-+                   (t2p->tiff_transferfunction[2] != (uint16*) NULL)
-+                  ) {
- 			t2p->tiff_transferfunctioncount=3;
- 		} else {
- 			t2p->tiff_transferfunctioncount=1;
--- 
-2.17.0
-
diff --git a/patches/tiff/CVE-2018-10963.patch b/patches/tiff/CVE-2018-10963.patch
deleted file mode 100644
index 039b7c1a..00000000
--- a/patches/tiff/CVE-2018-10963.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 14:24:15 +0200
-Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
- http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
-
----
- libtiff/tif_dirwrite.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
-index c68d6d2..5d0a669 100644
---- a/libtiff/tif_dirwrite.c
-+++ b/libtiff/tif_dirwrite.c
-@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
- 								}
- 								break;
- 							default:
--								assert(0);   /* we should never get here */
--								break;
-+								TIFFErrorExt(tif->tif_clientdata,module,
-+								            "Cannot write tag %d (%s)",
-+								            TIFFFieldTag(o),
-+                                                                            o->field_name ? o->field_name : "unknown");
-+								goto bad;
- 						}
- 					}
- 				}
--- 
-2.17.0
-
diff --git a/patches/tiff/CVE-2018-12900.patch b/patches/tiff/CVE-2018-12900.patch
new file mode 100644
index 00000000..f95cd06a
--- /dev/null
+++ b/patches/tiff/CVE-2018-12900.patch
@@ -0,0 +1,29 @@
+From 86861b86f26be5301ccfa96f9bf765051f4e644a Mon Sep 17 00:00:00 2001
+From: pgajdos <pgajdos@suse.cz>
+Date: Tue, 13 Nov 2018 09:03:31 +0100
+Subject: [PATCH] prevent integer overflow
+
+---
+ tools/tiffcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 2f406e2d..ece7ba13 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1435,6 +1435,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
+             status = 0;
+             goto done;
+         }
++        if (0xFFFFFFFF / tilew < spp)
++        {
++            TIFFError(TIFFFileName(in), "Error, either TileWidth (%u) or BitsPerSample (%u) is too large", tilew, bps);
++            status = 0;
++            goto done;
++        }
+ 	bytes_per_sample = bps/8;
+ 
+ 	for (row = 0; row < imagelength; row += tl) {
+-- 
+2.18.1
+
diff --git a/patches/tiff/CVE-2018-5784.patch b/patches/tiff/CVE-2018-5784.patch
deleted file mode 100644
index 92fc2daf..00000000
--- a/patches/tiff/CVE-2018-5784.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 473851d211cf8805a161820337ca74cc9615d6ef Mon Sep 17 00:00:00 2001
-From: Nathan Baker <nathanb@lenovo-chrome.com>
-Date: Tue, 6 Feb 2018 10:13:57 -0500
-Subject: [PATCH] Fix for bug 2772
-
-It is possible to craft a TIFF document where the IFD list is circular,
-leading to an infinite loop while traversing the chain. The libtiff
-directory reader has a failsafe that will break out of this loop after
-reading 65535 directory entries, but it will continue processing,
-consuming time and resources to process what is essentially a bogus TIFF
-document.
-
-This change fixes the above behavior by breaking out of processing when
-a TIFF document has >= 65535 directories and terminating with an error.
----
- contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
- tools/tiff2pdf.c                | 10 ++++++++++
- tools/tiffcrop.c                | 13 +++++++++++--
- 3 files changed, 34 insertions(+), 3 deletions(-)
-
-diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
-index c61ffbb..03b3573 100644
---- a/contrib/addtiffo/tif_overview.c
-+++ b/contrib/addtiffo/tif_overview.c
-@@ -65,6 +65,8 @@
- #  define MAX(a,b)      ((a>b) ? a : b)
- #endif
- 
-+#define TIFF_DIR_MAX  65534
-+
- void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
-                          int (*)(double,void*), void * );
- 
-@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
- {
-     toff_t	nBaseDirOffset;
-     toff_t	nOffset;
-+    tdir_t	iNumDir;
- 
-     (void) bUseSubIFDs;
- 
-@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
-         return 0;
- 
-     TIFFWriteDirectory( hTIFF );
--    TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
-+    iNumDir = TIFFNumberOfDirectories(hTIFF);
-+    if( iNumDir > TIFF_DIR_MAX )
-+    {
-+        TIFFErrorExt( TIFFClientdata(hTIFF),
-+                      "TIFF_WriteOverview",
-+                      "File `%s' has too many directories.\n",
-+                      TIFFFileName(hTIFF) );
-+        exit(-1);
-+    }
-+    TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
- 
-     nOffset = TIFFCurrentDirOffset( hTIFF );
- 
-diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
-index 984ef65..832a247 100644
---- a/tools/tiff2pdf.c
-+++ b/tools/tiff2pdf.c
-@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
- 
- #define PS_UNIT_SIZE	72.0F
- 
-+#define TIFF_DIR_MAX    65534
-+
- /* This type is of PDF color spaces. */
- typedef enum {
- 	T2P_CS_BILEVEL = 0x01,	/* Bilevel, black and white */
-@@ -1049,6 +1053,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
- 	uint16* tiff_transferfunction[3];
- 
- 	directorycount=TIFFNumberOfDirectories(input);
-+	if(directorycount > TIFF_DIR_MAX) {
-+		TIFFError(
-+			TIFF2PDF_MODULE,
-+			"TIFF contains too many directories, %s",
-+			TIFFFileName(input));
-+		t2p->t2p_error = T2P_ERR_ERROR;
-+		return;
-+	}
- 	t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
- 	if(t2p->tiff_pages==NULL){
- 		TIFFError(
-diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 91a38f6..e466dae 100644
---- a/tools/tiffcrop.c
-+++ b/tools/tiffcrop.c
-@@ -217,6 +215,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
- #define DUMP_TEXT   1
- #define DUMP_RAW    2
- 
-+#define TIFF_DIR_MAX  65534
-+
- /* Offsets into buffer for margins and fixed width and length segments */
- struct offset {
-   uint32  tmargin;
-@@ -2233,7 +2234,7 @@ main(int argc, char* argv[])
-     pageNum = -1;
-   else
-     total_images = 0;
--  /* read multiple input files and write to output file(s) */
-+  /* Read multiple input files and write to output file(s) */
-   while (optind < argc - 1)
-     {
-     in = TIFFOpen (argv[optind], "r");
-@@ -2241,7 +2242,14 @@ main(int argc, char* argv[])
-       return (-3);
- 
-     /* If only one input file is specified, we can use directory count */
--    total_images = TIFFNumberOfDirectories(in); 
-+    total_images = TIFFNumberOfDirectories(in);
-+    if (total_images > TIFF_DIR_MAX)
-+      {
-+      TIFFError (TIFFFileName(in), "File contains too many directories");
-+      if (out != NULL)
-+        (void) TIFFClose(out);
-+      return (1);
-+      }
-     if (image_count == 0)
-       {
-       dirnum = 0;
---
-libgit2 0.26.0
-
diff --git a/patches/tiff/CVE-2018-7456.patch b/patches/tiff/CVE-2018-7456.patch
deleted file mode 100644
index b2d081a5..00000000
--- a/patches/tiff/CVE-2018-7456.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
-From: Hugo Lefeuvre <hle@debian.org>
-Date: Sun, 8 Apr 2018 14:07:08 -0400
-Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
-
-The TIFFPrintDirectory function relies on the following assumptions,
-supposed to be guaranteed by the specification:
-
-(a) A Transfer Function field is only present if the TIFF file has
-    photometric type < 3.
-
-(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
-    has count SamplesPerPixel - (Color Channels) and contains
-    information about supplementary channels.
-
-While respect of (a) and (b) are essential for the well functioning of
-TIFFPrintDirectory, no checks are realized neither by the callee nor
-by TIFFPrintDirectory itself. Hence, following scenarios might happen
-and trigger the NULL pointer dereference:
-
-(1) TIFF File of photometric type 4 or more has illegal Transfer
-    Function field.
-
-(2) TIFF File has photometric type 3 or less and defines a
-    SamplesPerPixel field such that SamplesPerPixel > Color Channels
-    without defining all extra samples in the ExtraSamples fields.
-
-In this patch, we address both issues with respect of the following
-principles:
-
-(A) In the case of (1), the defined transfer table should be printed
-    safely even if it isn't 'legal'. This allows us to avoid expensive
-    checks in TIFFPrintDirectory. Also, it is quite possible that
-    an alternative photometric type would be developed (not part of the
-    standard) and would allow definition of Transfer Table. We want
-    libtiff to be able to handle this scenario out of the box.
-
-(B) In the case of (2), the transfer table should be printed at its
-    right size, that is if TIFF file has photometric type Palette
-    then the transfer table should have one row and not three, even
-    if two extra samples are declared.
-
-In order to fulfill (A) we simply add a new 'i < 3' end condition to
-the broken TIFFPrintDirectory loop. This makes sure that in any case
-where (b) would be respected but not (a), everything stays fine.
-
-(B) is fulfilled by the loop condition
-'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
-long as (b) is respected.
-
-Naturally, we also make sure (b) is respected. This is done in the
-TIFFReadDirectory function by making sure any non-color channel is
-counted in ExtraSamples.
-
-This commit addresses CVE-2018-7456.
----
- libtiff/tif_dirread.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- libtiff/tif_print.c   |  2 +-
- 2 files changed, 63 insertions(+), 1 deletion(-)
-
-diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
-index 6baa7b3..af5b84a 100644
---- a/libtiff/tif_dirread.c
-+++ b/libtiff/tif_dirread.c
-@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
- static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
- static void ChopUpSingleUncompressedStrip(TIFF*);
- static uint64 TIFFReadUInt64(const uint8 *value);
-+static int _TIFFGetMaxColorChannels(uint16 photometric);
- 
- static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
- 
-@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
- }
- 
- /*
-+ * Return the maximum number of color channels specified for a given photometric
-+ * type. 0 is returned if photometric type isn't supported or no default value
-+ * is defined by the specification.
-+ */
-+static int _TIFFGetMaxColorChannels( uint16 photometric )
-+{
-+    switch (photometric) {
-+	case PHOTOMETRIC_PALETTE:
-+	case PHOTOMETRIC_MINISWHITE:
-+	case PHOTOMETRIC_MINISBLACK:
-+            return 1;
-+	case PHOTOMETRIC_YCBCR:
-+	case PHOTOMETRIC_RGB:
-+	case PHOTOMETRIC_CIELAB:
-+            return 3;
-+	case PHOTOMETRIC_SEPARATED:
-+	case PHOTOMETRIC_MASK:
-+            return 4;
-+	case PHOTOMETRIC_LOGL:
-+	case PHOTOMETRIC_LOGLUV:
-+	case PHOTOMETRIC_CFA:
-+	case PHOTOMETRIC_ITULAB:
-+	case PHOTOMETRIC_ICCLAB:
-+	default:
-+            return 0;
-+    }
-+}
-+
-+/*
-  * Read the next TIFF directory from a file and convert it to the internal
-  * format. We read directories sequentially.
-  */
-@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
- 	uint32 fii=FAILED_FII;
-         toff_t nextdiroff;
-     int bitspersample_read = FALSE;
-+        int color_channels;
- 
- 	tif->tif_diroff=tif->tif_nextdiroff;
- 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
-@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
- 			}
- 		}
- 	}
-+
-+	/*
-+	 * Make sure all non-color channels are extrasamples.
-+	 * If it's not the case, define them as such.
-+	 */
-+        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
-+        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
-+                uint16 old_extrasamples;
-+                uint16 *new_sampleinfo;
-+
-+                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
-+                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
-+                    "Defining non-color channels as ExtraSamples.");
-+
-+                old_extrasamples = tif->tif_dir.td_extrasamples;
-+                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
-+
-+                // sampleinfo should contain information relative to these new extra samples
-+                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
-+                if (!new_sampleinfo) {
-+                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
-+                                "temporary new sampleinfo array (%d 16 bit elements)",
-+                                tif->tif_dir.td_extrasamples);
-+                    goto bad;
-+                }
-+
-+                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
-+                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
-+                _TIFFfree(new_sampleinfo);
-+        }
-+
- 	/*
- 	 * Verify Palette image has a Colormap.
- 	 */
-diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
-index 8deceb2..1d86adb 100644
---- a/libtiff/tif_print.c
-+++ b/libtiff/tif_print.c
-@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
- 				uint16 i;
- 				fprintf(fd, "    %2ld: %5u",
- 				    l, td->td_transferfunction[0][l]);
--				for (i = 1; i < td->td_samplesperpixel; i++)
-+				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
- 					fprintf(fd, " %5u",
- 					    td->td_transferfunction[i][l]);
- 				fputc('\n', fd);
---
-libgit2 0.27.0
-
diff --git a/patches/tiff/CVE-2018-8905.patch b/patches/tiff/CVE-2018-8905.patch
deleted file mode 100644
index f951092c..00000000
--- a/patches/tiff/CVE-2018-8905.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Sat, 12 May 2018 15:32:31 +0200
-Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
-
-The fix consists in using the similar code LZWDecode() to validate we
-don't write outside of the output buffer.
----
- libtiff/tif_lzw.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
-index 4ccb443..94d85e3 100644
---- a/libtiff/tif_lzw.c
-+++ b/libtiff/tif_lzw.c
-@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 	char *tp;
- 	unsigned char *bp;
- 	int code, nbits;
-+	int len;
- 	long nextbits, nextdata, nbitsmask;
- 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
- 
-@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
- 				}  while (--occ);
- 				break;
- 			}
--			assert(occ >= codep->length);
--			op += codep->length;
--			occ -= codep->length;
--			tp = op;
-+			len = codep->length;
-+			tp = op + len;
- 			do {
--				*--tp = codep->value;
--			} while( (codep = codep->next) != NULL );
-+				int t;
-+				--tp;
-+				t = codep->value;
-+				codep = codep->next;
-+				*tp = (char)t;
-+			} while (codep && tp > op);
-+			assert(occ >= len);
-+			op += len;
-+			occ -= len;
- 		} else {
- 			*op++ = (char)code;
- 			occ--;
---
-libgit2 0.27.0
-