2007-11-01  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* libtiff/tif_jpeg.c (JPEGVSetField): Pacify compiler removeing
	empty body in an if-statement.

	* libtiff/tif_next.c (NeXTDecode): Do not compare between signed
	and unsigned.

	* tools/tiffgt.c [__DJGPP__]: Include /djgpp/stdio.h for the
	declaration of djgpp CVS snprintf.

	* tools/tiffsplit.c [__DJGPP__]: Include /djgpp/stdio.h for the
	declaration of djgpp CVS snprintf.


2007-11-01  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	Adapted from the patch:
	<http://ftp.de.debian.org/debian/pool/main/t/tiff/tiff_3.8.2-7.diff.gz>

	* tools/tiffsplit.c (main): Use snprintf instead of strcpy for copying
	the user-specified file name into a statically sized buffer.

	* tools/tiff2pdf.c (t2p_write_pdf_string): Fix buffer overflow due
	to wrong printf for octal signed char (it printed a signed integer,
	which overflew the buffer and was wrong anyway).
	(t2p_validate): Fix logic error that caused -q flag to be ignored
	when doing jpeg compression with tiff2pdf.

	* libtiff/tif_read.c (TIFFFillStrip): Verify that offset + bytecount is
	> offset avoiding that the sanity check could potentially overflow,
	causing an OOB read.
	(TIFFFillTile): Verify that offset + bytecount is > offset avoiding
	that the sanity check could potentially overflow, causing an OOB read.

	* libtiff/tif_pixarlog.c (PixarLogDecode): if llen is not an exact
	multiple of nsamples, the decode operation may overflow the output
	buffer, so truncate.

	* libtiff/tif_next.c (NeXTDecode): Ensure that the run does not exceed
	the scanline bounds, potentially resulting in a security issue.

	* libtiff/tif_jpeg.c (JPEGPreDecode): Check that image_width and
	image_height are less that segment_height and segment_width.
	Also check that the sampling factors dont exceed what the limits
	imposed by previously allocated buffers.

	* libtiff/tif_fax3.c (Fax3VSetField): Check fielf width tag
	before setting it.

	* libtiff/tif_dirread.c (TIFFReadDirectory): Check for integer overflow
	when validating the dir_off, otherwise a very high offset may cause an
	OOB read and crash the client.
	(EstimateStripByteCounts): The variable to iterate over td->td_nstrips
	must be at least of the same width (infinite loop).
	(TIFFFetchShortPair): Prevent overflowing the v stack arrays below by
	performing a sanity check on tdir_count.

	* libtiff/tif_dirinfo.c (_TIFFFieldWithTag): Assertion did not hold
	true, resulting in the client application calling abort().
	* (_TIFFFieldWithName): Assertion did not hold true, resulting in
	the client application calling abort().

	* libtiff/tif_dir.c (_TIFFVSetField): Correct range checking operations
	designed to ensure that the offsets specified in tiff directories are
	legitimate.
	

2007-02-20  Juan Manuel Guerrero  <juan.guerrero@gmx.de>

	* libtiff/tiffiop.h [HAVE_SEARCH_H]: New guard HAVE_LFIND added.
	Do not assume that <search.h> provides lfind().

	* test/ascii_tag.c (main): Define variable i as unsigned integer.

	* test/long_tag.c (main): Define variable i as unsigned integer.

	* test/short_tag.c: Add declaration for CheckLongField.
	(main): Define variable i as unsigned integer.

	* test/strip.c (create_image_striped): Adjust printf conversion specifier.
	(read_image_striped): Adjust printf conversion specifier.
	(write_scanlines): Adjust printf conversion specifier.




diff -aprNU5 tiff-3.8.2.orig/contrib/addtiffo/tif_overview.c tiff-3.8.2/contrib/addtiffo/tif_overview.c
--- tiff-3.8.2.orig/contrib/addtiffo/tif_overview.c	2005-12-27 11:28:20 +0000
+++ tiff-3.8.2/contrib/addtiffo/tif_overview.c	2007-11-01 17:31:46 +0000
@@ -3,11 +3,11 @@
  *
  * Project:  TIFF Overview Builder
  * Purpose:  Library function for building overviews in a TIFF file.
  * Author:   Frank Warmerdam, warmerdam@pobox.com
  *
- * Notes:
+ * Notes
  *  o Currently only images with bits_per_sample of a multiple of eight
  *    will work.
  *
  *  o The downsampler currently just takes the top left pixel from the
  *    source rectangle.  Eventually sampling options of averaging, mode, and
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c
--- tiff-3.8.2.orig/libtiff/tif_dir.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tif_dir.c	2007-11-01 17:31:46 +0000
@@ -120,10 +120,11 @@ bad:
 static int
 _TIFFVSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 	static const char module[] = "_TIFFVSetField";
 	
+	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
 	TIFFDirectory* td = &tif->tif_dir;
 	int status = 1;
 	uint32 v32, i, v;
 	char* s;
 
@@ -193,14 +194,16 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 		td->td_fillorder = (uint16) v;
 		break;
 		break;
 	case TIFFTAG_ORIENTATION:
 		v = va_arg(ap, uint32);
+		const TIFFFieldInfo* fip;
 		if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
+			fip = _TIFFFieldWithTag(tif, tag);
 			TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
 			    "Bad value %lu for \"%s\" tag ignored",
-			    v, _TIFFFieldWithTag(tif, tag)->field_name);
+			    v, fip ? fip->field_name : "Unknown");
 		} else
 			td->td_orientation = (uint16) v;
 		break;
 	case TIFFTAG_SAMPLESPERPIXEL:
 		/* XXX should cross check -- e.g. if pallette, then 1 */
@@ -385,15 +388,19 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 	     * the other. If the client tries to set a tag that is not valid
 	     * for the image's codec then we'll arrive here.  This
 	     * happens, for example, when tiffcp is used to convert between
 	     * compression schemes and codec-specific tags are blindly copied.
              */
+	    /* 
+	     * better not dereference fip if it is NULL.
+	     * -- taviso@google.com 15 Jun 2006
+	     */
             if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
 		TIFFErrorExt(tif->tif_clientdata, module,
 		    "%s: Invalid %stag \"%s\" (not supported by codec)",
 		    tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-		    _TIFFFieldWithTag(tif, tag)->field_name);
+		    fip ? fip->field_name : "Unknown");
 		status = 0;
 		break;
             }
 
             /*
@@ -466,11 +473,11 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
             
     
 	    if (fip->field_type == TIFF_ASCII)
 		    _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
 	    else {
-                tv->value = _TIFFmalloc(tv_size * tv->count);
+                tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
 		if (!tv->value) {
 		    status = 0;
 		    goto end;
 		}
 
@@ -561,25 +568,25 @@ _TIFFVSetField(TIFF* tif, ttag_t tag, va
 		}
 	    }
           }
 	}
 	if (status) {
-		TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+		TIFFSetFieldBit(tif, fip->field_bit);
 		tif->tif_flags |= TIFF_DIRTYDIRECT;
 	}
 
 end:
 	va_end(ap);
 	return (status);
 badvalue:
 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-		  tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
+		  tif->tif_name, v, fip ? fip->field_name : "Unknown");
 	va_end(ap);
 	return (0);
 badvalue32:
 	TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
-		   tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
+		   tif->tif_name, v32, fip ? fip->field_name : "Unknown");
 	va_end(ap);
 	return (0);
 }
 
 /*
@@ -811,16 +818,20 @@ _TIFFVGetField(TIFF* tif, ttag_t tag, va
              * global tag information table may then have tags
              * that are valid for one file but not the other. 
              * If the client tries to get a tag that is not valid
              * for the image's codec then we'll arrive here.
              */
+	    /*
+	     * dont dereference fip if it's NULL.
+	     * -- taviso@google.com 15 Jun 2006
+	     */
             if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
             {
 				TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
                           "%s: Invalid %stag \"%s\" (not supported by codec)",
                           tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-                          _TIFFFieldWithTag(tif, tag)->field_name);
+                          fip ? fip->field_name : "Unknown");
                 ret_val = 0;
                 break;
             }
 
             /*
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_dirinfo.c tiff-3.8.2/libtiff/tif_dirinfo.c
--- tiff-3.8.2.orig/libtiff/tif_dirinfo.c	2006-02-07 13:51:02 +0000
+++ tiff-3.8.2/libtiff/tif_dirinfo.c	2007-11-01 17:31:46 +0000
@@ -773,11 +773,12 @@ _TIFFFieldWithTag(TIFF* tif, ttag_t tag)
 	const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
 	if (!fip) {
 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
 			  "Internal error, unknown tag 0x%x",
                           (unsigned int) tag);
-		assert(fip != NULL);
+		/* assert(fip != NULL); */
+
 		/*NOTREACHED*/
 	}
 	return (fip);
 }
 
@@ -787,11 +788,12 @@ _TIFFFieldWithName(TIFF* tif, const char
 	const TIFFFieldInfo* fip =
 		_TIFFFindFieldInfoByName(tif, field_name, TIFF_ANY);
 	if (!fip) {
 		TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
 			  "Internal error, unknown tag %s", field_name);
-		assert(fip != NULL);
+		/* assert(fip != NULL); */
+		
 		/*NOTREACHED*/
 	}
 	return (fip);
 }
 
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c
--- tiff-3.8.2.orig/libtiff/tif_dirread.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tif_dirread.c	2007-11-01 17:31:46 +0000
@@ -27,10 +27,13 @@
 /*
  * TIFF Library.
  *
  * Directory Read Support Routines.
  */
+
+#include <limits.h>
+
 #include "tiffiop.h"
 
 #define	IGNORE	0		/* tag placeholder used below */
 
 #ifdef HAVE_IEEEFP
@@ -79,10 +82,11 @@ TIFFReadDirectory(TIFF* tif)
 	const TIFFFieldInfo* fip;
 	size_t fix;
 	uint16 dircount;
 	toff_t nextdiroff;
 	int diroutoforderwarning = 0;
+	int compressionknown = 0;
 	toff_t* new_dirlist;
 
 	tif->tif_diroff = tif->tif_nextdiroff;
 	if (tif->tif_diroff == 0)		/* no more directories */
 		return (0);
@@ -145,17 +149,24 @@ TIFFReadDirectory(TIFF* tif)
 		 */
 		(void) ReadOK(tif, &nextdiroff, sizeof (uint32));
 	} else {
 		toff_t off = tif->tif_diroff;
 
-		if (off + sizeof (uint16) > tif->tif_size) {
-			TIFFErrorExt(tif->tif_clientdata, module,
-			    "%s: Can not read TIFF directory count",
-                            tif->tif_name);
-			return (0);
+		/*
+		 * Check for integer overflow when validating the dir_off, otherwise
+		 * a very high offset may cause an OOB read and crash the client.
+		 * -- taviso@google.com, 14 Jun 2006.
+		 */
+		if (off + sizeof (uint16) > tif->tif_size || 
+			off > (UINT_MAX - sizeof(uint16))) {
+				TIFFErrorExt(tif->tif_clientdata, module,
+				    "%s: Can not read TIFF directory count",
+				    tif->tif_name);
+				return (0);
 		} else
-			_TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
+			_TIFFmemcpy(&dircount, tif->tif_base + off,
+					sizeof (uint16));
 		off += sizeof (uint16);
 		if (tif->tif_flags & TIFF_SWAB)
 			TIFFSwabShort(&dircount);
 		dir = (TIFFDirEntry *)_TIFFCheckMalloc(tif, dircount,
 						       sizeof (TIFFDirEntry),
@@ -252,31 +263,38 @@ TIFFReadDirectory(TIFF* tif)
 			fix = 0;			/* O(n^2) */
 		}
 		while (fix < tif->tif_nfields &&
 		       tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
 			fix++;
+
 		if (fix >= tif->tif_nfields ||
 		    tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
 
 					TIFFWarningExt(tif->tif_clientdata,
 						       module,
                         "%s: unknown field with tag %d (0x%x) encountered",
 						       tif->tif_name,
 						       dp->tdir_tag,
 						       dp->tdir_tag,
 						       dp->tdir_type);
-
-                    TIFFMergeFieldInfo(tif,
-                                       _TIFFCreateAnonFieldInfo(tif,
-						dp->tdir_tag,
-						(TIFFDataType) dp->tdir_type),
-				       1 );
+					/*
+					 * creating anonymous fields prior to knowing the compression
+					 * algorithm (ie, when the field info has been merged) could cause
+					 * crashes with pathological directories.
+					 * -- taviso@google.com 15 Jun 2006
+					 */
+					if (compressionknown)
+			                    TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, 
+						(TIFFDataType) dp->tdir_type), 1 );
+					else goto ignore;
+		    
                     fix = 0;
                     while (fix < tif->tif_nfields &&
                            tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
 			fix++;
 		}
+		
 		/*
 		 * Null out old tags that we ignore.
 		 */
 		if (tif->tif_fieldinfo[fix]->field_bit == FIELD_IGNORE) {
 	ignore:
@@ -324,10 +342,11 @@ TIFFReadDirectory(TIFF* tif)
 			if (dp->tdir_count == 1) {
 				v = TIFFExtractData(tif,
 				    dp->tdir_type, dp->tdir_offset);
 				if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
 					goto bad;
+				else compressionknown++;
 				break;
 			/* XXX: workaround for broken TIFFs */
 			} else if (dp->tdir_type == TIFF_LONG) {
 				if (!TIFFFetchPerSampleLongs(tif, dp, &v) ||
 				    !TIFFSetField(tif, dp->tdir_tag, (uint16)v))
@@ -538,10 +557,11 @@ TIFFReadDirectory(TIFF* tif)
 	}
 	/*
 	 * Attempt to deal with a missing StripByteCounts tag.
 	 */
 	if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
 		/*
 		 * Some manufacturers violate the spec by not giving
 		 * the size of the strips.  In this case, assume there
 		 * is one uncompressed strip of data.
 		 */
@@ -554,11 +574,11 @@ TIFFReadDirectory(TIFF* tif)
 		}
 		TIFFWarningExt(tif->tif_clientdata, module,
 			"%s: TIFF directory is missing required "
 			"\"%s\" field, calculating from imagelength",
 			tif->tif_name,
-		        _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+		        fip ? fip->field_name : "Unknown");
 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
 		    goto bad;
 /* 
  * Assume we have wrong StripByteCount value (in case of single strip) in
  * following cases:
@@ -578,35 +598,37 @@ TIFFReadDirectory(TIFF* tif)
        td->td_stripbytecount[0] < TIFFScanlineSize(tif) * td->td_imagelength) )
 
 	} else if (td->td_nstrips == 1 
                    && td->td_stripoffset[0] != 0 
                    && BYTECOUNTLOOKSBAD) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
 		/*
 		 * XXX: Plexus (and others) sometimes give a value of zero for
 		 * a tag when they don't know what the correct value is!  Try
 		 * and handle the simple case of estimating the size of a one
 		 * strip image.
 		 */
 		TIFFWarningExt(tif->tif_clientdata, module,
 	"%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
                             tif->tif_name,
-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+		            fip ? fip->field_name : "Unknown");
 		if(EstimateStripByteCounts(tif, dir, dircount) < 0)
 		    goto bad;
 	} else if (td->td_planarconfig == PLANARCONFIG_CONTIG
 		   && td->td_nstrips > 2
 		   && td->td_compression == COMPRESSION_NONE
 		   && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
 		/*
 		 * XXX: Some vendors fill StripByteCount array with absolutely
 		 * wrong values (it can be equal to StripOffset array, for
 		 * example). Catch this case here.
 		 */
 		TIFFWarningExt(tif->tif_clientdata, module,
 	"%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
                             tif->tif_name,
-		            _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
+		            fip ? fip->field_name : "Unknown");
 		if (EstimateStripByteCounts(tif, dir, dircount) < 0)
 		    goto bad;
 	}
 	if (dir) {
 		_TIFFfree((char *)dir);
@@ -868,11 +890,17 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
 {
 	static const char module[] = "EstimateStripByteCounts";
 
 	register TIFFDirEntry *dp;
 	register TIFFDirectory *td = &tif->tif_dir;
-	uint16 i;
+	
+	/* i is used to iterate over td->td_nstrips, so must be
+	 * at least the same width.
+	 * -- taviso@google.com 15 Jun 2006
+	 */
+
+	uint32 i;
 
 	if (td->td_stripbytecount)
 		_TIFFfree(td->td_stripbytecount);
 	td->td_stripbytecount = (uint32*)
 	    _TIFFCheckMalloc(tif, td->td_nstrips, sizeof (uint32),
@@ -945,20 +973,22 @@ MissingRequired(TIFF* tif, const char* t
  * there is a mismatch.
  */
 static int
 CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
 {
+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+
 	if (count > dir->tdir_count) {
 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+		    fip ? fip->field_name : "Unknown",
 		    dir->tdir_count, count);
 		return (0);
 	} else if (count < dir->tdir_count) {
 		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
 	"incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
+		    fip ? fip->field_name : "Unknown",
 		    dir->tdir_count, count);
 		return (1);
 	}
 	return (1);
 }
@@ -968,10 +998,11 @@ CheckDirCount(TIFF* tif, TIFFDirEntry* d
  */
 static tsize_t
 TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
 {
 	int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
+	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 	tsize_t cc = dir->tdir_count * w;
 
 	/* Check for overflow. */
 	if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
 		goto bad;
@@ -1011,11 +1042,11 @@ TIFFFetchData(TIFF* tif, TIFFDirEntry* d
 	}
 	return (cc);
 bad:
 	TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 		     "Error fetching data for field \"%s\"",
-		     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+		     fip ? fip->field_name : "Unknown");
 	return (tsize_t) 0;
 }
 
 /*
  * Fetch an ASCII item from the file.
@@ -1037,14 +1068,16 @@ TIFFFetchString(TIFF* tif, TIFFDirEntry*
  * Convert numerator+denominator to float.
  */
 static int
 cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
 {
+	const TIFFFieldInfo* fip;
 	if (denom == 0) {
+		fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 		    "%s: Rational with zero denominator (num = %lu)",
-		    _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
+		    fip ? fip->field_name : "Unknown", num);
 		return (0);
 	} else {
 		if (dir->tdir_type == TIFF_RATIONAL)
 			*rv = ((float)num / (float)denom);
 		else
@@ -1157,10 +1190,24 @@ TIFFFetchShortArray(TIFF* tif, TIFFDirEn
  * or SHORT type and this function works with both ones.
  */
 static int
 TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
 {
+	/*
+	 * Prevent overflowing the v stack arrays below by performing a sanity
+	 * check on tdir_count, this should never be greater than two.
+	 * -- taviso@google.com 14 Jun 2006.
+	 */
+	if (dir->tdir_count > 2) {
+		const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
+		TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
+				"unexpected count for field \"%s\", %lu, expected 2; ignored.",
+				fip ? fip->field_name : "Unknown",
+				dir->tdir_count);
+		return 0;
+	}
+
 	switch (dir->tdir_type) {
 		case TIFF_BYTE:
 		case TIFF_SBYTE:
 			{
 			uint8 v[4];
@@ -1327,18 +1374,19 @@ TIFFFetchAnyArray(TIFF* tif, TIFFDirEntr
 		}
 		break;
 	case TIFF_DOUBLE:
 		return (TIFFFetchDoubleArray(tif, dir, (double*) v));
 	default:
+		{ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 		/* TIFF_NOTYPE */
 		/* TIFF_ASCII */
 		/* TIFF_UNDEFINED */
 		TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
 			     "cannot read TIFF_ANY type %d for field \"%s\"",
 			     dir->tdir_type,
-			     _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-		return (0);
+			     fip ? fip->field_name : "Unknown");
+		return (0); }
 	}
 	return (1);
 }
 
 /*
@@ -1349,10 +1397,13 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
 {
 	static const char mesg[] = "to fetch tag value";
 	int ok = 0;
 	const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
 
+	if (fip == NULL) {
+		return (0);
+	}
 	if (dp->tdir_count > 1) {		/* array of values */
 		char* cp = NULL;
 
 		switch (dp->tdir_type) {
 		case TIFF_BYTE:
@@ -1491,10 +1542,11 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
  */
 static int
 TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
         uint16 buf[10];
         uint16* v = buf;
@@ -1508,13 +1560,14 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF
             if( samples < check_count )
                 check_count = samples;
 
             for (i = 1; i < check_count; i++)
                 if (v[i] != v[0]) {
+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
             status = 1;
         }
@@ -1532,10 +1585,11 @@ TIFFFetchPerSampleShorts(TIFF* tif, TIFF
  */
 static int
 TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
         uint32 buf[10];
         uint32* v = buf;
@@ -1549,13 +1603,14 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD
 
             if( samples < check_count )
                 check_count = samples;
             for (i = 1; i < check_count; i++)
                 if (v[i] != v[0]) {
+				fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
 					TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
             status = 1;
         }
@@ -1572,10 +1627,11 @@ TIFFFetchPerSampleLongs(TIFF* tif, TIFFD
  */
 static int
 TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
 {
     uint16 samples = tif->tif_dir.td_samplesperpixel;
+    const TIFFFieldInfo* fip;
     int status = 0;
 
     if (CheckDirCount(tif, dir, (uint32) samples)) {
         double buf[10];
         double* v = buf;
@@ -1589,13 +1645,14 @@ TIFFFetchPerSampleAnys(TIFF* tif, TIFFDi
             if( samples < check_count )
                 check_count = samples;
 
             for (i = 1; i < check_count; i++)
                 if (v[i] != v[0]) {
+		    fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
                     TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
                               "Cannot handle different per-sample values for field \"%s\"",
-                              _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
+                              fip ? fip->field_name : "Unknown");
                     goto bad;
                 }
             *pl = v[0];
             status = 1;
         }
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_fax3.c tiff-3.8.2/libtiff/tif_fax3.c
--- tiff-3.8.2.orig/libtiff/tif_fax3.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tif_fax3.c	2007-11-01 17:31:46 +0000
@@ -1134,10 +1134,11 @@ static const TIFFFieldInfo fax4FieldInfo
 
 static int
 Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 	Fax3BaseState* sp = Fax3State(tif);
+	const TIFFFieldInfo* fip;
 
 	assert(sp != 0);
 	assert(sp->vsetparent != 0);
 
 	switch (tag) {
@@ -1179,11 +1180,17 @@ Fax3VSetField(TIFF* tif, ttag_t tag, va_
 		_TIFFsetString(&sp->faxdcs, va_arg(ap, char*));
 		break;
 	default:
 		return (*sp->vsetparent)(tif, tag, ap);
 	}
-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+	
+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
+		TIFFSetFieldBit(tif, fip->field_bit);
+	} else {
+		return (0);
+	}
+
 	tif->tif_flags |= TIFF_DIRTYDIRECT;
 	return (1);
 }
 
 static int
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_jpeg.c tiff-3.8.2/libtiff/tif_jpeg.c
--- tiff-3.8.2.orig/libtiff/tif_jpeg.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tif_jpeg.c	2007-11-01 17:31:46 +0000
@@ -720,19 +720,35 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
 		 * to match a downsampled component
 		 */
 		segment_width = TIFFhowmany(segment_width, sp->h_sampling);
 		segment_height = TIFFhowmany(segment_height, sp->v_sampling);
 	}
-	if (sp->cinfo.d.image_width != segment_width ||
-	    sp->cinfo.d.image_height != segment_height) {
+	if (sp->cinfo.d.image_width < segment_width ||
+	    sp->cinfo.d.image_height < segment_height) {
 		TIFFWarningExt(tif->tif_clientdata, module,
                  "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
                           segment_width, 
                           segment_height,
                           sp->cinfo.d.image_width, 
                           sp->cinfo.d.image_height);
+	} 
+	
+	if (sp->cinfo.d.image_width > segment_width ||
+			sp->cinfo.d.image_height > segment_height) {
+		/*
+		 * This case could be dangerous, if the strip or tile size has been
+		 * reported as less than the amount of data jpeg will return, some
+		 * potential security issues arise. Catch this case and error out.
+		 * -- taviso@google.com 14 Jun 2006
+		 */
+		TIFFErrorExt(tif->tif_clientdata, module, 
+			"JPEG strip/tile size exceeds expected dimensions,"
+			"expected %dx%d, got %dx%d", segment_width, segment_height,
+			sp->cinfo.d.image_width, sp->cinfo.d.image_height);
+		return (0);
 	}
+
 	if (sp->cinfo.d.num_components !=
 	    (td->td_planarconfig == PLANARCONFIG_CONTIG ?
 	     td->td_samplesperpixel : 1)) {
 		TIFFErrorExt(tif->tif_clientdata, module, "Improper JPEG component count");
 		return (0);
@@ -759,10 +775,26 @@ JPEGPreDecode(TIFF* tif, tsample_t s)
                                     "Apparently should be %d,%d.",
                                     sp->cinfo.d.comp_info[0].h_samp_factor,
                                     sp->cinfo.d.comp_info[0].v_samp_factor,
                                     sp->h_sampling, sp->v_sampling);
 
+				/*
+				 * There are potential security issues here for decoders that
+				 * have already allocated buffers based on the expected sampling
+				 * factors. Lets check the sampling factors dont exceed what
+				 * we were expecting.
+				 * -- taviso@google.com 14 June 2006
+				 */
+				if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
+					sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
+						TIFFErrorExt(tif->tif_clientdata, module,
+							"Cannot honour JPEG sampling factors that"
+							" exceed those specified.");
+						return (0);
+				}
+
+
 			    /*
 			     * XXX: Files written by the Intergraph software
 			     * has different sampling factors stored in the
 			     * TIFF tags and in the JPEG structures. We will
 			     * try to deduce Intergraph files by the presense
@@ -1519,19 +1551,22 @@ JPEGPostEncode(TIFF* tif)
 static void
 JPEGCleanup(TIFF* tif)
 {
 	JPEGState *sp = JState(tif);
 	
-	assert(sp != 0);
+	/* assert(sp != 0); */
 
 	tif->tif_tagmethods.vgetfield = sp->vgetparent;
 	tif->tif_tagmethods.vsetfield = sp->vsetparent;
 
-	if( sp->cinfo_initialized )
-	    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
-	if (sp->jpegtables)		/* tag value */
-		_TIFFfree(sp->jpegtables);
+	if (sp != NULL) {
+		if( sp->cinfo_initialized )
+		    TIFFjpeg_destroy(sp);	/* release libjpeg resources */
+		if (sp->jpegtables)		/* tag value */
+			_TIFFfree(sp->jpegtables);
+	}
+
 	_TIFFfree(tif->tif_data);	/* release local state */
 	tif->tif_data = NULL;
 
 	_TIFFSetDefaultCompressionState(tif);
 }
@@ -1539,10 +1574,11 @@ JPEGCleanup(TIFF* tif)
 static int
 JPEGVSetField(TIFF* tif, ttag_t tag, va_list ap)
 {
 	JPEGState* sp = JState(tif);
 	TIFFDirectory* td = &tif->tif_dir;
+	const TIFFFieldInfo* fip;
 	uint32 v32;
 
 	assert(sp != NULL);
 
 	switch (tag) {
@@ -1570,14 +1606,17 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
 		tif->tif_flags &= ~TIFF_UPSAMPLED;
 		if (td->td_planarconfig == PLANARCONFIG_CONTIG) {
 		    if (td->td_photometric == PHOTOMETRIC_YCBCR &&
 		      sp->jpegcolormode == JPEGCOLORMODE_RGB) {
 			tif->tif_flags |= TIFF_UPSAMPLED;
+#if 0
+/*  Pacify compiler.  */
 		    } else {
 			if (td->td_ycbcrsubsampling[0] != 1 ||
 			    td->td_ycbcrsubsampling[1] != 1)
 			    ; /* XXX what about up-sampling? */
+#endif
 		    }
 		}
 		/*
 		 * Must recalculate cached tile size
 		 * in case sampling state changed.
@@ -1604,11 +1643,17 @@ JPEGVSetField(TIFF* tif, ttag_t tag, va_
 		_TIFFsetString(&sp->faxdcs, va_arg(ap, char*));
 		break;
 	default:
 		return (*sp->vsetparent)(tif, tag, ap);
 	}
-	TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
+
+	if ((fip = _TIFFFieldWithTag(tif, tag))) {
+		TIFFSetFieldBit(tif, fip->field_bit);
+	} else {
+		return (0);
+	}
+
 	tif->tif_flags |= TIFF_DIRTYDIRECT;
 	return (1);
 }
 
 /*
@@ -1724,11 +1769,15 @@ JPEGVGetField(TIFF* tif, ttag_t tag, va_
 static void
 JPEGPrintDir(TIFF* tif, FILE* fd, long flags)
 {
 	JPEGState* sp = JState(tif);
 
-	assert(sp != NULL);
+	/* assert(sp != NULL); */
+	if (sp == NULL) {
+		TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
+		return;
+	}
 
 	(void) flags;
 	if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
 		fprintf(fd, "  JPEG Tables: (%lu bytes)\n",
 			(unsigned long) sp->jpegtables_length);
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_next.c tiff-3.8.2/libtiff/tif_next.c
--- tiff-3.8.2.orig/libtiff/tif_next.c	2005-12-21 12:33:56 +0000
+++ tiff-3.8.2/libtiff/tif_next.c	2007-11-01 17:31:46 +0000
@@ -93,25 +93,31 @@ NeXTDecode(TIFF* tif, tidata_t buf, tsiz
 			bp += 4+n;
 			cc -= 4+n;
 			break;
 		}
 		default: {
-			register int npixels = 0, grey;
+			register int grey;
+			register unsigned long npixels = 0;
 			unsigned long imagewidth = tif->tif_dir.td_imagewidth;
 
 			/*
 			 * The scanline is composed of a sequence
 			 * of constant color ``runs''.  We shift
 			 * into ``run mode'' and interpret bytes
 			 * as codes of the form <color><npixels>
 			 * until we've filled the scanline.
 			 */
+			/*
+			 * Ensure the run does not exceed the scanline
+			 * bounds, potentially resulting in a security issue.
+			 * -- taviso@google.com 14 Jun 2006.
+			 */
 			op = row;
 			for (;;) {
 				grey = (n>>6) & 0x3;
 				n &= 0x3f;
-				while (n-- > 0)
+				while (n-- > 0 && npixels < imagewidth)
 					SETPIXEL(op, grey);
 				if (npixels >= (int) imagewidth)
 					break;
 				if (cc == 0)
 					goto bad;
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_pixarlog.c tiff-3.8.2/libtiff/tif_pixarlog.c
--- tiff-3.8.2.orig/libtiff/tif_pixarlog.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tif_pixarlog.c	2007-11-01 17:31:46 +0000
@@ -766,11 +766,23 @@ PixarLogDecode(TIFF* tif, tidata_t op, t
 	up = sp->tbuf;
 	/* Swap bytes in the data if from a different endian machine. */
 	if (tif->tif_flags & TIFF_SWAB)
 		TIFFSwabArrayOfShort(up, nsamples);
 
-	for (i = 0; i < nsamples; i += llen, up += llen) {
+	/* 
+	 * if llen is not an exact multiple of nsamples, the decode operation
+	 * may overflow the output buffer, so truncate it enough to prevent that
+	 * but still salvage as much data as possible.
+	 * -- taviso@google.com 14th June 2006
+	 */
+	if (nsamples % llen) 
+		TIFFWarningExt(tif->tif_clientdata, module,
+				"%s: stride %lu is not a multiple of sample count, "
+				"%lu, data truncated.", tif->tif_name, llen, nsamples);
+				
+	
+	for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
 		switch (sp->user_datafmt)  {
 		case PIXARLOGDATAFMT_FLOAT:
 			horizontalAccumulateF(up, llen, sp->stride,
 					(float *)op, sp->ToLinearF);
 			op += llen * sizeof(float);
diff -aprNU5 tiff-3.8.2.orig/libtiff/tif_read.c tiff-3.8.2/libtiff/tif_read.c
--- tiff-3.8.2.orig/libtiff/tif_read.c	2005-12-21 12:33:56 +0000
+++ tiff-3.8.2/libtiff/tif_read.c	2007-11-01 17:31:46 +0000
@@ -29,10 +29,12 @@
  * Scanline-oriented Read Support
  */
 #include "tiffiop.h"
 #include <stdio.h>
 
+#include <limits.h>
+
 	int TIFFFillStrip(TIFF*, tstrip_t);
 	int TIFFFillTile(TIFF*, ttile_t);
 static	int TIFFStartStrip(TIFF*, tstrip_t);
 static	int TIFFStartTile(TIFF*, ttile_t);
 static	int TIFFCheckRead(TIFF*, int);
@@ -270,11 +272,17 @@ TIFFFillStrip(TIFF* tif, tstrip_t strip)
 		 * mapped read-only).
 		 */
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
+		/*
+		 * This sanity check could potentially overflow, causing an OOB read.
+		 * verify that offset + bytecount is > offset.
+		 * -- taviso@google.com 14 Jun 2006
+		 */
+		if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
+			bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
 			/*
 			 * This error message might seem strange, but it's
 			 * what would happen if a read were done instead.
 			 */
 			TIFFErrorExt(tif->tif_clientdata, module,
@@ -468,11 +476,17 @@ TIFFFillTile(TIFF* tif, ttile_t tile)
 		 * mapped read-only).
 		 */
 		if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
 			_TIFFfree(tif->tif_rawdata);
 		tif->tif_flags &= ~TIFF_MYBUFFER;
-		if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
+		/*
+		 * We must check this calculation doesnt overflow, potentially
+		 * causing an OOB read.
+		 * -- taviso@google.com 15 Jun 2006
+		 */
+		if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
+			bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
 			tif->tif_curtile = NOTILE;
 			return (0);
 		}
 		tif->tif_rawdatasize = bytecount;
 		tif->tif_rawdata = tif->tif_base + td->td_stripoffset[tile];
diff -aprNU5 tiff-3.8.2.orig/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h
--- tiff-3.8.2.orig/libtiff/tiffiop.h	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/libtiff/tiffiop.h	2007-11-01 17:31:46 +0000
@@ -48,11 +48,11 @@
 # include <assert.h>
 #else
 # define assert(x) 
 #endif
 
-#ifdef HAVE_SEARCH_H
+#if defined HAVE_SEARCH_H && defined HAVE_LFIND
 # include <search.h>
 #else
 extern void *lfind(const void *, const void *, size_t *, size_t,
 		   int (*)(const void *, const void *));
 #endif
diff -aprNU5 tiff-3.8.2.orig/test/ascii_tag.c tiff-3.8.2/test/ascii_tag.c
--- tiff-3.8.2.orig/test/ascii_tag.c	2006-03-23 14:54:02 +0000
+++ tiff-3.8.2/test/ascii_tag.c	2007-11-01 17:31:46 +0000
@@ -67,11 +67,11 @@ const int ink_names_size = 15;
 
 int
 main(int argc, char **argv)
 {
 	TIFF		*tif;
-	int		i;
+	unsigned int	i;
 	unsigned char	buf[3] = { 0, 127, 255 };
 	char		*value;
 
 	/* Test whether we can write tags. */
 	tif = TIFFOpen(filename, "w");
diff -aprNU5 tiff-3.8.2.orig/test/long_tag.c tiff-3.8.2/test/long_tag.c
--- tiff-3.8.2.orig/test/long_tag.c	2006-03-23 14:54:02 +0000
+++ tiff-3.8.2/test/long_tag.c	2007-11-01 17:31:46 +0000
@@ -58,11 +58,11 @@ const uint32	rows_per_strip = 1;
 
 int
 main(int argc, char **argv)
 {
 	TIFF		*tif;
-	int		i;
+	unsigned int	i;
 	unsigned char	buf[3] = { 0, 127, 255 };
 
 	/* Test whether we can write tags. */
 	tif = TIFFOpen(filename, "w");
 	if (!tif) {
diff -aprNU5 tiff-3.8.2.orig/test/short_tag.c tiff-3.8.2/test/short_tag.c
--- tiff-3.8.2.orig/test/short_tag.c	2006-03-23 14:54:02 +0000
+++ tiff-3.8.2/test/short_tag.c	2007-11-01 17:31:46 +0000
@@ -37,10 +37,11 @@
 # include <unistd.h> 
 #endif 
 
 #include "tiffio.h"
 
+extern int CheckLongField(TIFF *, ttag_t, uint32);
 extern int CheckShortField(TIFF *, ttag_t, uint16);
 
 const char	*filename = "short_test.tiff";
 
 #define	SPP	3		/* Samples per pixel */
@@ -71,11 +72,11 @@ static struct SingleTags {
 
 int
 main(int argc, char **argv)
 {
 	TIFF		*tif;
-	int		i;
+	unsigned int	i;
 	unsigned char	buf[3] = { 0, 127, 255 };
 
 	/* Test whether we can write tags. */
 	tif = TIFFOpen(filename, "w");
 	if (!tif) {
diff -aprNU5 tiff-3.8.2.orig/test/strip.c tiff-3.8.2/test/strip.c
--- tiff-3.8.2.orig/test/strip.c	2006-03-23 14:54:02 +0000
+++ tiff-3.8.2/test/strip.c	2007-11-01 17:31:46 +0000
@@ -169,11 +169,11 @@ create_image_striped(const char *name, u
 
 failure:
 	TIFFClose(tif);
 openfailure:
 	fprintf (stderr, "Can't create test TIFF file %s:\n"
-"    ImageWidth=%ld, ImageLength=%ld, RowsPerStrip=%ld, Compression=%d,\n"
+"    ImageWidth=%d, ImageLength=%d, RowsPerStrip=%d, Compression=%d,\n"
 "    BitsPerSample=%d, SamplesPerPixel=%d, SampleFormat=%d,\n"
 "    PlanarConfiguration=%d, PhotometricInterpretation=%d.\n",
 		 name, width, length, rowsperstrip, compression,
 		 bps, spp, sampleformat, planarconfig,
 		 photometric);
@@ -247,11 +247,11 @@ read_image_striped(const char *name, uin
 
 failure:
 	TIFFClose(tif);
 openfailure:
 	fprintf (stderr, "Can't read test TIFF file %s:\n"
-"    ImageWidth=%ld, ImageLength=%ld, RowsPerStrip=%ld, Compression=%d,\n"
+"    ImageWidth=%d, ImageLength=%d, RowsPerStrip=%d, Compression=%d,\n"
 "    BitsPerSample=%d, SamplesPerPixel=%d, SampleFormat=%d,\n"
 "    PlanarConfiguration=%d, PhotometricInterpretation=%d.\n",
 		 name, width, length, rowsperstrip, compression,
 		 bps, spp, sampleformat, planarconfig,
 		 photometric);
@@ -276,11 +276,11 @@ write_scanlines(TIFF *tif, const tdata_t
 	}
 
 	for (offset = 0, row = 0; row < length; offset+=scanlinesize, row++) {
 		if (TIFFWriteScanline(tif, (char *)array + offset, row, 0) < 0) {
 			fprintf (stderr,
-				 "Can't write image data at row %lu.\n", row);
+				 "Can't write image data at row %u.\n", row);
 			return -1;
 		}
         }
 
 	return 0;
diff -aprNU5 tiff-3.8.2.orig/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c
--- tiff-3.8.2.orig/tools/tiff2pdf.c	2006-03-21 16:42:50 +0000
+++ tiff-3.8.2/tools/tiff2pdf.c	2007-11-01 17:31:48 +0000
@@ -935,37 +935,29 @@ void t2p_free(T2P* t2p){
 
 void t2p_validate(T2P* t2p){
 
 #ifdef JPEG_SUPPORT
 	if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
-		if(t2p->pdf_defaultcompressionquality<100 ||
+		if(t2p->pdf_defaultcompressionquality>100 ||
 			t2p->pdf_defaultcompressionquality<1){
 			t2p->pdf_defaultcompressionquality=0;
 		}
 	}
 #endif
 #ifdef ZIP_SUPPORT
 	if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
-		switch (t2p->pdf_defaultcompressionquality){
-			case 1: case 10: case 11: case 12: case 13: case 14: case 15:
-			case 101: case 110: case 111: case 112: case 113: case 114: case 115:
-			case 201: case 210: case 211: case 212: case 213: case 214: case 215:
-			case 301: case 310: case 311: case 312: case 313: case 314: case 315:
-			case 401: case 410: case 411: case 412: case 413: case 414: case 415:
-			case 501: case 510: case 511: case 512: case 513: case 514: case 515:
-			case 601: case 610: case 611: case 612: case 613: case 614: case 615:
-			case 701: case 710: case 711: case 712: case 713: case 714: case 715:
-			case 801: case 810: case 811: case 812: case 813: case 814: case 815:
-			case 901: case 910: case 911: case 912: case 913: case 914: case 915:
-				break;
-			default:
-				t2p->pdf_defaultcompressionquality=0;
+ 		uint16 m=t2p->pdf_defaultcompressionquality%100;
+ 		if(t2p->pdf_defaultcompressionquality/100 > 9 ||
+ 			(m>1 && m<10) || m>15){
+ 			t2p->pdf_defaultcompressionquality=0;
 		}
 		if(t2p->pdf_defaultcompressionquality%100 !=0){
+ 			t2p->pdf_defaultcompressionquality/=100;
+ 			t2p->pdf_defaultcompressionquality*=100;
 			TIFFError(
 				TIFF2PDF_MODULE, 
-				"PNG Group predictor differencing not implemented, assuming compresion quality %u", 
+				"PNG Group predictor differencing not implemented, assuming compression quality %u", 
 				t2p->pdf_defaultcompressionquality);
 		}
 		t2p->pdf_defaultcompressionquality%=100;
 		if(t2p->pdf_minorversion<2){t2p->pdf_minorversion=2;}
 	}
@@ -3666,11 +3658,11 @@ tsize_t t2p_write_pdf_string(char* pdfst
 	
 	len=strlen(pdfstr);
 	written += TIFFWriteFile(output, (tdata_t) "(", 1);
 	for (i=0;i<len;i++){
 		if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
-			sprintf(buffer, "\\%.3o", pdfstr[i]);
+			sprintf(buffer, "\\%.3hho", pdfstr[i]);
 			written += TIFFWriteFile(output, (tdata_t) buffer, 4);
 		} else {
 			switch (pdfstr[i]){
 				case 0x08:
 					written += TIFFWriteFile(output, (tdata_t) "\\b", 2);
diff -aprNU5 tiff-3.8.2.orig/tools/tiffgt.c tiff-3.8.2/tools/tiffgt.c
--- tiff-3.8.2.orig/tools/tiffgt.c	2006-03-23 14:54:02 +0000
+++ tiff-3.8.2/tools/tiffgt.c	2007-11-01 17:40:22 +0000
@@ -24,11 +24,16 @@
  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 
  * OF THIS SOFTWARE.
  */
 
 #include "tif_config.h"
+#ifdef __DJGPP__
+/*  Declaration of CVS snprintf().  */
+#include "../djgpp/stdio.h"
+#else
 #include <stdio.h>
+#endif
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #if HAVE_APPLE_OPENGL_FRAMEWORK
diff -aprNU5 tiff-3.8.2.orig/tools/tiffsplit.c tiff-3.8.2/tools/tiffsplit.c
--- tiff-3.8.2.orig/tools/tiffsplit.c	2005-12-07 09:48:32 +0000
+++ tiff-3.8.2/tools/tiffsplit.c	2007-11-01 17:40:22 +0000
@@ -24,11 +24,16 @@
  * OF THIS SOFTWARE.
  */
 
 #include "tif_config.h"
 
+#ifdef __DJGPP__
+/*  Declaration of CVS snprintf().  */
+#include "../djgpp/stdio.h"
+#else
 #include <stdio.h>
+#endif
 #include <stdlib.h>
 #include <string.h>
 
 #include "tiffio.h"
 
@@ -59,18 +64,17 @@ main(int argc, char* argv[])
                 fprintf(stderr, "%s\n\n", TIFFGetVersion());
 		fprintf(stderr, "usage: tiffsplit input.tif [prefix]\n");
 		return (-3);
 	}
 	if (argc > 2)
-		strcpy(fname, argv[2]);
+		snprintf(fname, sizeof(fname), "%s", argv[2]);
 	in = TIFFOpen(argv[1], "r");
 	if (in != NULL) {
 		do {
 			char path[1024+1];
 			newfilename();
-			strcpy(path, fname);
-			strcat(path, ".tif");
+			snprintf(path, sizeof(path), "%s.tif", fname);
 			out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
 			if (out == NULL)
 				return (-2);
 			if (!tiffcp(in, out))
 				return (-1);
