Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp):
http://bugzilla.maptools.org/show_bug.cgi?id=2656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225
https://security-tracker.debian.org/tracker/CVE-2017-5225
2017-01-11 Even Rouault <even.rouault at spatialys.com>
* tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and http://bugzilla.maptools.org/show_bug.cgi?id=2657
less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1210; previous revision: 1.1209
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c
new revision: 1.61; previous revision: 1.60
Index: libtiff/tools/tiffcp.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60
+++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61
#@@ -1,4 +1,4 @@
#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */
#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */
#
# /*
# * Copyright (c) 1988-1997 Sam Leffler
@@ -591,7 +591,7 @@
 static int
 tiffcp(TIFF* in, TIFF* out)
 {
- uint16 bitspersample, samplesperpixel = 1;
+ uint16 bitspersample = 1, samplesperpixel = 1;
 uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK;
 copyFunc cf;
 uint32 width, length;
@@ -1067,6 +1067,16 @@
 register uint32 n;
 uint32 row;
 tsample_t s;
+ uint16 bps = 0;
+
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps != 8 )
+ {
+ TIFFError(TIFFFileName(in),
+ "Error, can only handle BitsPerSample=8 in %s",
+ "cpContig2SeparateByRow");
+ return 0;
+ }
 inbuf = _TIFFmalloc(scanlinesizein);
 outbuf = _TIFFmalloc(scanlinesizeout);
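Review bot: The new initialiser `bitspersample = 1` in tiffcp() has no comment explaining why 1 was chosen; presumably it mirrors the TIFF default for a missing BitsPerSample tag, so that later uses never see an uninitialised value. A short comment such as `/* TIFF default when BitsPerSample is absent */` would stop a later cleanup from removing it as redundant. The reads of `bitspersample` are outside the hunk, so the exact uninitialised use cannot be confirmed from here.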
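Review bot: The BitsPerSample guard added to cpContig2SeparateByRow discards the TIFFGetField return value and relies on `bps = 0` to reject a file without the tag, which is inconsistent with the switch to TIFFGetFieldDefaulted that this same patch makes for the PLANARCONFIG read. Using `(void) TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);` would test the value libtiff actually applies. Reporting that value, for example `"Error, can only handle BitsPerSample=8 (got %d) in %s", (int) bps, "cpContig2SeparateByRow"`, would make a rejected file easier to triage. The same two points apply to the identical block added to cpSeparate2ContigByRow in the next hunk. The guard checks only `in`, and the copy loop it protects is outside the hunk, so whether `out` needs the same check cannot be confirmed from here.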
@@ -1120,6 +1130,16 @@
 register uint32 n;
 uint32 row;
 tsample_t s;
+ uint16 bps = 0;
+
+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps != 8 )
+ {
+ TIFFError(TIFFFileName(in),
+ "Error, can only handle BitsPerSample=8 in %s",
+ "cpSeparate2ContigByRow");
+ return 0;
+ }
 inbuf = _TIFFmalloc(scanlinesizein);
 outbuf = _TIFFmalloc(scanlinesizeout);
@@ -1784,7 +1804,7 @@
 uint32 w, l, tw, tl;
 int bychunk;
- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv);
+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv);
 if (shortv != config && bitspersample != 8 && samplesperpixel > 1) {
 fprintf(stderr,
 "%s: Cannot handle different planar configuration w/ bits/sample != 8\n",
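Review bot: The result of TIFFGetFieldDefaulted is still cast to void on the PLANARCONFIG read, so if the call fails `shortv` keeps whatever it held before; its declaration is outside the hunk, so I cannot tell whether it is initialised. Since the comparison on the next line is the gate that keeps images with bits/sample != 8 away from the planar-conversion copy routines, it should not depend on an unset value: `if (!TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv)) shortv = PLANARCONFIG_CONTIG;`, or initialise `shortv` where it is declared. The enclosing function starts and ends outside the hunk.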