Fix CVE-2016-5314. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314 bugzilla.maptools.org/show_bug.cgi?id=2554 Patch extracted from upstream CVS repo with: $ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
Index: libtiff/tif_pixarlog.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43
+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44
@@ -459,6 +459,7 @@
 typedef struct {
 TIFFPredictorState predict;
 z_stream stream;
+ tmsize_t tbuf_size; /* only set/used on reading for now */
 uint16 *tbuf;
 uint16 stride;
 int state;
@@ -694,6 +695,7 @@
 sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
 if (sp->tbuf == NULL)
 return (0);
+ sp->tbuf_size = tbuf_size;
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
@@ -783,6 +785,12 @@
 TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
 return (0);
 }
+ /* Check that we will not fill more than what was allocated */ if (sp->stream.avail_out > sp->tbuf_size) { TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); return (0); }
 do {
 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
 if (state == Z_STREAM_END) {
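Review bot: The new `tbuf_size` field in the first hunk has no stated unit, and the only place that sets it is the assignment after `_TIFFmalloc(tbuf_size)` in the second hunk. Since the third hunk compares it with `sp->stream.avail_out`, which zlib counts in bytes, I would document it as `tmsize_t tbuf_size; /* bytes allocated for tbuf; only set/used on reading for now */`. Any other path that allocates or frees `sp->tbuf` lies outside these hunks; if one exists, it should presumably update or reset `tbuf_size` so the new bound check never compares against a stale size.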
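Review bot: The error string in the added guard of the third hunk is just the condition text, `"sp->stream.avail_out > sp->tbuf_size"`, which tells someone triaging a rejected file nothing about what was wrong; a message such as `"Decode request larger than the allocated PixarLog buffer"` would be clearer. The comparison also mixes zlib's unsigned `avail_out` with the signed `tmsize_t` field; on targets where the two have the same width the signed side is converted to unsigned, so the check relies on `tbuf_size` being non-negative, and a short comment stating that assumption would help. The enclosing decode function begins and ends outside the hunk, so how `avail_out` is derived is not visible here. A regression test built from the reproducer attached to bugzilla 2554 would keep this guard from being dropped in a later refactor.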