diff --git a/share/security/advisories/FreeBSD-EN-14:07.pmap.asc b/share/security/advisories/FreeBSD-EN-14:07.pmap.asc
new file mode 100644
index 0000000000..912f1df1b4
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-14:07.pmap.asc
@@ -0,0 +1,129 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:07.pmap                                           Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          Bug with PCID implementation
+
+Category:       core
+Module:         kernel
+Announced:      2014-06-24
+Credits:        Henrik Gulbrandsen
+Affects:        FreeBSD 10.0-RELEASE
+Corrected:      2014-03-04 21:51:09 UTC (stable/10, 10.0-STABLE)
+                2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+Process-context identifiers (PCIDs) are a facility in modern x86
+processors, which tags TLB entries with the Id of the address space
+and allows to avoid TLB invalidation on the context switch.
+
+II.  Problem Description
+
+Due to bug in the handling of the mask of the CPU set where the given
+address space could have cached TLB entries, stale mappings could be
+seen by multithreaded programs.
+
+III. Impact
+
+Applications, most notably Java, which makes heavy use of threads may
+randomly crash due to the inconcistency.
+
+IV.  Workaround
+
+Systems that do not run have a CPU that supports the Process-Context
+Identifiers feature are not affected.
+
+The system administrator can add the following to /boot/loader.conf
+which disables Process-Context Identifiers to workaround this problem:
+
+	vm.pmap.pcid_enabled="0"
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.0]
+# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:07/pmap.patch.asc
+# gpg --verify pmap.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
+system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r262753
+releng/10.0/                                                      r267829
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:07.pmap.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnAbYP/iZKU3SSwHwWPzYa03ZwgW4u
+54MigJuV/wyOfJj2ZZuOXTaYZP1miRgFr7mn9OWkA6slWHLAVkmN9fWrUU8tRPjJ
+UDVhnbToVYIcmW2tEH5lZ5y1Stt178NZTeMo26jgkWhj74RZ10OIFdSuNlNUQGSr
+djanCdgpnGL+odml+rQcGAAKKH97PchQ6r9IivNgE6mnGhGvzOjQOSdxioBLew14
+w5Ua3k4nn/4hYi4RMPJ/vAlPdJHVsnZb8kRWhf4Ncj19IkvJ8EO6PmnHCbdGmV1I
+cvqVFxXPGGA/A+O9E+1S+54SWotivpgjSujuQFFmvuzBbPhlt/Hmtn6YwljNG4+e
+V6MsMRPMHVoIhOCBv9xfCHgyajA7jgbRGqQkMWxwKPVLjmk2NWOsbGBjHMFHnqYn
+87Sh7crbFffNGwqGJgn+vXSXeNZ/95EWSBE0/B4KfqPeX6XCJI/C/sMRl0ATKa7C
+k227J0olXKKUInLEq7tS1nLS0IKlWLF5WiRFx7DOa4DKLBcLZkYKTu3ATJySQ4V3
+hDNDpubB3/94ug1slRNWDYGxzaZq0ctUTubxsHW7a0iYQi/PkssCT/8jVAdsx8hq
+S1DjGZiFAKLOiJUSvPfONdwodORyEyMB+z37EfgeHKKqnjJXgSEtmnmI+7sT8hlR
+FhXX1XQOBUtPxF+MY4bT
+=vNzu
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc b/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc
new file mode 100644
index 0000000000..ff964cb277
--- /dev/null
+++ b/share/security/advisories/FreeBSD-EN-14:08.heimdal.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-14:08.heimdal                                        Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          gss_pseudo_random interoperability issue
+
+Category:       contrib
+Module:         heimdal
+Announced:      2014-06-24
+Credits:        Marc Dionne, Nico Williams, and Benjamin Kaduk
+Affects:        All supported versions of FreeBSD prior to 9.2-RELEASE.
+Corrected:	2013-12-16 06:52:30 UTC (stable/9, 9.2-STABLE)
+                2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
+                2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
+                2013-12-16 06:56:38 UTC (stable/8, 8.4-STABLE)
+                2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:http://security.freebsd.org/>.
+
+I.   Background
+
+Heimdal provides an implementation of Kerberos 5, the Generic Security
+Service API (GSS-API), and the krb5 GSS-API mechanism.  The GSS-API is
+an abstract API that provides a unified interface for security services
+that wraps many underlying security mechanisms.  Application protocols
+using the GSS-API exchange context tokens to establish a security context.
+Once the security context has successfully been established, it can be
+used to checksum and/or encrypt messages between the two parties of
+the context, securely generate an identical pseudorandom bitstring at
+both endpoints, and other security-related functionality.
+
+Kerberos 5 permits the use of different encryption types for encryption
+keys; part of the specification for each encryption type is a pseudo-random
+function that uses an encryption key and some optional seed data to
+produce a pseudo-random bitstring of a fixed length.  The GSS_Pseudo_random
+function uses an established security context and some optional seed
+data to produce a pseudo-random bitstring of (nearly) arbitrary lengh.
+The specification for GSS_Pseudo_random for the krb5 mechanism (RFC 4402)
+uses a counter mode to produce the arbitrary length output from the
+fixed-length output of the underlying enctype's pseudo-random output.
+
+II.  Problem Description
+
+RFC 4402 specifies that the counter which is prepended to the seed data
+must be encoded in network (big-endian) byte order before being input to the
+encryption type's pseudo-random function.  All released versions of Heimdal
+that include a GSS_Pseudo_random implementation for the krb5 mechanism
+encode the counter as a little-endian integer.
+
+III. Impact
+
+Only applications using the GSS_Pseudo_random functionality with the krb5
+mechanism are affected; the number of such applications is believed to
+be small.  (RFC 4402 was published in 2006.)  Since the first value
+used for the counter is zero, the first block of output is correct, but
+the second and all subsequent blocks of output are incorrect.
+Old versions of Heimdal will interoperate over the network with each
+other, but will not interoperate with MIT krb5 peers or other implementations
+of RFC 4402, if producing more than one block of pseudo-random output.
+For the commonly used AES encryption types, the first 128 bits of output
+are correct but the subsequent output differs.
+
+IV.  Workaround
+
+Applications which do not use the GSS_Pseudo_random functionality
+are not affected.
+
+Applications which can reduce their pseudo-random needs to a single
+block length (e.g., 128 bits for AES) will interoperate with all
+known implementations.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+2) To update your present system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch
+# fetch http://security.FreeBSD.org/patches/EN-14:08/heimdal.patch.asc
+# gpg --verify heimdal.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the revision numbers of each file that was
+corrected in FreeBSD.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r259452
+releng/8.4/                                                       r267832
+stable/9/                                                         r259451
+releng/9.1/                                                       r267831
+releng/9.2/                                                       r267831
+stable/10/                                                        r259447
+releng/10.0/                                                      r259758
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+The discussion of this interoperability issue in the IETF kitten working
+group archives may be found here:
+http://www.ietf.org/mail-archive/web/kitten/current/msg04479.html
+
+The latest revision of this Errata Notice is available at
+http://security.FreeBSD.org/advisories/FreeBSD-EN-14:08.heimdal.asc
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnk2wP/RXxr1lgWeKY1wCusB/wlkLO
+6cVsvZwIkvTvKNglkqY4dEvJJ1mdy25xP2yoft+ChM9ugTiGs5gfxsROXLCufobP
+0ycnbl0pxL00aNwU3nXaejPhfblwwLmnwZAb3JuxF795BH/7z4a9vdC0mEn86RbQ
+efeu3hqxJJxDL65xUntlgzWiFSWB+DZUjBU9DAFWlOPnbVR2T3n5w4sFSWMDtmv+
+AxqKjNVLgIHQKECTYjyFV2UjXCn6Np2m0dWHSpYM5MsdSaUolOqDRRxzAK5LKHg0
+ieHTf1OgBpfe/iBuSwybtEv/4cagDvN82Vsni8MbLEeDMa4DSsKorea1SIrCTcBv
+CW4ugln7bBWgm3hnCEIWsy0wwhSVQetGFjYgimZySI5/nO2Jnh1Ung705MPCYpb7
++X+G/oLqp04Bq81sWY4KFN8cfcmM2fQyL0zYOS72VPjXEvwcHnsbjZ/yO8eekO+J
+oxkd8FaXR4b21HCh5cdlwWNNU4mu9wId8CLJW0y9l15zloTQvjW8+MSlEhAm9KUl
+nYq/qHGiLTvxmsHlnQumay8lhtRJf0r3pNih+xchxy7JCVeu84aZHSIDrklZoiAr
+LjOWagYFP9qHqhmmRxVoHKBeHgUaDWiJ9J0a0R44GadowrstYT7cYCzfSQr1KkDz
+HPlEHgAxXm0shG0bbEA5
+=tTXE
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-14:15.iconv.asc b/share/security/advisories/FreeBSD-SA-14:15.iconv.asc
new file mode 100644
index 0000000000..a56d89bfd8
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:15.iconv.asc
@@ -0,0 +1,131 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:15.iconv                                      Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          iconv(3) NULL pointer dereference and out-of-bounds array access
+
+Category:       core
+Module:         libc/iconv
+Announced:      2014-06-24
+Credits:        Manuel Mausz, Tijl Coosemans
+Affects:        FreeBSD 10.0
+Corrected:      2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE)
+                2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
+CVE Name:       CVE-2014-3951
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The iconv(3) API allows converting text data from one character set
+encoding to another.  Applications first open a converter between two
+encodings using iconv_open(3) and then convert text using iconv(3).
+HZ is an encoding of the GB2312 character set used for simplified
+Chinese characters.  VIQR is an encoding for Vietnamese characters.
+
+II.  Problem Description
+
+A NULL pointer dereference in the initialization code of the HZ module and
+an out of bounds array access in the initialization code of the VIQR module
+make iconv_open(3) calls involving HZ or VIQR result in an application crash.
+
+III. Impact
+
+Services where an attacker can control the arguments of an iconv_open(3)
+call can be caused to crash resulting in a denial-of-service.  For example,
+an email encoded in HZ may cause an email delivery service to crash if it
+converts emails to a more generic encoding like UTF-8 before applying
+filtering rules.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not process untrusted
+Chinese or Vietnamese input are not affected by this vulnerability.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc
+# gpg --verify iconv.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r262731
+releng/10.0/                                                      r267829
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnmqsP/1VXkGjjBB34Qh43HGxmVofB
+8Zfkc19nQtHvQaS+wAUfm10Onu2QJUPPm5OZL+kYYxJs1G4/VLTDTl/7cHBkCoA0
+abdDpRbtG6CMHfnaARpMOAkg+uvHl41pjHgr+mi4TRYivzSNp+qfw8BsPJ21DAS6
+Om6H6m+ggHjTXrtniBtQ+os2wfxbGGMJQzL94QC+tyzzFTEknIt8lgn6hboh99eV
+pQb8WnSRCPuyiw+hKHdOOS7er7ZCIy9l0VWWfyJzcZP3/W5q6qSNCdnMUNZsTk0L
+ruiUrhRjookK6/3VKb+9/YMfpB8xuQad2fk2mbQZkaxdSVJyFIfOI6Y9PJYbx9BP
+Z7Bp0qyEGs+5/CZhiSwr2E/3k7kNe+30dvbPE0SBw9JNS4T0FyzlRUM4Y8s843Lf
+GUcacSLcgCv8DUU517GmTL+UvnE+dajppr/vueRTC2T0mj8OX1qukq1Rjs9RpZkc
+l2ajo3TbMZjwwivEsJEI2706tqv2v7+xON6WrZbUvbXlp4Kw7v01pS2Z3DFIeK8d
+D9H80XuBIM6ZvMUd3NZHBGBjcxYEHvB5hM26ceCAP/ZvOSa4jp8vVQcPVONwj55n
+RvX+K66t3yGiRznjhUUL+/8T9ulcI8TomgKL+U3UXasinYU9F4v55yXRugYvgnig
+jh8e1kgmRt2rt5ZLthe5
+=Wr8S
+-----END PGP SIGNATURE-----
diff --git a/share/security/advisories/FreeBSD-SA-14:16.file.asc b/share/security/advisories/FreeBSD-SA-14:16.file.asc
new file mode 100644
index 0000000000..8282cf4329
--- /dev/null
+++ b/share/security/advisories/FreeBSD-SA-14:16.file.asc
@@ -0,0 +1,161 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:16.file                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Multiple vulnerabilities in file(1) and libmagic(3)
+
+Category:       contrib
+Module:         file
+Announced:      2014-06-24
+Affects:        All supported versions of FreeBSD.
+Corrected:      2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE)
+                2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
+                2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE)
+                2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2)
+                2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
+                2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
+                2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE)
+                2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
+CVE Name:       CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I.   Background
+
+The file(1) utility attempts to classify file system objects based on
+filesystem, magic number and language tests.
+
+The libmagic(3) library provides most of the functionality of file(1)
+and may be used by other applications.
+
+II.  Problem Description
+
+A specifically crafted Composite Document File (CDF) file can trigger an
+out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]
+
+A flaw in regular expression in the awk script detector makes use of
+multiple wildcards with unlimited repetitions. [CVE-2013-7345]
+
+A malicious input file could trigger infinite recursion in libmagic(3).
+[CVE-2014-1943]
+
+A specifically crafted Portable Executable (PE) can trigger out-of-bounds
+read. [CVE-2014-2270]
+
+III. Impact
+
+An attacker who can cause file(1) or any other applications using the
+libmagic(3) library to be run on a maliciously constructed input can
+the application to crash or consume excessive CPU resources, resulting
+in a denial-of-service.
+
+IV.  Workaround
+
+No workaround is available, but systems where file(1) and other
+libmagic(3)-using applications are never run on untrusted input are not
+vulnerable.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 9.1, 9.2, 9.3, 10.0]
+# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc
+# gpg --verify file.patch.asc
+
+[FreeBSD 8.4]
+# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc
+# gpg --verify file.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all deamons using the library, or reboot the system.
+
+3) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/8/                                                         r267828
+releng/8.4/                                                       r267832
+stable/9/                                                         r267828
+releng/9.1/                                                       r267831
+releng/9.2/                                                       r267831
+releng/9.3/                                                       r267830
+stable/10/                                                        r267828
+releng/10.0/                                                      r267829
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:16.file.asc>
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnaLsP/jwrr5b1qZ9tObnN3FXwzEjD
+jNHa3AJKHXgrYGzF8yNrZElhE48f02sr9dEXqIw/E5eElcVhi38RBEkwblE8Nj2H
+M5bzEwVS7kWPcAl1vBno1rFTHutUTOSSopBGgwlNAlWSFnr1iFIIU9dQ6kcGCnBj
+LvMx5kTSyZ707kArRrFjrDeYlPLSE/vSBOC00TqReS+3Q9By1IH5kUWesDWr+3Gk
+lvW/JzSTcyOicrGR6vRHiLn9+NKojd6pV3hqV/uxuth1OxRtiGPeodL6CyvkipMo
+rKjTgXEY2KluBGV9ff+rbeARLfUh2PDJ9Z5BfF7O8ZyMZpKkcw6MFRRfJ0xgtUZK
+vpF0u8NVMIZhHLSJ9q1Roij2POxeOETNXG2bGKtVu8pqhJ14DvMfPgamsQLhzKRX
+vBN1Gw+3RctJrQpF9HvYFOsKlfzcWyka82lw5GSsDYGH2TamU00CTQmx/5PW+WVo
+xV3C17Wj8AkmRYWeC4IzkTiZ8avVOZ+TMyJKRhL6EGBT3ramu8BFdV8oZOcHHpR/
+rAI6eZcFtNuwKuvfqHZmh84GicHDkMHXy6OiyCYUW9uNdWl7nUPMMxp/zEA6gtay
+ozVedGIIrhYkfQAJRcRAcnEBYqcBVkCD/rKXJtdALl3RDQrediRaz0nWE2bJ/qs3
+bHjS6vu9VS/3z0+pEYri
+=5Ihe
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:07/pmap.patch b/share/security/patches/EN-14:07/pmap.patch
new file mode 100644
index 0000000000..078d6e0271
--- /dev/null
+++ b/share/security/patches/EN-14:07/pmap.patch
@@ -0,0 +1,13 @@
+Index: sys/amd64/amd64/pmap.c
+===================================================================
+--- sys/amd64/amd64/pmap.c	(revision 267572)
++++ sys/amd64/amd64/pmap.c	(working copy)
+@@ -367,7 +367,7 @@ static int pmap_flags = PMAP_PDE_SUPERPAGE;	/* fla
+ 
+ static struct unrhdr pcid_unr;
+ static struct mtx pcid_mtx;
+-int pmap_pcid_enabled = 1;
++int pmap_pcid_enabled = 0;
+ SYSCTL_INT(_vm_pmap, OID_AUTO, pcid_enabled, CTLFLAG_RDTUN, &pmap_pcid_enabled,
+     0, "Is TLB Context ID enabled ?");
+ int invpcid_works = 0;
diff --git a/share/security/patches/EN-14:07/pmap.patch.asc b/share/security/patches/EN-14:07/pmap.patch.asc
new file mode 100644
index 0000000000..c076f45089
--- /dev/null
+++ b/share/security/patches/EN-14:07/pmap.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rnhbEP/2pckDzyxx2dvtY4VXOHwykV
+K8Wb0m8o2x6IpHx/lqvToBX77VneknAmfc6yNxldMTmBq5sLA4kuLp9EkH7iuFtV
+k1XcDWWGaoyLEK6Ur2f/CQOE9t0Qig5i6hVNbWCYzmjNZZGGE4Xd60rSSyQ1QN28
+JNoopI5p/wGWkDlDbw5f+foXBfbuOx1t1XWgEPRbxAXnvc6f3QBi7HQEu7GWWu04
+o5bn7+42zv3ij6aJ/zMb818Ml5cp1zeGT9VkSN17yqEdzmF+5C32caUp4qiiA5+n
+gTR56RISYT+85xK+4AXdv3kZE5ZSQlsA8wLquKDiRVNFvqH7ly6v21JbWEfJBwyz
+4iCA5I9A/Bp8z5ScouupkPimMEKCmSFwpE/Ww914x5bOaYl4xsXUQzBKs2nIWaao
+u7sR7HxW0bq9pK1iVR2kU2md+65vq98HHO1xi1wQ8Aqw9Gt3CKklubiOf36qilUE
+FCxBtumgOkHP8HWSE4oKFqLqx3GPV2j2BMSZiUE/x7gfd86FF6/fyx01NIekMpny
+Osp5rXA5jnKgHJC8M6sF/+Xag1kBaIur5wNtaPSsQASmiXs4yXY29zH3sX4AxA2n
+0fS1fItiM/US30TPGbcT0YEU8FR/CHDchUD2FjbjxntU4VSBUrnsK+ydRWiL+M0e
+q4qZ9kLz2/HzBYG54HiI
+=XjDR
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/EN-14:08/heimdal.patch b/share/security/patches/EN-14:08/heimdal.patch
new file mode 100644
index 0000000000..15e0c90afe
--- /dev/null
+++ b/share/security/patches/EN-14:08/heimdal.patch
@@ -0,0 +1,13 @@
+Index: crypto/heimdal/lib/gssapi/krb5/prf.c
+===================================================================
+--- crypto/heimdal/lib/gssapi/krb5/prf.c	(revision 267806)
++++ crypto/heimdal/lib/gssapi/krb5/prf.c	(working copy)
+@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
+     num = 0;
+     p = prf_out->value;
+     while(desired_output_len > 0) {
+-	_gsskrb5_encode_om_uint32(num, input.data);
++	_gsskrb5_encode_be_om_uint32(num, input.data);
+ 	ret = krb5_crypto_prf(context, crypto, &input, &output);
+ 	if (ret) {
+ 	    OM_uint32 junk;
diff --git a/share/security/patches/EN-14:08/heimdal.patch.asc b/share/security/patches/EN-14:08/heimdal.patch.asc
new file mode 100644
index 0000000000..df4e6ff3d8
--- /dev/null
+++ b/share/security/patches/EN-14:08/heimdal.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc/GAAoJEO1n7NZdz2rneCAP/Ay62O3KiG8sQoCgH/3aTcV2
+k0OhOBxvRsTAaiOy5EVT+BMtZWymDBWiiFZueL6jpYEy3LthqAmguj9KMWC0k6ni
+a6ETu8IzPWjqmYodqcPEM0dfDsovSzDxP2iAdKwcCrY379d/7hPvmhVR2IMt7oXj
+7aeu1zDZtubw5SkpS9Vy6X8yynuz3caxqaUjmRuumonZ+isrQxeC8taXQP/nFIs1
+F71Il7LluEf9Abieh9R1m6mVftABGju9TSvmzHtjuBd0jzInBpegDlxeD3sw4mqa
+TWHKABsd9DqEnghkTN3f0CQ+ba8/KEcN5hR+xpjWGw+8GjilkE5JswIM8W9iQK61
+BIim1dwS4WwLxIxgQtaHwSXrWq5yVrSFwq3sy5yUCa/dZVr4U+vlr4YHZtEw0V+H
+MUh8/3087XlLskNVA7zYQMyjO0f0BUVB5V28VZQJnrywPzHCP/ZHCKboqTmGA5t6
+19MaloslnSpCp73T+ooQ+aiv5j8FGKJfhXOKHkrrj6wocNq1iqsc0coVWv3TtN1J
+GAM00xKyxQLe2nVP+EPQJt1uDdNvcPfXCbNzzQbyW4wnRklBuXqIKKeZn/vYTIYE
+x0oPHPPgAihot6gP2ZZRclT0kpqdJWFGw6fjsBJINBrMPAlClwPUQtelUkueaxtz
+PGj8k8GVtsFOjgvqsRfb
+=QKVG
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:15/iconv.patch b/share/security/patches/SA-14:15/iconv.patch
new file mode 100644
index 0000000000..5ac0ac822f
--- /dev/null
+++ b/share/security/patches/SA-14:15/iconv.patch
@@ -0,0 +1,175 @@
+Index: lib/libc/iconv/citrus_prop.c
+===================================================================
+--- lib/libc/iconv/citrus_prop.c	(revision 267591)
++++ lib/libc/iconv/citrus_prop.c	(working copy)
+@@ -339,7 +339,7 @@ name_found:
+ 
+ static int
+ _citrus_prop_parse_element(struct _memstream * __restrict ms,
+-    const _citrus_prop_hint_t * __restrict hints, void ** __restrict context)
++    const _citrus_prop_hint_t * __restrict hints, void * __restrict context)
+ {
+ 	int ch, errnum;
+ #define _CITRUS_PROP_HINT_NAME_LEN_MAX	255
+@@ -435,8 +435,7 @@ _citrus_prop_parse_variable(const _citrus_prop_hin
+ 		if (ch == EOF || ch == '\0')
+ 			break;
+ 		_memstream_ungetc(&ms, ch);
+-		errnum = _citrus_prop_parse_element(
+-		    &ms, hints, (void ** __restrict)context);
++		errnum = _citrus_prop_parse_element(&ms, hints, context);
+ 		if (errnum != 0)
+ 			return (errnum);
+ 	}
+Index: lib/libc/iconv/citrus_prop.h
+===================================================================
+--- lib/libc/iconv/citrus_prop.h	(revision 267591)
++++ lib/libc/iconv/citrus_prop.h	(working copy)
+@@ -42,7 +42,7 @@ typedef struct _citrus_prop_hint_t _citrus_prop_hi
+ 
+ #define _CITRUS_PROP_CB0_T(_func_, _type_) \
+ typedef int (*_citrus_prop_##_func_##_cb_func_t) \
+-    (void ** __restrict, const char *, _type_); \
++    (void * __restrict, const char *, _type_); \
+ typedef struct { \
+ 	_citrus_prop_##_func_##_cb_func_t func; \
+ } _citrus_prop_##_func_##_cb_t;
+@@ -52,7 +52,7 @@ _CITRUS_PROP_CB0_T(str, const char *)
+ 
+ #define _CITRUS_PROP_CB1_T(_func_, _type_) \
+ typedef int (*_citrus_prop_##_func_##_cb_func_t) \
+-    (void ** __restrict, const char *, _type_, _type_); \
++    (void * __restrict, const char *, _type_, _type_); \
+ typedef struct { \
+ 	_citrus_prop_##_func_##_cb_func_t func; \
+ } _citrus_prop_##_func_##_cb_t;
+Index: lib/libiconv_modules/BIG5/citrus_big5.c
+===================================================================
+--- lib/libiconv_modules/BIG5/citrus_big5.c	(revision 267591)
++++ lib/libiconv_modules/BIG5/citrus_big5.c	(working copy)
+@@ -170,7 +170,7 @@ _citrus_BIG5_check_excludes(_BIG5EncodingInfo *ei,
+ }
+ 
+ static int
+-_citrus_BIG5_fill_rowcol(void ** __restrict ctx, const char * __restrict s,
++_citrus_BIG5_fill_rowcol(void * __restrict ctx, const char * __restrict s,
+     uint64_t start, uint64_t end)
+ {
+ 	_BIG5EncodingInfo *ei;
+@@ -189,7 +189,7 @@ static int
+ 
+ static int
+ /*ARGSUSED*/
+-_citrus_BIG5_fill_excludes(void ** __restrict ctx,
++_citrus_BIG5_fill_excludes(void * __restrict ctx,
+     const char * __restrict s __unused, uint64_t start, uint64_t end)
+ {
+ 	_BIG5EncodingInfo *ei;
+@@ -235,7 +235,6 @@ static int
+ _citrus_BIG5_encoding_module_init(_BIG5EncodingInfo * __restrict ei,
+     const void * __restrict var, size_t lenvar)
+ {
+-	void *ctx = (void *)ei;
+ 	const char *s;
+ 	int err;
+ 
+@@ -257,9 +256,9 @@ _citrus_BIG5_encoding_module_init(_BIG5EncodingInf
+ 	}
+ 
+ 	/* fallback Big5-1984, for backward compatibility. */
+-	_citrus_BIG5_fill_rowcol((void **)&ctx, "row", 0xA1, 0xFE);
+-	_citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0x40, 0x7E);
+-	_citrus_BIG5_fill_rowcol((void **)&ctx, "col", 0xA1, 0xFE);
++	_citrus_BIG5_fill_rowcol(ei, "row", 0xA1, 0xFE);
++	_citrus_BIG5_fill_rowcol(ei, "col", 0x40, 0x7E);
++	_citrus_BIG5_fill_rowcol(ei, "col", 0xA1, 0xFE);
+ 
+ 	return (0);
+ }
+Index: lib/libiconv_modules/HZ/citrus_hz.c
+===================================================================
+--- lib/libiconv_modules/HZ/citrus_hz.c	(revision 267591)
++++ lib/libiconv_modules/HZ/citrus_hz.c	(working copy)
+@@ -65,8 +65,8 @@ typedef enum {
+ } charset_t;
+ 
+ typedef struct {
++	int	 start;
+ 	int	 end;
+-	int	 start;
+ 	int	 width;
+ } range_t;
+ 
+@@ -503,12 +503,12 @@ _citrus_HZ_encoding_module_uninit(_HZEncodingInfo
+ }
+ 
+ static int
+-_citrus_HZ_parse_char(void **context, const char *name __unused, const char *s)
++_citrus_HZ_parse_char(void *context, const char *name __unused, const char *s)
+ {
+ 	escape_t *escape;
+ 	void **p;
+ 
+-	p = (void **)*context;
++	p = (void **)context;
+ 	escape = (escape_t *)p[0];
+ 	if (escape->ch != '\0')
+ 		return (EINVAL);
+@@ -520,7 +520,7 @@ static int
+ }
+ 
+ static int
+-_citrus_HZ_parse_graphic(void **context, const char *name, const char *s)
++_citrus_HZ_parse_graphic(void *context, const char *name, const char *s)
+ {
+ 	_HZEncodingInfo *ei;
+ 	escape_t *escape;
+@@ -527,7 +527,7 @@ static int
+ 	graphic_t *graphic;
+ 	void **p;
+ 
+-	p = (void **)*context;
++	p = (void **)context;
+ 	escape = (escape_t *)p[0];
+ 	ei = (_HZEncodingInfo *)p[1];
+ 	graphic = malloc(sizeof(*graphic));
+@@ -589,13 +589,13 @@ _CITRUS_PROP_HINT_END
+ };
+ 
+ static int
+-_citrus_HZ_parse_escape(void **context, const char *name, const char *s)
++_citrus_HZ_parse_escape(void *context, const char *name, const char *s)
+ {
+ 	_HZEncodingInfo *ei;
+ 	escape_t *escape;
+ 	void *p[2];
+ 
+-	ei = (_HZEncodingInfo *)*context;
++	ei = (_HZEncodingInfo *)context;
+ 	escape = malloc(sizeof(*escape));
+ 	if (escape == NULL)
+ 		return (EINVAL);
+Index: lib/libiconv_modules/VIQR/citrus_viqr.c
+===================================================================
+--- lib/libiconv_modules/VIQR/citrus_viqr.c	(revision 267591)
++++ lib/libiconv_modules/VIQR/citrus_viqr.c	(working copy)
+@@ -431,7 +431,6 @@ static int
+ _citrus_VIQR_encoding_module_init(_VIQREncodingInfo * __restrict ei,
+     const void * __restrict var __unused, size_t lenvar __unused)
+ {
+-	const mnemonic_def_t *p;
+ 	const char *s;
+ 	size_t i, n;
+ 	int errnum;
+@@ -455,7 +454,10 @@ _citrus_VIQR_encoding_module_init(_VIQREncodingInf
+ 			return (errnum);
+ 		}
+ 	}
+-	for (i = 0;; ++i) {
++	/* a + 1 < b + 1 here to silence gcc warning about unsigned < 0. */
++	for (i = 0; i + 1 < mnemonic_ext_size + 1; ++i) {
++		const mnemonic_def_t *p;
++
+ 		p = &mnemonic_ext[i];
+ 		n = strlen(p->name);
+ 		if (ei->mb_cur_max < n)
diff --git a/share/security/patches/SA-14:15/iconv.patch.asc b/share/security/patches/SA-14:15/iconv.patch.asc
new file mode 100644
index 0000000000..6a6932e09b
--- /dev/null
+++ b/share/security/patches/SA-14:15/iconv.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnGpkP/0rm6huVPDIo3qTvfuXyKVvX
+MGbc8+35EfDSUxAYLkQIJxiEF88+chJrEqyivP311+IMFUXdyplQvXQiZcTKXdPp
+hYVa7wCeC7BbdXILiw+hi9J5TI4QiE+b4Kmn83DIS/iYols4tRpUVXN4OCFaO3BR
+oW5RuCI/VBVqwUm+3pZhz1GuzPOmZo+8KxdHk3nmSmoad6SNvPB0W3QY53P2J96E
+8euOJGM/38QWav2g7QsQeI+MAx2jcxUmRIQVfCblfXG1O0izNjuC8hjqJptSvBpc
+uvJAhQxptludfAa7/ZnW4ws/dJz4ekNSlerjRpNiXE0Hr2r2TAM8cFwG9AbVThga
+wZ8+rHFOC30kIJ6uvZbpTPHNSHxu4pVyOOoh4Tfr1xpDqb/3ktSXfXX6bgXPrhMI
+PdBVVACYGbdurQU8Z65JbMmNx96Sl79w8mOHrMSeVS3pRL7FtJ4J+c8sOLyiaouM
+kIf+vbqSPHRqpkCtmmKP6QM+qrfhrlzmYwyNTE2pKautaGNCyAMY3lrKhbEr7llK
+L4YZ9/9Z6ivZZZDhAZbzcJrWQOuW0wmt7E2CyC1TOHOBjI6202J/++ZWSmmsexWF
+mWNai/3IqCGd24unHHxdrTUSw+b99pL+HAgAdTQZ2dg3Qh/qC0PAcICBoWDgS0sM
+Q34JUXT4cVpCqHeFhPkp
+=gJzF
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:16/file-8.4.patch b/share/security/patches/SA-14:16/file-8.4.patch
new file mode 100644
index 0000000000..179c84851c
--- /dev/null
+++ b/share/security/patches/SA-14:16/file-8.4.patch
@@ -0,0 +1,1891 @@
+Index: contrib/file/ascmagic.c
+===================================================================
+--- contrib/file/ascmagic.c	(revision 267806)
++++ contrib/file/ascmagic.c	(working copy)
+@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms,
+ 	if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL)
+ 		goto done;
+ 	if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf),
+-	    TEXTTEST)) != 0)
++	    0, TEXTTEST)) != 0)
+ 		goto done;
+ 	else
+ 		rv = -1;
+Index: contrib/file/cdf.c
+===================================================================
+--- contrib/file/cdf.c	(revision 267806)
++++ contrib/file/cdf.c	(working copy)
+@@ -24,15 +24,18 @@
+  * POSSIBILITY OF SUCH DAMAGE.
+  */
+ /*
+- * Parse composite document files, the format used in Microsoft Office
+- * document files before they switched to zipped xml.
++ * Parse Composite Document Files, the format used in Microsoft Office
++ * document files before they switched to zipped XML.
+  * Info from: http://sc.openoffice.org/compdocfileformat.pdf
++ *
++ * N.B. This is the "Composite Document File" format, and not the
++ * "Compound Document Format", nor the "Channel Definition Format".
+  */
+ 
+ #include "file.h"
+ 
+ #ifndef lint
+-FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:47 christos Exp $")
++FILE_RCSID("@(#)$File: cdf.c,v 1.49 2012/02/20 20:04:37 christos Exp $")
+ #endif
+ 
+ #include <assert.h>
+@@ -44,6 +47,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <ctype.h>
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
+ 
+ #ifndef EFTYPE
+ #define EFTYPE EINVAL
+@@ -51,10 +57,6 @@
+ 
+ #include "cdf.h"
+ 
+-#ifndef __arraycount
+-#define __arraycount(a) (sizeof(a) / sizeof(a[0]))
+-#endif
+-
+ #ifdef CDF_DEBUG
+ #define DPRINTF(a) printf a, fflush(stdout)
+ #else
+@@ -68,19 +70,21 @@ static union {
+ 
+ #define NEED_SWAP	(cdf_bo.u == (uint32_t)0x01020304)
+ 
+-#define CDF_TOLE8(x)	(NEED_SWAP ? cdf_tole8(x) : (uint64_t)(x))
+-#define CDF_TOLE4(x)	(NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x))
+-#define CDF_TOLE2(x)	(NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x))
++#define CDF_TOLE8(x)	((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x)))
++#define CDF_TOLE4(x)	((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x)))
++#define CDF_TOLE2(x)	((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x)))
++#define CDF_GETUINT32(x, y)	cdf_getuint32(x, y)
+ 
++
+ /*
+  * swap a short
+  */
+-uint16_t
+-cdf_tole2(uint16_t sv)
++static uint16_t
++_cdf_tole2(uint16_t sv)
+ {
+ 	uint16_t rv;
+-	uint8_t *s = (uint8_t *)(void *)&sv; 
+-	uint8_t *d = (uint8_t *)(void *)&rv; 
++	uint8_t *s = (uint8_t *)(void *)&sv;
++	uint8_t *d = (uint8_t *)(void *)&rv;
+ 	d[0] = s[1];
+ 	d[1] = s[0];
+ 	return rv;
+@@ -89,12 +93,12 @@ static union {
+ /*
+  * swap an int
+  */
+-uint32_t
+-cdf_tole4(uint32_t sv)
++static uint32_t
++_cdf_tole4(uint32_t sv)
+ {
+ 	uint32_t rv;
+-	uint8_t *s = (uint8_t *)(void *)&sv; 
+-	uint8_t *d = (uint8_t *)(void *)&rv; 
++	uint8_t *s = (uint8_t *)(void *)&sv;
++	uint8_t *d = (uint8_t *)(void *)&rv;
+ 	d[0] = s[3];
+ 	d[1] = s[2];
+ 	d[2] = s[1];
+@@ -105,12 +109,12 @@ static union {
+ /*
+  * swap a quad
+  */
+-uint64_t
+-cdf_tole8(uint64_t sv)
++static uint64_t
++_cdf_tole8(uint64_t sv)
+ {
+ 	uint64_t rv;
+-	uint8_t *s = (uint8_t *)(void *)&sv; 
+-	uint8_t *d = (uint8_t *)(void *)&rv; 
++	uint8_t *s = (uint8_t *)(void *)&sv;
++	uint8_t *d = (uint8_t *)(void *)&rv;
+ 	d[0] = s[7];
+ 	d[1] = s[6];
+ 	d[2] = s[5];
+@@ -122,11 +126,41 @@ static union {
+ 	return rv;
+ }
+ 
++/*
++ * grab a uint32_t from a possibly unaligned address, and return it in
++ * the native host order.
++ */
++static uint32_t
++cdf_getuint32(const uint8_t *p, size_t offs)
++{
++	uint32_t rv;
++	(void)memcpy(&rv, p + offs * sizeof(uint32_t), sizeof(rv));
++	return CDF_TOLE4(rv);
++}
++
+ #define CDF_UNPACK(a)	\
+     (void)memcpy(&(a), &buf[len], sizeof(a)), len += sizeof(a)
+ #define CDF_UNPACKA(a)	\
+     (void)memcpy((a), &buf[len], sizeof(a)), len += sizeof(a)
+ 
++uint16_t
++cdf_tole2(uint16_t sv)
++{
++	return CDF_TOLE2(sv);
++}
++
++uint32_t
++cdf_tole4(uint32_t sv)
++{
++	return CDF_TOLE4(sv);
++}
++
++uint64_t
++cdf_tole8(uint64_t sv)
++{
++	return CDF_TOLE8(sv);
++}
++
+ void
+ cdf_swap_header(cdf_header_t *h)
+ {
+@@ -145,15 +179,15 @@ cdf_swap_header(cdf_header_t *h)
+ 	h->h_min_size_standard_stream =
+ 	    CDF_TOLE4(h->h_min_size_standard_stream);
+ 	h->h_secid_first_sector_in_short_sat =
+-	    CDF_TOLE4(h->h_secid_first_sector_in_short_sat);
++	    CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_short_sat);
+ 	h->h_num_sectors_in_short_sat =
+ 	    CDF_TOLE4(h->h_num_sectors_in_short_sat);
+ 	h->h_secid_first_sector_in_master_sat =
+-	    CDF_TOLE4(h->h_secid_first_sector_in_master_sat);
++	    CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_master_sat);
+ 	h->h_num_sectors_in_master_sat =
+ 	    CDF_TOLE4(h->h_num_sectors_in_master_sat);
+ 	for (i = 0; i < __arraycount(h->h_master_sat); i++)
+-		h->h_master_sat[i] = CDF_TOLE4(h->h_master_sat[i]);
++		h->h_master_sat[i] = CDF_TOLE4((uint32_t)h->h_master_sat[i]);
+ }
+ 
+ void
+@@ -186,15 +220,15 @@ void
+ cdf_swap_dir(cdf_directory_t *d)
+ {
+ 	d->d_namelen = CDF_TOLE2(d->d_namelen);
+-	d->d_left_child = CDF_TOLE4(d->d_left_child);
+-	d->d_right_child = CDF_TOLE4(d->d_right_child);
+-	d->d_storage = CDF_TOLE4(d->d_storage);
++	d->d_left_child = CDF_TOLE4((uint32_t)d->d_left_child);
++	d->d_right_child = CDF_TOLE4((uint32_t)d->d_right_child);
++	d->d_storage = CDF_TOLE4((uint32_t)d->d_storage);
+ 	d->d_storage_uuid[0] = CDF_TOLE8(d->d_storage_uuid[0]);
+ 	d->d_storage_uuid[1] = CDF_TOLE8(d->d_storage_uuid[1]);
+ 	d->d_flags = CDF_TOLE4(d->d_flags);
+-	d->d_created = CDF_TOLE8(d->d_created);
+-	d->d_modified = CDF_TOLE8(d->d_modified);
+-	d->d_stream_first_sector = CDF_TOLE4(d->d_stream_first_sector);
++	d->d_created = CDF_TOLE8((uint64_t)d->d_created);
++	d->d_modified = CDF_TOLE8((uint64_t)d->d_modified);
++	d->d_stream_first_sector = CDF_TOLE4((uint32_t)d->d_stream_first_sector);
+ 	d->d_size = CDF_TOLE4(d->d_size);
+ }
+ 
+@@ -228,14 +262,18 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf)
+ }
+ 
+ static int
+-cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail)
++cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
++    const void *p, size_t tail, int line)
+ {
+ 	const char *b = (const char *)sst->sst_tab;
+ 	const char *e = ((const char *)p) + tail;
+-	if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len)
++	(void)&line;
++	if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
+ 		return 0;
+-	DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e,
+-	    (size_t)(e - b), sst->sst_dirlen * sst->sst_len));
++	DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
++	    " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
++	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
++	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
+ 	errno = EFTYPE;
+ 	return -1;
+ }
+@@ -278,7 +316,8 @@ cdf_read_header(const cdf_info_t *info, cdf_header
+ 	cdf_unpack_header(h, buf);
+ 	cdf_swap_header(h);
+ 	if (h->h_magic != CDF_MAGIC) {
+-		DPRINTF(("Bad magic 0x%llx != 0x%llx\n",
++		DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%"
++		    INT64_T_FORMAT "x\n",
+ 		    (unsigned long long)h->h_magic,
+ 		    (unsigned long long)CDF_MAGIC));
+ 		goto out;
+@@ -303,9 +342,10 @@ ssize_t
+ cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len,
+     const cdf_header_t *h, cdf_secid_t id)
+ {
+-	assert((size_t)CDF_SEC_SIZE(h) == len);
+-	return cdf_read(info, (off_t)CDF_SEC_POS(h, id),
+-	    ((char *)buf) + offs, len);
++	size_t ss = CDF_SEC_SIZE(h);
++	size_t pos = CDF_SEC_POS(h, id);
++	assert(ss == len);
++	return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len);
+ }
+ 
+ ssize_t
+@@ -312,9 +352,17 @@ ssize_t
+ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+     size_t len, const cdf_header_t *h, cdf_secid_t id)
+ {
+-	assert((size_t)CDF_SHORT_SEC_SIZE(h) == len);
++	size_t ss = CDF_SHORT_SEC_SIZE(h);
++	size_t pos = CDF_SHORT_SEC_POS(h, id);
++	assert(ss == len);
++	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
++		    SIZE_T_FORMAT "u\n",
++		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
++		return -1;
++	}
+ 	(void)memcpy(((char *)buf) + offs,
+-	    ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len);
++	    ((const char *)sst->sst_tab) + pos, len);
+ 	return len;
+ }
+ 
+@@ -334,17 +382,20 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t
+ 			break;
+ 
+ #define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss))
+-	if (h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec ||
++	if ((nsatpersec > 0 &&
++	    h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) ||
+ 	    i > CDF_SEC_LIMIT) {
+-		DPRINTF(("Number of sectors in master SAT too big %u %zu\n",
+-		    h->h_num_sectors_in_master_sat, i));
++		DPRINTF(("Number of sectors in master SAT too big %u %"
++		    SIZE_T_FORMAT "u\n", h->h_num_sectors_in_master_sat, i));
+ 		errno = EFTYPE;
+ 		return -1;
+ 	}
+ 
+ 	sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i;
+-	DPRINTF(("sat_len = %zu ss = %zu\n", sat->sat_len, ss));
+-	if ((sat->sat_tab = calloc(sat->sat_len, ss)) == NULL)
++	DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n",
++	    sat->sat_len, ss));
++	if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss)))
++	    == NULL)
+ 		return -1;
+ 
+ 	for (i = 0; i < __arraycount(h->h_master_sat); i++) {
+@@ -357,7 +408,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t
+ 		}
+ 	}
+ 
+-	if ((msa = calloc(1, ss)) == NULL)
++	if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL)
+ 		goto out1;
+ 
+ 	mid = h->h_secid_first_sector_in_master_sat;
+@@ -374,12 +425,12 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t
+ 			goto out2;
+ 		}
+ 		for (k = 0; k < nsatpersec; k++, i++) {
+-			sec = CDF_TOLE4(msa[k]);
++			sec = CDF_TOLE4((uint32_t)msa[k]);
+ 			if (sec < 0)
+ 				goto out;
+ 			if (i >= sat->sat_len) {
+-			    DPRINTF(("Out of bounds reading MSA %u >= %u",
+-				i, sat->sat_len));
++			    DPRINTF(("Out of bounds reading MSA %" SIZE_T_FORMAT
++				"u >= %" SIZE_T_FORMAT "u", i, sat->sat_len));
+ 			    errno = EFTYPE;
+ 			    goto out2;
+ 			}
+@@ -390,7 +441,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t
+ 				goto out2;
+ 			}
+ 		}
+-		mid = CDF_TOLE4(msa[nsatpersec]);
++		mid = CDF_TOLE4((uint32_t)msa[nsatpersec]);
+ 	}
+ out:
+ 	sat->sat_len = i;
+@@ -422,7 +473,7 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
+-		sid = CDF_TOLE4(sat->sat_tab[sid]);
++		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
+ 	}
+ 	DPRINTF(("\n"));
+ 	return i;
+@@ -452,7 +503,8 @@ cdf_read_long_sector_chain(const cdf_info_t *info,
+ 		}
+ 		if (i >= scn->sst_len) {
+ 			DPRINTF(("Out of bounds reading long sector chain "
+-			    "%u > %u\n", i, scn->sst_len));
++			    "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i,
++			    scn->sst_len));
+ 			errno = EFTYPE;
+ 			goto out;
+ 		}
+@@ -465,7 +517,7 @@ cdf_read_long_sector_chain(const cdf_info_t *info,
+ 			DPRINTF(("Reading long sector chain %d", sid));
+ 			goto out;
+ 		}
+-		sid = CDF_TOLE4(sat->sat_tab[sid]);
++		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
+ 	}
+ 	return 0;
+ out:
+@@ -497,7 +549,8 @@ cdf_read_short_sector_chain(const cdf_header_t *h,
+ 		}
+ 		if (i >= scn->sst_len) {
+ 			DPRINTF(("Out of bounds reading short sector chain "
+-			    "%u > %u\n", i, scn->sst_len));
++			    "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n",
++			    i, scn->sst_len));
+ 			errno = EFTYPE;
+ 			goto out;
+ 		}
+@@ -506,7 +559,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h,
+ 			DPRINTF(("Reading short sector chain %d", sid));
+ 			goto out;
+ 		}
+-		sid = CDF_TOLE4(ssat->sat_tab[sid]);
++		sid = CDF_TOLE4((uint32_t)ssat->sat_tab[sid]);
+ 	}
+ 	return 0;
+ out:
+@@ -520,7 +573,7 @@ cdf_read_sector_chain(const cdf_info_t *info, cons
+     cdf_secid_t sid, size_t len, cdf_stream_t *scn)
+ {
+ 
+-	if (len < h->h_min_size_standard_stream)
++	if (len < h->h_min_size_standard_stream && sst->sst_tab != NULL)
+ 		return cdf_read_short_sector_chain(h, ssat, sst, sid, len,
+ 		    scn);
+ 	else
+@@ -543,11 +596,12 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea
+ 	nd = ss / CDF_DIRECTORY_SIZE;
+ 
+ 	dir->dir_len = ns * nd;
+-	dir->dir_tab = calloc(dir->dir_len, sizeof(dir->dir_tab[0]));
++	dir->dir_tab = CAST(cdf_directory_t *,
++	    calloc(dir->dir_len, sizeof(dir->dir_tab[0])));
+ 	if (dir->dir_tab == NULL)
+ 		return -1;
+ 
+-	if ((buf = malloc(ss)) == NULL) {
++	if ((buf = CAST(char *, malloc(ss))) == NULL) {
+ 		free(dir->dir_tab);
+ 		return -1;
+ 	}
+@@ -566,7 +620,7 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea
+ 			cdf_unpack_dir(&dir->dir_tab[i * nd + j],
+ 			    &buf[j * CDF_DIRECTORY_SIZE]);
+ 		}
+-		sid = CDF_TOLE4(sat->sat_tab[sid]);
++		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
+ 	}
+ 	if (NEED_SWAP)
+ 		for (i = 0; i < dir->dir_len; i++)
+@@ -592,7 +646,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he
+ 	if (ssat->sat_len == (size_t)-1)
+ 		return -1;
+ 
+-	ssat->sat_tab = calloc(ssat->sat_len, ss);
++	ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss));
+ 	if (ssat->sat_tab == NULL)
+ 		return -1;
+ 
+@@ -604,7 +658,8 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he
+ 		}
+ 		if (i >= ssat->sat_len) {
+ 			DPRINTF(("Out of bounds reading short sector chain "
+-			    "%u > %u\n", i, ssat->sat_len));
++			    "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i,
++			    ssat->sat_len));
+ 			errno = EFTYPE;
+ 			goto out;
+ 		}
+@@ -613,7 +668,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he
+ 			DPRINTF(("Reading short sat sector %d", sid));
+ 			goto out;
+ 		}
+-		sid = CDF_TOLE4(sat->sat_tab[sid]);
++		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
+ 	}
+ 	return 0;
+ out:
+@@ -641,7 +696,7 @@ cdf_read_short_stream(const cdf_info_t *info, cons
+ 	if (d->d_stream_first_sector < 0)
+ 		goto out;
+ 
+-	return  cdf_read_long_sector_chain(info, h, sat,
++	return	cdf_read_long_sector_chain(info, h, sat,
+ 	    d->d_stream_first_sector, d->d_size, scn);
+ out:
+ 	scn->sst_tab = NULL;
+@@ -668,29 +723,29 @@ cdf_read_summary_info(const cdf_info_t *info, cons
+ 	const cdf_directory_t *d;
+ 	static const char name[] = "\05SummaryInformation";
+ 
+-	for (i = 0; i < dir->dir_len; i++)
+-		if (dir->dir_tab[i].d_type == CDF_DIR_TYPE_USER_STREAM &&
+-		    cdf_namecmp(name, dir->dir_tab[i].d_name, sizeof(name))
++	for (i = dir->dir_len; i > 0; i--)
++		if (dir->dir_tab[i - 1].d_type == CDF_DIR_TYPE_USER_STREAM &&
++		    cdf_namecmp(name, dir->dir_tab[i - 1].d_name, sizeof(name))
+ 		    == 0)
+ 			break;
+ 
+-	if (i == dir->dir_len) {
++	if (i == 0) {
+ 		DPRINTF(("Cannot find summary information section\n"));
+-		errno = EFTYPE;
++		errno = ESRCH;
+ 		return -1;
+ 	}
+-	d = &dir->dir_tab[i];
++	d = &dir->dir_tab[i - 1];
+ 	return cdf_read_sector_chain(info, h, sat, ssat, sst,
+ 	    d->d_stream_first_sector, d->d_size, scn);
+ }
+ 
+ int
+-cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs,
+-    cdf_property_info_t **info, size_t *count, size_t *maxcount)
++cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
++    uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount)
+ {
+ 	const cdf_section_header_t *shp;
+ 	cdf_section_header_t sh;
+-	const uint32_t *p, *q, *e;
++	const uint8_t *p, *q, *e;
+ 	int16_t s16;
+ 	int32_t s32;
+ 	uint32_t u32;
+@@ -697,7 +752,7 @@ int
+ 	int64_t s64;
+ 	uint64_t u64;
+ 	cdf_timestamp_t tp;
+-	size_t i, o, nelements, j;
++	size_t i, o, o4, nelements, j;
+ 	cdf_property_info_t *inp;
+ 
+ 	if (offs > UINT32_MAX / 4) {
+@@ -704,8 +759,9 @@ int
+ 		errno = EFTYPE;
+ 		goto out;
+ 	}
+-	shp = (const void *)((const char *)sst->sst_tab + offs);
+-	if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1)
++	shp = CAST(const cdf_section_header_t *, (const void *)
++	    ((const char *)sst->sst_tab + offs));
++	if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1)
+ 		goto out;
+ 	sh.sh_len = CDF_TOLE4(shp->sh_len);
+ #define CDF_SHLEN_LIMIT (UINT32_MAX / 8)
+@@ -723,10 +779,12 @@ int
+ 		if (*maxcount > CDF_PROP_LIMIT)
+ 			goto out;
+ 		*maxcount += sh.sh_properties;
+-		inp = realloc(*info, *maxcount * sizeof(*inp));
++		inp = CAST(cdf_property_info_t *,
++		    realloc(*info, *maxcount * sizeof(*inp)));
+ 	} else {
+ 		*maxcount = sh.sh_properties;
+-		inp = malloc(*maxcount * sizeof(*inp));
++		inp = CAST(cdf_property_info_t *,
++		    malloc(*maxcount * sizeof(*inp)));
+ 	}
+ 	if (inp == NULL)
+ 		goto out;
+@@ -733,65 +791,87 @@ int
+ 	*info = inp;
+ 	inp += *count;
+ 	*count += sh.sh_properties;
+-	p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh));
+-	e = (const void *)(((const char *)shp) + sh.sh_len);
+-	if (cdf_check_stream_offset(sst, e, 0) == -1)
++	p = CAST(const uint8_t *, (const void *)
++	    ((const char *)(const void *)sst->sst_tab +
++	    offs + sizeof(sh)));
++	e = CAST(const uint8_t *, (const void *)
++	    (((const char *)(const void *)shp) + sh.sh_len));
++	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ 		goto out;
+ 	for (i = 0; i < sh.sh_properties; i++) {
+-		q = (const uint32_t *)((const char *)p +
+-		    CDF_TOLE4(p[(i << 1) + 1])) - 2;
++		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++		q = (const uint8_t *)(const void *)
++		    ((const char *)(const void *)p + ofs
++		    - 2 * sizeof(uint32_t));
+ 		if (q > e) {
+ 			DPRINTF(("Ran of the end %p > %p\n", q, e));
+ 			goto out;
+ 		}
+-		inp[i].pi_id = CDF_TOLE4(p[i << 1]);
+-		inp[i].pi_type = CDF_TOLE4(q[0]);
+-		DPRINTF(("%d) id=%x type=%x offs=%x\n", i, inp[i].pi_id,
+-		    inp[i].pi_type, (const char *)q - (const char *)p));
++		inp[i].pi_id = CDF_GETUINT32(p, i << 1);
++		inp[i].pi_type = CDF_GETUINT32(q, 0);
++		DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n",
++		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
+ 		if (inp[i].pi_type & CDF_VECTOR) {
+-			nelements = CDF_TOLE4(q[1]);
++			nelements = CDF_GETUINT32(q, 1);
+ 			o = 2;
+ 		} else {
+ 			nelements = 1;
+ 			o = 1;
+ 		}
++		o4 = o * sizeof(uint32_t);
+ 		if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED))
+ 			goto unknown;
+ 		switch (inp[i].pi_type & CDF_TYPEMASK) {
++		case CDF_NULL:
+ 		case CDF_EMPTY:
+ 			break;
+ 		case CDF_SIGNED16:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&s16, &q[o], sizeof(s16));
++			(void)memcpy(&s16, &q[o4], sizeof(s16));
+ 			inp[i].pi_s16 = CDF_TOLE2(s16);
+ 			break;
+ 		case CDF_SIGNED32:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&s32, &q[o], sizeof(s32));
+-			inp[i].pi_s32 = CDF_TOLE4(s32);
++			(void)memcpy(&s32, &q[o4], sizeof(s32));
++			inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32);
+ 			break;
+ 		case CDF_BOOL:
+ 		case CDF_UNSIGNED32:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&u32, &q[o], sizeof(u32));
++			(void)memcpy(&u32, &q[o4], sizeof(u32));
+ 			inp[i].pi_u32 = CDF_TOLE4(u32);
+ 			break;
+ 		case CDF_SIGNED64:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&s64, &q[o], sizeof(s64));
+-			inp[i].pi_s64 = CDF_TOLE4(s64);
++			(void)memcpy(&s64, &q[o4], sizeof(s64));
++			inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64);
+ 			break;
+ 		case CDF_UNSIGNED64:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&u64, &q[o], sizeof(u64));
+-			inp[i].pi_u64 = CDF_TOLE4(u64);
++			(void)memcpy(&u64, &q[o4], sizeof(u64));
++			inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64);
+ 			break;
++		case CDF_FLOAT:
++			if (inp[i].pi_type & CDF_VECTOR)
++				goto unknown;
++			(void)memcpy(&u32, &q[o4], sizeof(u32));
++			u32 = CDF_TOLE4(u32);
++			memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f));
++			break;
++		case CDF_DOUBLE:
++			if (inp[i].pi_type & CDF_VECTOR)
++				goto unknown;
++			(void)memcpy(&u64, &q[o4], sizeof(u64));
++			u64 = CDF_TOLE8((uint64_t)u64);
++			memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d));
++			break;
+ 		case CDF_LENGTH32_STRING:
++		case CDF_LENGTH32_WSTRING:
+ 			if (nelements > 1) {
+ 				size_t nelem = inp - *info;
+ 				if (*maxcount > CDF_PROP_LIMIT
+@@ -798,22 +878,30 @@ int
+ 				    || nelements > CDF_PROP_LIMIT)
+ 					goto out;
+ 				*maxcount += nelements;
+-				inp = realloc(*info, *maxcount * sizeof(*inp));
++				inp = CAST(cdf_property_info_t *,
++				    realloc(*info, *maxcount * sizeof(*inp)));
+ 				if (inp == NULL)
+ 					goto out;
+ 				*info = inp;
+ 				inp = *info + nelem;
+ 			}
+-			DPRINTF(("nelements = %d\n", nelements));
++			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
++			    nelements));
+ 			for (j = 0; j < nelements; j++, i++) {
+-				uint32_t l = CDF_TOLE4(q[o]);
++				uint32_t l = CDF_GETUINT32(q, o);
+ 				inp[i].pi_str.s_len = l;
+-				inp[i].pi_str.s_buf = (const char *)(&q[o+1]);
+-				DPRINTF(("l = %d, r = %d, s = %s\n", l,
++				inp[i].pi_str.s_buf = (const char *)
++				    (const void *)(&q[o4 + sizeof(l)]);
++				DPRINTF(("l = %d, r = %" SIZE_T_FORMAT
++				    "u, s = %s\n", l,
+ 				    CDF_ROUND(l, sizeof(l)),
+ 				    inp[i].pi_str.s_buf));
+-				l = 4 + CDF_ROUND(l, sizeof(l));
+-				o += l >> 2;
++				if (l & 1)
++					l++;
++				o += l >> 1;
++				if (q + o >= e)
++					goto out;
++				o4 = o * sizeof(uint32_t);
+ 			}
+ 			i--;
+ 			break;
+@@ -820,8 +908,8 @@ int
+ 		case CDF_FILETIME:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+ 				goto unknown;
+-			(void)memcpy(&tp, &q[o], sizeof(tp));
+-			inp[i].pi_tp = CDF_TOLE8(tp);
++			(void)memcpy(&tp, &q[o4], sizeof(tp));
++			inp[i].pi_tp = CDF_TOLE8((uint64_t)tp);
+ 			break;
+ 		case CDF_CLIPBOARD:
+ 			if (inp[i].pi_type & CDF_VECTOR)
+@@ -831,7 +919,7 @@ int
+ 		unknown:
+ 			DPRINTF(("Don't know how to deal with %x\n",
+ 			    inp[i].pi_type));
+-			goto out;
++			break;
+ 		}
+ 	}
+ 	return 0;
+@@ -841,16 +929,18 @@ out:
+ }
+ 
+ int
+-cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi,
+-    cdf_property_info_t **info, size_t *count)
++cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
++    cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
+ {
+ 	size_t i, maxcount;
+-	const cdf_summary_info_header_t *si = sst->sst_tab;
+-	const cdf_section_declaration_t *sd = (const void *)
+-	    ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET);
++	const cdf_summary_info_header_t *si =
++	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
++	const cdf_section_declaration_t *sd =
++	    CAST(const cdf_section_declaration_t *, (const void *)
++	    ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET));
+ 
+-	if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 ||
+-	    cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1)
++	if (cdf_check_stream_offset(sst, h, si, sizeof(*si), __LINE__) == -1 ||
++	    cdf_check_stream_offset(sst, h, sd, sizeof(*sd), __LINE__) == -1)
+ 		return -1;
+ 	ssi->si_byte_order = CDF_TOLE2(si->si_byte_order);
+ 	ssi->si_os_version = CDF_TOLE2(si->si_os_version);
+@@ -867,9 +957,10 @@ int
+ 			errno = EFTYPE;
+ 			return -1;
+ 		}
+-		if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset),
+-		    info, count, &maxcount) == -1)
++		if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
++		    info, count, &maxcount) == -1) {
+ 			return -1;
++		}
+ 	}
+ 	return 0;
+ }
+@@ -926,32 +1017,32 @@ cdf_print_property_name(char *buf, size_t bufsiz,
+ int
+ cdf_print_elapsed_time(char *buf, size_t bufsiz, cdf_timestamp_t ts)
+ {
+-	size_t len = 0;
++	int len = 0;
+ 	int days, hours, mins, secs;
+ 
+ 	ts /= CDF_TIME_PREC;
+-	secs = ts % 60;
++	secs = (int)(ts % 60);
+ 	ts /= 60;
+-	mins = ts % 60;
++	mins = (int)(ts % 60);
+ 	ts /= 60;
+-	hours = ts % 24;
++	hours = (int)(ts % 24);
+ 	ts /= 24;
+-	days = ts;
++	days = (int)ts;
+ 
+ 	if (days) {
+ 		len += snprintf(buf + len, bufsiz - len, "%dd+", days);
+-		if (len >= bufsiz)
++		if ((size_t)len >= bufsiz)
+ 			return len;
+ 	}
+ 
+ 	if (days || hours) {
+ 		len += snprintf(buf + len, bufsiz - len, "%.2d:", hours);
+-		if (len >= bufsiz)
++		if ((size_t)len >= bufsiz)
+ 			return len;
+ 	}
+ 
+ 	len += snprintf(buf + len, bufsiz - len, "%.2d:", mins);
+-	if (len >= bufsiz)
++	if ((size_t)len >= bufsiz)
+ 		return len;
+ 
+ 	len += snprintf(buf + len, bufsiz - len, "%.2d", secs);
+@@ -994,13 +1085,14 @@ cdf_dump_sat(const char *prefix, const cdf_sat_t *
+ 	size_t i, j, s = size / sizeof(cdf_secid_t);
+ 
+ 	for (i = 0; i < sat->sat_len; i++) {
+-		(void)fprintf(stderr, "%s[%zu]:\n%.6d: ", prefix, i, i * s);
++		(void)fprintf(stderr, "%s[%" SIZE_T_FORMAT "u]:\n%.6"
++		    SIZE_T_FORMAT "u: ", prefix, i, i * s);
+ 		for (j = 0; j < s; j++) {
+ 			(void)fprintf(stderr, "%5d, ",
+ 			    CDF_TOLE4(sat->sat_tab[s * i + j]));
+ 			if ((j + 1) % 10 == 0)
+-				(void)fprintf(stderr, "\n%.6d: ",
+-				    i * s + j + 1);
++				(void)fprintf(stderr, "\n%.6" SIZE_T_FORMAT
++				    "u: ", i * s + j + 1);
+ 		}
+ 		(void)fprintf(stderr, "\n");
+ 	}
+@@ -1019,7 +1111,8 @@ cdf_dump(void *v, size_t len)
+ 		if (j == 16) {
+ 			j = 0;
+ 			abuf[15] = '\0';
+-			(void)fprintf(stderr, "%s\n%.4x: ", abuf, i + 1);
++			(void)fprintf(stderr, "%s\n%.4" SIZE_T_FORMAT "x: ",
++			    abuf, i + 1);
+ 		}
+ 	}
+ 	(void)fprintf(stderr, "\n");
+@@ -1051,7 +1144,8 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea
+ 		d = &dir->dir_tab[i];
+ 		for (j = 0; j < sizeof(name); j++)
+ 			name[j] = (char)CDF_TOLE2(d->d_name[j]);
+-		(void)fprintf(stderr, "Directory %zu: %s\n", i, name);
++		(void)fprintf(stderr, "Directory %" SIZE_T_FORMAT "u: %s\n",
++		    i, name);
+ 		if (d->d_type < __arraycount(types))
+ 			(void)fprintf(stderr, "Type: %s\n", types[d->d_type]);
+ 		else
+@@ -1062,9 +1156,9 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea
+ 		(void)fprintf(stderr, "Right child: %d\n", d->d_right_child);
+ 		(void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags);
+ 		cdf_timestamp_to_timespec(&ts, d->d_created);
+-		(void)fprintf(stderr, "Created %s", ctime(&ts.tv_sec));
++		(void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec));
+ 		cdf_timestamp_to_timespec(&ts, d->d_modified);
+-		(void)fprintf(stderr, "Modified %s", ctime(&ts.tv_sec));
++		(void)fprintf(stderr, "Modified %s", cdf_ctime(&ts.tv_sec));
+ 		(void)fprintf(stderr, "Stream %d\n", d->d_stream_first_sector);
+ 		(void)fprintf(stderr, "Size %d\n", d->d_size);
+ 		switch (d->d_type) {
+@@ -1086,7 +1180,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea
+ 		default:
+ 			break;
+ 		}
+-			
++
+ 	}
+ }
+ 
+@@ -1096,12 +1190,14 @@ cdf_dump_property_info(const cdf_property_info_t *
+ 	cdf_timestamp_t tp;
+ 	struct timespec ts;
+ 	char buf[64];
+-	size_t i;
++	size_t i, j;
+ 
+ 	for (i = 0; i < count; i++) {
+ 		cdf_print_property_name(buf, sizeof(buf), info[i].pi_id);
+-		(void)fprintf(stderr, "%zu) %s: ", i, buf); 
++		(void)fprintf(stderr, "%" SIZE_T_FORMAT "u) %s: ", i, buf);
+ 		switch (info[i].pi_type) {
++		case CDF_NULL:
++			break;
+ 		case CDF_SIGNED16:
+ 			(void)fprintf(stderr, "signed 16 [%hd]\n",
+ 			    info[i].pi_s16);
+@@ -1114,11 +1210,26 @@ cdf_dump_property_info(const cdf_property_info_t *
+ 			(void)fprintf(stderr, "unsigned 32 [%u]\n",
+ 			    info[i].pi_u32);
+ 			break;
++		case CDF_FLOAT:
++			(void)fprintf(stderr, "float [%g]\n",
++			    info[i].pi_f);
++			break;
++		case CDF_DOUBLE:
++			(void)fprintf(stderr, "double [%g]\n",
++			    info[i].pi_d);
++			break;
+ 		case CDF_LENGTH32_STRING:
+ 			(void)fprintf(stderr, "string %u [%.*s]\n",
+ 			    info[i].pi_str.s_len,
+ 			    info[i].pi_str.s_len, info[i].pi_str.s_buf);
+ 			break;
++		case CDF_LENGTH32_WSTRING:
++			(void)fprintf(stderr, "string %u [",
++			    info[i].pi_str.s_len);
++			for (j = 0; j < info[i].pi_str.s_len - 1; j++)
++			    (void)fputc(info[i].pi_str.s_buf[j << 1], stderr);
++			(void)fprintf(stderr, "]\n");
++			break;
+ 		case CDF_FILETIME:
+ 			tp = info[i].pi_tp;
+ 			if (tp < 1000000000000000LL) {
+@@ -1127,7 +1238,7 @@ cdf_dump_property_info(const cdf_property_info_t *
+ 			} else {
+ 				cdf_timestamp_to_timespec(&ts, tp);
+ 				(void)fprintf(stderr, "timestamp %s",
+-				    ctime(&ts.tv_sec));
++				    cdf_ctime(&ts.tv_sec));
+ 			}
+ 			break;
+ 		case CDF_CLIPBOARD:
+@@ -1151,7 +1262,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const
+ 	size_t count;
+ 
+ 	(void)&h;
+-	if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1)
++	if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1)
+ 		return;
+ 	(void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order);
+ 	(void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff,
+@@ -1203,7 +1314,7 @@ main(int argc, char *argv[])
+ 		if (cdf_read_ssat(&info, &h, &sat, &ssat) == -1)
+ 			err(1, "Cannot read ssat");
+ #ifdef CDF_DEBUG
+-		cdf_dump_sat("SSAT", &h, &ssat, CDF_SHORT_SEC_SIZE(&h));
++		cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h));
+ #endif
+ 
+ 		if (cdf_read_dir(&info, &h, &sat, &dir) == -1)
+Index: contrib/file/cdf.h
+===================================================================
+--- contrib/file/cdf.h	(revision 267806)
++++ contrib/file/cdf.h	(working copy)
+@@ -24,12 +24,27 @@
+  * POSSIBILITY OF SUCH DAMAGE.
+  */
+ /*
+- * Info from: http://sc.openoffice.org/compdocfileformat.pdf 
++ * Parse Composite Document Files, the format used in Microsoft Office
++ * document files before they switched to zipped XML.
++ * Info from: http://sc.openoffice.org/compdocfileformat.pdf
++ *
++ * N.B. This is the "Composite Document File" format, and not the
++ * "Compound Document Format", nor the "Channel Definition Format".
+  */
+ 
+ #ifndef _H_CDF_
+ #define _H_CDF_
+ 
++#ifdef WIN32
++#include <winsock2.h>
++#define timespec timeval
++#define tv_nsec tv_usec
++#endif
++#ifdef __DJGPP__
++#define timespec timeval
++#define tv_nsec tv_usec
++#endif
++
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT					10000
+@@ -36,8 +51,8 @@ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_SECID_NULL					0
+ #define CDF_SECID_FREE					-1
+-#define	CDF_SECID_END_OF_CHAIN				-2
+-#define	CDF_SECID_SECTOR_ALLOCATION_TABLE		-3
++#define CDF_SECID_END_OF_CHAIN				-2
++#define CDF_SECID_SECTOR_ALLOCATION_TABLE		-3
+ #define CDF_SECID_MASTER_SECTOR_ALLOCATION_TABLE	-4
+ 
+ typedef struct {
+@@ -61,15 +76,15 @@ typedef struct {
+ 	cdf_secid_t	h_master_sat[436/4];
+ } cdf_header_t;
+ 
+-#define CDF_SEC_SIZE(h)	(1 << (h)->h_sec_size_p2)
++#define CDF_SEC_SIZE(h) ((size_t)(1 << (h)->h_sec_size_p2))
+ #define CDF_SEC_POS(h, secid) (CDF_SEC_SIZE(h) + (secid) * CDF_SEC_SIZE(h))
+-#define CDF_SHORT_SEC_SIZE(h)	(1 << (h)->h_short_sec_size_p2)
++#define CDF_SHORT_SEC_SIZE(h)	((size_t)(1 << (h)->h_short_sec_size_p2))
+ #define CDF_SHORT_SEC_POS(h, secid) ((secid) * CDF_SHORT_SEC_SIZE(h))
+ 
+-typedef int32_t	cdf_dirid_t;
++typedef int32_t cdf_dirid_t;
+ #define CDF_DIRID_NULL	-1
+ 
+-typedef int64_t	cdf_timestamp_t;
++typedef int64_t cdf_timestamp_t;
+ #define CDF_BASE_YEAR	1601
+ #define CDF_TIME_PREC	10000000
+ 
+@@ -78,11 +93,11 @@ typedef struct {
+ 	uint16_t	d_namelen;
+ 	uint8_t		d_type;
+ #define CDF_DIR_TYPE_EMPTY		0
+-#define	CDF_DIR_TYPE_USER_STORAGE	1
+-#define	CDF_DIR_TYPE_USER_STREAM	2
+-#define	CDF_DIR_TYPE_LOCKBYTES		3
+-#define	CDF_DIR_TYPE_PROPERTY		4
+-#define	CDF_DIR_TYPE_ROOT_STORAGE	5
++#define CDF_DIR_TYPE_USER_STORAGE	1
++#define CDF_DIR_TYPE_USER_STREAM	2
++#define CDF_DIR_TYPE_LOCKBYTES		3
++#define CDF_DIR_TYPE_PROPERTY		4
++#define CDF_DIR_TYPE_ROOT_STORAGE	5
+ 	uint8_t		d_color;
+ #define CDF_DIR_COLOR_READ	0
+ #define CDF_DIR_COLOR_BLACK	1
+@@ -91,8 +106,8 @@ typedef struct {
+ 	cdf_dirid_t	d_storage;
+ 	uint64_t	d_storage_uuid[2];
+ 	uint32_t	d_flags;
+-	cdf_timestamp_t	d_created;
+-	cdf_timestamp_t	d_modified;
++	cdf_timestamp_t d_created;
++	cdf_timestamp_t d_modified;
+ 	cdf_secid_t	d_stream_first_sector;
+ 	uint32_t	d_size;
+ 	uint32_t	d_unused0;
+@@ -154,7 +169,9 @@ typedef struct {
+ 		int32_t		_pi_s32;
+ 		uint64_t	_pi_u64;
+ 		int64_t		_pi_s64;
+-		cdf_timestamp_t	_pi_tp;
++		cdf_timestamp_t _pi_tp;
++		float		_pi_f;
++		double		_pi_d;
+ 		struct {
+ 			uint32_t s_len;
+ 			const char *s_buf;
+@@ -166,6 +183,8 @@ typedef struct {
+ #define pi_s32	pi_val._pi_s32
+ #define pi_u16	pi_val._pi_u16
+ #define pi_s16	pi_val._pi_s16
++#define pi_f	pi_val._pi_f
++#define pi_d	pi_val._pi_d
+ #define pi_tp	pi_val._pi_tp
+ #define pi_str	pi_val._pi_str
+ } cdf_property_info_t;
+@@ -174,13 +193,13 @@ typedef struct {
+ 
+ /* Variant type definitions */
+ #define CDF_EMPTY		0x00000000
+-#define	CDF_NULL		0x00000001
++#define CDF_NULL		0x00000001
+ #define CDF_SIGNED16		0x00000002
+ #define CDF_SIGNED32		0x00000003
+ #define CDF_FLOAT		0x00000004
+ #define CDF_DOUBLE		0x00000005
+ #define CDF_CY			0x00000006
+-#define	CDF_DATE		0x00000007
++#define CDF_DATE		0x00000007
+ #define CDF_BSTR		0x00000008
+ #define CDF_DISPATCH		0x00000009
+ #define CDF_ERROR		0x0000000a
+@@ -191,7 +210,7 @@ typedef struct {
+ #define CDF_SIGNED8		0x00000010
+ #define CDF_UNSIGNED8		0x00000011
+ #define CDF_UNSIGNED16		0x00000012
+-#define	CDF_UNSIGNED32		0x00000013
++#define CDF_UNSIGNED32		0x00000013
+ #define CDF_SIGNED64		0x00000014
+ #define CDF_UNSIGNED64		0x00000015
+ #define CDF_INT			0x00000016
+@@ -226,7 +245,7 @@ typedef struct {
+ #define CDF_PROPERTY_SUBJECT			0x00000003
+ #define CDF_PROPERTY_AUTHOR			0x00000004
+ #define CDF_PROPERTY_KEYWORDS			0x00000005
+-#define CDF_PROPERTY_COMMENTS 			0x00000006
++#define CDF_PROPERTY_COMMENTS			0x00000006
+ #define CDF_PROPERTY_TEMPLATE			0x00000007
+ #define CDF_PROPERTY_LAST_SAVED_BY		0x00000008
+ #define CDF_PROPERTY_REVISION_NUMBER		0x00000009
+@@ -276,13 +295,13 @@ int cdf_read_ssat(const cdf_info_t *, const cdf_he
+     cdf_sat_t *);
+ int cdf_read_short_stream(const cdf_info_t *, const cdf_header_t *,
+     const cdf_sat_t *, const cdf_dir_t *, cdf_stream_t *);
+-int cdf_read_property_info(const cdf_stream_t *, uint32_t,
++int cdf_read_property_info(const cdf_stream_t *, const cdf_header_t *, uint32_t,
+     cdf_property_info_t **, size_t *, size_t *);
+ int cdf_read_summary_info(const cdf_info_t *, const cdf_header_t *,
+     const cdf_sat_t *, const cdf_sat_t *, const cdf_stream_t *,
+     const cdf_dir_t *, cdf_stream_t *);
+-int cdf_unpack_summary_info(const cdf_stream_t *, cdf_summary_info_header_t *,
+-    cdf_property_info_t **, size_t *);
++int cdf_unpack_summary_info(const cdf_stream_t *, const cdf_header_t *,
++    cdf_summary_info_header_t *, cdf_property_info_t **, size_t *);
+ int cdf_print_classid(char *, size_t, const cdf_classid_t *);
+ int cdf_print_property_name(char *, size_t, uint32_t);
+ int cdf_print_elapsed_time(char *, size_t, cdf_timestamp_t);
+@@ -289,6 +308,7 @@ int cdf_print_elapsed_time(char *, size_t, cdf_tim
+ uint16_t cdf_tole2(uint16_t);
+ uint32_t cdf_tole4(uint32_t);
+ uint64_t cdf_tole8(uint64_t);
++char *cdf_ctime(const time_t *);
+ 
+ #ifdef CDF_DEBUG
+ void cdf_dump_header(const cdf_header_t *);
+Index: contrib/file/cdf_time.c
+===================================================================
+--- contrib/file/cdf_time.c	(revision 267806)
++++ contrib/file/cdf_time.c	(working copy)
+@@ -27,7 +27,7 @@
+ #include "file.h"
+ 
+ #ifndef lint
+-FILE_RCSID("@(#)$File: cdf_time.c,v 1.6 2009/03/10 11:44:29 christos Exp $")
++FILE_RCSID("@(#)$File: cdf_time.c,v 1.10 2011/02/10 17:03:16 christos Exp $")
+ #endif
+ 
+ #include <time.h>
+@@ -108,22 +108,22 @@ cdf_timestamp_to_timespec(struct timespec *ts, cdf
+ 	ts->tv_nsec = (t % CDF_TIME_PREC) * 100;
+ 
+ 	t /= CDF_TIME_PREC;
+-	tm.tm_sec = t % 60;
++	tm.tm_sec = (int)(t % 60);
+ 	t /= 60;
+ 
+-	tm.tm_min = t % 60;
++	tm.tm_min = (int)(t % 60);
+ 	t /= 60;
+ 
+-	tm.tm_hour = t % 24;
++	tm.tm_hour = (int)(t % 24);
+ 	t /= 24;
+ 
+ 	// XXX: Approx
+-	tm.tm_year = CDF_BASE_YEAR + (t / 365);
++	tm.tm_year = (int)(CDF_BASE_YEAR + (t / 365));
+ 
+ 	rdays = cdf_getdays(tm.tm_year);
+-	t -= rdays;
+-	tm.tm_mday = cdf_getday(tm.tm_year, t);
+-	tm.tm_mon = cdf_getmonth(tm.tm_year, t);
++	t -= rdays - 1;
++	tm.tm_mday = cdf_getday(tm.tm_year, (int)t);
++	tm.tm_mon = cdf_getmonth(tm.tm_year, (int)t);
+ 	tm.tm_wday = 0;
+ 	tm.tm_yday = 0;
+ 	tm.tm_isdst = 0;
+@@ -143,10 +143,13 @@ cdf_timestamp_to_timespec(struct timespec *ts, cdf
+ }
+ 
+ int
++/*ARGSUSED*/
+ cdf_timespec_to_timestamp(cdf_timestamp_t *t, const struct timespec *ts)
+ {
++#ifndef __lint__
+ 	(void)&t;
+ 	(void)&ts;
++#endif
+ #ifdef notyet
+ 	struct tm tm;
+ 	if (gmtime_r(&ts->ts_sec, &tm) == NULL) {
+@@ -162,7 +165,19 @@ cdf_timespec_to_timestamp(cdf_timestamp_t *t, cons
+ 	return 0;
+ }
+ 
++char *
++cdf_ctime(const time_t *sec)
++{
++	static char ctbuf[26];
++	char *ptr = ctime(sec);
++	if (ptr != NULL)
++		return ptr;
++	(void)snprintf(ctbuf, sizeof(ctbuf), "*Bad* 0x%16.16llx\n",
++	    (long long)*sec);
++	return ctbuf;
++}
+ 
++
+ #ifdef TEST
+ int
+ main(int argc, char *argv[])
+@@ -173,7 +188,7 @@ main(int argc, char *argv[])
+ 	char *p, *q;
+ 
+ 	cdf_timestamp_to_timespec(&ts, tst);
+-	p = ctime(&ts.tv_sec);
++	p = cdf_ctime(&ts.tv_sec);
+ 	if ((q = strchr(p, '\n')) != NULL)
+ 		*q = '\0';
+ 	if (strcmp(ref, p) != 0)
+Index: contrib/file/file.h
+===================================================================
+--- contrib/file/file.h	(revision 267806)
++++ contrib/file/file.h	(working copy)
+@@ -71,6 +71,10 @@
+ #endif
+ #define public
+ 
++#ifndef __arraycount
++#define __arraycount(a) (sizeof(a) / sizeof(a[0]))
++#endif
++
+ #ifndef __GNUC_PREREQ__
+ #ifdef __GNUC__
+ #define	__GNUC_PREREQ__(x, y)						\
+@@ -367,7 +371,7 @@ protected int file_encoding(struct magic_set *, co
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int);
++    size_t, int);
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+     uint64_t);
+Index: contrib/file/funcs.c
+===================================================================
+--- contrib/file/funcs.c	(revision 267806)
++++ contrib/file/funcs.c	(working copy)
+@@ -227,7 +227,7 @@ file_buffer(struct magic_set *ms, int fd, const ch
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST)) != 0) {
++		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+ #ifdef BUILTIN_ELF
+Index: contrib/file/readcdf.c
+===================================================================
+--- contrib/file/readcdf.c	(revision 267806)
++++ contrib/file/readcdf.c	(working copy)
+@@ -26,7 +26,7 @@
+ #include "file.h"
+ 
+ #ifndef lint
+-FILE_RCSID("@(#)$File: readcdf.c,v 1.18 2009/05/06 20:48:22 christos Exp $")
++FILE_RCSID("@(#)$File: readcdf.c,v 1.28 2012/02/17 05:27:45 christos Exp $")
+ #endif
+ 
+ #include <stdlib.h>
+@@ -44,145 +44,168 @@ private int
+ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info,
+     size_t count)
+ {
+-	size_t i;
+-	cdf_timestamp_t tp;
+-	struct timespec ts;
+-	char buf[64];
+-	const char *str = "vnd.ms-office";
+-	const char *s;
+-	int len;
++        size_t i;
++        cdf_timestamp_t tp;
++        struct timespec ts;
++        char buf[64];
++        const char *str = NULL;
++        const char *s;
++        int len;
+ 
+-	for (i = 0; i < count; i++) {
+-		cdf_print_property_name(buf, sizeof(buf), info[i].pi_id);
+-		switch (info[i].pi_type) {
+-		case CDF_SIGNED16:
+-			if (NOTMIME(ms) && file_printf(ms, ", %s: %hd", buf,
+-			    info[i].pi_s16) == -1)
+-				return -1;
+-			break;
+-		case CDF_SIGNED32:
+-			if (NOTMIME(ms) && file_printf(ms, ", %s: %d", buf,
+-			    info[i].pi_s32) == -1)
+-				return -1;
+-			break;
+-		case CDF_UNSIGNED32:
+-			if (NOTMIME(ms) && file_printf(ms, ", %s: %u", buf,
+-			    info[i].pi_u32) == -1)
+-				return -1;
+-			break;
+-		case CDF_LENGTH32_STRING:
+-			len = info[i].pi_str.s_len;
+-			if (len > 1) {
+-				s = info[i].pi_str.s_buf;
+-				if (NOTMIME(ms)) {
+-					char vbuf[1024];
+-					size_t j;
+-					for (j = 0; j < sizeof(vbuf) && len--;
+-					    j++, s++) {
+-						if (*s == '\0')
+-							break;
+-						if (isprint((unsigned char)*s))
+-							vbuf[j] = *s;
+-					}
+-					if (j == sizeof(vbuf))
+-						--j;
+-					vbuf[j] = '\0';
+-					if (vbuf[0]) {
+-						if (file_printf(ms, ", %s: %s",
+-						    buf, vbuf) == -1)
+-							return -1;
+-					}
+-				} else if (info[i].pi_id == 
+-					CDF_PROPERTY_NAME_OF_APPLICATION) {
+-					if (strstr(s, "Word"))
+-						str = "msword";
+-					else if (strstr(s, "Excel"))
+-						str = "vnd.ms-excel";
+-					else if (strstr(s, "Powerpoint"))
+-						str = "vnd.ms-powerpoint";
+-				}
+-			}
+-			break;
+-		case CDF_FILETIME:
+-			tp = info[i].pi_tp;
+-			if (tp != 0) {
+-				if (tp < 1000000000000000LL) {
+-					char tbuf[64];
+-					cdf_print_elapsed_time(tbuf,
+-					    sizeof(tbuf), tp);
+-					if (NOTMIME(ms) && file_printf(ms,
+-					    ", %s: %s", buf, tbuf) == -1)
+-						return -1;
+-				} else {
+-					char *c, *ec;
+-					cdf_timestamp_to_timespec(&ts, tp);
+-					c = ctime(&ts.tv_sec);
+-					if ((ec = strchr(c, '\n')) != NULL)
+-						*ec = '\0';
++        for (i = 0; i < count; i++) {
++                cdf_print_property_name(buf, sizeof(buf), info[i].pi_id);
++                switch (info[i].pi_type) {
++                case CDF_NULL:
++                        break;
++                case CDF_SIGNED16:
++                        if (NOTMIME(ms) && file_printf(ms, ", %s: %hd", buf,
++                            info[i].pi_s16) == -1)
++                                return -1;
++                        break;
++                case CDF_SIGNED32:
++                        if (NOTMIME(ms) && file_printf(ms, ", %s: %d", buf,
++                            info[i].pi_s32) == -1)
++                                return -1;
++                        break;
++                case CDF_UNSIGNED32:
++                        if (NOTMIME(ms) && file_printf(ms, ", %s: %u", buf,
++                            info[i].pi_u32) == -1)
++                                return -1;
++                        break;
++                case CDF_FLOAT:
++                        if (NOTMIME(ms) && file_printf(ms, ", %s: %g", buf,
++                            info[i].pi_f) == -1)
++                                return -1;
++                        break;
++                case CDF_DOUBLE:
++                        if (NOTMIME(ms) && file_printf(ms, ", %s: %g", buf,
++                            info[i].pi_d) == -1)
++                                return -1;
++                        break;
++                case CDF_LENGTH32_STRING:
++                case CDF_LENGTH32_WSTRING:
++                        len = info[i].pi_str.s_len;
++                        if (len > 1) {
++                                char vbuf[1024];
++                                size_t j, k = 1;
+ 
+-					if (NOTMIME(ms) && file_printf(ms,
+-					    ", %s: %s", buf, c) == -1)
+-						return -1;
+-				}
+-			}
+-			break;
+-		case CDF_CLIPBOARD:
+-			break;
+-		default:
+-			return -1;
+-		}
+-	}
+-	if (!NOTMIME(ms)) {
+-		if (file_printf(ms, "application/%s", str) == -1)
+-			return -1;
+-	}
+-	return 1;
++                                if (info[i].pi_type == CDF_LENGTH32_WSTRING)
++                                    k++;
++                                s = info[i].pi_str.s_buf;
++                                for (j = 0; j < sizeof(vbuf) && len--;
++                                    j++, s += k) {
++                                        if (*s == '\0')
++                                                break;
++                                        if (isprint((unsigned char)*s))
++                                                vbuf[j] = *s;
++                                }
++                                if (j == sizeof(vbuf))
++                                        --j;
++                                vbuf[j] = '\0';
++                                if (NOTMIME(ms)) {
++                                        if (vbuf[0]) {
++                                                if (file_printf(ms, ", %s: %s",
++                                                    buf, vbuf) == -1)
++                                                        return -1;
++                                        }
++                                } else if (info[i].pi_id ==
++                                        CDF_PROPERTY_NAME_OF_APPLICATION) {
++                                        if (strstr(vbuf, "Word"))
++                                                str = "msword";
++                                        else if (strstr(vbuf, "Excel"))
++                                                str = "vnd.ms-excel";
++                                        else if (strstr(vbuf, "Powerpoint"))
++                                                str = "vnd.ms-powerpoint";
++                                        else if (strstr(vbuf,
++                                            "Crystal Reports"))
++                                                str = "x-rpt";
++                                }
++                        }
++                        break;
++                case CDF_FILETIME:
++                        tp = info[i].pi_tp;
++                        if (tp != 0) {
++                                if (tp < 1000000000000000LL) {
++                                        char tbuf[64];
++                                        cdf_print_elapsed_time(tbuf,
++                                            sizeof(tbuf), tp);
++                                        if (NOTMIME(ms) && file_printf(ms,
++                                            ", %s: %s", buf, tbuf) == -1)
++                                                return -1;
++                                } else {
++                                        char *c, *ec;
++                                        cdf_timestamp_to_timespec(&ts, tp);
++                                        c = cdf_ctime(&ts.tv_sec);
++                                        if ((ec = strchr(c, '\n')) != NULL)
++                                                *ec = '\0';
++
++                                        if (NOTMIME(ms) && file_printf(ms,
++                                            ", %s: %s", buf, c) == -1)
++                                                return -1;
++                                }
++                        }
++                        break;
++                case CDF_CLIPBOARD:
++                        break;
++                default:
++                        return -1;
++                }
++        }
++        if (!NOTMIME(ms)) {
++		if (str == NULL)
++			return 0;
++                if (file_printf(ms, "application/%s", str) == -1)
++                        return -1;
++        }
++        return 1;
+ }
+ 
+ private int
+-cdf_file_summary_info(struct magic_set *ms, const cdf_stream_t *sst)
++cdf_file_summary_info(struct magic_set *ms, const cdf_header_t *h,
++    const cdf_stream_t *sst)
+ {
+-	cdf_summary_info_header_t si;
+-	cdf_property_info_t *info;
+-	size_t count;
+-	int m;
++        cdf_summary_info_header_t si;
++        cdf_property_info_t *info;
++        size_t count;
++        int m;
+ 
+-	if (cdf_unpack_summary_info(sst, &si, &info, &count) == -1)
+-		return -1;
++        if (cdf_unpack_summary_info(sst, h, &si, &info, &count) == -1)
++                return -1;
+ 
+-	if (NOTMIME(ms)) {
+-		if (file_printf(ms, "CDF V2 Document") == -1)
+-			return -1;
++        if (NOTMIME(ms)) {
++                if (file_printf(ms, "CDF V2 Document")
++		    == -1)
++                        return -1;
+ 
+-		if (file_printf(ms, ", %s Endian",
+-		    si.si_byte_order == 0xfffe ?  "Little" : "Big") == -1)
+-			return -1;
+-		switch (si.si_os) {
+-		case 2:
+-			if (file_printf(ms, ", Os: Windows, Version %d.%d",
+-			    si.si_os_version & 0xff, si.si_os_version >> 8)
+-			    == -1)
+-				return -1;
+-			break;
+-		case 1:
+-			if (file_printf(ms, ", Os: MacOS, Version %d.%d",
+-			    si.si_os_version >> 8, si.si_os_version & 0xff)
+-			    == -1)
+-				return -1;
+-			break;
+-		default:
+-			if (file_printf(ms, ", Os %d, Version: %d.%d", si.si_os,
+-			    si.si_os_version & 0xff, si.si_os_version >> 8)
+-			    == -1)
+-				return -1;
+-			break;
+-		}
+-	}
++                if (file_printf(ms, ", %s Endian",
++                    si.si_byte_order == 0xfffe ?  "Little" : "Big") == -1)
++                        return -2;
++                switch (si.si_os) {
++                case 2:
++                        if (file_printf(ms, ", Os: Windows, Version %d.%d",
++                            si.si_os_version & 0xff,
++                            (uint32_t)si.si_os_version >> 8) == -1)
++                                return -2;
++                        break;
++                case 1:
++                        if (file_printf(ms, ", Os: MacOS, Version %d.%d",
++                            (uint32_t)si.si_os_version >> 8,
++                            si.si_os_version & 0xff) == -1)
++                                return -2;
++                        break;
++                default:
++                        if (file_printf(ms, ", Os %d, Version: %d.%d", si.si_os,
++                            si.si_os_version & 0xff,
++                            (uint32_t)si.si_os_version >> 8) == -1)
++                                return -2;
++                        break;
++                }
++        }
+ 
+-	m = cdf_file_property_info(ms, info, count);
+-	free(info);
++        m = cdf_file_property_info(ms, info, count);
++        free(info);
+ 
+-	return m;
++        return m == -1 ? -2 : m;
+ }
+ 
+ protected int
+@@ -189,81 +212,107 @@ protected int
+ file_trycdf(struct magic_set *ms, int fd, const unsigned char *buf,
+     size_t nbytes)
+ {
+-	cdf_info_t info;
+-	cdf_header_t h;
+-	cdf_sat_t sat, ssat;
+-	cdf_stream_t sst, scn;
+-	cdf_dir_t dir;
+-	int i;
+-	const char *expn = "";
++        cdf_info_t info;
++        cdf_header_t h;
++        cdf_sat_t sat, ssat;
++        cdf_stream_t sst, scn;
++        cdf_dir_t dir;
++        int i;
++        const char *expn = "";
++        const char *corrupt = "corrupt: ";
+ 
+-	info.i_fd = fd;
+-	info.i_buf = buf;
+-	info.i_len = nbytes;
+-	if (ms->flags & MAGIC_APPLE)
+-		return 0;
+-	if (cdf_read_header(&info, &h) == -1)
+-		return 0;
++        info.i_fd = fd;
++        info.i_buf = buf;
++        info.i_len = nbytes;
++        if (ms->flags & MAGIC_APPLE)
++                return 0;
++        if (cdf_read_header(&info, &h) == -1)
++                return 0;
+ #ifdef CDF_DEBUG
+-	cdf_dump_header(&h);
++        cdf_dump_header(&h);
+ #endif
+ 
+-	if ((i = cdf_read_sat(&info, &h, &sat)) == -1) {
+-		expn = "Can't read SAT";
+-		goto out0;
+-	}
++        if ((i = cdf_read_sat(&info, &h, &sat)) == -1) {
++                expn = "Can't read SAT";
++                goto out0;
++        }
+ #ifdef CDF_DEBUG
+-	cdf_dump_sat("SAT", &sat, CDF_SEC_SIZE(&h));
++        cdf_dump_sat("SAT", &sat, CDF_SEC_SIZE(&h));
+ #endif
+ 
+-	if ((i = cdf_read_ssat(&info, &h, &sat, &ssat)) == -1) {
+-		expn = "Can't read SSAT";
+-		goto out1;
+-	}
++        if ((i = cdf_read_ssat(&info, &h, &sat, &ssat)) == -1) {
++                expn = "Can't read SSAT";
++                goto out1;
++        }
+ #ifdef CDF_DEBUG
+-	cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h));
++        cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h));
+ #endif
+ 
+-	if ((i = cdf_read_dir(&info, &h, &sat, &dir)) == -1) {
+-		expn = "Can't read directory";
+-		goto out2;
+-	}
++        if ((i = cdf_read_dir(&info, &h, &sat, &dir)) == -1) {
++                expn = "Can't read directory";
++                goto out2;
++        }
+ 
+-	if ((i = cdf_read_short_stream(&info, &h, &sat, &dir, &sst)) == -1) {
+-		expn = "Cannot read short stream";
+-		goto out3;
+-	}
++        if ((i = cdf_read_short_stream(&info, &h, &sat, &dir, &sst)) == -1) {
++                expn = "Cannot read short stream";
++                goto out3;
++        }
+ #ifdef CDF_DEBUG
+-	cdf_dump_dir(&info, &h, &sat, &ssat, &sst, &dir);
++        cdf_dump_dir(&info, &h, &sat, &ssat, &sst, &dir);
+ #endif
+ 
+-	if ((i = cdf_read_summary_info(&info, &h, &sat, &ssat, &sst, &dir,
+-	    &scn)) == -1) {
+-		expn = "Cannot read summary info";
+-		goto out4;
+-	}
++        if ((i = cdf_read_summary_info(&info, &h, &sat, &ssat, &sst, &dir,
++            &scn)) == -1) {
++                if (errno == ESRCH) {
++                        corrupt = expn;
++                        expn = "No summary info";
++                } else {
++                        expn = "Cannot read summary info";
++                }
++                goto out4;
++        }
+ #ifdef CDF_DEBUG
+-	cdf_dump_summary_info(&h, &scn);
++        cdf_dump_summary_info(&h, &scn);
+ #endif
+-	if ((i = cdf_file_summary_info(ms, &scn)) == -1)
+-		expn = "Can't expand summary_info";
+-	free(scn.sst_tab);
++        if ((i = cdf_file_summary_info(ms, &h, &scn)) < 0)
++                expn = "Can't expand summary_info";
++	if (i == 0) {
++		const char *str = "vnd.ms-office";
++		cdf_directory_t *d;
++		char name[__arraycount(d->d_name)];
++		size_t j, k;
++		for (j = 0; j < dir.dir_len; j++) {
++		    d = &dir.dir_tab[j];
++		    for (k = 0; k < sizeof(name); k++)
++			name[k] = (char)cdf_tole2(d->d_name[k]);
++		    if (strstr(name, "WordDocument") != 0) {
++			str = "msword";
++			break;
++		    }
++		}
++                if (file_printf(ms, "application/%s", str) == -1)
++                        return -1;
++		i = 1;
++	}
++        free(scn.sst_tab);
+ out4:
+-	free(sst.sst_tab);
++        free(sst.sst_tab);
+ out3:
+-	free(dir.dir_tab);
++        free(dir.dir_tab);
+ out2:
+-	free(ssat.sat_tab);
++        free(ssat.sat_tab);
+ out1:
+-	free(sat.sat_tab);
++        free(sat.sat_tab);
+ out0:
+-	if (i != 1) {
+-		if (file_printf(ms, "CDF V2 Document") == -1)
+-			return -1;
+-		if (*expn)
+-			if (file_printf(ms, ", corrupt: %s", expn) == -1)
+-				return -1;
+-		i = 1;
+-	}
+-	return i;
++        if (i != 1) {
++		if (i == -1)
++		    if (file_printf(ms, "CDF V2 Document")
++			== -1)
++			    return -1;
++                if (*expn)
++                        if (file_printf(ms, ", %s%s", corrupt, expn) == -1)
++                                return -1;
++                i = 1;
++        }
++        return i;
+ }
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c	(revision 267806)
++++ contrib/file/softmagic.c	(working copy)
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.135 2009/03
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
+-    const unsigned char *, size_t, int);
++    const unsigned char *, size_t, int, int);
+ private int mget(struct magic_set *, const unsigned char *,
+-    struct magic *, size_t, unsigned int);
++    struct magic *, size_t, unsigned int, int);
+ private int magiccheck(struct magic_set *, struct magic *);
+ private int32_t mprint(struct magic_set *, struct magic *);
+ private int32_t moffset(struct magic_set *, struct magic *);
+@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -66,12 +67,13 @@ private void cvt_64(union VALUETYPE *, const struc
+  */
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+-file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes, int mode)
++file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
++	       size_t level, int mode)
+ {
+ 	struct mlist *ml;
+ 	int rv;
+ 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
+-		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode)) != 0)
++		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode, level)) != 0)
+ 			return rv;
+ 
+ 	return 0;
+@@ -106,7 +108,7 @@ protected int
+  */
+ private int
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
+-    const unsigned char *s, size_t nbytes, int mode)
++    const unsigned char *s, size_t nbytes, int mode, int recursion_level)
+ {
+ 	uint32_t magindex = 0;
+ 	unsigned int cont_level = 0;
+@@ -135,7 +137,7 @@ match(struct magic_set *ms, struct magic *magic, u
+ 		ms->line = m->lineno;
+ 
+ 		/* if main entry matches, print it... */
+-		switch (mget(ms, s, m, nbytes, cont_level)) {
++		switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
+ 		case -1:
+ 			return -1;
+ 		case 0:
+@@ -218,7 +220,7 @@ match(struct magic_set *ms, struct magic *magic, u
+ 					continue;
+ 			}
+ #endif
+-			switch (mget(ms, s, m, nbytes, cont_level)) {
++			switch (mget(ms, s, m, nbytes, cont_level, recursion_level + 1)) {
+ 			case -1:
+ 				return -1;
+ 			case 0:
+@@ -1022,12 +1024,17 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in
+ 
+ private int
+ mget(struct magic_set *ms, const unsigned char *s,
+-    struct magic *m, size_t nbytes, unsigned int cont_level)
++    struct magic *m, size_t nbytes, unsigned int cont_level, int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+ 	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
++	if (recursion_level >= 20) {
++		file_error(ms, 0, "recursion nesting exceeded");
++		return -1;
++	}
++
+ 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
+ 		return -1;
+ 
+@@ -1077,7 +1084,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 		}
+ 		switch (m->in_type) {
+ 		case FILE_BYTE:
+-			if (nbytes < (offset + 1))
++			if (OFFSET_OOB(nbytes, offset, 1))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1112,7 +1119,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_BESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1164,7 +1171,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1216,7 +1223,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_SHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1253,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 			break;
+ 		case FILE_BELONG:
+ 		case FILE_BEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1324,7 +1331,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 			break;
+ 		case FILE_LELONG:
+ 		case FILE_LEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1394,7 +1401,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_MELONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1464,7 +1471,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1531,7 +1538,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	/* Verify we have enough data to match magic type */
+ 	switch (m->type) {
+ 	case FILE_BYTE:
+-		if (nbytes < (offset + 1)) /* should alway be true */
++		if (OFFSET_OOB(nbytes, offset, 1))
+ 			return 0;
+ 		break;
+ 
+@@ -1538,7 +1545,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_SHORT:
+ 	case FILE_BESHORT:
+ 	case FILE_LESHORT:
+-		if (nbytes < (offset + 2))
++		if (OFFSET_OOB(nbytes, offset, 2))
+ 			return 0;
+ 		break;
+ 
+@@ -1557,7 +1564,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_FLOAT:
+ 	case FILE_BEFLOAT:
+ 	case FILE_LEFLOAT:
+-		if (nbytes < (offset + 4))
++		if (OFFSET_OOB(nbytes, offset, 4))
+ 			return 0;
+ 		break;
+ 
+@@ -1564,7 +1571,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_DOUBLE:
+ 	case FILE_BEDOUBLE:
+ 	case FILE_LEDOUBLE:
+-		if (nbytes < (offset + 8))
++		if (OFFSET_OOB(nbytes, offset, 8))
+ 			return 0;
+ 		break;
+ 
+@@ -1571,23 +1578,25 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_STRING:
+ 	case FILE_PSTRING:
+ 	case FILE_SEARCH:
+-		if (nbytes < (offset + m->vallen))
++		if (OFFSET_OOB(nbytes, offset, m->vallen))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_REGEX:
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_INDIRECT:
++		if (offset == 0)
++			return 0;
+ 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ 		    file_printf(ms, m->desc) == -1)
+ 			return -1;
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		return file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST);
++		    recursion_level, BINTEST);
+ 
+ 	case FILE_DEFAULT:	/* nothing to check */
+ 	default:
diff --git a/share/security/patches/SA-14:16/file-8.4.patch.asc b/share/security/patches/SA-14:16/file-8.4.patch.asc
new file mode 100644
index 0000000000..1c1ce5730c
--- /dev/null
+++ b/share/security/patches/SA-14:16/file-8.4.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnwYEQAJ2tsC+x3C539+wx8HQVDyzn
+YArD9qa9vccrISU0BBvBRDwnEEJ2jm/57EMpA9vc8drrWnz29gxYtIDeFWAkosM/
+CTR0M3ZSMaTSnHQWoM8VxlMPWDfQBzokJB5H3qNUCJZV/QdQo7kSHdMvzeqdiqbG
+jkuVuifm5TgxEQVaznK9E0PoL/gVGfndUg9N5MJnO/XEO0wy4gqDE6SSn9zE4Rxc
+uWa34gZwh33eJWi9tE6sNAbekZuwEtK7smw+wkcUvUdfdUqTsp8j05ZY/PMAG97z
+SeYZ3rXk4sKXE4NSM8QxFxbfQNcFmKv7viQoPqTJDu63ctJdcyN6vv8hH9j73+mN
+W3NQOdfnKQblqgqC6bkXUV4A3YAUirWfcBiHo02PBfhspwBI+CA7VJbNxPxdmGn9
+r9F9SP114afHz/2W62yDagXPc39TJ/T7e8sqEbw2Up5a1Rd7PzpQCDMYALspx4tS
+FQqR61aTfpSDXdQYLPgyTPiBNrDcUA0WdAWpm2KAteUOUt5K7Z5N59IbxJU51VpL
+dPdJsTkCN84HY6ynng4nrxaeH6ImPmv3wd34cxVIgrEzfDbteYr2qn6tNM+4AAhg
+bbFbqbXPp3qyn3ryDskdkeEbNIBK0Dw41ATtvfsolVPI+xWVT996R16uvqwu2hhl
+HaPZcO4HUyyDsdKzLNk+
+=Kg8r
+-----END PGP SIGNATURE-----
diff --git a/share/security/patches/SA-14:16/file.patch b/share/security/patches/SA-14:16/file.patch
new file mode 100644
index 0000000000..43d93418e4
--- /dev/null
+++ b/share/security/patches/SA-14:16/file.patch
@@ -0,0 +1,276 @@
+Index: contrib/file/Magdir/commands
+===================================================================
+--- contrib/file/Magdir/commands	(revision 267806)
++++ contrib/file/Magdir/commands	(working copy)
+@@ -49,7 +49,8 @@
+ !:mime	text/x-awk
+ 0	string/wt	#!\ /usr/bin/awk	awk script text executable
+ !:mime	text/x-awk
+-0	regex		=^\\s*BEGIN\\s*[{]	awk script text
++0	regex		=^\\s{0,100}BEGIN\\s{0,100}[{]	awk script text
++!:strength - 12
+ 
+ # AT&T Bell Labs' Plan 9 shell
+ 0	string/wt	#!\ /bin/rc	Plan 9 rc shell script text executable
+Index: contrib/file/ascmagic.c
+===================================================================
+--- contrib/file/ascmagic.c	(revision 267806)
++++ contrib/file/ascmagic.c	(working copy)
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms,
+ 		    == NULL)
+ 			goto done;
+ 		if ((rv = file_softmagic(ms, utf8_buf,
+-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ 			rv = -1;
+ 	}
+ 
+Index: contrib/file/file.h
+===================================================================
+--- contrib/file/file.h	(revision 267806)
++++ contrib/file/file.h	(working copy)
+@@ -414,7 +414,7 @@ protected int file_encoding(struct magic_set *, co
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int, int);
++    size_t, int, int);
+ protected struct mlist *file_apprentice(struct magic_set *, const char *, int);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+     uint64_t);
+Index: contrib/file/funcs.c
+===================================================================
+--- contrib/file/funcs.c	(revision 267806)
++++ contrib/file/funcs.c	(working copy)
+@@ -228,7 +228,7 @@ file_buffer(struct magic_set *ms, int fd, const ch
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ 		    looks_text)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c	(revision 267806)
++++ contrib/file/softmagic.c	(working copy)
+@@ -43,9 +43,9 @@ FILE_RCSID("@(#)$File: softmagic.c,v 1.147 2011/11
+ 
+ 
+ private int match(struct magic_set *, struct magic *, uint32_t,
+-    const unsigned char *, size_t, int, int);
++    const unsigned char *, size_t, int, int, int);
+ private int mget(struct magic_set *, const unsigned char *,
+-    struct magic *, size_t, unsigned int, int);
++    struct magic *, size_t, unsigned int, int, int);
+ private int magiccheck(struct magic_set *, struct magic *);
+ private int32_t mprint(struct magic_set *, struct magic *);
+ private int32_t moffset(struct magic_set *, struct magic *);
+@@ -60,6 +60,7 @@ private void cvt_16(union VALUETYPE *, const struc
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -67,13 +68,13 @@ private void cvt_64(union VALUETYPE *, const struc
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+-    int mode, int text)
++    size_t level, int mode, int text)
+ {
+ 	struct mlist *ml;
+ 	int rv;
+ 	for (ml = ms->mlist->next; ml != ms->mlist; ml = ml->next)
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, mode,
+-		    text)) != 0)
++		    text, level)) != 0)
+ 			return rv;
+ 
+ 	return 0;
+@@ -108,7 +109,8 @@ file_softmagic(struct magic_set *ms, const unsigne
+  */
+ private int
+ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
+-    const unsigned char *s, size_t nbytes, int mode, int text)
++    const unsigned char *s, size_t nbytes, int mode, int text,
++    int recursion_level)
+ {
+ 	uint32_t magindex = 0;
+ 	unsigned int cont_level = 0;
+@@ -140,7 +142,7 @@ match(struct magic_set *ms, struct magic *magic, u
+ 		ms->line = m->lineno;
+ 
+ 		/* if main entry matches, print it... */
+-		switch (mget(ms, s, m, nbytes, cont_level, text)) {
++		switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
+ 		case -1:
+ 			return -1;
+ 		case 0:
+@@ -223,7 +225,7 @@ match(struct magic_set *ms, struct magic *magic, u
+ 					continue;
+ 			}
+ #endif
+-			switch (mget(ms, s, m, nbytes, cont_level, text)) {
++			switch (mget(ms, s, m, nbytes, cont_level, text, recursion_level + 1)) {
+ 			case -1:
+ 				return -1;
+ 			case 0:
+@@ -1018,12 +1020,18 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, in
+ 
+ private int
+ mget(struct magic_set *ms, const unsigned char *s,
+-    struct magic *m, size_t nbytes, unsigned int cont_level, int text)
++    struct magic *m, size_t nbytes, unsigned int cont_level, int text,
++    int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+ 	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
++        if (recursion_level >= 20) {
++                file_error(ms, 0, "recursion nesting exceeded");
++                return -1;
++        }
++
+ 	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
+ 		return -1;
+ 
+@@ -1073,7 +1081,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 		}
+ 		switch (m->in_type) {
+ 		case FILE_BYTE:
+-			if (nbytes < (offset + 1))
++			if (OFFSET_OOB(nbytes, offset, 1))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1108,7 +1116,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_BESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1160,7 +1168,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1212,7 +1220,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_SHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1249,7 +1257,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 			break;
+ 		case FILE_BELONG:
+ 		case FILE_BEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1320,7 +1328,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 			break;
+ 		case FILE_LELONG:
+ 		case FILE_LEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1390,7 +1398,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_MELONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1460,7 +1468,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1527,7 +1535,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	/* Verify we have enough data to match magic type */
+ 	switch (m->type) {
+ 	case FILE_BYTE:
+-		if (nbytes < (offset + 1)) /* should alway be true */
++		if (OFFSET_OOB(nbytes, offset, 1))
+ 			return 0;
+ 		break;
+ 
+@@ -1534,7 +1542,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_SHORT:
+ 	case FILE_BESHORT:
+ 	case FILE_LESHORT:
+-		if (nbytes < (offset + 2))
++		if (OFFSET_OOB(nbytes, offset, 2))
+ 			return 0;
+ 		break;
+ 
+@@ -1553,7 +1561,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_FLOAT:
+ 	case FILE_BEFLOAT:
+ 	case FILE_LEFLOAT:
+-		if (nbytes < (offset + 4))
++		if (OFFSET_OOB(nbytes, offset, 4))
+ 			return 0;
+ 		break;
+ 
+@@ -1560,7 +1568,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_DOUBLE:
+ 	case FILE_BEDOUBLE:
+ 	case FILE_LEDOUBLE:
+-		if (nbytes < (offset + 8))
++		if (OFFSET_OOB(nbytes, offset, 8))
+ 			return 0;
+ 		break;
+ 
+@@ -1567,7 +1575,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 	case FILE_STRING:
+ 	case FILE_PSTRING:
+ 	case FILE_SEARCH:
+-		if (nbytes < (offset + m->vallen))
++		if (OFFSET_OOB(nbytes, offset, m->vallen))
+ 			return 0;
+ 		break;
+ 
+@@ -1577,6 +1585,8 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 		break;
+ 
+ 	case FILE_INDIRECT:
++		if (offset == 0)
++			return 0;
+ 	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ 		    file_printf(ms, "%s", m->desc) == -1)
+ 			return -1;
+@@ -1583,7 +1593,7 @@ mget(struct magic_set *ms, const unsigned char *s,
+ 		if (nbytes < offset)
+ 			return 0;
+ 		return file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST, text);
++		    recursion_level, BINTEST, text);
+ 
+ 	case FILE_DEFAULT:	/* nothing to check */
+ 	default:
diff --git a/share/security/patches/SA-14:16/file.patch.asc b/share/security/patches/SA-14:16/file.patch.asc
new file mode 100644
index 0000000000..941e5dda8b
--- /dev/null
+++ b/share/security/patches/SA-14:16/file.patch.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQIcBAABCgAGBQJTqc+xAAoJEO1n7NZdz2rnE0YP/A+Q3jwyWJW7f4UQCN1funJ0
+XZwDYYD/aVXUmQcegpDDDlJ9Ol3Rr2K6CXKJHN+2kH1NvjD2W82+trJiiAetTBwI
+OqsgtyiJM8k3Pa67lRNoBPkYRaoZ7MgXurDzY8lclz0bb+n2OLQr4gvXQ8gEbZZE
+ZETzFGlOhDw22gWOFzU7fMbg+WZr1yQBPEzEtJ5DR2WAS/eiAEzW9D8+HgBvR1T9
+X8jE6OEblJ3xBHkGByX9t9r+0klwOHdjx6Y54P+b1gFmgaIGLOPulNVE1d7oyRbt
+Lhcrd1OUWuohz7nOfC+L29bYn0AiIVt/bZekKNyILiKuZbo01JmMLB+Ekn+R4Hv+
+fXjcc4qVVwTveJMPZ8HDNnpKusMXhqMAYDLblA4c6LnFdpwuKMMK9D9KCTNe0N17
+hGeJXHXAaeewdhsaXUA5VpLR1bZjQgLRIO3kKSrgIJVQWpPn+U5q0uuKl/JEo4O7
+hnble23XfiqfRnkaZ9Cs8Gw16g/XFhDKSu6ppVMCSTALwvmppVtQpw8tfq+W1EmW
+9OlwLN5FAjYuMS2GbuZr4o53cFJD0a/3OdeMIZdTP9zstU/AMx1zauAHfUinDAKN
+p7zriJB3gz0XQSSXwtlAHJpOapvMYob/axhToy+TcnxiHPa9oQEAbJWtfar0NQVR
+t4TETAxIo1YT7cW7w87U
+=nVM9
+-----END PGP SIGNATURE-----
diff --git a/share/xml/advisories.xml b/share/xml/advisories.xml
index 2a51708459..0c10939c97 100644
--- a/share/xml/advisories.xml
+++ b/share/xml/advisories.xml
@@ -10,6 +10,18 @@
     <month>
       <name>6</name>
 
+      <day>
+	<name>24</name>
+
+	<advisory>
+	  <name>FreeBSD-SA-14:16.file</name>
+	</advisory>
+
+	<advisory>
+	  <name>FreeBSD-SA-14:15.iconv</name>
+	</advisory>
+      </day>
+
       <day>
 	<name>5</name>
 
diff --git a/share/xml/notices.xml b/share/xml/notices.xml
index e6f382655f..f5bf2594a5 100644
--- a/share/xml/notices.xml
+++ b/share/xml/notices.xml
@@ -10,6 +10,18 @@
     <month>
       <name>6</name>
 
+      <day>
+	<name>24</name>
+
+	<notice>
+	  <name>FreeBSD-EN-14:08.heimdal</name>
+	</notice>
+
+	<notice>
+	  <name>FreeBSD-EN-14:07.pmap</name>
+	</notice>
+      </day>
+
       <day>
 	<name>3</name>
 
@@ -26,7 +38,7 @@
 	<name>13</name>
 
 	<notice>
-	  <name>FreeBSD-EN-14:03.pkg</name>
+	  <name>FreeBSD-EN-14:05.ciss</name>
 	</notice>
 
 	<notice>
@@ -34,7 +46,7 @@
 	</notice>
 
 	<notice>
-	  <name>FreeBSD-EN-14:05.ciss</name>
+	  <name>FreeBSD-EN-14:03.pkg</name>
 	</notice>
       </day>
     </month>