diff options
| author | erouault <erouault> | 2017-05-20 11:29:02 +0000 |
|---|---|---|
| committer | erouault <erouault> | 2017-05-20 11:29:02 +0000 |
| commit | 60cd9839a31166fe83310f37f91ec5c4006d65de (patch) | |
| tree | f24223b9d1da166b772702d792552218f91abd34 | |
| parent | 604c848d0323f738be59d9a3de860c831c98c880 (diff) | |
| download | libtiff-60cd9839a31166fe83310f37f91ec5c4006d65de.tar.gz | |
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718
Credit to OSS Fuzz
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
| -rw-r--r-- | ChangeLog | 9 | ||||
| -rw-r--r-- | libtiff/tif_getimage.c | 19 |
2 files changed, 20 insertions, 8 deletions
@@ -1,3 +1,10 @@ +2017-05-20 Even Rouault <even.rouault at spatialys.com> + + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1718 + Credit to OSS Fuzz + 2017-05-18 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_getimage.c: initYCbCrConversion(): check luma[1] is not zero @@ -16,7 +23,7 @@ * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of luma and refBlackWhite coefficients (just check they are not NaN for now), to avoid potential float to int overflows. - Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 Credit to OSS Fuzz 2017-05-17 Even Rouault <even.rouault at spatialys.com> diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 1d5f3046..571cd184 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.105 2017-05-18 06:44:35 erouault Exp $ */ +/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -2239,6 +2239,11 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile) } #undef YCbCrtoRGB +static int isInRefBlackWhiteRange(float f) +{ + return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF; +} + static int initYCbCrConversion(TIFFRGBAImage* img) { @@ -2276,12 +2281,12 @@ initYCbCrConversion(TIFFRGBAImage* img) return (0); } - if( refBlackWhite[0] != refBlackWhite[0] || - refBlackWhite[1] != refBlackWhite[1] || - refBlackWhite[2] != refBlackWhite[2] || - refBlackWhite[3] != refBlackWhite[3] || - refBlackWhite[4] != refBlackWhite[4] || - refBlackWhite[5] != refBlackWhite[5] ) + if( !isInRefBlackWhiteRange(refBlackWhite[0]) || + !isInRefBlackWhiteRange(refBlackWhite[1]) || + !isInRefBlackWhiteRange(refBlackWhite[2]) || + !isInRefBlackWhiteRange(refBlackWhite[3]) || + !isInRefBlackWhiteRange(refBlackWhite[4]) || + !isInRefBlackWhiteRange(refBlackWhite[5]) ) { TIFFErrorExt(img->tif->tif_clientdata, module, "Invalid values for ReferenceBlackWhite tag"); |