* libtiff/tif_color.c: prevent crash in handling bad TIFFs

        resolves CVE-2010-2595
        http://bugzilla.maptools.org/show_bug.cgi?id=2208

2 files changed, 16 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index c2fa93ed..cc1b9790 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2010-12-13  Lee Howard <faxguy@howardsilvan.com>
 
+	* libtiff/tif_color.c: prevent crash in handling bad TIFFs
+	resolves CVE-2010-2595
+	http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
+2010-12-13  Lee Howard <faxguy@howardsilvan.com>
+
 	* tools/tiffcrop.c: new release by Richard Nolde
 	http://bugzilla.maptools.org/show_bug.cgi?id=2004
 
diff --git a/libtiff/tif_color.c b/libtiff/tif_color.c
index 02eb346b..da140030 100644
--- a/libtiff/tif_color.c
+++ b/libtiff/tif_color.c
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.12.2.1 2010-06-08 18:50:41 bfriesen Exp $ */
+/* $Id: tif_color.c,v 1.12.2.2 2010-12-14 02:23:09 faxguy Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -183,13 +183,18 @@ void
 TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
 	       uint32 *r, uint32 *g, uint32 *b)
 {
+	int32 i;
+
 	/* XXX: Only 8-bit YCbCr input supported for now */
 	Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
 
-	*r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
-	*g = ycbcr->clamptab[ycbcr->Y_tab[Y]
-	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
-	*b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+	i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+	*r = CLAMP(i, 0, 255);
+	i = ycbcr->Y_tab[Y]
+	    + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+	*g = CLAMP(i, 0, 255);
+	i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+	*b = CLAMP(i, 0, 255);
 }
 
 /*