* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for

refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz

2 files changed, 10 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index a2ddaac2..04881ba7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2017-05-29  Even Rouault <even.rouault at spatialys.com>
 
+	* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
+	refBlackWhite coefficients values. To avoid invalid float->int32 conversion
+	(when refBlackWhite[0] == 2147483648.f)
+	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
+	Credit to OSS Fuzz
+
+2017-05-29  Even Rouault <even.rouault at spatialys.com>
+
 	* libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
 	int32 overflow in TIFFYCbCrtoRGB().
 	Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 571cd184..d44a93c1 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */
 
 /*
  * Copyright (c) 1991-1997 Sam Leffler
@@ -2241,7 +2241,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile)
 
 static int isInRefBlackWhiteRange(float f)
 {
-    return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
+    return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
 }
 
 static int