diff options
author | erouault <erouault> | 2017-05-29 11:29:06 +0000 |
---|---|---|
committer | erouault <erouault> | 2017-05-29 11:29:06 +0000 |
commit | 71ecc236e5fcc1a7eede04445b23f5d1101fab6f (patch) | |
tree | 03581ed7a34f66633980f8729dfc370f2ac59d0d | |
parent | 8803bb1f955d9a534d8c415b383c0334ac728686 (diff) | |
download | libtiff-71ecc236e5fcc1a7eede04445b23f5d1101fab6f.tar.gz |
* libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
refBlackWhite coefficients values. To avoid invalid float->int32 conversion
(when refBlackWhite[0] == 2147483648.f)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
Credit to OSS Fuzz
-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | libtiff/tif_getimage.c | 4 |
2 files changed, 10 insertions, 2 deletions
@@ -1,5 +1,13 @@ 2017-05-29 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for + refBlackWhite coefficients values. To avoid invalid float->int32 conversion + (when refBlackWhite[0] == 2147483648.f) + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907 + Credit to OSS Fuzz + +2017-05-29 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in TIFFYCbCrtoRGB(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 571cd184..d44a93c1 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */ +/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -2241,7 +2241,7 @@ DECLARESepPutFunc(putseparate8bitYCbCr11tile) static int isInRefBlackWhiteRange(float f) { - return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF; + return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF; } static int |