diff options
| author | erouault <erouault> | 2017-05-17 13:48:34 +0000 |
|---|---|---|
| committer | erouault <erouault> | 2017-05-17 13:48:34 +0000 |
| commit | 4a48d3846f4570c832754d38425a6792bf74cec3 (patch) | |
| tree | cd322f658f597cbb771ce8a388a1ead456719761 | |
| parent | c13da5f909f928d600b0c041d107fc3f0fb64cb9 (diff) | |
| download | libtiff-4a48d3846f4570c832754d38425a6792bf74cec3.tar.gz | |
* libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
luma and refBlackWhite coefficients (just check they are not NaN for now),
to avoid potential float to int overflows.
Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
Credit to OSS Fuzz
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | libtiff/tif_getimage.c | 25 |
2 files changed, 32 insertions, 1 deletions
@@ -1,5 +1,13 @@ 2017-05-17 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of + luma and refBlackWhite coefficients (just check they are not NaN for now), + to avoid potential float to int overflows. + Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 + Credit to OSS Fuzz + +2017-05-17 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with next_in and tif_rawcc with avail_in at beginning and end of function, similarly to what is done in LZWDecode(). Likely needed so that it diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index 58d7fc43..b1363cc6 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -1,4 +1,4 @@ -/* $Id: tif_getimage.c,v 1.103 2017-02-25 17:05:12 erouault Exp $ */ +/* $Id: tif_getimage.c,v 1.104 2017-05-17 13:48:35 erouault Exp $ */ /* * Copyright (c) 1991-1997 Sam Leffler @@ -2263,6 +2263,29 @@ initYCbCrConversion(TIFFRGBAImage* img) TIFFGetFieldDefaulted(img->tif, TIFFTAG_YCBCRCOEFFICIENTS, &luma); TIFFGetFieldDefaulted(img->tif, TIFFTAG_REFERENCEBLACKWHITE, &refBlackWhite); + + /* Do some validation to avoid later issues. Detect NaN for now */ + if( luma[0] != luma[0] || + luma[1] != luma[1] || + luma[2] != luma[2] ) + { + TIFFErrorExt(img->tif->tif_clientdata, module, + "Invalid values for YCbCrCoefficients tag"); + return (0); + } + + if( refBlackWhite[0] != refBlackWhite[0] || + refBlackWhite[1] != refBlackWhite[1] || + refBlackWhite[2] != refBlackWhite[2] || + refBlackWhite[3] != refBlackWhite[3] || + refBlackWhite[4] != refBlackWhite[4] || + refBlackWhite[5] != refBlackWhite[5] ) + { + TIFFErrorExt(img->tif->tif_clientdata, module, + "Invalid values for ReferenceBlackWhite tag"); + return (0); + } + if (TIFFYCbCrToRGBInit(img->ycbcr, luma, refBlackWhite) < 0) return(0); return (1); |