From 4a48d3846f4570c832754d38425a6792bf74cec3 Mon Sep 17 00:00:00 2001
From: erouault
Date: Wed, 17 May 2017 13:48:34 +0000
Subject: * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of luma and refBlackWhite coefficients (just check they are not NaN for now), to avoid potential float to int overflows. Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663 Credit to OSS Fuzz
---
 ChangeLog | 8 ++++++++
 libtiff/tif_getimage.c | 25 ++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index d5eb6874..6e642bb0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-05-17 Even Rouault
+
+ * libtiff/tif_getimage.c: initYCbCrConversion(): add basic validation of
+ luma and refBlackWhite coefficients (just check they are not NaN for now),
+ to avoid potential float to int overflows.
+ Fixes ://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1663
+ Credit to OSS Fuzz
+
 2017-05-17 Even Rouault
 * libtiff/tif_pixarlog.c: PixarLogDecode(): resync tif_rawcp with
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 58d7fc43..b1363cc6 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -1,4 +1,4 @@
-/* $Id: tif_getimage.c,v 1.103 2017-02-25 17:05:12 erouault Exp $ */
+/* $Id: tif_getimage.c,v 1.104 2017-05-17 13:48:35 erouault Exp $ */
 /*
 * Copyright (c) 1991-1997 Sam Leffler
@@ -2263,6 +2263,29 @@ initYCbCrConversion(TIFFRGBAImage* img)
 TIFFGetFieldDefaulted(img->tif, TIFFTAG_YCBCRCOEFFICIENTS, &luma);
 TIFFGetFieldDefaulted(img->tif, TIFFTAG_REFERENCEBLACKWHITE, &refBlackWhite);
+
+ /* Do some validation to avoid later issues. Detect NaN for now */
+ if( luma[0] != luma[0] ||
+ luma[1] != luma[1] ||
+ luma[2] != luma[2] )
+ {
+ TIFFErrorExt(img->tif->tif_clientdata, module,
+ "Invalid values for YCbCrCoefficients tag");
+ return (0);
+ }
+
+ if( refBlackWhite[0] != refBlackWhite[0] ||
+ refBlackWhite[1] != refBlackWhite[1] ||
+ refBlackWhite[2] != refBlackWhite[2] ||
+ refBlackWhite[3] != refBlackWhite[3] ||
+ refBlackWhite[4] != refBlackWhite[4] ||
+ refBlackWhite[5] != refBlackWhite[5] )
+ {
+ TIFFErrorExt(img->tif->tif_clientdata, module,
+ "Invalid values for ReferenceBlackWhite tag");
+ return (0);
+ }
+
 if (TIFFYCbCrToRGBInit(img->ycbcr, luma, refBlackWhite) < 0)
 return(0);
 return (1);
-- 
cgit v1.2.1
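Review bot: The two guards added before `TIFFYCbCrToRGBInit()` reject only NaN, so ±Inf and very large finite values in `luma[0..2]` and `refBlackWhite[0..5]` still reach the conversion setup; since both arrays come from tags in the file being decoded, the float-to-int overflow named in the commit message is presumably still reachable with such values (the callee is not visible here, so this is inferred). A bounded test written in negated form covers NaN as well, e.g. `if( !(luma[i] >= -COEFF_LIMIT && luma[i] <= COEFF_LIMIT) )` in a loop over each array, where `COEFF_LIMIT` is a placeholder for a bound the project would choose to fit the later integer conversion. If the `x != x` form stays, extend the comment to `/* x != x is true only for NaN; relies on IEEE comparisons, so do not build with -ffast-math */`, because that self-comparison can be folded away under finite-math optimisation. The body of `initYCbCrConversion()` begins above this hunk.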