cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

* libtiff/tif_color.c: avoid potential int32 overflow in

Browse Source 
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
This commit is contained in:
Even Rouault 2017-05-13 18:17:34 +00:00
parent 0a5c524577
commit 0a6763b5a0
2 changed files with 37 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,3 +1,10 @@
2017-05-13 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_color.c: avoid potential int32 overflow in
TIFFYCbCrToRGBInit()
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1533
Credit to OSS-Fuzz
2017-05-13 Even Rouault <even.rouault at spatialys.com> 2017-05-13 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT * libtiff/tif_read.c: update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT

40
libtiff/tif_color.c
View File

@ -1,4 +1,4 @@
/* $Id: tif_color.c,v 1.22 2016-09-04 21:32:56 erouault Exp $ */ /* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
/* /*
* Copyright (c) 1988-1997 Sam Leffler * Copyright (c) 1988-1997 Sam Leffler
@ -199,6 +199,23 @@ TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
*b = CLAMP(i, 0, 255); *b = CLAMP(i, 0, 255);
} }
/* Clamp function for sanitization purposes. Normally clamping should not */
/* occur for well behaved chroma and refBlackWhite coefficients */
static float CLAMPw(float v, float vmin, float vmax)
{
if( v < vmin )
{
/* printf("%f clamped to %f\n", v, vmin); */
return vmin;
}
if( v > vmax )
{
/* printf("%f clamped to %f\n", v, vmax); */
return vmax;
}
return v;
}
/* /*
* Initialize the YCbCr->RGB conversion tables. The conversion * Initialize the YCbCr->RGB conversion tables. The conversion
* is done according to the 6.0 spec: * is done according to the 6.0 spec:
@ -238,10 +255,10 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
ycbcr->Cb_g_tab = ycbcr->Cr_g_tab + 256; ycbcr->Cb_g_tab = ycbcr->Cr_g_tab + 256;
ycbcr->Y_tab = ycbcr->Cb_g_tab + 256; ycbcr->Y_tab = ycbcr->Cb_g_tab + 256;
{ float f1 = 2-2*LumaRed; int32 D1 = FIX(f1); { float f1 = 2-2*LumaRed; int32 D1 = FIX(CLAMP(f1,0.0F,2.0F));
float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(f2); float f2 = LumaRed*f1/LumaGreen; int32 D2 = -FIX(CLAMP(f2,0.0F,2.0F));
float f3 = 2-2*LumaBlue; int32 D3 = FIX(f3); float f3 = 2-2*LumaBlue; int32 D3 = FIX(CLAMP(f3,0.0F,2.0F));
float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(f4); float f4 = LumaBlue*f3/LumaGreen; int32 D4 = -FIX(CLAMP(f4,0.0F,2.0F));
int x; int x;
#undef LumaBlue #undef LumaBlue
@ -256,17 +273,20 @@ TIFFYCbCrToRGBInit(TIFFYCbCrToRGB* ycbcr, float *luma, float *refBlackWhite)
* constructing tables indexed by the raw pixel data. * constructing tables indexed by the raw pixel data.
*/ */
for (i = 0, x = -128; i < 256; i++, x++) { for (i = 0, x = -128; i < 256; i++, x++) {
int32 Cr = (int32)Code2V(x, refBlackWhite[4] - 128.0F, int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
refBlackWhite[5] - 128.0F, 127); refBlackWhite[5] - 128.0F, 127),
int32 Cb = (int32)Code2V(x, refBlackWhite[2] - 128.0F, -128.0F * 64, 128.0F * 64);
refBlackWhite[3] - 128.0F, 127); int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
refBlackWhite[3] - 128.0F, 127),
-128.0F * 64, 128.0F * 64);
ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT); ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT); ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
ycbcr->Cr_g_tab[i] = D2*Cr; ycbcr->Cr_g_tab[i] = D2*Cr;
ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF; ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
ycbcr->Y_tab[i] = ycbcr->Y_tab[i] =
(int32)Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255); (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
-128.0F * 64, 128.0F * 64);
} }
} }