* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and

PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
potential invalid memory write on corrupted/unexpected images when
using the TIFFRGBAImageBegin() interface (reported by
Clay Wood)

(CVE-2016-587)

ChangeLog

@@ -1,7 +1,16 @@
+2016-07-01  Even Rouault <even.rouault at spatialys.com>
+
+	* libtiff/tif_luv.c: validate that for COMPRESSION_SGILOG and
+	PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid
+	potential invalid memory write on corrupted/unexpected images when
+	using the TIFFRGBAImageBegin() interface (reported by
+	Clay Wood)
+
 2016-06-28  Even Rouault <even.rouault at spatialys.com>
 
 	* libtiff/tif_pixarlog.c: fix potential buffer write overrun in
 	PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
+	(CVE-2016-587)
 
 2016-06-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 

libtiff/tif_luv.c

@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
+/* $Id: tif_luv.c,v 1.42 2016-07-01 11:06:04 erouault Exp $ */
 
 /*
  * Copyright (c) 1997 Greg Ward Larson
@@ -1276,6 +1276,14 @@ LogL16InitState(TIFF* tif)
 	assert(sp != NULL);
 	assert(td->td_photometric == PHOTOMETRIC_LOGL);
 
+	if( td->td_samplesperpixel != 1 )
+	{
+		TIFFErrorExt(tif->tif_clientdata, module,
+		             "Sorry, can not handle LogL image with %s=%d",
+			     "Samples/pixel", td->td_samplesperpixel);
+		return 0;
+	}
+
 	/* for some reason, we can't do this in TIFFInitLogL16 */
 	if (sp->user_datafmt == SGILOGDATAFMT_UNKNOWN)
 		sp->user_datafmt = LogL16GuessDataFmt(td);