Bug 2208 - Bogus ReferenceBlackWhite values can crash libtiff
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: 3.9.0
Platform: All All
Importance: P2 normal
URL: https://bugzilla.redhat.com/show_bug....

Reported: 2010-06-10 15:24
Modified: 2016-07-10 07:54


Attachments
patch (1001 bytes, patch)
2010-06-10 15:24, Tom Lane

Description From 2010-06-10 15:24:31
Created an attachment (id=387)
patch

The test image shown at https://bugzilla.redhat.com/show_bug.cgi?id=583081 can
result in a crash in TIFFYCbCrtoRGB.  The problem is that the
ReferenceBlackWhite values are out of the range the code is expecting, leading
to values put into the various Cb_b_tab[] etc arrays that are also wildly out
of range, leading to crashing while trying to index clamptab[].

I am not sure whether the file's values for ReferenceBlackWhite should be
considered valid; maybe there is a bug in the way libtiff is
processing/interpreting them.  However, what I'm on about right now is not
crashing on a file containing bogus values.

I suggest that the safest thing is to abandon clamptab[] altogether and just
use the CLAMP macro, as in the attached minimal patch.  It's not clear that the
array indexing is even saving anything, and if we can't put a sure limit on the
range of the input values we may as well not bother with it.  I didn't go so
far as to remove the array from the data structure altogether, but that would
be a reasonable further change.
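
The failure mode and the proposed fix described above, as an added example that is not part of the original report, the attached patch, or libtiff's source. The table bounds, the function names and the linear rescale formula are assumptions made for illustration; the reference values are constructed.

```c
#include <stdio.h>

/* Hypothetical clamp table: only indexes TAB_MIN..TAB_MAX exist (bounds assumed). */
#define TAB_MIN (-256)
#define TAB_MAX 767
static unsigned char tab_storage[TAB_MAX - TAB_MIN + 1];

static void build_clamp_table(void)
{
    for (long v = TAB_MIN; v <= TAB_MAX; v++)
        tab_storage[v - TAB_MIN] = (unsigned char)(v < 0 ? 0 : v > 255 ? 255 : v);
}

/* Table clamp with a bounds check. Returns -1 for any value that an
 * unchecked table lookup would read from outside the table. */
static int table_clamp_checked(long v)
{
    if (v < TAB_MIN || v > TAB_MAX)
        return -1;
    return tab_storage[v - TAB_MIN];
}

/* Arithmetic clamp: defined for every input, no table and no index. */
static int arith_clamp(long v)
{
    return v < 0 ? 0 : v > 255 ? 255 : (int)v;
}

/* Assumed linear rescale of a sample code against file-supplied
 * reference black/white values (simplified stand-in, not libtiff's formula). */
static long rescale(long code, long ref_black, long ref_white, long full)
{
    long span = ref_white - ref_black;
    if (span == 0)
        span = 1;
    return (code - ref_black) * full / span;
}

int main(void)
{
    build_clamp_table();
    long sane  = rescale(200, 0, 255, 255); /* constructed sane reference range  */
    long bogus = rescale(200, 0, 1, 255);   /* constructed bogus reference range */
    printf("sane:  v=%ld table=%d arith=%d\n", sane, table_clamp_checked(sane), arith_clamp(sane));
    printf("bogus: v=%ld table=%d arith=%d\n", bogus, table_clamp_checked(bogus), arith_clamp(bogus));
    return 0;
}
```

Because the reference values come from the file, no fixed table size bounds the rescaled result, while the arithmetic clamp stays correct for any input.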
------- Comment #1 From 2010-10-18 15:54:45 -------
*** Bug 2240 has been marked as a duplicate of this bug. ***
------- Comment #3 From 2010-12-13 21:23:27 -------
Thanks.  I've applied the patch to both 3.9 and HEAD (4.0) branches.