Created an attachment (id=387): patch

The test image shown at https://bugzilla.redhat.com/show_bug.cgi?id=583081 can result in a crash in TIFFYCbCrtoRGB. The problem is that the ReferenceBlackWhite values are out of the range the code is expecting, leading to values put into the various Cb_b_tab[] etc. arrays that are also wildly out of range, leading to crashing while trying to index clamptab[]. I am not sure whether the file's values for ReferenceBlackWhite should be considered valid; maybe there is a bug in the way libtiff is processing/interpreting them. However, what I'm on about right now is not crashing on a file containing bogus values. I suggest that the safest thing is to abandon clamptab[] altogether and just use the CLAMP macro, as in the attached minimal patch. It's not clear that the array indexing is even saving anything, and if we can't put a sure limit on the range of the input values we may as well not bother with it. I didn't go so far as to remove the array from the data structure altogether, but that would be a reasonable further change.
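A hypothetical, simplified conversion in the spirit of the suggestion above (an added illustration, not libtiff's TIFFYCbCrtoRGB and not the attached patch): each channel is clamped on the computed value with a CLAMP macro instead of being used as an index into a fixed-size table, a zero-width ReferenceBlackWhite range is guarded against division by zero, and non-finite values are caught before the cast. The parameter sets are constructed sample data.

```c
#include <math.h>
#include <stdint.h>
/* Hypothetical stand-in for a table-free YCbCr->RGB path: same arithmetic
 * shape as the libtiff routine, but nothing derived from file data indexes
 * an array, so out-of-range ReferenceBlackWhite values cannot crash it. */
#define CLAMP(f, min, max) ((f) < (min) ? (min) : (f) > (max) ? (max) : (f))

/* Default TIFF luma coefficients (ITU-R BT.601): red, green, blue. */
static const float luma[3] = {0.299f, 0.587f, 0.114f};

/* ReferenceBlackWhite as stored in the file: Y, Cb, Cr black/white pairs. */
typedef struct { float rbw[6]; } ycbcr_params;

/* Constructed parameter sets: sane 8-bit defaults, the kind of bogus range a
 * malformed file can carry, a zero-width range, and a non-finite value. */
static const ycbcr_params kValid      = {{0.0f, 255.0f, 128.0f, 255.0f, 128.0f, 255.0f}};
static const ycbcr_params kBogusRange = {{0.0f, 1.0f, 0.0f, 1.0f, 0.0f, 1.0f}};
static const ycbcr_params kZeroRange  = {{0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f}};
static const ycbcr_params kNonFinite  = {{NAN, 255.0f, 128.0f, 255.0f, 128.0f, 255.0f}};

/* Map a code value onto a reference range; a zero-width range is treated
 * as 1 so a malformed file cannot trigger a division by zero. */
static float code2v(float c, float rb, float rw, float scale)
{
    float range = rw - rb;
    return (c - rb) * scale / (range != 0.0f ? range : 1.0f);
}

/* Clamp to 0..255 and round. NaN/Inf fall through CLAMP's comparisons,
 * so they are caught explicitly instead of being cast to unsigned. */
static uint8_t clamp255(float v)
{
    if (!isfinite(v)) return 0;
    return (uint8_t)(CLAMP(v, 0.0f, 255.0f) + 0.5f);
}

/* Convert one YCbCr triple to packed 0xRRGGBB; every channel is clamped
 * on its value, even when intermediates are wildly out of range. */
uint32_t ycbcr_to_rgb(const ycbcr_params *p, uint8_t Y, uint8_t Cb, uint8_t Cr)
{
    float y  = code2v((float)Y,  p->rbw[0], p->rbw[1], 255.0f);
    float cb = code2v((float)Cb, p->rbw[2], p->rbw[3], 127.0f);
    float cr = code2v((float)Cr, p->rbw[4], p->rbw[5], 127.0f);
    float r = y + cr * (2.0f - 2.0f * luma[0]);
    float b = y + cb * (2.0f - 2.0f * luma[2]);
    float g = (y - luma[0] * r - luma[2] * b) / luma[1];
    return ((uint32_t)clamp255(r) << 16) | ((uint32_t)clamp255(g) << 8) | clamp255(b);
}
```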
*** Bug 2240 has been marked as a duplicate of this bug. ***
Was also reported as http://bugzilla.maptools.org/show_bug.cgi?id=2240 and reproducible with http://alt.swiecki.net/j/t/ycbcrtorgb.tif. Has been assigned http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2595. Fixed in downstream releases: http://pkgs.fedoraproject.org/gitweb/?p=libtiff.git;a=blob;f=libtiff-ycbcr-clamp.patch;h=fbd10bb576a19c49936c2e5b67ff0177211c230b;hb=8a8bf6704497c5165ec5233eb1b8ce8992173d94
Thanks. I've applied the patch to both 3.9 and HEAD (4.0) branches.