https://github.com/libsdl-org/libtiff/commit/9036804e856bd8740acad9232af55b1eccab6e54
From 9036804e856bd8740acad9232af55b1eccab6e54 Mon Sep 17 00:00:00 2001
From: Lee Howard <[EMAIL REDACTED]>
Date: Tue, 14 Dec 2010 02:23:09 +0000
Subject: [PATCH] * libtiff/tif_color.c: prevent crash in handling bad
TIFFs resolves CVE-2010-2595
http://bugzilla.maptools.org/show_bug.cgi?id=2208
---
ChangeLog | 6 ++++++
libtiff/tif_color.c | 15 ++++++++++-----
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index c2fa93ed..cc1b9790 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2010-12-13 Lee Howard <faxguy@howardsilvan.com>
+
+ * libtiff/tif_color.c: prevent crash in handling bad TIFFs
+ resolves CVE-2010-2595
+ http://bugzilla.maptools.org/show_bug.cgi?id=2208
+
2010-12-13 Lee Howard <faxguy@howardsilvan.com>
* tools/tiffcrop.c: new release by Richard Nolde
diff --git a/libtiff/tif_color.c b/libtiff/tif_color.c
index 02eb346b..da140030 100644
--- a/libtiff/tif_color.c
+++ b/libtiff/tif_color.c
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.12.2.1 2010-06-08 18:50:41 bfriesen Exp $ */
+/* $Id: tif_color.c,v 1.12.2.2 2010-12-14 02:23:09 faxguy Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -183,13 +183,18 @@ void
TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
uint32 *r, uint32 *g, uint32 *b)
{
+ int32 i;
+
/* XXX: Only 8-bit YCbCr input supported for now */
Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
+ *r = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y]
+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
+ *g = CLAMP(i, 0, 255);
+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
+ *b = CLAMP(i, 0, 255);
}
/*