unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
blob 060740d9532aa06bc395afb58ef5871381189106 2240 bytes (raw)
name: gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch 	 # note: path name is non-authoritative(*)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

 
Fix an integer overflow TIFFYCbCrtoRGB():

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844

3rd party Git reference:

https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717

2017-05-29  Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
        int32 overflow in TIFFYCbCrtoRGB().
        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
        Credit to OSS Fuzz


/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1241; previous revision: 1.1240
/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v  <--  libtiff/tif_color.c
new revision: 1.24; previous revision: 1.23

Index: libtiff/libtiff/tif_color.c
===================================================================
RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- libtiff/libtiff/tif_color.c	13 May 2017 18:17:34 -0000	1.23
+++ libtiff/libtiff/tif_color.c	29 May 2017 10:12:54 -0000	1.24
@@ -1,4 +1,4 @@
-/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
 
 /*
  * Copyright (c) 1988-1997 Sam Leffler
@@ -275,10 +275,10 @@
       for (i = 0, x = -128; i < 256; i++, x++) {
 	    int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
 			    refBlackWhite[5] - 128.0F, 127),
-                            -128.0F * 64, 128.0F * 64);
+                            -128.0F * 32, 128.0F * 32);
 	    int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
 			    refBlackWhite[3] - 128.0F, 127),
-                            -128.0F * 64, 128.0F * 64);
+                            -128.0F * 32, 128.0F * 32);
 
 	    ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
 	    ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
@@ -286,7 +286,7 @@
 	    ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
 	    ycbcr->Y_tab[i] =
 		    (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
-                                  -128.0F * 64, 128.0F * 64);
+                                  -128.0F * 32, 128.0F * 32);
       }
     }
 

debug log:

solving 060740d95 ...
found 060740d95 in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).