36 lines
1.4 KiB
Diff
36 lines
1.4 KiB
Diff
Using an array to clamp translated YCbCr values is insecure, because if the
|
|
TIFF file contains bogus ReferenceBlackWhite parameters, the computed RGB
|
|
values could be very far out of range (much further than the current array
|
|
size, anyway), possibly resulting in SIGSEGV. Just drop the whole idea in
|
|
favor of using a comparison-based macro to clamp. See RH bug #583081.
|
|
|
|
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2208
|
|
|
|
|
|
diff -Naur tiff-3.9.2.orig/libtiff/tif_color.c tiff-3.9.2/libtiff/tif_color.c
|
|
--- tiff-3.9.2.orig/libtiff/tif_color.c 2006-02-09 10:42:20.000000000 -0500
|
|
+++ tiff-3.9.2/libtiff/tif_color.c 2010-06-10 15:53:24.000000000 -0400
|
|
@@ -183,13 +183,18 @@
|
|
TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr,
|
|
uint32 *r, uint32 *g, uint32 *b)
|
|
{
|
|
+ int32 i;
|
|
+
|
|
/* XXX: Only 8-bit YCbCr input supported for now */
|
|
Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255);
|
|
|
|
- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]];
|
|
- *g = ycbcr->clamptab[ycbcr->Y_tab[Y]
|
|
- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)];
|
|
- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]];
|
|
+ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr];
|
|
+ *r = CLAMP(i, 0, 255);
|
|
+ i = ycbcr->Y_tab[Y]
|
|
+ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT);
|
|
+ *g = CLAMP(i, 0, 255);
|
|
+ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb];
|
|
+ *b = CLAMP(i, 0, 255);
|
|
}
|
|
|
|
/*
|