Hugo Lefeuvre writes:
> So, in fact it may very well be that the size of the TransferFunction table
> is always at most 3 rows and this definition is right.
Is the code that loads the transfer function safe? Is there any
possibility of tricking the loading function to try and
Hugo Lefeuvre writes:
> So, after some debugging on CVE-2018-7456, I start to get the feeling to
> understand the issue.
>
> Here are my conclusions for the moment:
>
> * In any case, the transfer function should not care about other
> channels defined by ExtraSamples (see 2nd
Hugo Lefeuvre writes:
> Sure ? To me it looked like three entries are provided, but the fourth
> (td->td_transferfunction[3]) isn't.
I was about to write justification for how I was absolutely sure of
this.
Then I realized the loop is:
for (i = 1; i < td->td_samplesperpixel;
So, after some debugging on CVE-2018-7456, I start to get the feeling to
understand the issue.
Here are my conclusions for the moment:
* In any case, the transfer function should not care about other
channels defined by ExtraSamples (see 2nd and 3rd paragraphs of
TransferFunction entry, page