Re: tiff / CVE-2018-7456

Hugo Lefeuvre writes: > So, in fact it may very well be that the size of the TransferFunction table > is always at most 3 rows and this definition is right. Is the code that loads the transfer function safe? Is there any possibility of tricking the loading function to try and

Re: tiff / CVE-2018-7456

Hugo Lefeuvre writes: > So, after some debugging on CVE-2018-7456, I start to get the feeling to > understand the issue. > > Here are my conclusions for the moment: > > * In any case, the transfer function should not care about other > channels defined by ExtraSamples (see 2nd

Re: tiff / CVE-2018-7456

Hugo Lefeuvre writes: > Sure ? To me it looked like three entries are provided, but the fourth > (td->td_transferfunction[3]) isn't. I was about to write justification for how I was absolutely sure of this. Then I realized the loop is: for (i = 1; i < td->td_samplesperpixel;

Re: tiff / CVE-2018-7456

So, after some debugging on CVE-2018-7456, I start to get the feeling to understand the issue. Here are my conclusions for the moment: * In any case, the transfer function should not care about other channels defined by ExtraSamples (see 2nd and 3rd paragraphs of TransferFunction entry, page