In November I spent my 10 hours mainly working on CVE-2017-9935 /
tiff. I have understood the problem and I have changes that should fix
the problem now, which I am currently testing. A multi image tiff
function can have multiple transfer functions, but we assume it only has
My current fix involves checking the N value for the transfer table, and
aborting with an error if it changes.
In coming to this point, I discovered two additional problems:
* Pointers to transfer tables are used even though they may not have
been initialized. I have posted a patch to fix this.
* The transfer tables themselves appear to be arrays of unsigned 16 bit
integers. We define the pointer, however, as pointing to a
float, which looks wrong.
I am hesitant to fix this problem without more proof. Maybe this code
for processing transfer functions was never tested? It is starting to
seem like that. I have left feedback on the upstream bug report; however,
so far I have not received any responses.
My fix for the first problem should ideally check the transfer function
tables are identical; however, I left this off for now due to the
confusion over what type this data is.
As I am out of hours for this month, if anybody would like to take over,
please let me know and I will present you with all my work. Otherwise I
will continue next month.
Brian May <email@example.com>