pull in roundtrip thresholds much more tightly
There are all sorts of dangerous values to work with up there near
INT_MAX, see associated bug. We can just check we fall in the table.
Bug: oss-fuzz:8142
Change-Id: I3cc6844a6efbe5351d6714664faf39d3ded5bca7
Reviewed-on: https://skia-review.googlesource.com/125861
Auto-Submit: Mike Klein <mtklein@chromium.org>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
diff --git a/profiles/fuzz/polytf_big_float_to_int_cast.icc b/profiles/fuzz/polytf_big_float_to_int_cast.icc
new file mode 100644
index 0000000..ad5c184
--- /dev/null
+++ b/profiles/fuzz/polytf_big_float_to_int_cast.icc
Binary files differ
diff --git a/profiles/fuzz/polytf_big_float_to_int_cast.icc.txt b/profiles/fuzz/polytf_big_float_to_int_cast.icc.txt
new file mode 100644
index 0000000..065f4aa
--- /dev/null
+++ b/profiles/fuzz/polytf_big_float_to_int_cast.icc.txt
@@ -0,0 +1,37 @@
+ Size : 0x0000020C : 524
+ Data color space : 0x20202020 : ' '
+ PCS : 0x58595A20 : 'XYZ '
+ Tag count : 0x0000000A : 10
+
+ Tag : Type : Size : Offset
+ ------ : ------ : ------ : --------
+ ' ' : ' ' : 32 : 32
+ ' ' : ' ' : 32 : 288
+ ' ' : ' ' : 32 : 288
+ ' ' : ' ' : 32 : 288
+ 'rXYZ' : 'XYZ ' : 32 : 400
+ 'gXYZ' : 'XYZ ' : 32 : 420
+ 'bXYZ' : 'XYZ ' : 32 : 440
+ 'rTRC' : 'para' : 32 : 456
+ 'gTRC' : 'para' : 32 : 456
+ 'bTRC' : 'curv' : 32 : 460
+
+rTRC : 1.525879e-05, 0.003890991, -32768, 8224.125, 0, 0, 0
+gTRC : 1.525879e-05, 0.003890991, -32768, 8224.125, 0, 0, 0
+bTRC : 0, 1, 0, 0, 0, 0, 0
+ XYZ : | 8224.125000000 8224.125000000 8224.125000000 |
+ | 8224.125000000 8224.125000000 8224.125000000 |
+ | 8224.125000000 -223.874511719 28769.447265625 |
+252 random bytes transformed to linear XYZD50 bytes:
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
+ ffffff ffffff ffffff ffffff ffffff ffffff ffffff
diff --git a/src/PolyTF.c b/src/PolyTF.c
index 62da2d4..6ffbc50 100644
--- a/src/PolyTF.c
+++ b/src/PolyTF.c
@@ -149,7 +149,7 @@
float rt = skcms_TransferFunction_eval(&inv, eval_poly_tf(x, A,B,C,D))
* (N-1) + 0.5f;
- if (!isfinitef_(rt) || rt > INT_MAX || rt < -INT_MAX) {
+ if (!isfinitef_(rt) || rt >= N || rt < 0) {
return false;
}
diff --git a/tests.c b/tests.c
index 6015db1..d1f1e41 100644
--- a/tests.c
+++ b/tests.c
@@ -511,8 +511,9 @@
"profiles/fuzz/mangled_trc_tags.icc", // chromium:835666
"profiles/fuzz/negative_g_para.icc", // chromium:836634
- // Once caused skcms_PolyTF fit to round trip an index to infinity.
+ // Caused skcms_PolyTF fit to round trip indices outside the range of int.
"profiles/fuzz/infinite_roundtrip.icc", // oss-fuzz:8101
+ "profiles/fuzz/polytf_big_float_to_int_cast.icc", // oss-fuzz:8142
// Caused skcms_ApproximateCurve to violate the a*d+b >= 0 constraint.
"profiles/fuzz/inverse_tf_adb_negative.icc", // oss-fuzz:8130
