Bug 701176

Summary: Integer overflow in source/fitz/load-tiff.c:272
Product: MuPDF
Reporter: Fulin Liu <sfpskywood>
Component: fitz
Assignee: MuPDF bugs <mupdf-bugs>
Severity: normal
CC: sebastian.rasmussen
Priority: P4
Version: unspecified
Hardware: PC
OS: Windows 10
Customer:
Word Size: ---

Description Fulin Liu 2019-06-06 15:32:43 UTC
In source/fitz/load-tiff.c, line 272:

272 *dst++ = a << (8 - tiff->bitspersample); 

If tiff->bitspersample = 16, 8 - tiff->bitspersample will revert to a very large value, 4294967288, which is not our expectation.

I think it is an integer overflow issue.

Comment 1 Sebastian Rasmussen 2019-06-06 16:07:22 UTC
Do you have a file that can be used to reproduce the issue?

Comment 2 Fulin Liu 2019-06-06 18:29:46 UTC
Sorry, I just reviewed the source code. No POC now.

Comment 3 Sebastian Rasmussen 2019-06-10 13:48:51 UTC
Fixed in

commit b7892cdc7fae62aa57d63ae62144e1f11b5f9275
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Mon Jun 10 13:58:28 2019 +0200

    Bug 701176: Handle TIFFs with alpha that have more than 8 bits per sample.
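
The wrap described in the report, next to a range-checked way of scaling samples to 8 bits, as an added example that is neither MuPDF's code nor the fix in the commit above. All function names are hypothetical; the unsigned field type (implied by the reported value 4294967288), MSB-first sample packing and the accepted range of 1 to 16 bits per sample are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 8 - bps on an unsigned operand wraps once bps > 8; computed only, never used to shift. */
static uint32_t reported_shift_count(uint32_t bps) { return 8u - bps; }

/* Read sample number idx (bps bits wide, MSB first) from a packed buffer. */
static uint32_t get_sample(const uint8_t *buf, size_t idx, uint32_t bps)
{
	uint32_t v = 0;
	size_t bit = idx * bps;
	for (uint32_t i = 0; i < bps; i++, bit++)
		v = (v << 1) | ((buf[bit >> 3] >> (7 - (bit & 7))) & 1u);
	return v;
}

/* Scale a bps-bit sample to 8 bits with a shift count that is always in
 * range: left for narrow samples, right for wide ones. -1 if bps not in 1..16. */
static int scale_to_8bit(uint32_t sample, uint32_t bps, uint8_t *out)
{
	if (bps < 1 || bps > 16)
		return -1;
	if (bps <= 8)
		*out = (uint8_t)(sample << (8 - bps));
	else
		*out = (uint8_t)(sample >> (bps - 8));
	return 0;
}

/* Convert n packed samples to 8 bits; -1 on unsupported bps or a short buffer. */
static int convert_row(const uint8_t *src, size_t srclen, size_t n, uint32_t bps, uint8_t *dst)
{
	if (bps < 1 || bps > 16 || srclen > SIZE_MAX / 8 || n > srclen * 8 / bps)
		return -1;
	for (size_t i = 0; i < n; i++)
		if (scale_to_8bit(get_sample(src, i, bps), bps, &dst[i]) != 0)
			return -1;
	return 0;
}

int main(void)
{
	const uint8_t row16[] = { 0xFF, 0xFF, 0x80, 0x00 }; /* constructed: two 16-bit samples */
	uint8_t out[2];
	printf("8 - 16 as unsigned = %u\n", (unsigned)reported_shift_count(16));
	if (convert_row(row16, sizeof row16, 2, 16, out) == 0)
		printf("scaled: %u %u\n", (unsigned)out[0], (unsigned)out[1]);
	return 0;
}
```

Shifting a 32-bit value by a count of 32 or more is undefined behaviour in C, which is why the wrapped count is only computed here and the scaling path picks the shift direction from the sample width.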