| Summary: | Buffer Overflow in tiff_expand_colormap() function | | |
|---|---|---|---|
| Product: | MuPDF | Reporter: | cylin <cylin.cs> |
| Component: | mupdf | Assignee: | MuPDF bugs <mupdf-bugs> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | normal | CC: | robin.watts |
| Priority: | P4 | | |
| Version: | 1.18.0 | | |
| Hardware: | PC | | |
| OS: | All | | |
| Customer: | | Word Size: | --- |
*** This bug has been marked as a duplicate of bug 703076 ***
In function tiff_expand_colormap(), a buffer is malloc'ed to save the colormap data, as follows:

```c
stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples"); /* lcy: Target buffer */
```

and this buffer is filled as follows:

```c
for (y = 0; y < tiff->imagelength; y++) {
	src = tiff->samples + (unsigned int)(tiff->stride * y);
	dst = samples + (unsigned int)(stride * y);
	for (x = 0; x < tiff->imagewidth; x++) {
		if (tiff->extrasamples) {
			int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
			int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
			*dst++ = tiff->colormap[c + 0] >> 8;
			*dst++ = tiff->colormap[c + 0];
			*dst++ = tiff->colormap[c + maxval] >> 8;
			*dst++ = tiff->colormap[c + maxval];
			*dst++ = tiff->colormap[c + maxval * 2] >> 8;
			*dst++ = tiff->colormap[c + maxval * 2];
			if (tiff->bitspersample <= 16)
				*dst++ = a << (16 - tiff->bitspersample);
			else
				*dst++ = a >> (tiff->bitspersample - 16);
		}
		//......
	}
	//......
}
```

So, if samplesperpixel=1 but extrasamples != 0, this will cause a buffer overflow.
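The size mismatch in the report, worked through as an added example (not part of the bug report, and neither MuPDF's code nor its fix): it compares the stride the excerpt allocates with the bytes the visible extrasamples branch stores per row, and shows a header pre-check that rejects the mismatch. `struct dims`, `alloc_stride`, `overrun_bytes` and `expand_is_safe` are hypothetical names, and only the stores visible in the excerpt are counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the struct tiff fields the excerpt reads. */
struct dims { unsigned imagewidth, imagelength, samplesperpixel, extrasamples; };

/* Visible extrasamples branch: three 16-bit colormap entries + one alpha store. */
enum { EXTRA_BRANCH_BYTES_PER_PIXEL = 7 };

/* Row stride as computed in the excerpt; 0 for an empty row or on overflow. */
static size_t alloc_stride(const struct dims *d)
{
	size_t per_pixel;
	if (d->imagewidth == 0 || d->samplesperpixel > 0xFFFF) /* TIFF SHORT field */
		return 0;
	per_pixel = ((size_t)d->samplesperpixel + 2) * 2;
	if (per_pixel > SIZE_MAX / d->imagewidth)
		return 0;
	return (size_t)d->imagewidth * per_pixel;
}

/* Bytes stored past the end of the allocation by the extrasamples branch. dst restarts
 * at stride * y for every row, so only the last row actually leaves the buffer. */
static size_t overrun_bytes(const struct dims *d)
{
	size_t stride = alloc_stride(d), row_written;
	if (!d->extrasamples || d->imagewidth == 0 || d->imagelength == 0)
		return 0;
	row_written = (size_t)d->imagewidth * EXTRA_BRANCH_BYTES_PER_PIXEL;
	return row_written > stride ? row_written - stride : 0;
}

/* Pre-check before expanding: 1 only if stride * imagelength is computable
 * and each row is large enough for what the loop will store. */
static int expand_is_safe(const struct dims *d)
{
	size_t stride = alloc_stride(d);
	if (stride == 0 || d->imagelength == 0 || stride > SIZE_MAX / d->imagelength)
		return 0;
	return overrun_bytes(d) == 0;
}

int main(void)
{
	struct dims reported = { 100, 10, 1, 1 }; /* constructed: samplesperpixel=1, extrasamples!=0 */
	printf("overrun=%zu safe=%d\n", overrun_bytes(&reported), expand_is_safe(&reported));
	return 0;
}
```

Counting only the stores shown in the excerpt, the reported combination overruns the allocation by imagewidth bytes.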