Bug 703076

Summary: Buffer Overflow in tiff_expand_colormap() function in source/fitz/load-tiff.c:256:25
Product: MuPDF
Reporter: cylin <cylin.cs>
Component: mupdf
Assignee: MuPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: dushistov, robin.watts, sam
Priority: P4
Version: 1.18.0
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: A tiff file whose samplesperpixel == 1 and extrasamples == 4

Description cylin 2020-10-30 12:35:30 UTC
Created attachment 20086
A tiff file whose samplesperpixel == 1 and extrasamples == 4

Hello,

There is a buffer overflow in the tiff_expand_colormap() function in file source/fitz/load-tiff.c. In this function, a buffer is allocated from the heap to store the colormap information:

> stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
> samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples");

But during the following loop, if the extrasamples of the tiff is not equal to 0, this can cause an overflow:

> for (y = 0; y < tiff->imagelength; y++)  // 32
> {
>     src = tiff->samples + (unsigned int)(tiff->stride * y);
>     dst = samples + (unsigned int)(stride * y);
> 
>     for (x = 0; x < tiff->imagewidth; x++)
>     {
>         if (tiff->extrasamples)
>         {
>             int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
>             int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
>             *dst++ = tiff->colormap[c + 0] >> 8;
>             *dst++ = tiff->colormap[c + 0];
>             *dst++ = tiff->colormap[c + maxval] >> 8;
>             *dst++ = tiff->colormap[c + maxval];
>             *dst++ = tiff->colormap[c + maxval * 2] >> 8;
>             *dst++ = tiff->colormap[c + maxval * 2];
>             if (tiff->bitspersample <= 16)
>                 *dst++ = a << (16 - tiff->bitspersample);
>             else
>                 *dst++ = a >> (tiff->bitspersample - 16);
>         }
>         // ...
>     }
>     // ...
> }
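As an added illustration (not code from the report or from MuPDF), here is a standalone C model of the sizing arithmetic in the quoted function: the allocation is derived from samplesperpixel, while the loop's writes (6 RGB bytes plus one alpha byte per pixel) and its reads (index x*2+1) follow extrasamples. The helper names allocated_row_bytes(), written_row_bytes(), dest_overrun(), src_overread() and dims_consistent() are hypothetical, and dims_consistent() is an assumed precondition, not the upstream fix.

```c
/* Standalone model (added example, not MuPDF code) of the row sizing in
 * tiff_expand_colormap() as quoted above: the allocation is derived from
 * samplesperpixel, while the loop's writes and reads follow extrasamples. */
#include <stdbool.h>
#include <stdint.h>

struct tiff_dims {
    uint32_t imagewidth;
    uint32_t samplesperpixel;
    uint32_t extrasamples;
};

/* Destination bytes per row the allocation provides: width * (spp + 2) * 2. */
static uint64_t allocated_row_bytes(const struct tiff_dims *t)
{
    return (uint64_t)t->imagewidth * (t->samplesperpixel + 2) * 2;
}

/* Destination bytes per row the loop writes: 6 bytes of 16-bit RGB per pixel,
 * plus one alpha byte per pixel when extrasamples != 0. */
static uint64_t written_row_bytes(const struct tiff_dims *t)
{
    return (uint64_t)t->imagewidth * (t->extrasamples ? 7 : 6);
}

/* Bytes by which each destination row overruns its allocation (0 = none). */
static uint64_t dest_overrun(const struct tiff_dims *t)
{
    uint64_t a = allocated_row_bytes(t), w = written_row_bytes(t);
    return w > a ? w - a : 0;
}

/* Samples by which the loop over-reads each source row (0 = none): the alpha
 * path indexes x*2+1, i.e. two samples per pixel, while the source row holds
 * width * samplesperpixel samples. */
static uint64_t src_overread(const struct tiff_dims *t)
{
    uint64_t have = (uint64_t)t->imagewidth * t->samplesperpixel;
    uint64_t need = (uint64_t)t->imagewidth * (t->extrasamples ? 2 : 1);
    return need > have ? need - have : 0;
}

/* Assumed precondition (illustrative, not the upstream fix): a palette image
 * carries one index sample plus at most one alpha sample, so samplesperpixel
 * must agree with extrasamples before any buffer is sized from either. */
static bool dims_consistent(const struct tiff_dims *t)
{
    return t->extrasamples <= 1 && t->samplesperpixel == 1 + t->extrasamples;
}
```

For the attached file's combination (samplesperpixel == 1, extrasamples == 4) each row of a 16-pixel-wide image gets 96 bytes but receives 112, and the source row of 16 samples is read as if it held 32.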
Comment 2 Robin Watts 2021-02-26 16:20:53 UTC
*** Bug 703075 has been marked as a duplicate of this bug. ***