Bug 703076

Summary: Buffer Overflow in tiff_expand_colormap() function in source/fitz/load-tiff.c:256:25
Product: MuPDF Reporter: cylin <cylin.cs>
Component: mupdfAssignee: muPDF bugs <mupdf-bugs>
Status: RESOLVED FIXED QA Contact: Bug traffic <tech>
Severity: normal    
Priority: P4 CC: dushistov, robin.watts, sam
Version: 1.18.0   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: A tiff file whose samplesperpixel == 1 and extrasamples == 4

Description cylin 2020-10-30 12:35:30 UTC
Created attachment 20086 [details]
A tiff file whose samplesperpixel == 1 and extrasamples == 4

Hello,

There is a buffer overflow in tiff_expand_colormap() function in file source/fitz/load-tiff.c. In this function, a buffer is allocated from heap to store the colormap information:

> stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
> samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples");

But during the follow loop, if the extrasamples of tiff is not equal to 0, this can cause an overflow:

> for (y = 0; y < tiff->imagelength; y++)  // 32
> {
>     src = tiff->samples + (unsigned int)(tiff->stride * y);
>     dst = samples + (unsigned int)(stride * y);
> 
>     for (x = 0; x < tiff->imagewidth; x++)
>     {
>         if (tiff->extrasamples)
>         {
>             int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
>             int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
>             *dst++ = tiff->colormap[c + 0] >> 8;
>             *dst++ = tiff->colormap[c + 0];
>             *dst++ = tiff->colormap[c + maxval] >> 8;
>             *dst++ = tiff->colormap[c + maxval];
>             *dst++ = tiff->colormap[c + maxval * 2] >> 8;
>             *dst++ = tiff->colormap[c + maxval * 2];
>             if (tiff->bitspersample <= 16)
>                 *dst++ = a << (16 - tiff->bitspersample);
>             else
>                 *dst++ = a >> (tiff->bitspersample - 16);
>         }
>         // ...
>     }
>     // ...
> }
Comment 2 Robin Watts 2021-02-26 16:20:53 UTC
*** Bug 703075 has been marked as a duplicate of this bug. ***