701176 – Integer overflow in source/fitz/load-tiff.c:272

Bug 701176 - Integer overflow in source/fitz/load-tiff.c:272

Summary: Integer overflow in source/fitz/load-tiff.c:272

Status:	RESOLVED FIXED

Alias:	None

Product:	MuPDF
Classification:	Unclassified
Component:	fitz (show other bugs)
Version:	unspecified
Hardware:	PC Windows 10

Importance:	P4 normal
Assignee:	MuPDF bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-06-06 15:32 UTC by Fulin Liu
Modified:	2019-06-10 13:48 UTC (History)
CC List:	1 user (show)

See Also:
Customer:
Word Size:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fulin Liu 2019-06-06 15:32:43 UTC

In source/fitz/load-tiff.c Line:272

272 *dst++ = a << (8 - tiff->bitspersample); 

if tiff->bitspersample = 16, 8 - tiff->bitspersample will revert to a very large value 4294967288, which is not our expectation.

I think it is an integer overflow issue.

Comment 1 Sebastian Rasmussen 2019-06-06 16:07:22 UTC

Do you have a file that can be used to reproduce the issue?

Comment 2 Fulin Liu 2019-06-06 18:29:46 UTC

Sorry, I just reviewed the source code. No POC now.

Comment 3 Sebastian Rasmussen 2019-06-10 13:48:51 UTC

Fixed in

commit b7892cdc7fae62aa57d63ae62144e1f11b5f9275
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Mon Jun 10 13:58:28 2019 +0200

    Bug 701176: Handle TIFFs with alpha that have more than 8 bits per sample.