Bug 701176 - Integer overflow in source/fitz/load-tiff.c:272
Alias: None
Product: MuPDF
Classification: Unclassified
Component: fitz
Version: unspecified
Hardware: PC Windows 10
: P4 normal
Assignee: MuPDF bugs
Reported: 2019-06-06 15:32 UTC by Fulin Liu
Modified: 2019-06-10 13:48 UTC
Description Fulin Liu 2019-06-06 15:32:43 UTC
In source/fitz/load-tiff.c, line 272:

272 *dst++ = a << (8 - tiff->bitspersample); 

If tiff->bitspersample = 16, 8 - tiff->bitspersample will revert to a very large value, 4294967288, which is not our expectation.

I think it is an integer overflow issue.
Comment 1 Sebastian Rasmussen 2019-06-06 16:07:22 UTC
Do you have a file that can be used to reproduce the issue?
Comment 2 Fulin Liu 2019-06-06 18:29:46 UTC
Sorry, I just reviewed the source code. No POC now.
Comment 3 Sebastian Rasmussen 2019-06-10 13:48:51 UTC
Fixed in

commit b7892cdc7fae62aa57d63ae62144e1f11b5f9275
Author: Sebastian Rasmussen <sebras@gmail.com>
Date:   Mon Jun 10 13:58:28 2019 +0200

    Bug 701176: Handle TIFFs with alpha that have more than 8 bits per sample.
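The arithmetic from the report, as an added example that is neither MuPDF's code nor the fix in the commit above. It assumes an unsigned 32-bit bits-per-sample field (which the value 4294967288 in the report implies); `reported_shift_count` and `scale_sample_to_8bit` are hypothetical names, and the right shift for samples wider than 8 bits is one possible way to keep the shift count in range.

```c
#include <stdint.h>
#include <stdio.h>

/* Shift count as computed by the reported expression (8 - bitspersample),
 * assuming the field is an unsigned 32-bit integer. For any value above 8
 * the subtraction wraps modulo 2^32; shifting by such a count is undefined
 * behaviour in C because it exceeds the width of the operand. */
static uint32_t reported_shift_count(uint32_t bitspersample)
{
    return 8u - bitspersample;
}

/* Hypothetical helper: scale one sample of 1..16 bits to 8 bits while
 * keeping every shift count in the range 0..8.
 * Returns 0 on success, -1 if bps is outside the supported range. */
static int scale_sample_to_8bit(uint32_t sample, uint32_t bps, uint8_t *out)
{
    if (bps < 1 || bps > 16)
        return -1;                      /* reject before any shift happens */

    sample &= (1u << bps) - 1u;         /* drop bits above the sample width */

    if (bps <= 8)
        *out = (uint8_t)(sample << (8u - bps));  /* widen: count is 0..7 */
    else
        *out = (uint8_t)(sample >> (bps - 8u));  /* narrow: count is 1..8 */
    return 0;
}

int main(void)
{
    /* Constructed sample widths, including the 16-bit case from the report. */
    const uint32_t widths[] = { 1, 4, 8, 12, 16, 17 };
    size_t i;

    for (i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t bps = widths[i];
        uint8_t out = 0;
        int rc = scale_sample_to_8bit(0xFFFFu, bps, &out);

        printf("bps=%2u  8-bps=%10u  scaled=%s0x%02X\n",
               (unsigned)bps, (unsigned)reported_shift_count(bps),
               rc == 0 ? "" : "(rejected) ", (unsigned)out);
    }
    return 0;
}
```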