Bug 703075 - Buffer Overflow in tiff_expand_colormap() function
Status: RESOLVED DUPLICATE of bug 703076
Product: MuPDF
Classification: Unclassified
Component: mupdf
Version: 1.18.0
Hardware: PC All
Importance: P4 normal
Assignee: MuPDF bugs
Reported: 2020-10-30 12:25 UTC by cylin
Modified: 2021-02-26 16:20 UTC
Description cylin 2020-10-30 12:25:20 UTC
In function tiff_expand_colormap(), a buffer is malloc'd to hold the expanded colormap data as follows:


/* bytes per output row: (samplesperpixel + 2) 16-bit components per pixel; extrasamples is not counted */
stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples");  /* lcy: Target buffer */

and this buffer is filled as follows:

for (y = 0; y < tiff->imagelength; y++)
{
    src = tiff->samples + (unsigned int)(tiff->stride * y);
    dst = samples + (unsigned int)(stride * y);

    for (x = 0; x < tiff->imagewidth; x++)
    {
        if (tiff->extrasamples)
        {
            int c = tiff_getcomp(src, x * 2, tiff->bitspersample);      /* palette index */
            int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);  /* alpha sample */
            /* R, G, B: two bytes each, 6 bytes per pixel */
            *dst++ = tiff->colormap[c + 0] >> 8;
            *dst++ = tiff->colormap[c + 0];
            *dst++ = tiff->colormap[c + maxval] >> 8;
            *dst++ = tiff->colormap[c + maxval];
            *dst++ = tiff->colormap[c + maxval * 2] >> 8;
            *dst++ = tiff->colormap[c + maxval * 2];
            /* alpha: a 7th byte per pixel, which 'stride' does not account for when samplesperpixel == 1 */
            if (tiff->bitspersample <= 16)
                *dst++ = a << (16 - tiff->bitspersample);
            else
                *dst++ = a >> (tiff->bitspersample - 16);
        }
        //......
    }
    //......
}

So, if samplesperpixel = 1 but extrasamples != 0, this will cause a buffer overflow.
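As an added example (not MuPDF's code and not from the reporter), a C model of the excerpt's allocation and write loop for 8-bit samples, in which every destination byte is checked against the allocation so the overrun is counted rather than corrupting memory; the struct, the function names and the sample inputs are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Added model, not MuPDF code: same allocation and write pattern as the
 * excerpt (8-bit samples), but each destination byte is bounds-checked. */
struct expand_model {
    unsigned width, height, samplesperpixel, extrasamples;
    size_t allocated;   /* bytes malloc'd for 'dst': stride * imagelength */
    size_t overrun;     /* bytes the loop tried to write past 'allocated' */
    uint8_t *dst;
};
/* Allocation arithmetic copied from the excerpt. */
static size_t model_stride(unsigned width, unsigned samplesperpixel)
{
    return (size_t)width * (samplesperpixel + 2) * 2;
}
/* Store one byte if it lands inside the allocation, else count it. */
static void checked_put(struct expand_model *m, size_t off, uint8_t v)
{
    if (off < m->allocated)
        m->dst[off] = v;
    else
        m->overrun++;
}
/* src holds one palette index per pixel, followed by one alpha byte when
 * extrasamples != 0 (the excerpt's x*2 / x*2+1 layout). colormap holds
 * 3 * maxval entries (R block, G block, B block). Returns the number of
 * bytes written past the allocation; 0 means the buffer was big enough. */
static size_t model_expand(struct expand_model *m, const uint8_t *src,
                           const uint16_t *colormap, unsigned maxval)
{
    size_t stride = model_stride(m->width, m->samplesperpixel);
    unsigned srcpix = 1 + (m->extrasamples ? 1 : 0);
    m->overrun = 0;
    for (unsigned y = 0; y < m->height; y++) {
        size_t off = stride * y;                  /* dst = samples + stride * y */
        for (unsigned x = 0; x < m->width; x++) {
            const uint8_t *p = src + ((size_t)y * m->width + x) * srcpix;
            unsigned c = p[0];
            for (unsigned ch = 0; ch < 3; ch++) { /* 3 channels x 2 bytes */
                uint16_t v = colormap[c + ch * maxval];
                checked_put(m, off++, (uint8_t)(v >> 8));
                checked_put(m, off++, (uint8_t)v);
            }
            if (m->extrasamples)                  /* the 7th byte per pixel */
                checked_put(m, off++, p[1]);
        }
    }
    return m->overrun;
}
```

With width 4, height 2, samplesperpixel 1 and extrasamples 1 the model returns 4: each 24-byte row receives 28 bytes, so the last row runs 4 bytes past the 48-byte allocation, while the extrasamples == 0 case fits exactly.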
Comment 1 Robin Watts 2021-02-26 16:20:53 UTC

*** This bug has been marked as a duplicate of bug 703076 ***