In tiff_expand_colormap(), a buffer for the expanded colormap data is allocated as follows:

stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples"); /* lcy: Target buffer */

and then filled as follows:

for (y = 0; y < tiff->imagelength; y++)
{
	src = tiff->samples + (unsigned int)(tiff->stride * y);
	dst = samples + (unsigned int)(stride * y);
	for (x = 0; x < tiff->imagewidth; x++)
	{
		if (tiff->extrasamples)
		{
			int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
			int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
			*dst++ = tiff->colormap[c + 0] >> 8;
			*dst++ = tiff->colormap[c + 0];
			*dst++ = tiff->colormap[c + maxval] >> 8;
			*dst++ = tiff->colormap[c + maxval];
			*dst++ = tiff->colormap[c + maxval * 2] >> 8;
			*dst++ = tiff->colormap[c + maxval * 2];
			if (tiff->bitspersample <= 16)
				*dst++ = a << (16 - tiff->bitspersample);
			else
				*dst++ = a >> (tiff->bitspersample - 16);
		}
		//......
	}
	//......
}

The allocation sizes each output row at (samplesperpixel + 2) * 2 bytes per pixel, i.e. it assumes samplesperpixel already counts the extra (alpha) sample. The extrasamples branch, however, writes 7 bytes per pixel (6 bytes of 16-bit RGB plus 1 alpha byte) no matter what samplesperpixel says. So a TIFF that declares samplesperpixel = 1 together with a nonzero extrasamples gets rows of 6 bytes per pixel but writes of 7 bytes per pixel: every row spills imagewidth bytes into the following row, and the last row spills imagewidth bytes past the end of the allocation — a heap buffer overflow (write). Since samplesperpixel and extrasamples are presumably taken from the file's header fields, this is reachable from a crafted input. Note also that src is indexed as two samples per pixel (x * 2 and x * 2 + 1); whether tiff->stride covers that when samplesperpixel = 1 is not visible here and should be confirmed, as it would be an over-read in the same situation. A fix should reject the inconsistent samplesperpixel/extrasamples combination (or size stride from the bytes the loop actually writes) before the allocation.
*** This bug has been marked as a duplicate of bug 703076 ***