Created attachment 20086
A tiff file whose samplesperpixel == 1 and extrasamples == 4

Hello,

There is a buffer overflow in the tiff_expand_colormap() function in file source/fitz/load-tiff.c. In this function, a buffer is allocated from the heap to store the colormap information:

> stride = tiff->imagewidth * (tiff->samplesperpixel + 2) * 2;
> samples = Memento_label(fz_malloc(ctx, (size_t)stride * tiff->imagelength), "tiff_samples");

But during the following loop, if the extrasamples of the tiff is not equal to 0, this can cause an overflow:

> for (y = 0; y < tiff->imagelength; y++)
> {
>     src = tiff->samples + (unsigned int)(tiff->stride * y);
>     dst = samples + (unsigned int)(stride * y);
>
>     for (x = 0; x < tiff->imagewidth; x++)
>     {
>         if (tiff->extrasamples)
>         {
>             int c = tiff_getcomp(src, x * 2, tiff->bitspersample);
>             int a = tiff_getcomp(src, x * 2 + 1, tiff->bitspersample);
>             *dst++ = tiff->colormap[c + 0] >> 8;
>             *dst++ = tiff->colormap[c + 0];
>             *dst++ = tiff->colormap[c + maxval] >> 8;
>             *dst++ = tiff->colormap[c + maxval];
>             *dst++ = tiff->colormap[c + maxval * 2] >> 8;
>             *dst++ = tiff->colormap[c + maxval * 2];
>             if (tiff->bitspersample <= 16)
>                 *dst++ = a << (16 - tiff->bitspersample);
>             else
>                 *dst++ = a >> (tiff->bitspersample - 16);
>         }
>         // ...
>     }
>     // ...
> }
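The size mismatch in the report can be checked arithmetically without parsing a TIFF: the allocation budgets (samplesperpixel + 2) * 2 bytes per pixel, while the loop stores 6 colormap bytes plus 1 alpha byte per pixel whenever extrasamples is non-zero. The following is an added example (not MuPDF's code and not the upstream fix) that replays the loop's write pattern against a bounds-tracked buffer and reports how many bytes would land past the end; the "fixed" sizing that derives the stride from the bytes actually emitted is an assumption about one way to size the buffer correctly.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes the quoted loop stores per pixel: three 16-bit channels (6 bytes)
 * plus one alpha byte when extrasamples != 0. */
static size_t colormap_bytes_per_pixel(int extrasamples)
{
    return extrasamples ? 7 : 6;
}

/* Bytes per pixel the quoted allocation budgets: (samplesperpixel + 2) * 2. */
static size_t allocated_bytes_per_pixel(int samplesperpixel)
{
    return (size_t)(samplesperpixel + 2) * 2;
}

/* Replay the loop's dst writes as offsets against a buffer of `cap` bytes
 * laid out with the given row stride. Returns the largest number of bytes
 * written past `cap` (0 means every store stays inside the allocation). */
static size_t simulate_expand(unsigned width, unsigned height, size_t stride,
                              size_t cap, int extrasamples)
{
    size_t worst = 0;
    for (unsigned y = 0; y < height; y++) {
        size_t off = stride * y;               /* dst = samples + stride * y */
        for (unsigned x = 0; x < width; x++) {
            off += colormap_bytes_per_pixel(extrasamples);
            if (off > cap && off - cap > worst)
                worst = off - cap;
        }
    }
    return worst;
}

/* Overrun with the stride exactly as the report quotes it. */
size_t colormap_overrun(unsigned width, unsigned height,
                        int samplesperpixel, int extrasamples)
{
    size_t stride = (size_t)width * allocated_bytes_per_pixel(samplesperpixel);
    return simulate_expand(width, height, stride, stride * height, extrasamples);
}

/* Overrun when the stride is derived from the bytes the loop really emits
 * (hypothetical sizing, not the project's patch). */
size_t colormap_overrun_fixed(unsigned width, unsigned height, int extrasamples)
{
    size_t stride = (size_t)width * colormap_bytes_per_pixel(extrasamples);
    return simulate_expand(width, height, stride, stride * height, extrasamples);
}
```

For a 4x2 image with samplesperpixel == 1 and extrasamples == 4, as in the attachment, the quoted sizing lets the last row run 4 bytes past the heap block (one byte per pixel), while the emitted-bytes sizing reports no overrun.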
Fix in testing: https://git.ghostscript.com/?p=user/robin/mupdf.git;a=commitdiff;h=8b0120cfd51b7f8db2409a4cdcc4d916df590160
*** Bug 703075 has been marked as a duplicate of this bug. ***