CPRID-2108
Information
File: source/fitz/load-tiff.c
Function: tiff_paste_subsampled_tile()
There is a stack-based buffer overflow in function tiff_paste_subsampled_tile().
To reproduce, use fz_load_tiff on data from the attached document.
Crash Trace:
=================================================================
==25501==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed5a0bfb0 at pc 0x5626baf21c33 bp 0x7ffed5a0be50 sp 0x7ffed5a0be40
WRITE of size 4 at 0x7ffed5a0bfb0 thread T0
#0 0x5626baf21c32 in tiff_paste_subsampled_tile source/fitz/load-tiff.c:509
#1 0x5626baf234e1 in tiff_decode_strips source/fitz/load-tiff.c:686
#2 0x5626baf286e8 in tiff_decode_samples source/fitz/load-tiff.c:1310
#3 0x5626baf29306 in fz_load_tiff_subimage source/fitz/load-tiff.c:1391
#4 0x5626baf29b97 in fz_load_tiff source/fitz/load-tiff.c:1431
Attachments:
poc.tiff
References: