Bug 2110 – Fax3Encode2DRow reads memory after refline's end

Bug 2110 - Fax3Encode2DRow reads memory after refline's end

Summary:

Fax3Encode2DRow reads memory after refline's end

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	3.9.0
Platform:	PC Windows NT

Importance:	P2 normal
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2009-10-25 22:14 by sergius.bobrovsky@gmail.com
Modified:	2019-10-01 14:19 (History)

Attachments
test image for a code in Description (1.35 KB, image/tiff) 2009-10-25 22:14, sergius.bobrovsky@gmail.com	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From sergius.bobrovsky@gmail.com 2009-10-25 22:14:02

Created an attachment (id=345) [details]
test image for a code in Description

In some cases PIXEL(buf,ix) macro reads memory at indices after buf's end.

You can check this by running tiff2pdf with following command:
tiff2pdf -o out.pdf tiger-minisblack-tile-01.tif (see attached image)

At one point PIXEL will be called with ix==16 and buf==rp, so (ix)>>3 will
evaluate in 2. At the same time refline (rp) has length == 2. So, PIXEL will
read memory after refline's end.

------- Comment #1 From Even Rouault 2019-10-01 14:19:20 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.