[Bug 48927] New: Heap buffer underflow in TiffFrameDecode_ReadTile when decoding 1x1 4bpp RGBA image

WineHQ Bugzilla wine-bugs at winehq.org
Mon Apr 13 10:45:04 CDT 2020


https://bugs.winehq.org/show_bug.cgi?id=48927

            Bug ID: 48927
           Summary: Heap buffer underflow in TiffFrameDecode_ReadTile when
                    decoding 1x1 4bpp RGBA image
           Product: Wine-staging
           Version: unspecified
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: thomas.faber at reactos.org
                CC: leslie_alistair at hotmail.com, z.figura12 at gmail.com
      Distribution: ---

Created attachment 66887
  --> https://bugs.winehq.org/attachment.cgi?id=66887
Debugger info from ReactOS

ReactOS bug for reference: https://jira.reactos.org/browse/CORE-16796

Apologies for not reproducing this on Wine; the bug & fix are pretty simple
though.

The gdiplus:image test tries to decode a 1x1 TIFF image, and
TiffFrameDecode_ReadTile assumes that the cached_tile is large enough for an
even number of output pixels (i.e. a full number of input bytes).

The issue appears to be with this Staging patch:
https://github.com/wine-staging/wine-staging/blob/master/patches/windowscodecs-TIFF_Support/0012-windowscodecs-Add-support-for-4bpp-RGBA-format-to-TI.patch

The attachment has a backtrace and relevant variables. The line numbers may not
match but the underflow got caught at:
            dst[0] = (b & 0x20) ? 0xff : 0; /* B */

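An added example, not Wine's or Wine-staging's code: an in-place 4bpp RGBA to 32bpp BGRA expansion that handles the odd trailing pixel separately, so a 1x1 tile never writes before the start of the buffer. The function names, the buffer contract (`pixels * 4` bytes), the nibble order and every bit position except the `0x20` blue mask quoted in the report are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* One packed pixel (4 bits) -> one BGRA pixel. The 0x20 -> B mapping is from
 * the report; the R, G and A bit positions are assumed. */
static void put_bgra(uint8_t *dst, uint8_t nibble)
{
    dst[2] = (nibble & 0x8) ? 0xff : 0; /* R */
    dst[1] = (nibble & 0x4) ? 0xff : 0; /* G */
    dst[0] = (nibble & 0x2) ? 0xff : 0; /* B */
    dst[3] = (nibble & 0x1) ? 0xff : 0; /* A */
}

/* Expand 4bpp RGBA to 32bpp BGRA in place, back to front. On entry buf holds
 * (pixels + 1) / 2 packed bytes (high nibble first, assumed); on success its
 * first pixels * 4 bytes hold the output. Returns -1 if buf is too small. */
int expand_4bpp_rgba(uint8_t *buf, size_t buf_size, size_t pixels)
{
    if (pixels == 0 || pixels > SIZE_MAX / 4 || buf_size < pixels * 4)
        return -1;

    size_t count = (pixels + 1) / 2;      /* packed source bytes */
    const uint8_t *src = buf + count;     /* one past the last source byte */
    uint8_t *dst = buf + pixels * 4;      /* one past the last output byte */

    if (pixels & 1) {
        /* Odd pixel count: the last source byte carries one pixel only.
         * Emitting two here would start the write 4 bytes early, which for
         * a 1x1 tile is 4 bytes before the start of the buffer. */
        dst -= 4;
        put_bgra(dst, *--src >> 4);
        count--;
    }
    while (count--) {
        uint8_t b = *--src;
        dst -= 8;
        put_bgra(dst, b >> 4);
        put_bgra(dst + 4, b & 0x0f);
    }
    return 0;
}

int main(void)
{
    uint8_t tile[4] = { 0xA0 };           /* constructed 1x1 tile: R and B set */
    return expand_4bpp_rgba(tile, sizeof tile, 1);
}
```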