You need to log in before you can comment on or make changes to this bug.
In tif_getimage.c, in function putagreytile, there is a shift of unsigned char by 24: *(pp+1) << 24. Since there is no cast, *(pp+1) is treated as int, so UndefinedBehaviorSanitizer says: runtime error: left shift of 134 by 24 places cannot be represented in type 'int' Maybe we could have something like: *cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1); I'll send test case on request.
Fixed per 2017-01-11 Even Rouault <even.rouault at spatialys.com> * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to avoid UndefinedBehaviorSanitizer warning. Patch by Nicolás Peña. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658 /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog new revision: 1.1207; previous revision: 1.1206 /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v <-- libtiff/tif_getimage.c new revision: 1.102; previous revision: 1.101
this is CVE-2017-7592