Bug 2658 - Left shift by 24 places cannot be represented in type 'int' in tif_getimage.c
: Left shift by 24 places cannot be represented in type 'int' in tif_getimage.c
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P2 enhancement
: ---
Assigned To:
:
:
:
:
:
  Show dependency treegraph
 
Reported: 2017-01-09 15:21 by
Modified: 2017-04-10 02:02 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2017-01-09 15:21:03
In tif_getimage.c, in function putagreytile, there is a shift of unsigned char
by 24:
*(pp+1) << 24.

Since there is no cast, *(pp+1) is treated as int, so
UndefinedBehaviorSanitizer says:
runtime error: left shift of 134 by 24 places cannot be represented in type
'int'

Maybe we could have something like:

*cp++ = BWmap[*pp][0] & ((uint32)*(pp+1) << 24 | ~A1);

I'll send test case on request.
------- Comment #1 From 2017-01-11 11:38:45 -------
Fixed per

2017-01-11 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_getimage.c: add explicit uint32 cast in putagreytile to
        avoid UndefinedBehaviorSanitizer warning.
        Patch by Nicolás Peña.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2658


/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1207; previous revision: 1.1206
/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v  <-- 
libtiff/tif_getimage.c
new revision: 1.102; previous revision: 1.101
------- Comment #2 From 2017-04-10 02:02:21 -------
this is CVE-2017-7592