[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 23 17:39:04 PDT 2007


------- Comment #4 from freedesktop at behdad.org  2007-04-23 17:38 PST -------
(In reply to comment #3)
> (In reply to comment #2)
> > I think what is meant is that "png_width * png_height * pixel_size" may
> > overflow an integer.
> Thanks for the explanation. This got mentioned to me as a potential security
> bug so I kept reading overflow as overrun instead of as *overflow* for some
> reasons.
> /me smacks forehead
> So, do we do the multiply into a uint64_t, shift off 32 bits, and check that
> it's zero? Or what's the best way to check for overflow here?

Best way to check overflow of a single multiplication of two unsigned integers
is to check that the result is not less than any of them.  In fact, just
checking one is enough.  That is, x * y has overflowed iff the result is < x. 
For three, we can go by ((x * y) * z).

> -Carl

Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the cairo-bugs mailing list