[cairo-bugs] [Bug 10730] New: potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 23 14:25:00 PDT 2007


           Summary: potential controllable integer overflow in cairo-png.c
           Product: cairo
           Version: 1.4.5
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: png functions
        AssignedTo: cworth at cworth.org
        ReportedBy: gavin.sharp at gmail.com
         QAContact: cairo-bugs at cairographics.org

This bug was originally reported at
https://bugzilla.mozilla.org/show_bug.cgi?id=324008 by Georgi Guninski.

Quoting his comment 0 in that bug:

this seems like potential controllable integer overflow, though the code
does not seem used:
read_png (png_rw_ptr    read_func,
          void          *closure)
png_get_IHDR (png, info,
              &png_width, &png_height, &depth,
              &color_type, &interlace, NULL, NULL);
^^^^^^^^ this does not seem to validate enough.
pixel_size = 4;
data = malloc (png_width * png_height * pixel_size);
^^^^^^^^^^^^^^^ this may eventually overflow

can the above code be reached?
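
The wraparound described in the quoted comment, as an added example that is not part of the original report or of cairo's code: the unchecked product is modelled in 32-bit arithmetic beside a checked version. The function names, the `MAX_IMAGE_BYTES` cap and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on decoded image size; not a cairo constant. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* The unchecked product from the report, modelled in explicit 32-bit
 * arithmetic so it wraps modulo 2^32 the same way on every platform. */
static uint32_t unchecked_size32(uint32_t width, uint32_t height,
                                 uint32_t pixel_size)
{
    return width * height * pixel_size;
}

/* Checked product: returns 0 and stores the byte count in *out, or
 * returns -1 if a factor is zero or the total would exceed max_bytes.
 * Each multiplication is guarded by a division, so nothing can wrap. */
static int checked_image_size(uint32_t width, uint32_t height,
                              size_t pixel_size, size_t max_bytes,
                              size_t *out)
{
    size_t stride;

    if (width == 0 || height == 0 || pixel_size == 0)
        return -1;
    if (width > max_bytes / pixel_size)
        return -1;
    stride = (size_t)width * pixel_size;
    if (height > max_bytes / stride)
        return -1;
    *out = stride * height;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed dimensions: 32769 x 32768 at 4 bytes per pixel. */
    printf("unchecked: %u bytes\n",
           (unsigned)unchecked_size32(0x8001, 0x8000, 4));
    printf("checked:   %d\n",
           checked_image_size(0x8001, 0x8000, 4, MAX_IMAGE_BYTES, &n));
    return 0;
}
```

With the constructed dimensions the unchecked product comes out as 131072 bytes, while the pixel data for such an image needs more than 4 GiB; the checked version rejects the header before any allocation.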
