[cairo-bugs] [Bug 10730] New: potential controllable integer overflow in cairo-png.c
bugzilla-daemon at freedesktop.org
Mon Apr 23 14:25:00 PDT 2007
http://bugs.freedesktop.org/show_bug.cgi?id=10730
Summary: potential controllable integer overflow in cairo-png.c
Product: cairo
Version: 1.4.5
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: medium
Component: png functions
AssignedTo: cworth at cworth.org
ReportedBy: gavin.sharp at gmail.com
QAContact: cairo-bugs at cairographics.org
This bug was originally reported at
https://bugzilla.mozilla.org/show_bug.cgi?id=324008 by Georgi Guninski.
Quoting his comment 0 in that bug:
this seems like potential controllable integer overflow, though the code
does not seem used:

"gfx/cairo/cairo/src/cairo-png.c"

read_png (png_rw_ptr read_func,
          void *closure)

    png_get_IHDR (png, info,
                  &png_width, &png_height, &depth,
                  &color_type, &interlace, NULL, NULL);
    ^^^^^^^^ this does not seem to validate enough.

    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
    ^^^^^^^^^^^^^^^ this may eventually overflow

can the above code be reached?
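
The size computation questioned in the report, next to an overflow-checked version, as an added example that is not code from cairo or from the original report. It assumes the dimensions are 32-bit unsigned values, as png_get_IHDR returns them; the helper names and IMAGE_SIZE_LIMIT are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one image buffer (not a cairo constant). */
#define IMAGE_SIZE_LIMIT ((size_t) INT32_MAX)

/* The report's computation in 32-bit unsigned arithmetic: wraps mod 2^32. */
static uint32_t
unchecked_size32 (uint32_t width, uint32_t height, uint32_t pixel_size)
{
    return width * height * pixel_size;
}

/* Store width * height * pixel_size in *out; return 0 on success, or -1
 * if any factor is zero or the exact product would exceed limit. */
static int
checked_image_size (uint32_t width, uint32_t height, uint32_t pixel_size,
                    size_t limit, size_t *out)
{
    size_t stride;
    if (width == 0 || height == 0 || pixel_size == 0)
        return -1;
    if (width > limit / pixel_size)       /* stride would exceed limit */
        return -1;
    stride = (size_t) width * pixel_size;
    if (height > limit / stride)          /* total would exceed limit */
        return -1;
    *out = stride * height;
    return 0;
}

/* Allocate only when the byte count is exact; NULL otherwise. */
static void *
alloc_image (uint32_t width, uint32_t height, uint32_t pixel_size)
{
    size_t size;
    if (checked_image_size (width, height, pixel_size, IMAGE_SIZE_LIMIT, &size) != 0)
        return NULL;
    return malloc (size);
}

int main (void)
{
    /* Constructed dimensions: 65536 x 16384 x 4 bytes = 2^32. */
    printf ("unchecked: %u bytes\n", (unsigned) unchecked_size32 (0x10000, 0x4000, 4));
    printf ("checked:   %s\n", alloc_image (0x10000, 0x4000, 4) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed dimensions the unchecked product wraps to 0, so a malloc of that size would succeed while the decoder still expects 65536 x 16384 pixels; the checked path rejects the image before allocating.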