[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c
bugzilla-daemon at freedesktop.org
Mon Apr 23 16:06:41 PDT 2007
http://bugs.freedesktop.org/show_bug.cgi?id=10730
------- Comment #1 from cworth at cworth.org 2007-04-23 16:06 PST -------
(In reply to comment #0)
> this seems like potential controllable integer overflow, though the code
> does not seem used:
I don't understand the description of "controllable integer overflow" here.
> png_get_IHDR (png, info,
> &png_width, &png_height, &depth,
> &color_type, &interlace, NULL, NULL);
> ^^^^^^^^ this does not seem to validate enough.
What kind of validation would you expect to see here? Is it just width or
height of 0 that you are concerned about?
> pixel_size = 4;
> data = malloc (png_width * png_height * pixel_size);
> ^^^^^^^^^^^^^^^ this may eventually overflow
Overflow where? We use the width and height that we read from png_get_IHDR as
the width and height of the image surface being created. Do you know of some
code path in cairo-image-surface.c where it exceeds those bounds?
Or is it within png_read_image that you are concerned about overflow? (In which
case there would be a bug in libpng, not cairo.)
Thanks,
Carl
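The concern raised in the quoted report is that `png_width * png_height * pixel_size` is computed in ordinary integer arithmetic, so a large width and height from the IHDR can wrap the product to a small value; malloc then returns a buffer far smaller than the rows png_read_image will write. The following is an added example, not cairo's code and not part of this bug thread: it models that product in 32-bit arithmetic next to a checked version that rejects zero dimensions and any product exceeding a caller-supplied byte limit. The function names `naive_image_size32` and `checked_image_size`, the `max_bytes` limit parameter and the 65536 x 65536 dimensions are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not cairo's): the allocation size as a 32-bit
 * unsigned product, i.e. what the quoted malloc argument computes on a
 * platform where these quantities are 32 bits wide. The result wraps
 * modulo 2^32, so a huge image can yield a tiny (or zero) size. */
static uint32_t
naive_image_size32 (uint32_t width, uint32_t height, uint32_t pixel_size)
{
    return (uint32_t) (width * height) * pixel_size;
}

/* Hypothetical helper (not cairo's): overflow-safe size computation.
 * Returns width * height * pixel_size if every dimension is non-zero and
 * the product does not exceed max_bytes; returns 0 otherwise. Because zero
 * dimensions are rejected, a 0 return is unambiguous.
 * max_bytes lets the caller impose the limit of the arithmetic actually
 * used for the allocation (e.g. UINT32_MAX for a 32-bit size_t). */
static size_t
checked_image_size (uint32_t width, uint32_t height, uint32_t pixel_size,
                    size_t max_bytes)
{
    if (width == 0 || height == 0 || pixel_size == 0)
        return 0;

    /* width * height always fits in 64 bits for 32-bit operands. */
    uint64_t pixels = (uint64_t) width * (uint64_t) height;

    /* pixels * pixel_size <= max_bytes  <=>  pixels <= max_bytes / pixel_size
     * (integer division), which avoids performing the possibly wrapping
     * multiplication at all. */
    if (pixels > (uint64_t) max_bytes / pixel_size)
        return 0;

    return (size_t) (pixels * pixel_size);
}

int
main (void)
{
    /* Constructed IHDR values: 65536 x 65536 pixels at 4 bytes per pixel.
     * The true size is 2^34 bytes; in 32-bit arithmetic it wraps to 0. */
    uint32_t w = 65536, h = 65536, px = 4;

    printf ("naive 32-bit size:  %u bytes\n", naive_image_size32 (w, h, px));

    size_t size = checked_image_size (w, h, px, UINT32_MAX);
    if (size == 0) {
        printf ("checked size:       rejected (zero dimension or overflow)\n");
    } else {
        printf ("checked size:       %zu bytes\n", size);
        /* Only here is it safe to allocate and hand the buffer to the
         * decoder, because the buffer length matches the real image. */
        unsigned char *data = malloc (size);
        free (data);
    }

    /* A plausible image is accepted unchanged: 640 x 480 x 4 = 1228800. */
    printf ("640x480 checked:    %zu bytes\n",
            checked_image_size (640, 480, 4, UINT32_MAX));
    return 0;
}
```

The division-based comparison is the idiom to keep in mind: it decides whether the multiplication would exceed the limit without ever performing it, so the check itself cannot wrap. The same pattern generalises to a row stride times height when the decoder is told about a row length rather than a pixel count.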