[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 23 16:06:41 PDT 2007


------- Comment #1 from cworth at cworth.org  2007-04-23 16:06 PST -------
(In reply to comment #0)
> this seems like potential controllable integer overflow, though the code
> does not seem used:

I don't understand the description of "controllable integer overflow" here.

> png_get_IHDR (png, info,
>               &png_width, &png_height, &depth,
>               &color_type, &interlace, NULL, NULL);
> ^^^^^^^^ this does not seem to validate enough.

What kind of validation would you expect to see here? Is it just width or
height of 0 that you are concerned about?

> pixel_size = 4;
> data = malloc (png_width * png_height * pixel_size);
> ^^^^^^^^^^^^^^^ this may eventually overflow

Overflow where? We use the width and height that we read from png_get_IHDR as
the width and height of the image surface being created. Do you know of some
code path in cairo-image-surface.c where it exceeds those bounds?

Or is it within png_read_image that you are concerned about overflow? (In which
case there would be a bug in libpng, not cairo.)
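An added illustration of the concern under discussion (this is not code from the bug thread or from cairo): when png_width, png_height and pixel_size are all 32-bit, the quoted product is evaluated in 32-bit arithmetic and can wrap before malloc ever sees it, so the buffer comes out far smaller than the pixel data later written into it. The checked variant widens to size_t and refuses any size that would not fit; the function names here are my own.

```c
#include <stdint.h>
#include <stdlib.h>

/* Reproduces the arithmetic of the quoted line when png_width, png_height
 * and pixel_size are all 32-bit: the product is formed in 32-bit unsigned
 * arithmetic and wraps silently before malloc is called. */
static uint32_t
naive_size (uint32_t png_width, uint32_t png_height, uint32_t pixel_size)
{
    return png_width * png_height * pixel_size;
}

/* Overflow-checked replacement: widen to size_t and divide-test each
 * multiplication. Returns the byte count, or 0 for a zero dimension or a
 * size that would not fit in size_t (0 is never a valid buffer size here). */
static size_t
checked_image_size (uint32_t png_width, uint32_t png_height, size_t pixel_size)
{
    size_t stride;

    if (png_width == 0 || png_height == 0 || pixel_size == 0)
        return 0;                       /* nothing sensible to allocate */

    if ((size_t) png_width > SIZE_MAX / pixel_size)
        return 0;                       /* width * pixel_size would wrap */
    stride = (size_t) png_width * pixel_size;

    if ((size_t) png_height > SIZE_MAX / stride)
        return 0;                       /* stride * height would wrap */

    return stride * (size_t) png_height;
}

/* Allocate the pixel buffer only after the size computation is known sound;
 * the caller treats NULL as an error rather than getting an undersized buffer. */
static unsigned char *
alloc_image_data (uint32_t png_width, uint32_t png_height, size_t pixel_size)
{
    size_t bytes = checked_image_size (png_width, png_height, pixel_size);

    if (bytes == 0)
        return NULL;
    return malloc (bytes);
}
```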


