[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 23 16:33:06 PDT 2007


http://bugs.freedesktop.org/show_bug.cgi?id=10730
------- Comment #2 from freedesktop at behdad.org  2007-04-23 16:32 PST -------
(In reply to comment #1)
> > pixel_size = 4;
> > data = malloc (png_width * png_height * pixel_size);
> > ^^^^^^^^^^^^^^^ this may eventually overflow
> 
> Overflow where? We use the width and height that we read from png_get_IHDR as
> the width and height of the image surface being created. Do you know of some
> code path in cairo-image-surface.c where it exceeds those bounds?

I think what is meant is that "png_width * png_height * pixel_size" may
overflow an integer.  This can become a denial of service attack in that for
example you browse to a site in firefox and that causes a crash...  We've been
fixing similar issues in freetype.  Probably a more severe hypothetical case
can be to set png width and height such that the malloced size becomes smaller
than what it really should be, and then trying to load the png can overwrite
the heap.  The fix in cairo is easy: check that the expression doesn't
overflow.  We had to fix a similar issue in freetype except that the mallocator
was a public macro/function, so we went for a very hackish way that reads:

+/* Yes, I really mean to not put brackets around x. */
+#define _FT_OVERFLOWS(x) (((long long)x) != (long long) (FT_Long) (x))
+
+#define _FT_CHECK_OVERFLOW(_size_, _action_if_true_, _action_if_false_)     \
+       (_FT_OVERFLOWS (_size_) ? (_action_if_true_), FT_Err_Array_Too_Large\
+                               : (_action_if_false_))

 #define FT_MEM_ALLOC( _pointer_, _size_ )                            \
+       _FT_CHECK_OVERFLOW (_size_, (_pointer_) = NULL,              \
           FT_Alloc_Debug( memory, _size_,                            \
-                          (void**)&(_pointer_), __FILE__, __LINE__ )
+                          (void**)&(_pointer_), __FILE__, __LINE__ ) )

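Review bot: the deliberately unparenthesised `x` in `_FT_OVERFLOWS(x)` only widens the leftmost operand of `_size_`: for `a * b` the left side becomes `(long long)a * b`, computed in long long, while the right side truncates through `FT_Long`, so the mismatch is detected; but for a size written as `a + b * c` the `b * c` part is still evaluated in the narrow type on both sides and a wrap there goes unnoticed, so the macro should be documented as valid only for expressions whose first operator is the one that can overflow. Note also that `_FT_CHECK_OVERFLOW` evaluates `_size_` twice (once in `_FT_OVERFLOWS`, once inside `FT_Alloc_Debug`), which is surprising for any caller passing an expression with side effects, and that the comma expression `(_action_if_true_), FT_Err_Array_Too_Large` relies on the macro being used in a context that consumes the error value; both points belong in the comment above the macro.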

> Or is it within png_read_image that you are concerned about overflow? (In which
> case there would be a bug in libpng, not cairo.)
> 
> Thanks,
> 
> Carl
> 


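As an added example (not code from this thread, from cairo or from FreeType), the check Behdad describes applied to the allocation in the report: each multiplication is guarded by a division against the limit before it is performed, and the unchecked expression is evaluated in 32-bit arithmetic alongside it so the wrap is visible. The `limit` parameter is an assumption of this example, used to model a 32-bit size_t on a 64-bit host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Compute width * height * pixel_size, refusing any intermediate or final
 * result larger than 'limit' (pass SIZE_MAX for a real allocation; a
 * smaller limit models a 32-bit build).  Returns 0 on overflow or on a
 * zero input, otherwise the byte count, so 0 is an unambiguous failure. */
static size_t
checked_image_size (uint32_t width, uint32_t height,
                    size_t pixel_size, size_t limit)
{
    size_t area;

    if (width == 0 || height == 0 || pixel_size == 0)
        return 0;
    /* Test "width * height > limit" by division, so the test cannot wrap. */
    if ((size_t) width > limit / height)
        return 0;
    area = (size_t) width * height;
    /* Same for area * pixel_size. */
    if (area > limit / pixel_size)
        return 0;
    return area * pixel_size;
}

/* The unchecked expression from the report, evaluated in 32-bit unsigned
 * arithmetic as a 32-bit build would: the product wraps silently and
 * malloc receives far fewer bytes than the rows of the image occupy. */
static uint32_t
unchecked_size_32 (uint32_t width, uint32_t height, uint32_t pixel_size)
{
    return width * height * pixel_size;
}

/* Allocation that fails cleanly (NULL, so the caller can report an error)
 * rather than handing back an undersized buffer. */
static void *
alloc_image (uint32_t width, uint32_t height, size_t pixel_size)
{
    size_t bytes = checked_image_size (width, height, pixel_size, SIZE_MAX);

    return bytes ? malloc (bytes) : NULL;
}
```

With a 32-bit limit, 65536 x 65536 x 4 wraps to exactly 0 in the unchecked form and is rejected by the checked one; 65536 x 16385 x 4 wraps to 262144, a buffer 16384 times too small.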
-- 
Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email