[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Apr 23 17:15:30 PDT 2007


------- Comment #3 from cworth at cworth.org  2007-04-23 17:15 PST -------
(In reply to comment #2)
> I think what is meant is that "png_width * png_height * pixel_size" may
> overflow an integer.

Thanks for the explanation. This got mentioned to me as a potential security
bug so I kept reading overflow as overrun instead of as *overflow* for some

/me smacks forehead

So, do we do the multiply into a uint64_t, shift off 32 bits, and check that
it's zero? Or what's the best way to check for overflow here?


Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the cairo-bugs mailing list