[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c
bugzilla-daemon at freedesktop.org
Mon Apr 23 17:39:04 PDT 2007
http://bugs.freedesktop.org/show_bug.cgi?id=10730
------- Comment #4 from freedesktop at behdad.org 2007-04-23 17:38 PST -------
(In reply to comment #3)
> (In reply to comment #2)
> > I think what is meant is that "png_width * png_height * pixel_size" may
> > overflow an integer.
>
> Thanks for the explanation. This got mentioned to me as a potential security
> bug so I kept reading overflow as overrun instead of as *overflow* for some
> reason.
>
> /me smacks forehead
>
> So, do we do the multiply into a uint64_t, shift off 32 bits, and check that
> it's zero? Or what's the best way to check for overflow here?

Best way to check overflow of a single multiplication of two unsigned integers
is to check that the result is not less than any of them. In fact, just
checking one is enough. That is, x * y has overflowed iff the result is < x.
For three, we can go by ((x * y) * z).

> -Carl
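
The checks discussed in this thread, as an added example that is not part of the original messages or of cairo: the 64-bit widening asked about in the quoted comment, a division pre-check, and the compare-with-operand test, all run on constructed values. The names `image_size` and `mul_overflows_*` are hypothetical; on the constructed pair 0x10000 * 0x10001 the wrapped product equals x, so the comparison test alone reports no overflow while the other two do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Widen to 64 bits and test the upper 32 bits (the approach asked about above). */
static bool mul_overflows_wide(uint32_t x, uint32_t y)
{
    return (((uint64_t) x * y) >> 32) != 0;
}

/* Pre-check by division: the overflowing multiply is never performed. */
static bool mul_overflows_div(uint32_t x, uint32_t y)
{
    return x != 0 && y > UINT32_MAX / x;
}

/* Compare the wrapped 32-bit product with one operand, for comparison. */
static bool mul_overflows_cmp(uint32_t x, uint32_t y)
{
    uint32_t r = x * y; /* unsigned arithmetic wraps modulo 2^32 */
    return r < x;
}

/* Hypothetical helper: width * height * pixel_size as ((x * y) * z),
 * checking each step; returns false if the size does not fit in 32 bits. */
static bool image_size(uint32_t w, uint32_t h, uint32_t px, uint32_t *out)
{
    if (mul_overflows_div(w, h))
        return false;
    uint32_t wh = w * h;
    if (mul_overflows_div(wh, px))
        return false;
    *out = wh * px;
    return true;
}

int main(void)
{
    /* Constructed inputs: 0x10000 * 0x10001 = 0x100010000, which wraps to 0x10000. */
    uint32_t x = 0x10000, y = 0x10001, size = 0;
    printf("wide=%d div=%d cmp=%d\n", mul_overflows_wide(x, y),
           mul_overflows_div(x, y), mul_overflows_cmp(x, y));
    if (image_size(1024, 768, 4, &size))
        printf("1024x768x4 = %u bytes\n", (unsigned) size);
    printf("32768x32768x4 fits: %d\n", image_size(0x8000, 0x8000, 4, &size));
    return 0;
}
```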