[cups.bugs] [MOD] STR #2974: potential int overflow in cupsImageReadPNG()
ilja
ilja at netric.org
Fri Oct 17 10:10:36 PDT 2008
hm, yea, that would probably work.
--------- Original message --------
From: Michael R Sweet <msweet at apple.com>
To: ilja <ilja at netric.org>, Mirror of cups.bugs Newsgroup
<cups-bugs at easysw.com>
Subject: Re: [cups.bugs] [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()
Date: 17/10/08 21:01
>
> ilja wrote:
> > I don't think that's correct.
> >
> >   if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH ||    <-- this one can be 2^27-1
> >       height == 0 || height > CUPS_IMAGE_MAX_HEIGHT)   <-- this one can be 2^31-1
> >   {
> >     fprintf(stderr, "DEBUG: PNG image has invalid dimensions %ux%u!\n",
> >             (unsigned)width, (unsigned)height);
> >     fclose(fp);
> >     return (1);
> >   }
> > ...
> > img->ysize = height;
> > ...
>
> OK, you're right. Re-opening the bug...
>
> The simple fix appears to be:
>
> if ((bufsize / (img->xsize * 3)) != img->ysize)
>
>
> > --------- Original message --------
> > From: cups-bugs at easysw.com
> > To: ilja <ilja at netric.org>
> > Cc: ilja <ilja at netric.org>, cups-bugs at easysw.com
> > Subject: Re: [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()
> > Date: 17/10/08 08:55
> >
> >>
> >> [STR Closed w/o Resolution]
> >>
> >> The maximum dimensions of an image are 2^27-1, so it is impossible for
> >> "img->ysize * 3" to overflow a 32-bit integer. See the range checks prior
> >> to the buffer size check...
> >>
> >> Link: http://www.cups.org/str.php?L2974
> >> Version: 1.3.9
> >> Fix Version: None
> >>
> >>
> >
> >
>
>
> --
> ______________________________________________________________________
> Michael R Sweet Senior Printing System Engineer
>
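
The point argued in this thread, as an added example that is not code from CUPS or from either poster: a division-based overflow check is only sound if its divisor cannot wrap. It assumes the buffer size is `xsize * ysize * 3` in 32-bit unsigned arithmetic and that the earlier check divided by `ysize * 3` (the expression quoted in the closing note); the function names and sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits as stated in the thread: width <= 2^27-1, height <= 2^31-1. */
#define MAX_WIDTH  0x07ffffffu
#define MAX_HEIGHT 0x7fffffffu

/* Mirrors the range check quoted in the thread. */
static int in_range(uint32_t xsize, uint32_t ysize)
{
  return xsize != 0 && xsize <= MAX_WIDTH && ysize != 0 && ysize <= MAX_HEIGHT;
}

/* Assumption: 3 bytes per pixel, computed with 32-bit wraparound. */
static uint32_t rgb_bufsize32(uint32_t xsize, uint32_t ysize)
{
  return xsize * ysize * 3u;
}

/* Assumed earlier check: the divisor ysize * 3 wraps once ysize > UINT32_MAX / 3. */
int check_div_by_height(uint32_t xsize, uint32_t ysize)
{
  uint32_t divisor = ysize * 3u;
  if (!in_range(xsize, ysize) || divisor == 0)
    return 0;
  return rgb_bufsize32(xsize, ysize) / divisor == xsize;
}

/* Check from the reply: xsize * 3 stays below 2^29, so the divisor is exact. */
int check_div_by_width(uint32_t xsize, uint32_t ysize)
{
  if (!in_range(xsize, ysize))
    return 0;
  return rgb_bufsize32(xsize, ysize) / (xsize * 3u) == ysize;
}

/* Exact size in 64 bits, for comparison. */
uint64_t rgb_bufsize64(uint32_t xsize, uint32_t ysize)
{
  return (uint64_t)xsize * ysize * 3u;
}

int main(void)
{
  uint32_t x = 1, y = 0x55555556u;  /* constructed: y * 3 == 2^32 + 2 */
  printf("needed=%llu wrapped=%u by_height=%d by_width=%d\n",
         (unsigned long long)rgb_bufsize64(x, y), (unsigned)rgb_bufsize32(x, y),
         check_div_by_height(x, y), check_div_by_width(x, y));
  return 0;
}
```

With the constructed 1 x 0x55555556 dimensions, the height-based check accepts a wrapped 2-byte size while the width-based check rejects it.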