[cups.bugs] [MOD] STR #2805: issue with image.c
kssingvo.suse
kssingvo at suse.de
Thu Apr 17 05:58:03 PDT 2008
DO NOT REPLY TO THIS MESSAGE. INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.
[STR New]
Ludwig Nussel asked me to report this issue:
What happened with the following problem? AFAICS the sample image
causes a crash due to a NULL deref. However, the calloc returning
that NULL just does that due to a silly value that is the result of
a multiplication (image.c, get_tile()):
    xtiles = (img->xsize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
    ytiles = (img->ysize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
    ....
    tile = calloc(sizeof(cups_itile_t), xtiles * ytiles);
    ....
    for (tilex = xtiles; tilex > 0; tilex --, tile ++)
      tile->pos = -1;
Couldn't xtiles and ytiles theoretically be constructed in a way
that xtiles*ytiles < xtiles so that the loop overwrites memory?
Link: http://www.cups.org/str.php?L2805
Version: 1.3.7
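The question above is about two separate defects in the quoted fragment: the int product xtiles * ytiles can wrap before it reaches calloc(), and the calloc() result is dereferenced without a NULL check. The following is an added example, not CUPS code: demo_product_overflows() repeats the fragment's int arithmetic in wider precision and reports whether the product would exceed INT_MAX, and demo_tile_counts() / demo_alloc_tiles() show the checked form (overflow-safe tile count, a constructed DEMO_MAX_TILES cap, a NULL check, and a loop bounded by the same count that was allocated). demo_tile_t, DEMO_MAX_TILES and all demo_* names are hypothetical stand-ins; CUPS_TILE_SIZE is set to 256 here because that is the value CUPS uses.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CUPS_TILE_SIZE 256          /* tile edge in pixels, the value CUPS uses */
#define DEMO_MAX_TILES (1u << 24)   /* constructed policy cap on tiles per image */

/* Constructed stand-in for cups_itile_t: only the field the loop touches. */
typedef struct { long pos; } demo_tile_t;

/*
 * Repeat the quoted fragment's int arithmetic in 64-bit precision and report
 * whether xtiles * ytiles would exceed INT_MAX, i.e. wrap in the original.
 * Hypothetical helper, not part of CUPS.
 */
int demo_product_overflows(int xsize, int ysize)
{
  long long xtiles = ((long long)xsize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
  long long ytiles = ((long long)ysize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
  return xtiles * ytiles > INT_MAX;
}

/*
 * Checked tile-count computation: rejects empty or negative images, a
 * product that does not fit in size_t, and a count above the policy cap.
 * Returns 1 and fills the out-parameters on success, 0 on rejection.
 */
int demo_tile_counts(int xsize, int ysize,
                     size_t *xtiles, size_t *ytiles, size_t *total)
{
  if (xsize <= 0 || ysize <= 0)
    return 0;

  /* size_t holds INT_MAX + 255 even on 32-bit targets, so no wrap here. */
  size_t xt = ((size_t)xsize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
  size_t yt = ((size_t)ysize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;

  if (xt > SIZE_MAX / yt)   /* yt >= 1 here, so the division is safe */
    return 0;
  if (xt * yt > DEMO_MAX_TILES)
    return 0;

  *xtiles = xt;
  *ytiles = yt;
  *total  = xt * yt;
  return 1;
}

/*
 * Allocate and initialise the tile array the way the fragment intends,
 * but with the count checked first, the calloc() result tested, and the
 * initialisation loop bounded by the same count that was allocated.
 * Returns NULL (and leaves *count untouched) on any failure.
 */
demo_tile_t *demo_alloc_tiles(int xsize, int ysize, size_t *count)
{
  size_t xt, yt, total;

  if (!demo_tile_counts(xsize, ysize, &xt, &yt, &total))
    return NULL;

  demo_tile_t *tiles = calloc(total, sizeof(demo_tile_t));
  if (tiles == NULL)
    return NULL;              /* the quoted fragment skipped this check */

  for (size_t i = 0; i < total; i++)
    tiles[i].pos = -1;

  *count = total;
  return tiles;
}

int main(void)
{
  size_t n = 0;
  demo_tile_t *t = demo_alloc_tiles(1000, 1000, &n);
  printf("1000x1000 image -> %zu tiles, allocation %s\n",
         n, t ? "ok" : "rejected");
  free(t);
  printf("int product wraps for a maximal image: %d\n",
         demo_product_overflows(INT_MAX - 255, INT_MAX - 255));
  return 0;
}
```

Note that calloc(nmemb, size) in a modern libc checks its own nmemb * size product, but that does not help when the wrapped value is computed in int before the call; the count has to be validated in the caller, and the NULL return has to be handled either way.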