[cups.bugs] [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()

ilja ilja at netric.org
Fri Oct 17 09:11:58 PDT 2008


I don't think that's correct.

  if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH || <-- this one can be
2^27-1
      height == 0 || height > CUPS_IMAGE_MAX_HEIGHT)  <-- this one can be
2^31-1
  {
    fprintf(stderr, "DEBUG: PNG image has invalid dimensions %ux%u!\n",
            (unsigned)width, (unsigned)height);
    fclose(fp);
    return (1);
  }
....
  img->ysize = height;
....

--------- Oorspronkelijk bericht --------
Van: cups-bugs at easysw.com
Naar: ilja <ilja at netric.org>
Cc: ilja <ilja at netric.org>, cups-bugs at easysw.com
Onderwerp: Re: [MOD] STR #2974: potential int overflow in
_cupsImageReadPNG()
Datum: 17/10/08 08:55

> 
> 
> [STR Closed w/o Resolution]
> 
> The maximum dimensions of an image are 2^27-1, so it is impossible for
> "img->ysize * 3" to overflow a 32-bit integer.  See the range
checks prior
> to the buffer size check...
> 
> Link: http://www.cups.org/str.php?L2974
> Version: 1.3.9
> Fix Version: None
> 
> 






More information about the cups mailing list