[cups.bugs] [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()
ilja
ilja at netric.org
Fri Oct 17 09:11:58 PDT 2008
I don't think that's correct.
if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH || <-- this one can be
2^27-1
height == 0 || height > CUPS_IMAGE_MAX_HEIGHT) <-- this one can be
2^31-1
{
fprintf(stderr, "DEBUG: PNG image has invalid dimensions %ux%u!\n",
(unsigned)width, (unsigned)height);
fclose(fp);
return (1);
}
....
img->ysize = height;
....
--------- Oorspronkelijk bericht --------
Van: cups-bugs at easysw.com
Naar: ilja <ilja at netric.org>
Cc: ilja <ilja at netric.org>, cups-bugs at easysw.com
Onderwerp: Re: [MOD] STR #2974: potential int overflow in
_cupsImageReadPNG()
Datum: 17/10/08 08:55
>
>
> [STR Closed w/o Resolution]
>
> The maximum dimensions of an image are 2^27-1, so it is impossible for
> "img->ysize * 3" to overflow a 32-bit integer. See the range
checks prior
> to the buffer size check...
>
> Link: http://www.cups.org/str.php?L2974
> Version: 1.3.9
> Fix Version: None
>
>
More information about the cups
mailing list