Closed
Bug 324008
Opened 18 years ago
Closed 17 years ago
potential controllable integer overflow in cairo-png.c
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: guninski, Unassigned)
Details
(Whiteboard: [sg:nse] cairo bug, not used in Mozilla code)
this seems like potential controllable integer overflow, though the code does not seem used:

"gfx/cairo/cairo/src/cairo-png.c"

read_png (png_rw_ptr read_func, void *closure)

    png_get_IHDR (png, info, &png_width, &png_height, &depth,
                  &color_type, &interlace, NULL, NULL);
    ^^^^^^^^ this does not seem to validate enough.

    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
                   ^^^^^^^^^^^^^^^ this may eventually overflow

can the above code be reached?
Updated•18 years ago
Assignee: nobody → vladimir
Whiteboard: [sg:investigate]
We don't build cairo-png.c; the file is there to keep the source in sync with the cairo dist/CVS. I doubt we'll build with it in the future, but I'll try to get a patch for this in to cairo itself.
Comment 2•17 years ago
Vlad: Does it make sense to keep a bmo bug open for this? Sounds like this would be better tracked in whatever bug tracker Cairo uses, given that we're not using this file.
Assignee: vladimir → nobody
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Yeah, it really doesn't affect us at all, and I haven't had a chance to poke the cairo guys about this. Filing this directly in bugzilla.freedesktop.org is probably the best way to go.
Comment 4•17 years ago
I filed a Cairo bug: https://bugs.freedesktop.org/show_bug.cgi?id=10730 .
Group: security
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Updated•17 years ago
Whiteboard: [sg:investigate] → [sg:nse] cairo bug, not used in Mozilla code
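The size computation flagged in the description, shown beside an overflow-checked form. This is an added example, not cairo or Mozilla code: the function names are hypothetical, and the unchecked variant assumes the multiplication is carried out in 32-bit unsigned arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern from the report, modelled with 32-bit unsigned
 * arithmetic (assumption): the product silently wraps modulo 2^32. */
static uint32_t unchecked_image_size32(uint32_t width, uint32_t height,
                                       uint32_t pixel_size)
{
    return width * height * pixel_size;
}

/* Hypothetical helper: computes width * height * pixel_size in size_t.
 * Returns 0 and stores the size on success, -1 if any dimension is zero
 * or the product would not fit in size_t. */
static int checked_image_size(uint32_t width, uint32_t height,
                              uint32_t pixel_size, size_t *out)
{
    size_t w = width, h = height, p = pixel_size;

    if (w == 0 || h == 0 || p == 0)
        return -1;
    if (w > SIZE_MAX / p)          /* w * p would wrap */
        return -1;
    size_t stride = w * p;
    if (h > SIZE_MAX / stride)     /* stride * h would wrap */
        return -1;
    *out = stride * h;
    return 0;
}

/* Allocate the pixel buffer only when the size is representable. */
static void *alloc_image(uint32_t width, uint32_t height, uint32_t pixel_size)
{
    size_t size;
    if (checked_image_size(width, height, pixel_size, &size) != 0)
        return NULL;
    return malloc(size);
}

int main(void)
{
    /* Constructed header values: the wrapped size is far smaller than the image. */
    printf("unchecked: %u bytes\n",
           (unsigned)unchecked_image_size32(0x40000001u, 1u, 4u));
    void *p = alloc_image(0xFFFFFFFFu, 0xFFFFFFFFu, 4u);
    printf("checked:   %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

A decoder would normally also cap width and height at a sane maximum before allocating, since a size that fits in size_t can still be an unreasonable allocation.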