Closed Bug 324008 Opened 18 years ago Closed 17 years ago

potential controllable integer overflow in cairo-png.c

Categories

(Core :: Graphics, defect)

x86
Linux
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: guninski, Unassigned)

Details

(Whiteboard: [sg:nse] cairo bug, not used in Mozilla code)

this seems like potential controllable integer overflow, though the code
does not seem used:
"gfx/cairo/cairo/src/cairo-png.c"
read_png (png_rw_ptr	read_func,
	  void		*closure)
png_get_IHDR (png, info,
              &png_width, &png_height, &depth,
              &color_type, &interlace, NULL, NULL);
^^^^^^^^ this does not seem to validate enough.
pixel_size = 4;
data = malloc (png_width * png_height * pixel_size);
^^^^^^^^^^^^^^^ this may eventually overflow

can the above code be reached?
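As an added illustration, not code from this bug, from cairo or from Mozilla, the C below reproduces the arithmetic of the quoted `malloc (png_width * png_height * pixel_size)` line and sets an overflow-checked replacement beside it. The point it makes explicit: `png_width` and `png_height` come back from `png_get_IHDR` as `png_uint_32` and `pixel_size` is an `int`, so the product is evaluated in 32-bit unsigned arithmetic and wraps modulo 2^32 before it is widened to `size_t`, even on a 64-bit build. The 256 MiB allocation cap and the 65536 x 65536 sample header are constructed for this example and are not cairo or libpng values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed limit for this example (not a cairo or libpng value):
 * refuse to allocate more than 256 MiB for one decoded image. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Mirrors the arithmetic of the quoted read_png() allocation.  Both
 * dimensions are 32-bit unsigned and pixel_size is int, so the whole
 * product is computed in 32-bit unsigned arithmetic and wraps modulo
 * 2^32 before malloc() ever sees it, regardless of sizeof(size_t). */
static size_t unchecked_image_bytes(uint32_t png_width, uint32_t png_height)
{
    int pixel_size = 4;
    return png_width * png_height * pixel_size;  /* wraps in 32 bits */
}

/* Overflow-checked multiply in size_t: *out = a * b, false on overflow. */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened form: widen each operand to size_t before multiplying, reject
 * overflow, reject empty dimensions, and cap the result so a header that
 * does not wrap still cannot demand an absurd allocation.
 * Returns the byte count, or 0 when the size is rejected (0 is never a
 * valid image buffer size, so it serves as the failure value). */
static size_t checked_image_bytes(uint32_t png_width, uint32_t png_height)
{
    size_t pixels, bytes;
    if (png_width == 0 || png_height == 0)
        return 0;
    if (!mul_size((size_t)png_width, (size_t)png_height, &pixels))
        return 0;
    if (!mul_size(pixels, 4, &bytes))
        return 0;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    return bytes;
}

/* Allocates the pixel buffer only when the size survives the checks. */
static unsigned char *alloc_image(uint32_t png_width, uint32_t png_height)
{
    size_t bytes = checked_image_bytes(png_width, png_height);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed IHDR values: 65536 x 65536 is a legal PNG dimension
     * pair, but width * height is exactly 2^32 and wraps to 0. */
    uint32_t w = 65536, h = 65536;

    printf("unchecked: %zu bytes\n", unchecked_image_bytes(w, h));
    printf("checked:   %zu bytes (0 = rejected)\n", checked_image_bytes(w, h));
    return 0;
}
```

With the constructed 65536 x 65536 header the unchecked computation yields 0, so `malloc(0)` succeeds and every row written afterwards lands outside the allocation; the checked version computes 16 GiB and rejects it against the cap. If the cap were dropped, the overflow check alone would accept 2^34 bytes on a 64-bit build (no pair of 32-bit dimensions times 4 exceeds `SIZE_MAX` there), which is why a dimension or byte limit belongs next to the overflow check rather than instead of it. libpng's `png_set_user_limits()` can enforce per-dimension limits at the decoder level as well.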
Assignee: nobody → vladimir
Whiteboard: [sg:investigate]
We don't build cairo-png.c; the file is there to keep the source in sync with the cairo dist/CVS.  I doubt we'll build with it in the future, but I'll try to get a patch for this in to cairo itself.
Vlad: Does it make sense to keep a bmo bug open for this? Sounds like this would be better tracked in whatever bug tracker Cairo uses, given that we're not using this file.
Assignee: vladimir → nobody
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Yeah, it really doesn't affect us at all, and I haven't had a chance to poke the cairo guys about this.  Filing this directly in bugzilla.freedesktop.org is probably the best way to go.
I filed a Cairo bug: https://bugs.freedesktop.org/show_bug.cgi?id=10730 .
Group: security
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Whiteboard: [sg:investigate] → [sg:nse] cairo bug, not used in Mozilla code