Closed Bug 324008 Opened 20 years ago Closed 18 years ago

potential controllable integer overflow in cairo-png.c

Categories

(Core :: Graphics, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: guninski, Unassigned)

Details

(Whiteboard: [sg:nse] cairo bug, not used in Mozilla code)

this seems like potential controllable integer overflow, though the code does not seem used:

"gfx/cairo/cairo/src/cairo-png.c"

read_png (png_rw_ptr read_func, void *closure)

    png_get_IHDR (png, info, &png_width, &png_height, &depth, &color_type, &interlace, NULL, NULL);
    ^^^^^^^^
    this does not seem to validate enough.

    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
                   ^^^^^^^^^^^^^^^
    this may eventually overflow

can the above code be reached?
Assignee: nobody → vladimir
Whiteboard: [sg:investigate]
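Added example, not cairo's code and not part of the report: the unchecked 32-bit multiplication the reporter quotes beside an overflow-checked size computation a decoder could use before calling malloc. MAX_IMAGE_BYTES and the function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed policy for this example only: refuse absurd images outright. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Mirrors the arithmetic in the report: png_width and png_height are 32-bit
 * unsigned values, so the product wraps before malloc ever sees it. */
uint32_t unchecked_image_size(uint32_t png_width, uint32_t png_height)
{
    int pixel_size = 4;
    return png_width * png_height * pixel_size;
}

/* Overflow-aware replacement (hypothetical helper): returns 0 on any wrap
 * or policy violation, otherwise the exact byte count. */
size_t checked_image_size(uint32_t png_width, uint32_t png_height, size_t pixel_size)
{
    if (png_width == 0 || png_height == 0 || pixel_size == 0)
        return 0;
    if ((size_t)png_width > SIZE_MAX / pixel_size)
        return 0;                          /* stride would wrap */
    size_t stride = (size_t)png_width * pixel_size;
    if ((size_t)png_height > SIZE_MAX / stride)
        return 0;                          /* total would wrap */
    size_t total = stride * png_height;
    if (total > MAX_IMAGE_BYTES)
        return 0;                          /* exceeds the decoder's budget */
    return total;
}

/* Allocates the pixel buffer only when the size survived every check. */
unsigned char *alloc_pixels(uint32_t png_width, uint32_t png_height)
{
    size_t n = checked_image_size(png_width, png_height, 4);
    return n ? malloc(n) : NULL;
}

int main(void)
{
    /* Constructed IHDR values: 65537 x 65537 wraps 32-bit arithmetic to a
     * small allocation (524292 bytes) while the image needs ~16 GiB. */
    printf("unchecked: %u bytes\n", unchecked_image_size(65537u, 65537u));
    printf("checked:   %zu bytes (0 = rejected)\n", checked_image_size(65537u, 65537u, 4));
    printf("checked 640x480: %zu bytes\n", checked_image_size(640u, 480u, 4));
    return 0;
}
```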
We don't build cairo-png.c; the file is there to keep the source in sync with the cairo dist/CVS. I doubt we'll build with it in the future, but I'll try to get a patch for this in to cairo itself.
Vlad: Does it make sense to keep a bmo bug open for this? Sounds like this would be better tracked in whatever bug tracker Cairo uses, given that we're not using this file.
Assignee: vladimir → nobody
Component: General → GFX: Thebes
Product: Firefox → Core
QA Contact: general → thebes
Yeah, it really doesn't affect us at all, and I haven't had a chance to poke the cairo guys about this. Filing this directly in bugzilla.freedesktop.org is probably the best way to go.
Group: security
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Whiteboard: [sg:investigate] → [sg:nse] cairo bug, not used in Mozilla code