potential cairo int overflow in {pdf,ps}_surface

Status: RESOLVED FIXED
Priority: P1
Severity: normal
Reported: 11 years ago
Modified: 7 years ago

People: Reporter: guninski, Assigned: vlad

Tracking: Trunk, x86, Linux
Bug Flags: blocking1.9 +
Firefox Tracking Flags: (Not tracked)

Whiteboard: [sg:investigate]

In _cairo_{pdf,ps}_surface_emit_image there is identical code:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-ps-surface.c&rev=1.25&mark=2003-2004#2003
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-pdf-surface.c&rev=1.26&mark=1438-1439#1438
1438 rgb_size = image->height * image->width * 3;
1439 rgb = malloc (rgb_size);

_cairo_pdf_surface_emit_smask is similar:
alpha_size = image->height * image->width;
alpha = malloc (alpha_size);

height * width * 3 may potentially overflow and probably should be replaced with |malloc_abc|.

Even if this is dead code now, it may be used some day.
(Reporter updated, 11 years ago)
Component: General → GFX
Product: Firefox → Core
QA Contact: general → general
This code is a classic int overflow by inspection.

Mainstream cairo probably should be aware of this.

Marking [sg:investigate] because I can't hit the code.
Whiteboard: [sg:investigate]
Sigh, someone isn't using the safe-alloc macros that are in cairo.
Assignee: nobody → vladimir
Flags: blocking1.9+
Priority: -- → P1
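The reporter's `height * width * 3` and the safe-alloc macros mentioned above, as an added example that is not code from this bug, from cairo or from Mozilla. `unchecked_rgb_size` reproduces the shape of the reported arithmetic; `checked_malloc_abc` is a hypothetical helper modelled on the idea of an overflow-checked a*b*c allocation, not a copy of cairo's macro. The image dimensions are constructed for the demonstration.

```c
/* Added example, not cairo's or Mozilla's code: the unchecked size arithmetic
 * from the report next to an overflow-checked replacement. checked_malloc_abc
 * is a hypothetical helper modelled on the idea of a safe-alloc macro, not a
 * copy of cairo's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The shape of the reported code: height * width * 3 in 32-bit arithmetic.
 * Computed in uint32_t here so the wrap is well defined; the original uses
 * signed int, where overflow is undefined behaviour, which is worse, not better. */
uint32_t unchecked_rgb_size(int height, int width)
{
    return (uint32_t)height * (uint32_t)width * 3u;
}

/* a * b with overflow detection against SIZE_MAX. Returns 1 and stores the
 * product in *out, or returns 0 if the product does not fit in size_t. */
static int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical replacement for malloc(a*b*c): returns NULL when a*b*c cannot
 * be represented, so the caller never receives a buffer smaller than the
 * image it is about to write into. */
void *checked_malloc_abc(size_t a, size_t b, size_t c)
{
    size_t ab, abc;
    if (!mul_size_checked(a, b, &ab) || !mul_size_checked(ab, c, &abc))
        return NULL;
    return malloc(abc);
}

/* 1 if height*width*3 is invalid (negative dimension) or would overflow size_t. */
int rgb_size_overflows(int height, int width)
{
    size_t hw, hw3;
    if (height < 0 || width < 0)
        return 1;
    if (!mul_size_checked((size_t)height, (size_t)width, &hw))
        return 1;
    if (!mul_size_checked(hw, 3, &hw3))
        return 1;
    return 0;
}

/* The checked byte count, or 0 when rgb_size_overflows() rejects the
 * dimensions. An empty image also yields 0; callers that need to tell the
 * two apart use the predicate. */
size_t checked_rgb_size(int height, int width)
{
    if (rgb_size_overflows(height, width))
        return 0;
    return (size_t)height * (size_t)width * 3;
}

int main(void)
{
    /* Constructed dimensions: 21846 x 65536 pixels need 4295098368 RGB bytes,
     * which is 2^32 + 131072. The unchecked 32-bit product wraps to 131072, so
     * malloc() hands back 128 KiB and the emit loop then writes about four
     * gigabytes past it. On a 32-bit build (x86, as in this bug) size_t is
     * also 32 bits, so the checked path refuses; on 64-bit it returns the
     * true size and malloc() is asked for what is really needed. */
    int h = 21846, w = 65536;
    printf("unchecked: %u bytes\n", unchecked_rgb_size(h, w));
    if (rgb_size_overflows(h, w))
        printf("checked: refused (would overflow size_t on this platform)\n");
    else
        printf("checked: %zu bytes\n", checked_rgb_size(h, w));

    void *p = checked_malloc_abc(640, 480, 3);   /* ordinary image: fine */
    printf("640x480x3: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

The check divides rather than multiplies (`b > SIZE_MAX / a`) so that the test itself cannot overflow, and the dimension arguments are validated for sign before being widened to size_t, since a negative `int` cast to size_t becomes a huge value that would pass a naive range check.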
We have this bug marked as a P1 blocker for Gecko 1.9.  Have we been able to make any progress here?
As marked in the dependency list, this will be fixed by the dependent cairo upgrade bug.

There's no information in that bug.  What's the status?
Just needs to be checked in; I've been waiting for the tree to quiet down because it's been closed for most of the time the last few days =/
Update was checked in.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
Group: core-security