Closed Bug 407677 Opened 17 years ago Closed 17 years ago

potential cairo int overflow in {pdf,ps}_surface

Categories

(Core Graveyard :: GFX, defect, P1)

x86
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: guninski, Assigned: vlad)

References

Details

(Whiteboard: [sg:investigate])

in _cairo_{pdf,ps}_surface_emit_image there is identical code:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-ps-surface.c&rev=1.25&mark=2003-2004#2003
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/gfx/cairo/cairo/src/cairo-pdf-surface.c&rev=1.26&mark=1438-1439#1438

    1438     rgb_size = image->height * image->width * 3;
    1439     rgb = malloc (rgb_size);

_cairo_pdf_surface_emit_smask is similar:

    alpha_size = image->height * image->width;
    alpha = malloc (alpha_size);

height * width * 3 potentially may overflow and probably should be replaced with |malloc_abc|. Even if this is dead code now, it may be used some day.
Component: General → GFX
Product: Firefox → Core
QA Contact: general → general
This code is a classical int overflow by inspection. Mainstream cairo probably should be aware of this. Marking [sg:investigate] because I can't hit the code.
Whiteboard: [sg:investigate]
Sigh, someone isn't using the safe-alloc macros that are in cairo.
Assignee: nobody → vladimir
Flags: blocking1.9+
Priority: -- → P1
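The pattern the reporter describes (width * height * 3 computed in a 32-bit integer and handed straight to malloc) and the overflow-checked allocation the previous comment asks for, as an added C example that is not cairo's code and not part of this bug. `rgb_size_unchecked`, `checked_mul3` and `malloc_abc_checked` are names assumed here for illustration; they are modelled on the idea of a "malloc_abc" helper, not copied from cairo's own _cairo_malloc_abc. The dimensions used in main() are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the shape of the code in the bug: the size is computed in a
 * 32-bit type and the wrapped result is what malloc would receive.
 * uint32_t is used so the wrap is well-defined for demonstration; the
 * original uses int, where signed overflow is undefined behaviour. */
uint32_t rgb_size_unchecked(uint32_t width, uint32_t height)
{
    return height * width * 3;
}

/* Compute a * b * c into *out without ever exceeding `limit`.
 * Returns 0 on success, -1 if either partial product would overflow.
 * Assumed helper, written for this example. `limit` models the maximum
 * the caller's size variable can hold (e.g. UINT32_MAX for a 32-bit size). */
int checked_mul3(size_t a, size_t b, size_t c, size_t limit, size_t *out)
{
    size_t ab;

    if (b != 0 && a > limit / b)
        return -1;
    ab = a * b;
    if (c != 0 && ab > limit / c)
        return -1;
    *out = ab * c;
    return 0;
}

/* Allocate an a * b * c byte buffer, or return NULL when the size would
 * overflow a 32-bit size. This is the contract a "malloc_abc" style
 * helper gives the caller: a NULL instead of an undersized buffer. */
void *malloc_abc_checked(size_t a, size_t b, size_t c)
{
    size_t n;

    if (checked_mul3(a, b, c, (size_t)UINT32_MAX, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed image dimensions: 65536 x 65536 x 3 bytes. */
    uint32_t w = 65536u, h = 65536u;
    size_t n = 0;
    void *p;

    printf("unchecked rgb_size for %ux%u: %u\n", w, h, rgb_size_unchecked(w, h));

    if (checked_mul3(w, h, 3, (size_t)UINT32_MAX, &n) != 0)
        printf("checked: %ux%ux3 rejected as overflow\n", w, h);

    p = malloc_abc_checked(1024, 768, 3);
    if (p != NULL) {
        printf("checked: 1024x768x3 allocated\n");
        free(p);
    }
    return 0;
}
```

The unchecked size for 65536x65536 wraps to 0 in 32 bits, so the original pattern would call malloc(0) and then write height * width * 3 bytes into it; the checked helper refuses the same dimensions and only allocates when the full product fits.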
We have this bug marked as a P1 blocker for Gecko 1.9. Have we been able to make any progress here?
As marked in the dependency list, this will be fixed by the dependent cairo upgrade bug.
There's no information in that bug. What's the status?
Just needs to be checked in; I've been waiting for the tree to quiet down because it's been closed for most of the time the last few days =/
Update was checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
Group: core-security