Closed Bug 504888 Opened 15 years ago Closed 15 years ago

Integer overflow in qcms

Categories

(Core :: Graphics: Color Management, defect)

Product:
Core
Component:
Graphics: Color Management
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking1.9.1 --- .4+
status1.9.1 --- .4-fixed

People

(Reporter: jrmuizel, Assigned: jrmuizel)

Details

(Whiteboard: [sg:dos])

Attachments

(1 file, 1 obsolete file)

Fix the integer overflow
1.88 KB, patch
bholley
: review+
samuel.sidler+old
: approval1.9.1.2-
dveditz
: approval1.9.1.4+
Details | Diff | Splinter Review 
From Chris Evans:

I saw a possible (but harmless) integer overflow in read_u32() and
similar functions:

static uint32_t read_u32(struct mem_source *mem, size_t offset)
{
 if (offset + 4 > mem->size) {
   invalid_source(mem, "Invalid offset");
   return 0;
 } else {
   return be32_to_cpu(*(__be32*)(mem->buf + offset));
 }
}

On 32-bit platforms where size_t is 32-bits, that first addition could
overflow if offset >= 0xfffffffc (from a tag being declared with such
an offset in the tag table). The impact would seem to be a 4-byte
out-of-bounds read before the "buf" buffer. I know, lame :)

        Attachment #389179 -
        Flags: review?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Test for Nino (obsolete)
        — Splinter Review
      

    


  

        Attachment #389180 -
        Flags: review?

    
  

        Attachment #389180 -
        Attachment is obsolete: true

        Attachment #389180 -
        Flags: review?

    
  
Whiteboard: [sg:dos]

    
  

        Attachment #389179 -
        Flags: review? → review?(bobbyholley)

    
    

    
  
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow

looks good. r=bholley

        Attachment #389179 -
        Flags: review?(bobbyholley) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/8b4c3179b68f
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
  
Group: core-security

    
    

    
  
I'm guessing we need this on 1.9.1 as well. Jeff, can you work up a patch (or just check if the current one applies) and request approval?
blocking1.9.1: --- → needed

          status1.9.1:
          --- → wanted

    
  

        Attachment #389179 -
        Flags: approval1.9.1.2?

    
    

    
  
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow

Approved for 1.9.1.2. a=ss for release-drivers

Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.

        Attachment #389179 -
        Flags: approval1.9.1.2? → approval1.9.1.2+

    
    

    
  
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow

This didn't land in time for 1.9.1.2.

        Attachment #389179 -
        Flags: approval1.9.1.3?

        Attachment #389179 -
        Flags: approval1.9.1.2-

        Attachment #389179 -
        Flags: approval1.9.1.2+

    
    

    
  
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow

Approved for 1.9.1.4, a=dveditz for release-drivers

        Attachment #389179 -
        Flags: approval1.9.1.3? → approval1.9.1.4+
blocking1.9.1: needed → .4+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: