Bug 504888
Opened 16 years ago
Closed 16 years ago
Integer overflow in qcms
Categories
(Core :: Graphics: Color Management, defect)
RESOLVED
FIXED
People
(Reporter: jrmuizel, Assigned: jrmuizel)
Details
(Whiteboard: [sg:dos])
Attachments
(1 file, 1 obsolete file)
patch, 1.88 KB: bholley: review+; samuel.sidler+old: approval1.9.1.2-; dveditz: approval1.9.1.4+
From Chris Evans:
I saw a possible (but harmless) integer overflow in read_u32() and
similar functions:
    static uint32_t read_u32(struct mem_source *mem, size_t offset)
    {
        if (offset + 4 > mem->size) {   /* offset + 4 wraps when offset > SIZE_MAX - 4 */
            invalid_source(mem, "Invalid offset");
            return 0;
        } else {
            return be32_to_cpu(*(__be32*)(mem->buf + offset));
        }
    }
On 32-bit platforms where size_t is 32-bits, that first addition could
overflow if offset >= 0xfffffffc (from a tag being declared with such
an offset in the tag table). The impact would seem to be a 4-byte
out-of-bounds read before the "buf" buffer. I know, lame :)
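An added, self-contained illustration of the wrap described above, beside one overflow-free form of the check. This is example code written for this page, not qcms source and not the patch in attachment 389179 (the patch itself is not shown here); the struct layout, the function names, the byte-wise decode and the sample bytes are assumptions or constructed for the demo, and the subtract-based check is one possible fix rather than the one that landed. On a 32-bit build SIZE_MAX - 3 is exactly 0xfffffffc; on a 64-bit build it is the corresponding 64-bit value, so the wrap reproduces on either.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for qcms' mem_source (assumed layout, not the real struct):
 * a byte buffer, its length, and a flag cleared on a bad read. */
struct mem_source {
    const uint8_t *buf;
    size_t size;
    bool valid;
};

/* The reported test, written as "is in bounds": offset + 4 wraps to a
 * small value when offset > SIZE_MAX - 4, so the test passes and
 * buf + offset would point 4 bytes before the buffer. */
static bool unsafe_in_bounds(const struct mem_source *mem, size_t offset)
{
    return offset + 4 <= mem->size;
}

/* Overflow-free form (illustrative, not the landed patch): rule out
 * buffers shorter than 4 bytes, then subtract from the size instead of
 * adding to the offset, so no intermediate value can wrap. */
static bool safe_in_bounds(const struct mem_source *mem, size_t offset)
{
    return mem->size >= 4 && offset <= mem->size - 4;
}

/* Big-endian 32-bit read using the overflow-free check. Returns 0 and
 * clears mem->valid on a bad offset, mirroring invalid_source(). The
 * byte-wise decode also avoids the unaligned __be32 cast. */
static uint32_t read_u32_checked(struct mem_source *mem, size_t offset)
{
    if (!safe_in_bounds(mem, offset)) {
        mem->valid = false;
        return 0;
    }
    const uint8_t *p = mem->buf + offset;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed input: 8 bytes of filler, then one fake 12-byte ICC tag
 * table entry (signature, offset, size). The tag offset is the
 * 0xfffffffc value from the report; everything else is made up. */
static const uint8_t sample_profile[20] = {
    0x00, 0x00, 0x00, 0x14,   /* filler word */
    0x00, 0x00, 0x00, 0x01,   /* filler word (tag count 1) */
    'r',  'X',  'Y',  'Z',    /* tag signature */
    0xff, 0xff, 0xff, 0xfc,   /* tag offset 0xfffffffc */
    0x00, 0x00, 0x00, 0x14,   /* tag size */
};

static struct mem_source sample_source(void)
{
    struct mem_source mem = { sample_profile, sizeof sample_profile, true };
    return mem;
}

/* Four below the wrap point on this platform: 0xfffffffc for 32-bit size_t. */
static size_t wrapping_offset(void) { return SIZE_MAX - 3; }

/* True when the reported check lets a read at wrapping_offset() through. */
static bool unsafe_check_accepts_wrap(void)
{
    struct mem_source mem = sample_source();
    return unsafe_in_bounds(&mem, wrapping_offset());
}

/* True when the hardened check rejects the same offset. */
static bool safe_check_rejects_wrap(void)
{
    struct mem_source mem = sample_source();
    return !safe_in_bounds(&mem, wrapping_offset());
}

/* Decode the tag's declared offset from the sample entry. */
static uint32_t sample_tag_offset(void)
{
    struct mem_source mem = sample_source();
    return read_u32_checked(&mem, 12);
}

/* A 4-byte read at the declared tag offset must fail cleanly. */
static bool sample_tag_read_is_rejected(void)
{
    struct mem_source mem = sample_source();
    uint32_t v = read_u32_checked(&mem, sample_tag_offset());
    return v == 0 && !mem.valid;
}

int main(void)
{
    printf("unsafe check accepts wrapping offset: %s\n",
           unsafe_check_accepts_wrap() ? "yes" : "no");
    printf("safe check rejects wrapping offset:   %s\n",
           safe_check_rejects_wrap() ? "yes" : "no");
    printf("sample tag offset 0x%08x, read rejected: %s\n",
           (unsigned)sample_tag_offset(),
           sample_tag_read_is_rejected() ? "yes" : "no");
    return 0;
}
```

The 0xfffffffc offset decoded from the tag entry is merely out of range, not wrapping, when size_t is 64 bits, which is why the demo feeds the checks SIZE_MAX - 3 directly to show the wrap on any platform; the subtract-based check rejects both.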
Comment 1 (Assignee) • 16 years ago
Attachment #389179 - Flags: review?
Comment 2 (Assignee) • 16 years ago
Attachment #389180 - Flags: review?
Updated (Assignee) • 16 years ago
Attachment #389180 - Attachment is obsolete: true
Attachment #389180 - Flags: review?
Updated (Assignee) • 16 years ago
Whiteboard: [sg:dos]
Updated (Assignee) • 16 years ago
Attachment #389179 - Flags: review? → review?(bobbyholley)
Comment 3 • 16 years ago
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow
looks good. r=bholley
Attachment #389179 - Flags: review?(bobbyholley) → review+
Comment 4 (Assignee) • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated (Assignee) • 16 years ago
Group: core-security
Comment 5 • 16 years ago
I'm guessing we need this on 1.9.1 as well. Jeff, can you work up a patch (or just check if the current one applies) and request approval?
blocking1.9.1: --- → needed
status1.9.1: --- → wanted
Updated (Assignee) • 16 years ago
Attachment #389179 - Flags: approval1.9.1.2?
Comment 6 • 16 years ago
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow
Approved for 1.9.1.2. a=ss for release-drivers
Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.
Attachment #389179 - Flags: approval1.9.1.2? → approval1.9.1.2+
Comment 7 • 16 years ago
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow
This didn't land in time for 1.9.1.2.
Attachment #389179 - Flags: approval1.9.1.3?
Attachment #389179 - Flags: approval1.9.1.2+ → approval1.9.1.2-
Comment 8 • 16 years ago
Comment on attachment 389179 [details] [diff] [review]
Fix the integer overflow
Approved for 1.9.1.4, a=dveditz for release-drivers
Attachment #389179 - Flags: approval1.9.1.3? → approval1.9.1.4+
Updated • 16 years ago
blocking1.9.1: needed → .4+
Comment 9 (Assignee) • 16 years ago