michaelrsweet commented Apr 8, 2008
Version: 1.3-current
CUPS.org User: thomaspollet
1) filter/image-png.c
img->xsize * img->ysize may overflow (CUPS_IMAGE_MAX_WIDTH and CUPS_IMAGE_MAX_HEIGHT are too big for multiplication).
malloc(img->xsize * img->ysize * 3) can result in a buffer that's too small. Also, the return codes of a lot of the mallocs aren't checked; when a NULL pointer is passed to png_read_row, it may be possible to corrupt memory this way as well. I have a .png that does this.
2) filter/image-zoom.c
There are a couple of mallocs in this file that look equally dangerous:
malloc(z->xsize * z->depth)
I haven't crashed it, but by looking at the code it seems there is no check for the multiplication to overflow (the checks for MAX_WIDTH and MAX_HEIGHT are insufficient when width and height are used in multiplication).
If you need more information, please let me know.
Regards,
Thomas Pollet
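The sizing bug described in the report, shown as an added C example (this is not CUPS code and not the reporter's proof-of-concept .png). wrapped_rgb_bytes models the 32-bit int arithmetic in malloc(img->xsize * img->ysize * 3): two dimensions that each pass a large per-dimension limit still wrap the product, so the decoder gets a tiny buffer. checked_pixel_bytes and alloc_pixels show the sizing a patched filter would do instead: validate each dimension, multiply in size_t with an overflow check at every step, and return NULL on failure so the caller must check rather than hand a NULL row buffer to png_read_row. The same shape covers malloc(z->xsize * z->depth) in image-zoom.c via the depth parameter. The per-dimension limit IMG_MAX_DIM, the depth range 1..4, and the 65536 x 65536 sample dimensions are assumptions made for this example; the report does not quote the real CUPS limits.

```c
/*
 * Added example (not CUPS code): why malloc(img->xsize * img->ysize * 3)
 * can under-allocate, and how to size the buffer safely.
 * Build: cc -std=c99 -Wall overflow.c -o overflow
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed per-dimension limit for this example. The report only says the
 * real CUPS limits are too large for a 32-bit product; it does not quote them. */
#define IMG_MAX_DIM 0x07ffffffu

/* Model of the reported allocation size, computed the way a 32-bit int
 * expression wraps. uint32_t is used so the wraparound is well defined
 * (signed overflow is undefined behaviour in C); the bit pattern is the
 * same one a 32-bit int multiply produces. */
uint32_t wrapped_rgb_bytes(uint32_t xsize, uint32_t ysize)
{
    return xsize * ysize * 3u;
}

/* Multiply two size_t values, reporting overflow instead of wrapping.
 * Returns 1 on overflow (out untouched), 0 on success. */
int mul_overflows_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Hardened sizing: reject non-positive or over-limit dimensions, then
 * multiply in size_t with an overflow check at each step. depth is bytes
 * per pixel; 1..4 is an assumed range for this example. Returns 1 and
 * stores the byte count on success, 0 otherwise. */
int checked_pixel_bytes(long xsize, long ysize, unsigned depth, size_t *out)
{
    size_t pixels, bytes;

    if (xsize <= 0 || ysize <= 0 || depth == 0 || depth > 4)
        return 0;
    if ((unsigned long)xsize > IMG_MAX_DIM || (unsigned long)ysize > IMG_MAX_DIM)
        return 0;
    if (mul_overflows_size((size_t)xsize, (size_t)ysize, &pixels))
        return 0;
    if (mul_overflows_size(pixels, depth, &bytes))
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate a pixel buffer. NULL on an invalid size or on malloc failure,
 * so the caller has to check before passing the buffer to a decoder. */
unsigned char *alloc_pixels(long xsize, long ysize, unsigned depth)
{
    size_t bytes;

    if (!checked_pixel_bytes(xsize, ysize, depth, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    size_t bytes;
    unsigned char *p;

    /* Constructed input: a 65536 x 65536 RGB image. Both dimensions are
     * below IMG_MAX_DIM, yet xsize * ysize wraps a 32-bit int to 0. */
    printf("wrapped size for 65536x65536x3: %" PRIu32 " bytes\n",
           wrapped_rgb_bytes(65536u, 65536u));

    if (checked_pixel_bytes(65536, 65536, 3, &bytes))
        printf("checked size: %zu bytes\n", bytes);   /* 64-bit size_t */
    else
        printf("checked size: rejected, would overflow size_t\n"); /* 32-bit */

    p = alloc_pixels(4, 2, 3);
    printf("4x2x3 alloc: %s\n", p ? "ok" : "failed");
    free(p);

    p = alloc_pixels(0x08000000L, 1, 3);
    printf("over-limit alloc: %s\n", p ? "ok" : "rejected");
    free(p);
    return 0;
}
```

On a 32-bit build the checked path rejects the 65536 x 65536 request outright; on a 64-bit build it returns the true 12 GiB size, so malloc either fails or the filter can apply a byte budget before allocating. Either way the buffer is never silently too small.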