potential int overflow in _cupsImageReadPNG() #2974

Closed
michaelrsweet opened this Issue Oct 17, 2008 · 3 comments


michaelrsweet commented Oct 17, 2008

Version: 1.3.9
CUPS.org User: iljavs

In _cupsImageReadPNG() the following calculation is made:

    bufsize = img->xsize * img->ysize * 3;

    if ((bufsize / (img->ysize * 3)) != img->xsize)
    {
      fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
              (unsigned)width, (unsigned)height);
      fclose(fp);
      return (1);
    }

There is a potential integer overflow in the validation code that could render the whole validation useless: (img->ysize * 3) on its own could overflow.

michaelrsweet commented Oct 17, 2008

CUPS.org User: mike

The maximum dimensions of an image are 2^27-1, so it is impossible for "img->ysize * 3" to overflow a 32-bit integer. See the range checks prior to the buffer size check...

michaelrsweet commented Oct 17, 2008

CUPS.org User: mike

Reopening since IMAGE_MAX_HEIGHT is 2^31-1, not 2^27-1.

Patch attached that fixes it.

michaelrsweet commented Oct 17, 2008

"str2974.patch":

Index: filter/image-png.c

--- filter/image-png.c (revision 8062)
+++ filter/image-png.c (working copy)
@@ -178,7 +178,7 @@
{
bufsize = img->xsize * img->ysize;

  •  if ((bufsize / img->ysize) != img->xsize)
    
  •  if ((bufsize / img->xsize) != img->ysize)
    

    {
    fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
    (unsigned)width, (unsigned)height);
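Review bot: swapping the divisor from img->ysize to img->xsize in this hunk does not change what the check detects for the plain xsize*ysize product, since dividing a wrapped product by either factor fails the comparison equally; if the swap is only for symmetry with the RGB hunk below, say so in the commit message. Two things the hunk does not show: the division has no visible guard against img->xsize being 0, so it relies entirely on the earlier range checks, and if img->xsize and img->ysize are signed int the product overflows as undefined behaviour before it is assigned to bufsize, so the divide-back test is not guaranteed to survive optimization. Computing in the unsigned type of bufsize (`bufsize = (size_t)img->xsize * img->ysize;`) and rejecting when `img->xsize > SIZE_MAX / img->ysize` before multiplying avoids both problems.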
    @@ -190,7 +190,7 @@
    {
    bufsize = img->xsize * img->ysize * 3;

  •  if ((bufsize / (img->ysize * 3)) != img->xsize)
    
  •  if ((bufsize / (img->xsize \* 3)) != img->ysize)
    

    {
    fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
    (unsigned)width, (unsigned)height);
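Review bot: the new divisor `img->xsize * 3` has exactly the wrap hazard the report raised for `img->ysize * 3`, just moved to the other axis; it is only safe if the width bound is small enough that three times it cannot overflow, and that bound is not visible in the hunk (the thread notes IMAGE_MAX_HEIGHT is 2^31-1, and if the width can also reach 2^31-1 then a 2147483647x1 image wraps the divisor and passes). Avoid multiplying inside the divisor at all: reject when `img->xsize > SIZE_MAX / 3 / img->ysize` before computing bufsize, or divide bufsize by 3 first and only then by img->xsize.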

michaelrsweet added this to the Stable milestone Mar 17, 2016
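As an added example (not code from this issue or from CUPS), the three checks discussed in the thread side by side: the pre-patch divide-back test, the str2974.patch variant with the factors swapped, and a form that never multiplies before proving the product fits. The image fields are modelled as plain uint32_t parameters so the 32-bit wraparound is well defined and reproducible, and the 2^31-1 bound quoted above for IMAGE_MAX_HEIGHT is assumed for width as well; function names and DEMO_MAX_DIM are hypothetical.

```c
/*
 * Added example, not code from the issue or from CUPS: the dimension
 * checks under discussion, modelled with uint32_t so the wraparound is
 * defined behaviour.  img->xsize / img->ysize / bufsize from the real
 * code are plain parameters and locals here (an assumption of the demo).
 */
#include <stdint.h>
#include <stdio.h>

/* Bound the thread quotes for IMAGE_MAX_HEIGHT; assumed for width too. */
#define DEMO_MAX_DIM 2147483647u

/* Pre-patch check: the divisor ysize*3 can itself wrap, as reported. */
int dims_ok_original(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3u;
    uint32_t divisor = ysize * 3u;       /* wraps once ysize > UINT32_MAX/3 */
    if (divisor == 0)                    /* guard added for the demo only */
        return 0;
    return (bufsize / divisor) == xsize;
}

/* str2974.patch shape: same test with the two factors swapped. */
int dims_ok_patched(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3u;
    uint32_t divisor = xsize * 3u;       /* wraps once xsize > UINT32_MAX/3 */
    if (divisor == 0)                    /* guard added for the demo only */
        return 0;
    return (bufsize / divisor) == ysize;
}

/* Hardened form: check each multiplication against the limit before doing it. */
int dims_ok_hardened(uint32_t xsize, uint32_t ysize, uint32_t *bufsize)
{
    if (xsize == 0 || ysize == 0 || xsize > DEMO_MAX_DIM || ysize > DEMO_MAX_DIM)
        return 0;
    if (xsize > UINT32_MAX / ysize)      /* xsize * ysize would wrap */
        return 0;
    uint32_t pixels = xsize * ysize;
    if (pixels > UINT32_MAX / 3u)        /* pixels * 3 would wrap */
        return 0;
    *bufsize = pixels * 3u;
    return 1;
}

/* Convenience wrapper: the accepted buffer size, or 0 when rejected. */
uint32_t hardened_bufsize(uint32_t xsize, uint32_t ysize)
{
    uint32_t b = 0;
    return dims_ok_hardened(xsize, ysize, &b) ? b : 0;
}

int main(void)
{
    /* Width 1, height 2^31-1: the true buffer is ~6 GiB, yet the
       pre-patch check passes because ysize*3 wrapped. */
    printf("original 1x%u     : %d\n", DEMO_MAX_DIM, dims_ok_original(1u, DEMO_MAX_DIM));
    printf("patched  1x%u     : %d\n", DEMO_MAX_DIM, dims_ok_patched(1u, DEMO_MAX_DIM));
    /* Mirror image: the patched check has the same hole on the other axis. */
    printf("patched  %ux1     : %d\n", DEMO_MAX_DIM, dims_ok_patched(DEMO_MAX_DIM, 1u));
    printf("hardened %ux1     : %u\n", DEMO_MAX_DIM, hardened_bufsize(DEMO_MAX_DIM, 1u));
    printf("hardened 640x480  : %u\n", hardened_bufsize(640u, 480u));
    return 0;
}
```

Running it shows the original check accepting a 1x2147483647 image, the patched check rejecting that case but accepting its 2147483647x1 mirror, and the hardened check rejecting both while still accepting an ordinary 640x480 image with a 921600-byte buffer.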
