potential int overflow in _cupsImageReadPNG()

[michaelrsweet]

Version: 1.3.9
CUPS.org User: iljavs

in _cupsImageReadPNG() the following calculation is made:

  bufsize = img->xsize * img->ysize * 3;

  if ((bufsize / (img->ysize * 3)) != img->xsize)
  {
fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
    (unsigned)width, (unsigned)height);
fclose(fp);
return (1);
  }

there is a potential integer overflow in the validation code that could render the whole validation useless. (img->ysize * 3) on itself could overflow.

[michaelrsweet]

CUPS.org User: mike

The maximum dimensions of an image are 2^27-1, so it is impossible for "img->ysize * 3" to overflow a 32-bit integer. See the range checks prior to the buffer size check...

[michaelrsweet]

CUPS.org User: mike

Reopening since IMAGE_MAX_HEIGHT is 2^31-1, not 2^27-1.

Patch attached that fixes it.

[michaelrsweet]

"str2974.patch":

Index: filter/image-png.c

--- filter/image-png.c (revision 8062)
+++ filter/image-png.c (working copy)
@@ -178,7 +178,7 @@
{
bufsize = img->xsize * img->ysize;

•  if ((bufsize / img->ysize) != img->xsize)
  

•  if ((bufsize / img->xsize) != img->ysize)
  

  {
  fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
  (unsigned)width, (unsigned)height);
  @@ -190,7 +190,7 @@
  {
  bufsize = img->xsize * img->ysize * 3;

•  if ((bufsize / (img->ysize * 3)) != img->xsize)
  

•  if ((bufsize / (img->xsize \* 3)) != img->ysize)
  

  {
  fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
  (unsigned)width, (unsigned)height);