Date: Tue, 25 Nov 2008 18:52:36 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: rea-sec@...elabs.ru, "Steven M. Christey" <coley@...re.org>, Michael Sweet <mike@...ysw.com>
Subject: Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions]

On Tue, 25 Nov 2008 15:38:30 +0300 Eygene Ryabinkin
<rea-sec@...elabs.ru> wrote:

> > Advisory: http://www.cups.org/str.php?L2974
> > Patch: http://www.cups.org/strfiles/2974/str2974.patch
> 
> Hmm, my brains aren't in a perfect shape today, so I could be missing
> some important point, but I don't understand how swapping 'xsize' and
> 'ysize' can help to fix anything.  IIRC, the order of multiplication
> isn't guaranteed and multiplication is commutative, so 'xsize' and
> 'ysize' both are equally good or bad and one can not prefer either.

The bug suggests that xsize and ysize values use different upper
bounds.  So ysize * 3 can overflow (upper bound 2^31-1), while xsize * 3
can't (2^27-1).

-- 
Tomas Hoger / Red Hat Security Response Team
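
The point made in the reply above, as an added example that is not part of the original message or of the CUPS patch: a C sketch that emulates 32-bit `int` wraparound and applies a divide-back overflow check with each dimension as the divisor. The form of the check, the helper names and the sample dimensions are assumptions constructed for illustration; only the two upper bounds come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Bound stated in the message for xsize; ysize may go up to 2^31-1. */
#define XSIZE_MAX ((int32_t)((1 << 27) - 1))

/* Reduce a 64-bit value to what a wrapping 32-bit int would hold. */
static int32_t wrap32(int64_t v)
{
    uint32_t u = (uint32_t)v;                 /* modulo 2^32, well defined */
    return u <= INT32_MAX ? (int32_t)u : (int32_t)((int64_t)u - 4294967296LL);
}

/* Assumed check shape: bufsize = kept * divisor_dim * 3 in 32-bit int,
 * accepted when bufsize / (divisor_dim * 3) == kept. */
static int divide_back_ok(int32_t kept, int32_t divisor_dim)
{
    int32_t bufsize = wrap32((int64_t)wrap32((int64_t)kept * divisor_dim) * 3);
    int32_t divisor = wrap32((int64_t)divisor_dim * 3);
    if (divisor == 0)
        return 0;                             /* wrapped to zero: reject */
    return (int64_t)bufsize / divisor == kept;
}

/* Ground truth computed in 64 bits; xsize must respect its stated bound. */
static int true_size_fits(int32_t xsize, int32_t ysize)
{
    return xsize <= XSIZE_MAX && (int64_t)xsize * ysize * 3 <= INT32_MAX;
}

int main(void)
{
    /* Constructed dimensions: 3 * ysize equals 2^32 + 2, which wraps to 2. */
    int32_t xsize = 1000, ysize = 1431655766;

    printf("true size fits in int:        %d\n", true_size_fits(xsize, ysize));
    printf("check dividing by ysize * 3:  %d\n", divide_back_ok(xsize, ysize));
    printf("check dividing by xsize * 3:  %d\n", divide_back_ok(ysize, xsize));
    return 0;
}
```

With these dimensions the wrapped buffer size is 2000 bytes; dividing by the wrapped `ysize * 3` gives back `xsize` and the check accepts, while dividing by `xsize * 3`, which cannot wrap under the 2^27-1 bound, rejects.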
