Date: Tue, 2 Dec 2008 15:43:45 +0100
From: Tomas Hoger <thoger@...hat.com>
To: Michael Sweet <mike@...ysw.com>
Cc: Eygene Ryabinkin <rea-sec@...elabs.ru>, oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions]

On Wed, 26 Nov 2008 14:20:11 -0800 Michael Sweet <mike@...ysw.com> wrote:

> >> The range of values allowed for xsize is smaller than ysize.
> >
> > OK, thanks for the clarification! But then the first hunk is just
> > a no-op, or I am still missing something? And I am just curious:
> > will it be legitimate to rewrite the second check as
> >
> >   (bufsize / img->xsize) / 3 != img->ysize
> >
> > or it is still unsafe due to the possible compiler optimizations?
>
> That should be just fine, although I'd still use an extra set
> of parenthesis to ensure the intended order of operations.

Btw, this issue should not affect any system with recent libpng (in this
case, recent seems to be at least 1.2.6rc1 from Aug 2004), as that version
adds (quoting CHANGES file):

  Imposed default one million column, one-million row limits on the image
  dimensions, and added png_set_user_limits() function to override them.

So if you have recent libpng with those limits unchanged and image with
width or height over 1 million (still quite far from what you need for
integer overflow when multiplied by 3), you will get:

  libpng error: image size exceeds user limits in IHDR

and libpng calls abort(). That happens before the problematic check is
reached (_cupsImageReadPNG() in cups/filter/image-png.c calls
png_read_info() in libpng/pngread.c and later png_handle_IHDR() and
png_set_IHDR() get called).

HTH

-- 
Tomas Hoger / Red Hat Security Response Team
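The thread above turns on whether a buffer-size check of the form
"(bufsize / xsize) / 3 != ysize", applied after the multiplication has
already happened, is a sound way to detect that xsize * ysize * 3 wrapped.
The following is an added example written for this page; it is not CUPS
code and the function names, the 32-bit width and the sample dimensions
are assumptions chosen to make the wraparound visible. It shows the
unchecked product, the after-the-fact division check from the thread, and
a pre-multiplication check, on unsigned 32-bit values. The choice of an
unsigned type is the point raised about compiler optimizations: signed
overflow is undefined in C, so a compiler may legally delete a post-hoc
test on a signed product, whereas unsigned wraparound is defined and the
division check is then exact (a wrapped product is strictly smaller than
the true product, so floor(bufsize / (3 * xsize)) can never equal ysize).

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: a 24-bit RGB buffer, three bytes per pixel, sized in 32 bits
 * the way a 32-bit int build would compute it.  All names are hypothetical. */
#define BYTES_PER_PIXEL 3u

/* Unchecked product, as a vulnerable reader would compute it.  Unsigned
 * arithmetic makes the wraparound defined, so the result is observable. */
uint32_t naive_rgb_bufsize(uint32_t xsize, uint32_t ysize)
{
    return xsize * ysize * BYTES_PER_PIXEL;
}

/* Post-hoc check in the shape discussed in the thread: compute first, then
 * divide back out and compare.  Returns the buffer size, or 0 on rejection
 * (0 is never a valid size for non-zero dimensions). */
uint32_t rgb_bufsize_posthoc(uint32_t xsize, uint32_t ysize)
{
    if (xsize == 0 || ysize == 0)
        return 0;                       /* avoid division by zero below */

    uint32_t bufsize = xsize * ysize * BYTES_PER_PIXEL;   /* may wrap */

    /* Extra parentheses as suggested in the thread, to pin the order. */
    if (((bufsize / xsize) / BYTES_PER_PIXEL) != ysize)
        return 0;                       /* product wrapped: reject */

    return bufsize;
}

/* Pre-multiplication check: refuse before anything can wrap.  This form is
 * safe even with signed types because no overflow is ever performed. */
uint32_t rgb_bufsize_precheck(uint32_t xsize, uint32_t ysize)
{
    if (xsize == 0 || ysize == 0)
        return 0;

    /* ysize <= UINT32_MAX / 3 / xsize  <=>  3 * xsize * ysize <= UINT32_MAX */
    if (ysize > UINT32_MAX / BYTES_PER_PIXEL / xsize)
        return 0;

    return xsize * ysize * BYTES_PER_PIXEL;
}

int main(void)
{
    /* Constructed inputs: a sane image and one whose byte count exceeds 2^32. */
    uint32_t dims[][2] = { { 1000u, 1000u }, { 40000u, 40000u } };

    for (unsigned i = 0; i < 2; i++) {
        uint32_t x = dims[i][0], y = dims[i][1];
        printf("%ux%u: naive=%u posthoc=%u precheck=%u\n", x, y,
               naive_rgb_bufsize(x, y), rgb_bufsize_posthoc(x, y),
               rgb_bufsize_precheck(x, y));
    }
    return 0;
}
```

For 40000x40000 the true byte count is 4,800,000,000; the naive product
wraps to 505,032,704, a buffer far too small for the rows the decoder will
later write into it, and both checked variants reject it. The libpng limit
quoted in the mail sits well below that (one million per dimension is only
3 x 10^12 bytes when squared and tripled, still an overflow, but libpng
aborts in png_handle_IHDR() before a reader reaches its own check).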