Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions]

[Tomas Hoger <thoger () redhat com>]

On Tue, 25 Nov 2008 15:38:30 +0300 Eygene Ryabinkin
<rea-sec () codelabs ru> wrote:

> > Advisory: http://www.cups.org/str.php?L2974
> > Patch: http://www.cups.org/strfiles/2974/str2974.patch
>
> Hmm, my brains aren't in a perfect shape today, so I could be missing
> some important point, but I don't understand how swapping 'xsize' and
> 'ysize' can help to fix anything.  IIRC, the order of multiplication
> isn't guaranteed and multiplication is commutative, so 'xsize' and
> 'ysize' both are equally good or bad and one can not prefer either.

The bug suggests that xsize and ysize values use different upper
bounds.  So ysize * 3 can overflow (upper bound 2^31-1), while xsize * 3
can't (2^27-1).

-- 
Tomas Hoger / Red Hat Security Response Team