oss-sec mailing list archives

Re: [Pixman] create_bits(): Cast the result of height * stride to size_t


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 24 Feb 2016 10:26:40 -0800

On 02/24/16 04:10 AM, Gustavo Grieco wrote:
> Hi,
>
> There is an (old) integer overflow in create_bits in the pixman library.
> Patch and details are available here:
>
> https://web.archive.org/web/20141227044037/http://lists.freedesktop.org/archives/pixman/2014-April/003244.html

The quoted patch was applied to the master branch of the pixman git repo as:

https://cgit.freedesktop.org/pixman/commit/?id=857e40f3d2bc2cfb714913e0cd7e6184cf69aca3

and to the pixman-0.32 branch as:

https://cgit.freedesktop.org/pixman/commit/?id=50d7b5fa8ea2ae119f35c20ab0dd0413d5103cbb

It is included in pixman 0.32.6 and later releases.

--
        -Alan Coopersmith-              alan.coopersmith () oracle com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
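
An added illustration of the bug class named in the subject line, not pixman's code and not part of the original message: a buffer size computed as height * stride in 32-bit arithmetic versus in size_t. The function names and dimensions are constructed, and it is an assumption that the fix amounts to doing the multiply in size_t; the SIZE_MAX guard goes beyond that.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the low 32 bits of height * stride, i.e. what a
 * wrapping 32-bit multiply leaves behind. Signed overflow is undefined in C,
 * so the wrap is modelled with uint32_t to keep the example well-defined. */
static size_t buf_size_32bit(int height, int stride)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)stride;
    return (size_t)wrapped;
}

/* Hypothetical helper: widen to size_t before multiplying (assumed shape of
 * the fix). The SIZE_MAX guard is an addition for targets where size_t is
 * itself 32 bits. Returns 1 and stores the size, or 0 on rejection. */
static int buf_size_wide(int height, int stride, size_t *out)
{
    if (height <= 0 || stride <= 0)
        return 0;
    if ((size_t)height > SIZE_MAX / (size_t)stride)
        return 0;
    *out = (size_t)height * (size_t)stride;
    return 1;
}

int main(void)
{
    /* Constructed dimensions: 65536 rows of 65540 bytes each. */
    int height = 65536, stride = 65540;
    size_t wide = 0;

    printf("32-bit product: %zu bytes\n", buf_size_32bit(height, stride));
    if (buf_size_wide(height, stride, &wide))
        printf("size_t product: %zu bytes\n", wide);
    else
        printf("size_t product: rejected (would overflow)\n");
    return 0;
}
```

With these dimensions the 32-bit product is far smaller than the memory the rows actually span, which is why an allocation sized from it is unsafe to write into row by row.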

