
oss-sec mailing list archives

Re: CVE request: cups - potential integer overflow in PNG image reader [was: CUPS DoS via RSS subscriptions]


From: Tomas Hoger <thoger () redhat com>
Date: Tue, 2 Dec 2008 15:43:45 +0100

On Wed, 26 Nov 2008 14:20:11 -0800 Michael Sweet <mike () easysw com>
wrote:

> > > The range of values allowed for xsize is smaller than ysize.

> > OK, thanks for the clarification!  But then the first hunk is just
> > a no-op, or am I still missing something?  And I am just curious:
> > will it be legitimate to rewrite the second check as
> >   (bufsize / img->xsize) / 3 != img->ysize
> > or is it still unsafe due to the possible compiler optimizations?

> That should be just fine, although I'd still use an extra set
> of parentheses to ensure the intended order of operations.

Btw, this issue should not affect any system with recent libpng (in
this case, recent seems to be at least 1.2.6rc1 from Aug 2004), as that
version adds (quoting CHANGES file):

  Imposed default one million column, one-million row limits on the image
    dimensions, and added png_set_user_limits() function to override them.

So if you have recent libpng with those limits unchanged and an image with
width or height over 1 million (still quite far from what you need for
integer overflow when multiplied by 3), you will get:

  libpng error: image size exceeds user limits in IHDR

and libpng calls abort().  That happens before the problematic check
is reached (_cupsImageReadPNG() in cups/filter/image-png.c calls
png_read_info() in libpng/pngread.c and later png_handle_IHDR() and
png_set_IHDR() get called).

HTH

-- 
Tomas Hoger / Red Hat Security Response Team
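The two forms of the size check discussed in the thread, side by side, as an added example that is not part of the mail above and is not CUPS's or libpng's own code. It uses plain int dimensions and uint32_t arithmetic to stand in for the 32-bit int case; the function names, the constructed dimension pair and the LIBPNG_DEFAULT_LIMIT constant are this example's own assumptions. It goes slightly beyond the mail by also showing an overflow-checked size computation and a per-dimension cap modelled on the libpng user limit quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed dimension pair for the demonstration: each value is far below
 * libpng's default one-million limit per dimension, yet 65536 * 65537 * 3
 * exceeds 2^32, so a 32-bit product wraps to 196608, the byte count of a
 * 256 x 256 RGB image. */
#define OVERSIZED_XSIZE 65536
#define OVERSIZED_YSIZE 65537
#define SANE_XSIZE      256
#define SANE_YSIZE      256
#define LIBPNG_DEFAULT_LIMIT 1000000u  /* assumed from the CHANGES entry quoted in the mail */

/* Multiplication-style check: recompute width * height * 3 in 32-bit
 * arithmetic and compare it with the buffer size.  Unsigned so the wrap is
 * well-defined; a wrapped product matches a buffer that is far too small.
 * Returns 1 when the check passes (the dimensions are accepted). */
int size_check_multiply(int xsize, int ysize, uint32_t bufsize)
{
    if (xsize <= 0 || ysize <= 0)
        return 0;
    uint32_t product = (uint32_t)xsize * (uint32_t)ysize * 3u;
    return product == bufsize;
}

/* Division-style check in the form discussed in the thread,
 * (bufsize / xsize) / 3 == ysize.  Division cannot wrap, so a buffer size
 * that came from a wrapped product no longer matches the real height.
 * It does tolerate a bufsize that is not an exact multiple (the remainder
 * is discarded), which is why a checked size computation is still preferable. */
int size_check_divide(int xsize, int ysize, uint32_t bufsize)
{
    if (xsize <= 0 || ysize <= 0)
        return 0;
    return ((bufsize / (uint32_t)xsize) / 3u) == (uint32_t)ysize;
}

/* Overflow-checked size computation: returns width * height * 3, or 0 if the
 * dimensions are invalid or the product does not fit in 32 bits.  Valid
 * dimensions are positive, so 0 never collides with a real size. */
uint32_t image_bufsize(int xsize, int ysize)
{
    if (xsize <= 0 || ysize <= 0)
        return 0;
    uint32_t w = (uint32_t)xsize, h = (uint32_t)ysize;
    if (w > UINT32_MAX / 3u || h > (UINT32_MAX / 3u) / w)
        return 0;               /* w * h * 3 would exceed UINT32_MAX */
    return w * h * 3u;
}

/* Per-dimension cap in the style of libpng's user limits: rejects an image
 * whose width or height exceeds the limit.  This is a separate control from
 * the product check: both dimensions can sit under the cap while their
 * product still overflows 32 bits. */
int within_user_limits(int xsize, int ysize, uint32_t limit)
{
    if (xsize <= 0 || ysize <= 0)
        return 0;
    return (uint32_t)xsize <= limit && (uint32_t)ysize <= limit;
}

int main(void)
{
    uint32_t wrapped = (uint32_t)OVERSIZED_XSIZE * (uint32_t)OVERSIZED_YSIZE * 3u;
    printf("wrapped 32-bit product for %d x %d: %u\n",
           OVERSIZED_XSIZE, OVERSIZED_YSIZE, wrapped);
    printf("multiply check accepts oversized dims: %d\n",
           size_check_multiply(OVERSIZED_XSIZE, OVERSIZED_YSIZE, wrapped));
    printf("divide check accepts oversized dims:   %d\n",
           size_check_divide(OVERSIZED_XSIZE, OVERSIZED_YSIZE, wrapped));
    printf("checked size for oversized dims:       %u (0 = overflow)\n",
           image_bufsize(OVERSIZED_XSIZE, OVERSIZED_YSIZE));
    printf("checked size for sane dims:            %u\n",
           image_bufsize(SANE_XSIZE, SANE_YSIZE));
    printf("oversized dims within libpng limit:    %d\n",
           within_user_limits(OVERSIZED_XSIZE, OVERSIZED_YSIZE, LIBPNG_DEFAULT_LIMIT));
    return 0;
}
```

The multiply-style check accepts the 65536 x 65537 pair against a 196608-byte buffer because the product wraps; the divide-style check rejects it because 196608 / 65536 / 3 is 1, not 65537. The per-dimension cap alone does not catch this pair (both values are under one million), so the product itself still needs an overflow check such as image_bufsize(), in addition to whatever libpng's user limits reject earlier.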
