[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Bug 509531] CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=509531





--- Comment #10 from Tomas Hoger <thoger redhat com>  2009-07-03 10:37:51 EDT ---
I also see two occurrences of this in pngread.c:

  row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);

While sizeof(png_bytep) is fixed, height comes from the file and it seems
possible for it to be 2^32/4 or larger.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]