Bug#838650: pixman: rowstride integer overflow
On Fri, Sep 23, 2016 at 12:00:54 +0200, Alessandro Vesely wrote:
> Source: pixman
> Version: pixman-0.32.6
> Severity: normal
> Tags: upstream patch
>
> Dear Maintainer,
>
> it is wrong to compute offsets like so:
>
> int rowstride = something;
> char *buffer = base_ptr + y*rowstride + x*4;
>
> That idiom fails on 64-bit architectures where integers are 32 bits. Consider a
> not-so-uncommon A0 poster at 600 dpi. It results in a 19860x28080 image.
> While width and height are 16-bit numbers, their product multiplied by a bpp
> of 4 results in a negative integer.
>
> Strides should be type size_t, or, if they can be negative, long integer.
>
> The patch I attach just avoids crashes in various clients (inkscape, evince).
> Package authors may want to carry out a clearer change.
>
Hi,
thanks for the report and the patch. Would you mind sending it to
pixman@lists.freedesktop.org, or reporting to
https://bugs.freedesktop.org/enter_bug.cgi?product=pixman ?
Thanks,
Julien
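
The arithmetic from the report, worked through for the 19860x28080 image at 4 bytes per pixel, as an added example that is not part of the thread, the attached patch, or pixman's code. The function names are hypothetical, and the 32-bit wraparound is modelled with unsigned arithmetic because signed overflow is undefined behaviour in C.

```c
#include <stdint.h>
#include <stdio.h>

/* Dimensions from the report: A0 poster at 600 dpi, 4 bytes per pixel. */
enum { WIDTH = 19860, HEIGHT = 28080, BPP = 4 };

/* What "y*rowstride + x*4" yields when evaluated in a 32-bit int.
 * The wrap is computed in uint32_t and then mapped back to the signed
 * value a two's-complement int would hold. */
int32_t offset_as_int32(int32_t y, int32_t rowstride, int32_t x)
{
    uint32_t u = (uint32_t)y * (uint32_t)rowstride + (uint32_t)x * BPP;
    return u <= INT32_MAX ? (int32_t)u
                          : (int32_t)((int64_t)u - 4294967296LL);
}

/* The same offset with every operand widened to 64 bits before the
 * multiplication, which is what a size_t or long stride gives on LP64. */
int64_t offset_as_int64(int64_t y, int64_t rowstride, int64_t x)
{
    return y * rowstride + x * BPP;
}

/* First row whose starting offset no longer fits in a 32-bit int. */
int32_t first_overflowing_row(int32_t rowstride)
{
    return INT32_MAX / rowstride + 1;
}

int main(void)
{
    int32_t rowstride = WIDTH * BPP;        /* 79440, fits easily */
    int32_t y = HEIGHT - 1, x = WIDTH - 1;  /* last pixel of the image */

    printf("rowstride             = %d\n", (int)rowstride);
    printf("first overflowing row = %d\n",
           (int)first_overflowing_row(rowstride));
    printf("32-bit offset, last px = %d\n",
           (int)offset_as_int32(y, rowstride, x));
    printf("64-bit offset, last px = %lld\n",
           (long long)offset_as_int64(y, rowstride, x));
    return 0;
}
```

Rows below 27033 index correctly, so the fault only appears near the bottom of a very large image, where the pointer ends up before `base_ptr` instead of inside the buffer.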