
Bug#838650: pixman: rowstride integer overflow



On Fri, Sep 23, 2016 at 12:00:54 +0200, Alessandro Vesely wrote:

> Source: pixman
> Version: pixman-0.32.6
> Severity: normal
> Tags: upstream patch
> 
> Dear Maintainer,
> 
> it is wrong to compute offsets like so:
> 
>    int rowstride = something;
>    char *buffer = base_ptr + y*rowstride + x*4;
> 
> That idiom fails in 64bit architecture where integers are 32 bit.  Consider a
> not-so-uncommon A0 poster at 600 dpi.  It results in a 19860x28080 image.
> While width and height are 16 bit numbers, their product multiplied by a bpp
> of 4 results in a negative integer.
> 
> Strides should be type size_t, or, if they can be negative, long integer.
> 
> The patch I attach just avoids crashes in various clients (inkscape, evince).
> Package authors may want to carry out a clearer change.
> 
Hi,

thanks for the report and the patch.  Would you mind sending it to
pixman@lists.freedesktop.org, or reporting to
https://bugs.freedesktop.org/enter_bug.cgi?product=pixman ?

Thanks,
Julien
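
The arithmetic in the quoted report, worked through as an added example (not part of the original thread and not pixman code). The function names are hypothetical, the 32-bit wrap is modelled in 64-bit math because real signed overflow is undefined behaviour, and a 64-bit target is assumed for `ptrdiff_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the report's idiom on a target with 32-bit int: the sum is
 * reduced modulo 2^32 and read back as signed. Real signed overflow is
 * undefined behaviour in C, so the wrap is modelled here in 64-bit math. */
static int64_t offset_int32(int rowstride, int x, int y)
{
    int64_t exact = (int64_t)y * rowstride + (int64_t)x * 4;
    uint32_t low = (uint32_t)exact;          /* well-defined modulo 2^32 */
    return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* Widened form: convert to a pointer-sized type before multiplying. */
static ptrdiff_t offset_wide(ptrdiff_t rowstride, int x, int y)
{
    return (ptrdiff_t)y * rowstride + (ptrdiff_t)x * 4;
}

/* First row whose start offset no longer fits in a 32-bit int, or -1. */
static int first_bad_row(int width, int height, int bpp)
{
    int rowstride = width * bpp;   /* 79440 for the A0 case, fits in int */
    for (int y = 0; y < height; y++)
        if (offset_int32(rowstride, 0, y) != (int64_t)offset_wide(rowstride, 0, y))
            return y;
    return -1;
}

int main(void)
{
    int w = 19860, h = 28080, bpp = 4;   /* A0 at 600 dpi, from the report */
    printf("last row, int math:  %lld\n", (long long)offset_int32(w * bpp, 0, h - 1));
    printf("last row, wide math: %lld\n", (long long)offset_wide(w * bpp, 0, h - 1));
    printf("first bad row:       %d\n", first_bad_row(w, h, bpp));
    return 0;
}
```

With the wrapped value the computed address lands roughly 2 GB before the start of the buffer, which is consistent with the client crashes the report mentions.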

