Bug 11627

Summary: Saving image surface to PNG SEGVs
Product: pixman
Reporter: Dom Lachowicz <domlachowicz>
Component: pixman
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: major
Priority: medium
Version: 0.1.3
Hardware: Other
OS: All
Attachments: Protect pixel allocation from integer overflow.

Description Dom Lachowicz 2007-07-16 12:44:16 UTC
Copied from http://bugzilla.gnome.org/show_bug.cgi?id=456850

Using rsvg-convert to convert this SVG to a PNG, you get a SEGV with the following stack trace:

#0  0xb79d534c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb7be4fbb in png_memcpy_check () from /usr/lib/libpng12.so.0
#2  0xb7bdc723 in png_write_row () from /usr/lib/libpng12.so.0
#3  0xb7bdc98d in png_write_image () from /usr/lib/libpng12.so.0
#4  0xb7c19450 in write_png () from /usr/lib/libcairo.so.2
#5  0xb7c194cd in cairo_surface_write_to_png_stream ()
#6  0x08049e8c in main (argc=1, argv=0xbfc2de64) at rsvg-convert.c:293
Comment 1 Chris Wilson 2007-08-16 14:11:06 UTC
Created attachment 11155 [details] [review]
Protect pixel allocation from integer overflow.
Comment 2 Dom Lachowicz 2007-08-16 14:44:57 UTC
(In reply to comment #1)
> Created an attachment (id=11155) [details]
> Protect pixel allocation from integer overflow.
> 

Is this something that might benefit from Vlad's malloc wrappers that check for overflow?
Comment 3 Chris Wilson 2007-08-16 23:55:44 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Created an attachment (id=11155) [details] [details]
> > Protect pixel allocation from integer overflow.
> > 
> 
> Is this something that might benefit from Vlad's malloc wrappers that check for
> overflow?

No, this one was a call to calloc and was missed during the wrapping - I too had the same thought and had to double check my source tree!

[Transferring to libpixman.]

Comment 4 Chris Wilson 2007-10-05 11:20:51 UTC
Fixed in:

commit 958a650b8eb1b61143122c3ad1f9b637b6467984
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Sep 27 12:40:59 2007 +0100

    [pixman-image] Avoid integer overflow when allocating bits.
    
    Check for potential overflows at every step of the calculation of the
    buffer size required for the pixels.
    
    (Fixes https://bugs.freedesktop.org/show_bug.cgi?id=11627)
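As an added illustration, not pixman's code and not the patch attached to this bug, the following C helper shows the kind of step-by-step check the commit message describes: the row stride and the total buffer size are each validated before the calloc is reached, so a wrapped size can never produce an undersized buffer for the writer to overrun. The 32-bit row alignment and the function names are assumptions for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper (not pixman's API): byte size of a width x height
 * buffer at bpp bits per pixel, each row rounded up to a 32-bit stride.
 * Returns 0 when any intermediate step would overflow; a valid buffer is
 * never 0 bytes because all three dimensions must be positive. */
static size_t pixel_buffer_size(int width, int height, int bpp)
{
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;

    /* Step 1: width * bpp (plus the 31 used for rounding) must fit in unsigned. */
    if ((unsigned) width > (UINT_MAX - 31u) / (unsigned) bpp)
        return 0;
    unsigned row_bits = (unsigned) width * (unsigned) bpp;

    /* Step 2: round the row up to whole 32-bit words, then to bytes.
     * row_bits + 31 cannot overflow because of the check above. */
    unsigned stride = ((row_bits + 31u) / 32u) * 4u;

    /* Step 3: stride * height must fit in size_t before it reaches calloc. */
    if ((size_t) stride > SIZE_MAX / (size_t) height)
        return 0;

    return (size_t) stride * (size_t) height;
}

/* Zeroed pixel allocation that refuses overflowing geometry instead of
 * handing a wrapped (too small) size to calloc. Caller frees the result. */
static void *alloc_pixels(int width, int height, int bpp)
{
    size_t size = pixel_buffer_size(width, height, bpp);
    if (size == 0)
        return NULL;
    return calloc(1, size);
}
```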
