
issue with image.c #2805

Closed
michaelrsweet opened this issue Apr 17, 2008 · 3 comments

Comments

@michaelrsweet
Collaborator

Version: 1.3.7
CUPS.org User: kssingvo.suse

Ludwig Nussel asked me to report this issue:

What happened with the following problem? AFAICS the sample image
causes a crash due to a NULL deref. However, the calloc returning
that NULL just does that due to a silly value that is the result of
a multiplication (image.c, get_tile()):

xtiles = (img->xsize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
ytiles = (img->ysize + CUPS_TILE_SIZE - 1) / CUPS_TILE_SIZE;
...
tile = calloc(sizeof(cups_itile_t), xtiles * ytiles);
...
for (tilex = xtiles; tilex > 0; tilex --, tile ++)
  tile->pos = -1;

Couldn't xtiles and ytiles theoretically be constructed in a way
that xtiles*ytiles < xtiles so that the loop overwrites memory?

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

Please verify the attached patch - basically I've rearranged the multiplications so that calloc() will be able to check for overflow.

xtiles and ytiles will always be less than 2^24, and the _cups_itile_t structure is 12 bytes on 32-bit archs (where this overflow is an issue).

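As an added illustration (example code written for this page, not CUPS code and not from the issue's author), the following C program models the arithmetic the two comments above describe: a 32-bit multiplication of the tile counts that wraps to a value smaller than `xtiles`, beside a checked computation of the allocation size that fails closed and mirrors the patch's factoring (row size first, then rows times `ytiles`). `TILE_SIZE`, `ITILE_BYTES` and the function names are assumptions for the demo; the 12-byte record size and the rounding-up tile formula come from the issue text.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical constants for the demo: the tile edge length and the size of
 * one tile record (the issue states cups_itile_t is 12 bytes on 32-bit archs). */
#define TILE_SIZE   256
#define ITILE_BYTES 12

/* Tiles along one axis, the same rounding-up formula get_tile() uses. */
uint32_t tiles_for(uint32_t pixels)
{
    return (pixels + TILE_SIZE - 1) / TILE_SIZE;
}

/* The unchecked product as a 32-bit int platform computes it: the result is
 * taken modulo 2^32, so a large image yields a tile count smaller than xtiles
 * (even zero), and a calloc() of that many records is far too small for the
 * per-row initialization loop that follows it. */
uint32_t tile_count_unchecked32(uint32_t xtiles, uint32_t ytiles)
{
    return (uint32_t)(xtiles * ytiles);
}

/* Checked allocation size: xtiles * ytiles * elem_bytes, or 0 if the product
 * would exceed `limit`. Pass UINT32_MAX to model a 32-bit size_t, UINT64_MAX
 * for a 64-bit one. The row size (xtiles * elem_bytes) is verified first,
 * then the row size times ytiles, which is the product that the patched
 * calloc(xtiles * sizeof(cups_itile_t), ytiles) call leaves to the C library. */
uint64_t tile_bytes_checked(uint64_t xtiles, uint64_t ytiles,
                            uint64_t elem_bytes, uint64_t limit)
{
    uint64_t row;

    if (xtiles == 0 || ytiles == 0 || elem_bytes == 0)
        return 0;                       /* nothing to allocate */
    if (xtiles > limit / elem_bytes)    /* xtiles * elem_bytes would overflow */
        return 0;
    row = xtiles * elem_bytes;
    if (ytiles > limit / row)           /* row * ytiles would overflow */
        return 0;
    return row * ytiles;
}

/* Allocate the tile array only when the size check passes, so an oversized
 * image header cannot turn a wrapped product into an undersized buffer.
 * Returns NULL for zero tiles as well as on overflow or allocation failure. */
void *tile_alloc_checked(uint32_t xtiles, uint32_t ytiles)
{
    if (tile_bytes_checked(xtiles, ytiles, ITILE_BYTES, SIZE_MAX) == 0)
        return NULL;
    return calloc((size_t)xtiles * ITILE_BYTES, ytiles);
}

int main(void)
{
    uint32_t xtiles = tiles_for(1u << 28);   /* 2^28 pixels wide: 2^20 tiles */
    uint32_t ytiles = tiles_for(1u << 20);   /* 2^20 pixels tall: 2^12 tiles */
    void *p;

    printf("unchecked 32-bit tile count: %u (xtiles = %u)\n",
           tile_count_unchecked32(xtiles, ytiles), xtiles);
    printf("checked bytes on a 32-bit size_t: %llu (0 = overflow)\n",
           (unsigned long long)tile_bytes_checked(xtiles, ytiles,
                                                  ITILE_BYTES, UINT32_MAX));
    p = tile_alloc_checked(4, 4);
    printf("4x4 tiles: %s\n", p ? "allocated" : "failed");
    free(p);
    return 0;
}
```

With the constructed 2^28 by 2^20 image, the unchecked 32-bit product of 2^20 and 2^12 tiles wraps to exactly 0, which is the "silly value" the report describes; the checked computation returns 0 for a 32-bit `size_t` and the caller refuses to allocate, while on a 64-bit `size_t` the same inputs yield the true 48 GiB figure and the decision is left to `calloc()`.
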
@michaelrsweet
Collaborator Author

CUPS.org User: mike

This STR has not been updated by the submitter for two or more weeks and has been closed as required by the CUPS Configuration Management Plan. If the issue still requires resolution, please re-submit a new STR.

@michaelrsweet
Collaborator Author

"str2805.patch":

Index: image.c

--- image.c (revision 7471)
+++ image.c (working copy)
@@ -725,7 +725,7 @@
if ((img->tiles = calloc(sizeof(cups_itile_t *), ytiles)) == NULL)
return (NULL);

  • if ((tile = calloc(sizeof(cups_itile_t), xtiles * ytiles)) == NULL)
  • if ((tile = calloc(xtiles * sizeof(cups_itile_t), ytiles)) == NULL)
    return (NULL);

for (tiley = 0; tiley < ytiles; tiley ++)
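Review bot: The overflow protection in the replacement line `calloc(xtiles * sizeof(cups_itile_t), ytiles)` rests on two conditions that the hunk does not make explicit: that `xtiles * sizeof(cups_itile_t)` cannot itself wrap (true only under the bound stated in the comment, xtiles below 2^24 with a 12-byte record), and that the C library's calloc() rejects an nmemb-times-size product that overflows, which the comment above assumes. Suggest putting the bound in code rather than in the comment, for example `if (ytiles > SIZE_MAX / (xtiles * sizeof(cups_itile_t))) return (NULL);` immediately before the calloc (xtiles is non-zero here since it was derived from a positive xsize), so the size is validated regardless of which calloc() is linked and the `for (tiley = 0; tiley < ytiles; tiley ++)` loop that follows can rely on the full xtiles-by-ytiles array being present.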
