| Summary: | crash on loading certain png (attached) | | |
|---|---|---|---|
| Product: | [Applications] kfile-plugins | Reporter: | Christian Spitzlay <cmueller> |
| Component: | PNG | Assignee: | Carsten Pfeiffer <pfeiffer> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | CC: | maksim |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Compiled Sources | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
| Attachments: | The png that causes the crash | | |
Description
Christian Spitzlay
2003-09-30 11:46:43 UTC
Created attachment 2644
The png that causes the crash
Confirm a bug in the PNG metainfo plugin. (Affects a lot more than Kuickshow -- konq too)

Subject: kdegraphics/kfile-plugins/png CVS commit by orlovich: Fix range check for some extremely bogus size values.
CCMAIL: 65224-done@bugs.kde.org
M +8 -5 kfile_png.cpp 1.21

--- kdegraphics/kfile-plugins/png/kfile_png.cpp #1.20:1.21 @@ -220,8 +220,12 @@ bool KPngPlugin::readInfo( KFileMetaInfo // the text comes after the key, but isn't null terminated uchar* text = &CHUNK_DATA(data,index, keysize+1); - int textsize = CHUNK_SIZE(data, index)-keysize-1; + uint textsize = CHUNK_SIZE(data, index)-keysize-1; - // security check - if ( (uint)(text - data) + textsize > f.size()) + // security check, also considering overflow wraparound from the addition -- + // we may endup with a /smaller/ index if we wrap all the way around + uint firstIndex = (uint)(text - data); + uint onePastLastIndex = firstIndex + textsize; + + if ( onePastLastIndex > f.size() || onePastLastIndex <= firstIndex) goto end;
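Review bot: the wraparound guard `onePastLastIndex <= firstIndex` also fires when `textsize` is 0, so a tEXt chunk whose value is empty (keyword, null terminator, nothing after it) now jumps to `end` even though it lies entirely inside the file; if that is not intended, test `onePastLastIndex < firstIndex` so the zero-length case passes, or drop the addition altogether and check `firstIndex > f.size()` first and then `textsize > f.size() - firstIndex`, which cannot wrap. Note also that `uint textsize = CHUNK_SIZE(data, index)-keysize-1` wraps on its own whenever the chunk is shorter than `keysize+1`; the `<=` comparison happens to reject the resulting huge value, but that reliance deserves an explicit check or at least a comment, and the new comment text has a typo (`endup`).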