List:       oss-security
Subject:    Re: [oss-security] CVE request: cups - potential integer overflow
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2008-11-25 17:52:36
Message-ID: 20081125185236.5868de90 () redhat ! com

On Tue, 25 Nov 2008 15:38:30 +0300 Eygene Ryabinkin
<rea-sec@codelabs.ru> wrote:

> > Advisory: http://www.cups.org/str.php?L2974
> > Patch: http://www.cups.org/strfiles/2974/str2974.patch
> 
> Hmm, my brains aren't in a perfect shape today, so I could be missing
> some important point, but I don't understand how swapping 'xsize' and
> 'ysize' can help to fix anything.  IIRC, the order of multiplication
> isn't guaranteed and multiplication is commutative, so 'xsize' and
> 'ysize' both are equally good or bad and one can not prefer either.

The bug suggests that xsize and ysize values use different upper
bounds.  So ysize * 3 can overflow (upper bound 2^31-1), while xsize * 3
can't (2^27-1).

-- 
Tomas Hoger / Red Hat Security Response Team
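
Added example, not part of the message above and not CUPS code: the bound argument from the reply worked through in C, assuming a 32-bit signed int. The helper names are hypothetical; only the two upper bounds and the factor 3 come from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bounds quoted in the message; the macro names are hypothetical. */
#define XSIZE_BOUND ((1 << 27) - 1)   /* 2^27-1 */
#define YSIZE_BOUND INT32_MAX         /* 2^31-1 */

/* Multiply two non-negative 32-bit values. Returns 1 and stores the
 * product in *out if it fits in a signed 32-bit int, otherwise 0. */
static int checked_mul_i32(int32_t a, int32_t b, int32_t *out)
{
    if (a < 0 || b < 0)
        return 0;
    int64_t wide = (int64_t)a * (int64_t)b;   /* exact in 64 bits */
    if (wide > INT32_MAX)
        return 0;
    *out = (int32_t)wide;
    return 1;
}

/* Largest factor k such that every value in [0, bound] times k still
 * fits in a signed 32-bit int. */
static int32_t max_safe_factor(int32_t bound)
{
    return bound > 0 ? INT32_MAX / bound : INT32_MAX;
}

/* n * 3, or -1 if the product would overflow a signed 32-bit int. */
static int32_t triple_checked(int32_t n)
{
    int32_t r;
    return checked_mul_i32(n, 3, &r) ? r : -1;
}

int main(void)
{
    /* Safe for the whole xsize range: the bound tolerates factors up to 16. */
    printf("xsize bound: *3 = %d, max safe factor = %d\n",
           (int)triple_checked(XSIZE_BOUND), (int)max_safe_factor(XSIZE_BOUND));
    /* Not safe for the ysize range: only a factor of 1 is tolerated. */
    printf("ysize bound: *3 = %d, max safe factor = %d\n",
           (int)triple_checked(YSIZE_BOUND), (int)max_safe_factor(YSIZE_BOUND));
    return 0;
}
```

Multiplication is commutative, but which variable appears in the expression decides which bound applies to the product, and that is what determines whether it can wrap.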