List: oss-security
Subject: Re: [oss-security] CVE request: cups - potential integer overflow
From: Tomas Hoger <thoger () redhat ! com>
Date: 2008-11-25 17:52:36
Message-ID: 20081125185236.5868de90 () redhat ! com
On Tue, 25 Nov 2008 15:38:30 +0300 Eygene Ryabinkin
<rea-sec@codelabs.ru> wrote:
> > Advisory: http://www.cups.org/str.php?L2974
> > Patch: http://www.cups.org/strfiles/2974/str2974.patch
>
> Hmm, my brains aren't in a perfect shape today, so I could be missing
> some important point, but I don't understand how swapping 'xsize' and
> 'ysize' can help to fix anything. IIRC, the order of multiplication
> isn't guaranteed and multiplication is commutative, so 'xsize' and
> 'ysize' both are equally good or bad and one can not prefer either.
The bug suggests that xsize and ysize values use different upper
bounds. So ysize * 3 can overflow (upper bound 2^31-1), while xsize * 3
can't (2^27-1).
--
Tomas Hoger / Red Hat Security Response Team
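
The bounds argument in the reply above, as an added C example that is not part of the original message and is not CUPS code. The bounds 2^27-1 and 2^31-1 and the factor 3 come from the message; the function names, the 32-bit signed type and the sample ysize value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define XSIZE_BOUND ((int32_t)((1 << 27) - 1)) /* xsize upper bound from the message */
#define YSIZE_BOUND INT32_MAX                  /* ysize upper bound from the message */

/* 1 if every value in [0, bound] times factor still fits in int32_t. */
static int bound_is_safe(int32_t bound, int32_t factor)
{
    return bound >= 0 && factor > 0 && bound <= INT32_MAX / factor;
}

/* Checked multiply: 0 and *out = dim * factor on success, -1 if dim is
 * outside (0, bound] or the product would not fit in int32_t. */
static int checked_scale(int32_t dim, int32_t bound, int32_t factor,
                         int32_t *out)
{
    if (dim <= 0 || dim > bound || factor <= 0)
        return -1;
    if (dim > INT32_MAX / factor)   /* test before multiplying, not after */
        return -1;
    *out = dim * factor;
    return 0;
}

/* What plain 32-bit arithmetic yields when the product wraps
 * (unsigned types used so the wraparound is well defined). */
static uint32_t wrap32(uint32_t a, uint32_t b)
{
    return (uint32_t)((uint64_t)a * b);
}

int main(void)
{
    int32_t out = 0;
    int32_t ysize = 1431655766;     /* constructed sample, within the ysize bound */

    printf("xsize bound * 3 safe: %d\n", bound_is_safe(XSIZE_BOUND, 3));
    printf("ysize bound * 3 safe: %d\n", bound_is_safe(YSIZE_BOUND, 3));
    if (checked_scale(XSIZE_BOUND, XSIZE_BOUND, 3, &out) == 0)
        printf("largest xsize * 3 = %ld\n", (long)out);
    if (checked_scale(ysize, YSIZE_BOUND, 3, &out) != 0)
        printf("ysize * 3 rejected; unchecked 32-bit result would be %lu\n",
               (unsigned long)wrap32((uint32_t)ysize, 3u));
    return 0;
}
```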