[Bug 509531] CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)
bugzilla at redhat.com
bugzilla at redhat.com
Fri Jul 3 14:37:52 UTC 2009
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=509531
--- Comment #10 from Tomas Hoger <thoger at redhat.com> 2009-07-03 10:37:51 EDT ---
I also see two occurrences of this in pngread.c:
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
While sizeof(png_bytep) is fixed, height comes from the file and it seems
possible for it to be 2^32/4 or larger.
--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
More information about the Fedora-ocaml-list
mailing list