[issue1179] [CVE-2007-4965] Integer overflow in imageop module
James Antill
report at bugs.python.org
Thu Sep 20 03:30:23 CEST 2007
James Antill added the comment:
Guido: It's true that that len can be slightly bigger than x*y, the big
thing is that it can't be smaller so we can malloc(len) and use upto x*y
(which was my main focus).
I first looked at any of this code today, but I didn't see any reason
that having len be slightly larger would be a problem ... and in pretty
much all cases it'll be len == x*y.
However we could have both cases covered by doing:
if ( (len != x*y) || (x != (len / y)) )
...but esp. at that point it seems like we'd want some interface so that
we could just do something like:
if ( check_mutliplies2(len, x, y) )
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue1179>
__________________________________
More information about the Python-bugs-list
mailing list