This queue is for tickets about the Imager CPAN distribution.

Report information
The Basics
Id: 8213
Status: resolved
Priority: 10/
Queue: Imager

People
Owner: TONYC [...] cpan.org
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Date: Wed, 3 Nov 2004 01:12:08 +1100
From: tonyc [...] cpan.org
To: bug-Imager [...] rt.cpan.org
Subject: integer overflows while allocating images not handled
The following code causes a segmentation fault:

    # check for handling of memory allocation of very large images
    use Config;
    my $uint_range = 256 ** $Config{ivsize};
    print "# range $uint_range\n";
    my $dim1 = int(sqrt($uint_range));
    my $im_b = Imager->new(xsize=>$dim1, ysize=>$dim1, channels=>1);
    $im_b->box(filled=>1, color=>'#000000');

which seems to be due to incorrect handling of the multiplication when calculating the space needed for image data. The log shows:

    [2004/11/02 23:48:01] image.c:270 1: ((nil)) <- IIM_new
    [2004/11/02 23:48:01] image.c:266 1: IIM_new(x 65536,y 65536,ch 1)
    [2004/11/02 23:48:01] image.c:351 1: i_img_empty_ch(*im (nil), x 65536, y 65536, ch 1)
    [2004/11/02 23:48:01] io.c:236 1: mymalloc(size 128) -> 0x83d2860
    [2004/11/02 23:48:01] io.c:236 1: mymalloc(size 0) -> 0x83d28e8
    [2004/11/02 23:48:01] image.c:378 1: (0x83d2860) <- i_img_empty_ch
    [2004/11/02 23:48:01] image.c:270 1: (0x83d2860) <- IIM_new

when creating the image - so the size allocated is zero bytes.
Code for each of the image types has been changed to check that the multiplication doesn't overflow, and then fail image creation if it does. Various pieces of code that create new image objects (especially the file readers) need to handle the possibility of failure. In some cases they should also have checks added for similar integer overflows (eg. for buffers they use).
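The overflow check described in this ticket, sketched as an added example (this is not Imager's own code): the unchecked product for the 65536 x 65536 x 1 request wraps to zero in 32-bit arithmetic, while a division-based check refuses the request so image creation fails cleanly. The names `unchecked_bytes32`, `checked_bytes`, `demo_img` and the `limit` parameter are hypothetical; `limit` stands in for a 32-bit size type so the ticket's case reproduces on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size as a 32-bit build computes it: the product wraps modulo 2^32. */
static uint32_t unchecked_bytes32(uint32_t x, uint32_t y, uint32_t ch) {
    return x * y * ch;
}

/* Store x*y*ch in *out and return 1 only if the product fits in `limit`.
   Dividing the limit avoids performing a multiplication that could wrap. */
static int checked_bytes(size_t x, size_t y, size_t ch, size_t limit, size_t *out) {
    if (x == 0 || y == 0 || ch == 0) return 0;
    if (x > limit / y) return 0;
    if (x * y > limit / ch) return 0;
    *out = x * y * ch;
    return 1;
}

/* Hypothetical image type: creation fails (NULL) instead of under-allocating. */
typedef struct { size_t xsize, ysize, channels, bytes; unsigned char *data; } demo_img;

static demo_img *demo_img_new(size_t x, size_t y, size_t ch, size_t limit) {
    size_t bytes;
    demo_img *im;
    if (!checked_bytes(x, y, ch, limit, &bytes)) return NULL;
    if ((im = malloc(sizeof *im)) == NULL) return NULL;
    im->data = calloc(bytes, 1);
    if (im->data == NULL) { free(im); return NULL; }
    im->xsize = x; im->ysize = y; im->channels = ch; im->bytes = bytes;
    return im;
}

int main(void) {
    /* Constructed input: the 65536 x 65536 x 1 request from the ticket's log. */
    demo_img *big, *ok;
    printf("unchecked 32-bit size: %u\n", (unsigned)unchecked_bytes32(65536u, 65536u, 1u));
    big = demo_img_new(65536, 65536, 1, UINT32_MAX);
    printf("checked creation: %s\n", big ? "allocated" : "refused");
    ok = demo_img_new(4, 4, 3, UINT32_MAX);
    printf("4x4x3 image: %lu bytes\n", ok ? (unsigned long)ok->bytes : 0ul);
    if (ok) { free(ok->data); free(ok); }
    return 0;
}
```

Callers such as file readers have to test the returned pointer, since creation can now fail where it previously returned an image with a zero-byte buffer.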
Need to check that other image data allocations allocate the correct amount, for example the quantization image allocation.
The types code review covered this.
Fixed in 0.85