From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
To: Stefan Kangas <stefankangas@gmail.com>
Cc: 72245@debbugs.gnu.org
Subject: bug#72245: [PATCH] Fix integer overflow when reading XPM
Date: Tue, 23 Jul 2024 11:41:01 +0800 [thread overview]
Message-ID: <87frs0ydv6.fsf@yahoo.com> (raw)
In-Reply-To: <CADwFkmnbt2xGfZ+J4i4x=hBxNAiCJg80_hSMy8Yafe9EPNoEBA@mail.gmail.com> (Stefan Kangas's message of "Mon, 22 Jul 2024 20:04:23 -0700")
Stefan Kangas <stefankangas@gmail.com> writes:
> Po Lu <luangruo@yahoo.com> writes:
>
>> Stefan Kangas <stefankangas@gmail.com> writes:
>>
>>> Severity: minor
>>>
>>> Since XPM files are untrusted input, I think we'd better handle
>>> integer
>>> overflow when parsing it, in case the file is malformed.
>>>
>>> Proposed patch attached.
>>
>> What are the security implications of accepting whatever scanf produces
>> in the event of an overflow?
>
> There is a good summary here:
>
> https://cwe.mitre.org/data/definitions/190.html
I'm asking which component of xpm_load_image is not adequately prepared
to reject excessive values of these image dimension fields, for the
immediately adjacent statements verify that width, height, num_colors,
and chars_per_pixel are not invalid. Otherwise I can find no reason to
substantially reinvent the wheel and complicate image.c with a pedantic
10-line function for reading numbers with overflow checking,
implementations of which already abound in that file in one shape or
another.
next prev parent reply other threads:[~2024-07-23 3:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-22 14:35 bug#72245: [PATCH] Fix integer overflow when reading XPM Stefan Kangas
2024-07-22 15:01 ` Eli Zaretskii
2024-07-22 15:39 ` Paul Eggert
2024-07-22 15:48 ` Stefan Kangas
2024-07-23 2:06 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 3:04 ` Stefan Kangas
2024-07-23 3:41 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors [this message]
2024-07-23 4:12 ` Stefan Kangas
2024-07-23 4:45 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 14:51 ` Stefan Kangas
2024-07-23 15:15 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2024-07-23 15:39 ` Eli Zaretskii
2024-07-23 15:33 ` Eli Zaretskii
2024-07-23 17:39 ` Andreas Schwab
2024-07-23 17:54 ` Eli Zaretskii
2024-07-23 21:39 ` Stefan Kangas
2024-09-01 11:20 ` Stefan Kangas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87frs0ydv6.fsf@yahoo.com \
--to=bug-gnu-emacs@gnu.org \
--cc=72245@debbugs.gnu.org \
--cc=luangruo@yahoo.com \
--cc=stefankangas@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.