REDHAT-BUG-387431: Integer Overflow

Published Nov 16, 2007

Peter Valchev from the Google Security Team told the Cairo upstream project of an integer overflow in the way Cairo decodes PNG image data. To quote the mail from Peter:

As an example, cairo supports creating a new image surface from a PNG image file - see cairo-png.c, function cairo_image_surface_create_from_png(). It calls read_png(), where the input filename is parsed, and memory is allocated to hold the resulting surface as follows:

    cairo-png.c: read_png()
    ..
    png_get_IHDR (png, info, &png_width, &png_height, &depth, &color_type, &interlace, NULL, NULL);
    ..
    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
    ..

Note that png_width and png_height come from libpng's IHDR. The image width and height are restricted in libpng's pngconf.h, and by default the restrictions are as follows:

    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

so any width < 1000000 and height < 1000000 will pass through libpng, allowing an integer overflow in cairo's read_png() function above.

The upstream fix can be found here:

http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
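An added example (not the upstream Cairo fix and not code from the report) showing how the quoted size calculation wraps and one way to reject such dimensions before allocating. It assumes 32-bit unsigned dimensions; `unchecked_size`, `checked_size`, `alloc_pixels` and the `MAX_BYTES` cap are hypothetical names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PIXEL_SIZE 4u            /* bytes per pixel, as in the quoted read_png() */
#define MAX_BYTES  2147483647u   /* assumed cap (INT32_MAX), not a Cairo constant */

/* The quoted pattern, assuming 32-bit unsigned dimensions: the product
 * wraps modulo 2^32 before malloc() ever sees it. */
uint32_t unchecked_size(uint32_t width, uint32_t height)
{
    return width * height * PIXEL_SIZE;
}

/* Returns 0 and stores the byte count in *out only if
 * width * height * PIXEL_SIZE <= MAX_BYTES; returns -1 otherwise.
 * The test is rearranged into divisions so no intermediate can wrap. */
int checked_size(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (height > MAX_BYTES / PIXEL_SIZE / width)
        return -1;
    *out = (size_t)width * height * PIXEL_SIZE;
    return 0;
}

/* Hypothetical allocation helper: refuses instead of under-allocating. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height)
{
    size_t n;
    if (checked_size(width, height, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions, both below libpng's default 1000000 limit. */
    uint32_t w = 65536, h = 16385;
    size_t n;
    printf("true size : %llu bytes\n", (unsigned long long)w * h * PIXEL_SIZE);
    printf("unchecked : %u bytes\n", (unsigned)unchecked_size(w, h));
    printf("checked   : %s\n", checked_size(w, h, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```

With the constructed 65536 x 16385 input the true size exceeds 4 GiB, yet the unchecked product wraps to a few hundred kilobytes, so a decoder writing full rows would run past the end of the buffer.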

Affected Software

1 affected component
Cairo Cairo

Event History

Nov 16, 2007
Data Sourced
via Red Hat·07:10 PM

Frequently Asked Questions

1. What is the severity of REDHAT-BUG-387431?

The severity of REDHAT-BUG-387431 is classified as a critical vulnerability.

2. How do I fix REDHAT-BUG-387431?

To fix REDHAT-BUG-387431, update to the latest version of the Cairo library that addresses the integer overflow issue.

3. What systems are affected by REDHAT-BUG-387431?

REDHAT-BUG-387431 affects versions of the Cairo graphics library used in various applications that decode PNG image data.

4. What types of vulnerabilities does REDHAT-BUG-387431 represent?

REDHAT-BUG-387431 represents an integer overflow vulnerability that can lead to further exploitation in software using the Cairo library.

5. Who reported REDHAT-BUG-387431?

REDHAT-BUG-387431 was reported by Peter Valchev from the Google Security Team.
