Peter Valchev from the Google Security Team told the Cairo upstream project of an integer overflow in the way Cairo decodes PNG image data. To quote the mail from Peter:

As an example, cairo supports creating a new image surface from a PNG image file - see cairo-png.c, function cairo_image_surface_create_from_png(). It calls read_png(), where the input filename is parsed, and memory is allocated to hold the resulting surface as follows:

    cairo-png.c: read_png()
    ..
    png_get_IHDR (png, info, &png_width, &png_height, &depth, &color_type, &interlace, NULL, NULL);
    ..
    pixel_size = 4;
    data = malloc (png_width * png_height * pixel_size);
    ..

Note that png_width and png_height come from libpng's IHDR. The image width and height are restricted in libpng's pngconf.h, and by default the restrictions are as follows:

    # define PNG_USER_WIDTH_MAX 1000000L
    # define PNG_USER_HEIGHT_MAX 1000000L

so any width < 1000000 and height < 1000000 will pass through libpng, allowing an integer overflow in cairo's read_png() function above.

The upstream fix can be found here:
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360
http://gitweb.freedesktop.org/?p=cairo;a=commitdiff;h=e49bcde27f88e21d5b8037a0089a226096f6514b
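The arithmetic Peter describes, worked through as an added example (this is not cairo's code and not from the bug report; the names vulnerable_alloc_size, safe_alloc_size and alloc_surface are hypothetical). It assumes, as on the usual libpng builds, that png_uint_32 is a 32-bit unsigned type, which is why the product wraps modulo 2^32 before it is widened to size_t, so the undersized allocation happens on 64-bit builds too, not only where size_t is 32 bits. The hardened form widens first and refuses any dimension pair whose byte count does not fit in size_t; the sample dimensions are constructed and both sit below libpng's default 1000000 limits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for cairo's fixed 4 bytes per pixel (example constant). */
#define PIXEL_SIZE 4u

/* The allocation size as computed in the report: every factor is a 32-bit
 * unsigned value, so the product wraps modulo 2^32 and only then is
 * converted to size_t. Returned instead of passed to malloc so the wrapped
 * value can be inspected. */
size_t vulnerable_alloc_size(uint32_t png_width, uint32_t png_height)
{
    uint32_t pixel_size = PIXEL_SIZE;
    return png_width * png_height * pixel_size;   /* wraps at 2^32 */
}

/* Hardened form (hypothetical, not the upstream patch): widen to size_t
 * before multiplying and reject any product that would overflow.
 * Returns 1 and stores the byte count on success, 0 on overflow or on a
 * zero dimension. */
int safe_alloc_size(uint32_t png_width, uint32_t png_height, size_t *out)
{
    size_t w = png_width, h = png_height;
    if (w == 0 || h == 0)
        return 0;
    if (w > SIZE_MAX / h)                 /* w * h would overflow size_t */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / PIXEL_SIZE)   /* pixels * 4 would overflow */
        return 0;
    *out = pixels * PIXEL_SIZE;
    return 1;
}

/* Allocate the surface buffer only when the dimensions pass the check;
 * NULL on overflow or if malloc fails. */
unsigned char *alloc_surface(uint32_t png_width, uint32_t png_height, size_t *len)
{
    size_t bytes;
    if (!safe_alloc_size(png_width, png_height, &bytes))
        return NULL;
    unsigned char *data = malloc(bytes);
    if (data != NULL && len != NULL)
        *len = bytes;
    return data;
}

int main(void)
{
    /* Constructed dimensions, both below PNG_USER_WIDTH_MAX/HEIGHT_MAX. */
    uint32_t w = 65536, h = 16384;   /* 65536 * 16384 * 4 == 2^32 */
    size_t bytes = 0;

    printf("vulnerable: %u x %u x 4 -> malloc(%zu)\n",
           w, h, vulnerable_alloc_size(w, h));
    printf("hardened:   %s\n",
           safe_alloc_size(w, h, &bytes) ? "accepted, correct size" : "rejected (overflow)");
    printf("vulnerable: 1000000 x 1000000 x 4 -> malloc(%zu)\n",
           vulnerable_alloc_size(1000000u, 1000000u));
    return 0;
}
```

With 65536 x 16384 the wrapped size is 0, so the original code would hand libpng a zero-length buffer and let it write 4 GiB of row data into it; with the 1000000 x 1000000 maximum that libpng still accepts, the buffer is about 1.3 GB instead of 4 TB. The hardened check either produces the true size or refuses the image; whether a 4 GiB request is then acceptable is a separate resource-limit decision for the caller.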
Lifting embargo
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-1078.html

Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2007-3818
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-3913
cairo-1.4.14-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.