Message115536
I am able to reproduce the crash with z > 4:
# (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')
--
But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:
tablen = xsize * ysize * zsize * sizeof(Py_Int32);
if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
PyErr_NoMemory();
goto finally;
}
If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no reason that xsize * ysize * sizeof(Py_Int32) does overflow.
--
I am too tired to check the two RLE bugs. |
|
Date |
User |
Action |
Args |
2010-09-03 23:02:12 | vstinner | set | recipients:
+ vstinner, loewis, brett.cannon, Arfrever, thoger |
2010-09-03 23:02:12 | vstinner | set | messageid: <1283554932.48.0.240030577776.issue8678@psf.upfronthosting.co.za> |
2010-09-03 23:02:11 | vstinner | link | issue8678 messages |
2010-09-03 23:02:10 | vstinner | create | |
|