
Author vstinner
Recipients Arfrever, brett.cannon, loewis, thoger, vstinner
Date 2010-09-03.23:02:10
Message-id <1283554932.48.0.240030577776.issue8678@psf.upfronthosting.co.za>
In-reply-to
Content
I am able to reproduce the crash with z > 4:

# Python 2 (0732 is an octal literal)
import struct
import rgbimg

# (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')

--

But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:

	tablen = xsize * ysize * zsize * sizeof(Py_Int32);
	if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
		PyErr_NoMemory();
		goto finally;
	}

If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no reason for xsize * ysize * sizeof(Py_Int32) to overflow.

--

I am too tired to check the two RLE bugs.
History
Date                 User      Action  Args
2010-09-03 23:02:12  vstinner  set     recipients: + vstinner, loewis, brett.cannon, Arfrever, thoger
2010-09-03 23:02:12  vstinner  set     messageid: <1283554932.48.0.240030577776.issue8678@psf.upfronthosting.co.za>
2010-09-03 23:02:11  vstinner  link    issue8678 messages
2010-09-03 23:02:10  vstinner  create
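
The divide-back overflow test quoted in the message above, as an added example (not code from the tracker or from CPython). It assumes 32-bit unsigned wraparound and 16-bit dimensions, and compares the check against exact 64-bit arithmetic; the function names and the zero-dimension guard are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define ELEM 4u /* stands in for sizeof(Py_Int32) */

/* Exact byte count in 64 bits; 16-bit dimensions cannot overflow it. */
uint64_t exact_bytes(uint16_t x, uint16_t y, uint16_t z) {
    return (uint64_t)x * y * z * ELEM;
}

/* Same product reduced to 32 bits, as a wrapping unsigned multiply gives. */
uint32_t wrapped_tablen(uint16_t x, uint16_t y, uint16_t z) {
    return (uint32_t)x * (uint32_t)y * (uint32_t)z * ELEM;
}

/* The divide-back test from the message: 1 = accepted, 0 = rejected. */
int divide_back_check(uint16_t x, uint16_t y, uint16_t z) {
    if (y == 0 || z == 0)
        return 0; /* guard added for this example so the divisions are defined */
    uint32_t tablen = wrapped_tablen(x, y, z);
    return (uint32_t)x == ((tablen / y) / z) / ELEM;
}

/* Count sampled headers where the check disagrees with exact arithmetic, or
 * where it accepts although one x*y plane alone would not fit in 32 bits. */
int count_disagreements(void) {
    int bad = 0;
    for (uint32_t x = 1; x <= 0xFFFF; x += 0x0555)
        for (uint32_t y = 1; y <= 0xFFFF; y += 0x0555)
            for (uint32_t z = 1; z <= 16; z++) {
                int ok = divide_back_check((uint16_t)x, (uint16_t)y, (uint16_t)z);
                int fits = exact_bytes((uint16_t)x, (uint16_t)y, (uint16_t)z) <= UINT32_MAX;
                int plane = (uint64_t)x * y * ELEM <= UINT32_MAX;
                if (ok != fits || (ok && !plane))
                    bad++;
            }
    return bad;
}

int main(void) {
    /* Constructed sample headers: the two cases discussed in the message. */
    printf("0x8000 x 0x8000 x 1: wrapped=%u accepted=%d\n", (unsigned)wrapped_tablen(0x8000, 0x8000, 1), divide_back_check(0x8000, 0x8000, 1));
    printf("1 x 1 x 10: wrapped=%u accepted=%d\n", (unsigned)wrapped_tablen(1, 1, 10), divide_back_check(1, 1, 10));
    printf("disagreements on sample grid: %d\n", count_disagreements());
    return 0;
}
```

In this model the check rejects the 0x8000 x 0x8000 header and accepts the 1 x 1 x 10 one, so a header with z > 4 is not something this check filters out.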