[issue8678] crashers in rgbimg

STINNER Victor report at bugs.python.org
Sat Sep 4 01:02:12 CEST 2010


STINNER Victor <victor.stinner at haypocalc.com> added the comment:

I am able to reproduce the crash with z > 4:

# Python 2 only (rgbimg module, 0732 octal literal)
import struct
import rgbimg
# (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')

--

But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:

    tablen = xsize * ysize * zsize * sizeof(Py_Int32);
    if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
        PyErr_NoMemory();
        goto finally;
    }

If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no reason for xsize * ysize * sizeof(Py_Int32) to overflow.

--

I am too tired to check the two RLE bugs.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8678>
_______________________________________
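
Added example, not part of the original message or of the rgbimg source: a model of the quoted divide-back check in 32-bit unsigned arithmetic, compared against an exact 64-bit reference over constructed sample dimensions. The uint32_t types are an assumption (the declarations of xsize, ysize, zsize and tablen are not shown above), and divide_back_ok, fits_exact and sweep_mismatches are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizes modelled as uint32_t so wraparound is well defined;
   ELEM stands in for sizeof(Py_Int32). */
#define ELEM 4u

/* The quoted divide-back test. Returns 1 if the dimensions are accepted.
   Zero dimensions are rejected first because the test divides by them. */
static int divide_back_ok(uint32_t x, uint32_t y, uint32_t z)
{
    if (x == 0 || y == 0 || z == 0)
        return 0;
    uint32_t tablen = x * y * z * ELEM;   /* may wrap modulo 2^32 */
    return x == ((tablen / y) / z) / ELEM;
}

/* Exact reference: does x * y * z * ELEM fit in 32 bits? Each step is done
   in 64 bits and bounded before the next multiply, so nothing wraps. */
static int fits_exact(uint32_t x, uint32_t y, uint32_t z)
{
    uint64_t p = (uint64_t)x * y;
    if (p > UINT32_MAX) return 0;
    p *= z;
    if (p > UINT32_MAX) return 0;
    return p * ELEM <= UINT32_MAX;
}

/* Sweep constructed sample dimensions. Counts cases where the two answers
   differ, or where the full size is accepted but x * y * ELEM would not fit. */
static unsigned sweep_mismatches(void)
{
    static const uint32_t dims[] = {1, 2, 255, 0x7fff, 0x8000, 0xffff, 0x10000};
    unsigned n = sizeof dims / sizeof dims[0], bad = 0;
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = 0; j < n; j++)
            for (uint32_t z = 1; z <= 10; z++) {
                int ok = divide_back_ok(dims[i], dims[j], z);
                bad += (ok != fits_exact(dims[i], dims[j], z));
                bad += (ok && !fits_exact(dims[i], dims[j], 1));
            }
    return bad;
}

int main(void)
{
    printf("0x8000 x 0x8000 x 1 accepted: %d\n", divide_back_ok(0x8000, 0x8000, 1));
    printf("mismatches: %u\n", sweep_mismatches());
    return 0;
}
```

The model covers unsigned wraparound only; with signed int operands the same multiplication is undefined behaviour on overflow in C.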

