STINNER Victor <[email protected]> added the comment:
I am able to reproduce the crash with z > 4:
import struct, rgbimg
# (magic, type (rle, bpp), dim, x, y, z)
open('image', 'wb').write(struct.pack('>hhhhhh', 0732, 1, 1, 1, 1, 10))
rgbimg.longimagedata('image')
--
But not the "xsize = ysize = 0x8000" integer overflow. longimagedata() begins
by checking that xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow:
    tablen = xsize * ysize * zsize * sizeof(Py_Int32);
    if (xsize != (((tablen / ysize) / zsize) / sizeof(Py_Int32))) {
        PyErr_NoMemory();
        goto finally;
    }
If xsize * ysize * zsize * sizeof(Py_Int32) doesn't overflow, there is no
reason for xsize * ysize * sizeof(Py_Int32) to overflow.
--
I am too tired to check the two RLE bugs.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue8678>
_______________________________________
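
The overflow check quoted in the comment above, modelled as an added example; it is not code from rgbimgmodule.c or from the commenter. It assumes 32-bit unsigned arithmetic and sizeof(Py_Int32) == 4 (the real variable types are not shown on this page), and the function names and the zero-dimension guard are hypothetical additions. It runs the check on the reported "xsize = ysize = 0x8000" case and on the reproducer's dimensions, then sweeps 16-bit dimensions for inputs that pass the check while the per-plane product still overflows.

```c
#include <stdint.h>
#include <stdio.h>

#define PIXEL_SIZE 4u   /* assumed value of sizeof(Py_Int32) */

/* Returns 1 if the dimensions pass the quoted check, 0 if they are rejected.
 * uint32_t is used so that wrap-around is well defined (assumption). */
static int dims_pass_check(uint32_t xsize, uint32_t ysize, uint32_t zsize)
{
    uint32_t tablen;

    /* Guard added in this model: the quoted check divides by ysize and zsize. */
    if (xsize == 0 || ysize == 0 || zsize == 0)
        return 0;

    tablen = xsize * ysize * zsize * PIXEL_SIZE;   /* may wrap modulo 2^32 */
    return xsize == (((tablen / ysize) / zsize) / PIXEL_SIZE);
}

/* Returns 1 if xsize * ysize * PIXEL_SIZE fits in 32 bits (computed in 64-bit). */
static int plane_fits_32(uint32_t xsize, uint32_t ysize)
{
    uint64_t plane = (uint64_t)xsize * ysize * PIXEL_SIZE;
    return plane <= UINT32_MAX;
}

/* Coarse sweep over 16-bit dimensions: counts inputs that pass the check
 * even though the per-plane product would not fit in 32 bits. */
static unsigned long count_counterexamples(void)
{
    unsigned long bad = 0;
    for (uint32_t x = 1; x <= 0xFFFF; x += 257)
        for (uint32_t y = 1; y <= 0xFFFF; y += 257)
            for (uint32_t z = 1; z <= 16; z++)
                if (dims_pass_check(x, y, z) && !plane_fits_32(x, y))
                    bad++;
    return bad;
}

int main(void)
{
    printf("0x8000 x 0x8000 x 1 passes check: %d\n",
           dims_pass_check(0x8000, 0x8000, 1));
    printf("1 x 1 x 10 (reproducer) passes check: %d\n",
           dims_pass_check(1, 1, 10));
    printf("counterexamples in sweep: %lu\n", count_counterexamples());
    return 0;
}
```

The reproducer's dimensions (1, 1, 10) pass the check, so the z > 4 crash is not something this size check can catch.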