...
The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the {{signed int}} value {{pen->num_vertices}} and the {{size_t}} value {{sizeof(cairo_pen_vertex_t)}} \[[VU#551436|AA. C References#VU551436]\]. The {{signed int}} operand is converted to {{unsigned int}} prior to the multiplication operation (see [INT02-C. Understand integer conversion rules]).
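The following added example (not code from Mozilla, cairo, or the original page) shows the size calculation described above next to a checked form. The types pen_vertex_t and pen_t and all function names are hypothetical stand-ins, and the element size is made a parameter so that the wrap can be shown on any platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins; the real cairo types are not shown on this page. */
typedef struct { double x, y; } pen_vertex_t;
typedef struct { int num_vertices; pen_vertex_t *vertices; } pen_t;

/* The flawed pattern: count is converted to an unsigned type, then the
 * product is reduced modulo SIZE_MAX + 1 with no diagnostic. */
size_t unchecked_size(int count, size_t elem_size) {
    return count * elem_size;
}

/* Checked form: reject negative counts, then compare against the largest
 * count whose product still fits in size_t before multiplying. */
bool checked_size(int count, size_t elem_size, size_t *out) {
    if (count < 0) return false;
    if (elem_size != 0 && (size_t)count > SIZE_MAX / elem_size) return false;
    *out = (size_t)count * elem_size;
    return true;
}

/* Allocate pen->vertices only when the byte count is representable.
 * A zero-byte request is refused so that success always means a usable buffer. */
bool pen_alloc_vertices(pen_t *pen) {
    size_t bytes;
    pen->vertices = NULL;
    if (!checked_size(pen->num_vertices, sizeof(pen_vertex_t), &bytes) || bytes == 0)
        return false;
    pen->vertices = malloc(bytes);
    return pen->vertices != NULL;
}

int main(void) {
    pen_t ok = { 8, NULL }, bad = { -1, NULL };  /* constructed inputs */
    int rc = (pen_alloc_vertices(&ok) && !pen_alloc_vertices(&bad)) ? 0 : 1;
    free(ok.vertices);
    return rc;
}
```

A wrapped product is dangerous because the allocation succeeds with fewer bytes than later code, which still uses the original count, will write.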
...