rpms/ocaml-camlimages/EL-5 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.1, 1.2

Richard W.M. Jones rjones at fedoraproject.org
Fri Jul 3 18:29:18 UTC 2009


Author: rjones

Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20504/EL-5

Modified Files:
	camlimages-oversized-png-check-CVE-2009-2295.patch 
Log Message:
Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11

camlimages-oversized-png-check-CVE-2009-2295.patch:

Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- camlimages-oversized-png-check-CVE-2009-2295.patch	3 Jul 2009 13:59:10 -0000	1.1
+++ camlimages-oversized-png-check-CVE-2009-2295.patch	3 Jul 2009 18:28:47 -0000	1.2
@@ -1,6 +1,15 @@
---- camlimages-3.0.1/src/pngread.c	2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c	2009-07-03 14:19:42.000000000 +0100
-@@ -26,6 +26,12 @@
+--- camlimages-3.0.1.orig/src/pngread.c	2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1.oversized/src/pngread.c	2009-07-03 15:51:00.000000000 +0100
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+ 
++#include <limits.h>
++
+ #include <png.h>
+ 
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
  #define PNG_TAG_INDEX16 2
  #define PNG_TAG_INDEX4 3
  
@@ -8,12 +17,12 @@
 + * arithmetic overflow.
 + */
 +#define oversized(x, y)						\
-+  ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
 +
  value read_png_file_as_rgb24( name )
       value name;
  {
-@@ -81,6 +87,9 @@
+@@ -81,6 +89,9 @@
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
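Review bot: The rewritten `oversized` macro now means "the product would exceed INT_MAX" rather than "the multiplication wrapped", but the visible tail of the comment above it still speaks only of arithmetic overflow (the rest of that comment lies outside the hunk). With an unsigned operand, as in the `oversized (sizeof (png_bytep), height)` calls added later in this patch, both sign tests are always false and `INT_MAX / (y)` is computed in the unsigned type. The result is still a sound, conservative bound, but only because of the usual arithmetic conversions. I would state that contract in the comment, e.g. `/* True if x or y is negative, or if x * y would exceed INT_MAX. Arguments are evaluated more than once; pass side-effect-free expressions only. */`.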
@@ -23,7 +32,7 @@
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -102,6 +111,9 @@
+@@ -102,10 +113,16 @@
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
@@ -33,7 +42,14 @@
    {
      int i;
      png_bytep *row_pointers;
-@@ -235,6 +247,9 @@
+ 
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+ 
+     res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
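Review bot: The added height check raises with `failwith` while the libpng read state is still live (`png_ptr` and `info_ptr` are used by `png_get_rowbytes` just before this block), and nothing visible releases it first. Since `failwith` does not return, a rejected image would presumably leak that state, plus the input file handle if one is open at this point; a service decoding untrusted PNGs could then run out of descriptors or memory on repeated oversized files. I would call `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` and close the file before `failwith`, matching whatever the function's other error paths do. The same applies to the identical check added in the `@@ -259,6 +282,9 @@` hunk further down; both functions begin and end outside the lines shown, so the cleanup convention needs confirming there.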
@@ -43,7 +59,7 @@
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -251,6 +266,9 @@
+@@ -251,6 +271,9 @@
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
@@ -53,3 +69,13 @@
  /*
  fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
  */
+@@ -259,6 +282,9 @@
+     png_bytep *row_pointers;
+     char mesg[256];
+  
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+     res = alloc_tuple(3);
+ 



