[Bug 509531] CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)
bugzilla at redhat.com
Fri Jul 3 14:08:42 UTC 2009
https://bugzilla.redhat.com/show_bug.cgi?id=509531
--- Comment #8 from Richard W.M. Jones <rjones at redhat.com> 2009-07-03 10:08:41 EDT ---
(In reply to comment #5)
> (In reply to comment #4)
> > Created an attachment (id=350433)
> > --> (https://bugzilla.redhat.com/attachment.cgi?id=350433)
> > camlimages-oversized-png-check.patch
>
> One note from a very quick look... in general, test like:
>
> (x) * (y) < (x) || (x) * (y) < (y)
>
> is not sufficient to catch all possible integer overflows in multiplication.
> Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in 32bit
> world. This can still result in small buffer that may be overflown later.
>
> The test is usually written as:
>
> y != 0 && x > (TYPE)_MAX / y
>
> (first part is needed if y can be 0, not needed in cases where y is
> sizeof(sometype)).
Yup, someone just found a counterexample on #ocaml.
I'll change the patch and rebuild in a moment.
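To make the quoted reviewer's point concrete, here is an added C example (not code from the bug's patch or from camlimages) that puts the insufficient `x*y < x || x*y < y` test beside the recommended `x > TYPE_MAX / y` test on the 0x10001 counterexample; the function names and the 64-bit oracle are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The test from the original patch: compare the (already wrapped)
 * 32-bit product against each factor. It only catches wraps that
 * land below one of the factors, so it is kept here as the "before"
 * form for comparison, not as something to use. Returns true when the
 * check thinks the product is safe. */
bool mul_check_insufficient(uint32_t x, uint32_t y)
{
    uint32_t p = x * y;          /* wraps modulo 2^32 */
    return !(p < x || p < y);
}

/* The test the reviewer recommends: divide the type maximum by y
 * before multiplying, so nothing overflows inside the check itself.
 * The y == 0 guard avoids the division; 0 * x never overflows. */
bool mul_check_correct(uint32_t x, uint32_t y)
{
    return y == 0 || x <= UINT32_MAX / y;
}

/* Exact answer via 64-bit arithmetic, used only as an oracle here. */
bool fits_u32(uint32_t x, uint32_t y)
{
    return (uint64_t)x * (uint64_t)y <= UINT32_MAX;
}

/* Count inputs (constructed sample set) where a check disagrees with
 * the oracle; a correct check must return 0. */
int count_disagreements(bool (*check)(uint32_t, uint32_t))
{
    const uint32_t s[] = { 0, 1, 2, 1024, 0xFFFF, 0x10000, 0x10001,
                           0x7FFFFFFF, 0x80000000, UINT32_MAX };
    size_t n = sizeof s / sizeof s[0];
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (check(s[i], s[j]) != fits_u32(s[i], s[j]))
                bad++;
    return bad;
}

int main(void)
{
    uint32_t x = 0x10001, y = 0x10001;   /* reviewer's counterexample */
    printf("0x10001 * 0x10001 wraps to 0x%x\n", x * y);
    printf("insufficient check says safe: %d\n", mul_check_insufficient(x, y));
    printf("correct check says safe:      %d\n", mul_check_correct(x, y));
    printf("disagreements with oracle: insufficient=%d correct=%d\n",
           count_disagreements(mul_check_insufficient),
           count_disagreements(mul_check_correct));
    return 0;
}
```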
More information about the Fedora-ocaml-list mailing list