
rpms/ocaml-camlimages/EL-4 camlimages-oversized-tiff-check-CVE-2009-3296.patch, NONE, 1.1 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.2, 1.3 ocaml-camlimages.spec, 1.3, 1.4



Author: rjones

Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3755

Modified Files:
	camlimages-oversized-png-check-CVE-2009-2295.patch 
	ocaml-camlimages.spec 
Added Files:
	camlimages-oversized-tiff-check-CVE-2009-3296.patch 
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones redhat com> - 2.2.0-9
- ocaml-camlimages: TIFF reader multiple integer overflows
  (CVE 2009-3296 / RHBZ#528732).


camlimages-oversized-tiff-check-CVE-2009-3296.patch:
 tiffread.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-2.2.orig/tiff/tiffread.c	2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c	2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
 #include <caml/memory.h>
 #include <caml/fail.h>
 
+#include <limits.h>
+#define oversized(x, y) \
+  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+  failwith("#lib error: image contains oversized or bogus width and height");
+
 #if HAVE_TIFF
 
 /* These are defined in caml/config.h */
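Review bot: The `failwith_oversized` macro places `#lib` inside a string literal, where the preprocessor neither stringifies nor substitutes it, so every caller raises the literal text `#lib error: ...` instead of naming the library. Because the call sites pass a string literal, adjacent-literal concatenation gives the intended message: `failwith(lib " error: image contains oversized or bogus width and height")`. The trailing `;` in the definition should also be dropped, since callers already write `failwith_oversized("tiff");`. A one-line comment on `oversized`, as the PNG patch has, would help: `/* True if x or y is negative, or if x * y would exceed INT_MAX. */`.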
@@ -68,6 +75,10 @@
     TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
     TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
 
+    if (oversized (imagewidth, imagelength)) {
+      failwith_oversized("tiff");
+    }
+
     if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
       if( imagebits != 8 ){
 	failwith("Sorry, tiff rgb file must be 24bit-color");
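Review bot: The guard added after the `TIFFGetField` calls bounds only `imagewidth * imagelength` against `INT_MAX`. The allocation itself is outside this hunk, so the following is inferred: if the buffer is sized as width times bytes per pixel times height, a pair that passes this check can still wrap once the per-pixel factor is applied. It is safer to test the same product the allocation uses, for example `oversized (imagewidth, 3) || oversized (imagewidth * 3, imagelength)` on the 24-bit RGB path. If `imagewidth` and `imagelength` are unsigned libtiff types, the `(x) < 0` arms are no-ops and only the division test does any work. The same applies to the identical guard in the hunk at `@@ -156,6 +167,11 @@`.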
@@ -156,6 +167,11 @@
     TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
     TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
     TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+    if (oversized (imagewidth, imagelength)) {
+      failwith_oversized("tiff");
+    }
+
     if( imagesample != 3 || imagebits != 8 ) {
       failwith("tiff file is not in the 24 bit RGB format");
     }
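Review bot: `failwith_oversized("tiff")` raises an OCaml exception while `tif` is still open, and nothing in the hunk closes it first. The enclosing function starts and ends outside the hunk, so the handle may be released elsewhere. If it is not, each rejected file leaks a TIFF handle and its descriptor, which matters for a check meant to reject hostile input. Consider `TIFFClose(tif);` before the raise, here and in the identical guard in the hunk at `@@ -68,6 +75,10 @@`. The neighbouring `failwith` calls follow the same pattern, so this may be a pre-existing limitation rather than something new in this patch.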

camlimages-oversized-png-check-CVE-2009-2295.patch:
 pngread.c |   28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- camlimages-oversized-png-check-CVE-2009-2295.patch	3 Jul 2009 18:28:47 -0000	1.2
+++ camlimages-oversized-png-check-CVE-2009-2295.patch	16 Oct 2009 09:51:57 -0000	1.3
@@ -1,28 +1,28 @@
---- camlimages-3.0.1.orig/src/pngread.c	2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1.oversized/src/pngread.c	2009-07-03 15:51:00.000000000 +0100
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
+--- camlimages-2.2.orig/png/pngread.c	2002-03-26 13:15:10.000000000 +0000
++++ camlimages-2.2.png/png/pngread.c	2009-10-16 10:46:07.759508515 +0100
+@@ -13,6 +13,8 @@
+ /***********************************************************************/
+ #include <config.h>
  
 +#include <limits.h>
 +
+ #if HAVE_PNG
  #include <png.h>
- 
- #include <caml/mlvalues.h>
-@@ -26,6 +28,12 @@
+ #endif
+@@ -33,6 +35,12 @@
  #define PNG_TAG_INDEX16 2
  #define PNG_TAG_INDEX4 3
  
 +/* Test if x or y are negative, or if multiplying x * y would cause an
 + * arithmetic overflow.
 + */
-+#define oversized(x, y)						\
++#define oversized(x, y)                                                \
 +  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
 +
  value read_png_file_as_rgb24( name )
       value name;
  {
-@@ -81,6 +89,9 @@
+@@ -88,6 +96,9 @@
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
@@ -32,7 +32,7 @@
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -102,10 +113,16 @@
+@@ -109,10 +120,16 @@
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
@@ -49,7 +49,7 @@
      row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
  
      res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
+@@ -242,6 +259,9 @@
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
@@ -59,7 +59,7 @@
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -251,6 +271,9 @@
+@@ -258,6 +278,9 @@
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
@@ -69,10 +69,12 @@
  /*
  fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
  */
-@@ -259,6 +282,9 @@
+@@ -265,7 +288,10 @@
+     int i;
      png_bytep *row_pointers;
      char mesg[256];
-  
+- 
++
 +    if (oversized (sizeof (png_bytep), height))
 +      failwith ("png error: image contains oversized or bogus height");
 +


Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/ocaml-camlimages.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- ocaml-camlimages.spec	3 Jul 2009 13:59:36 -0000	1.3
+++ ocaml-camlimages.spec	16 Oct 2009 09:51:57 -0000	1.4
@@ -13,6 +13,9 @@ Patch0:         camlimages-2.2.0-stubdes
 # https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
 Patch1:         camlimages-oversized-png-check-CVE-2009-2295.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2:         camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 # Excluding on ppc64 due to missing dependencies (Bug #239518)
@@ -48,10 +51,8 @@ Includes documentation provided by ocaml
 %prep
 %setup -q -n camlimages-2.2 -a 1
 %patch0 -p1
-
-pushd png
-%patch1 -p2
-popd
+%patch1 -p1
+%patch2 -p1
 
 sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
 
@@ -82,6 +83,10 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones redhat com> - 2.2.0-9
+- ocaml-camlimages: TIFF reader multiple integer overflows
+  (CVE 2009-3296 / RHBZ#528732).
+
 * Fri Jul  3 2009 Richard W.M. Jones <rjones redhat com> - 2.2.0-8
 - ocaml-camlimages: PNG reader multiple integer overflows
   (CVE 2009-2295 / RHBZ#509531).

