Hello, I fixed this bug yesterday in the git repository. Please contact me before working on it next time (I am not yet on VAC). I appreciate your work, but I am sorry it is a duplicate (and not using the same approach, since I split the patch).
Thanks anyway. Regards Sylvain Le Gall On Sat, Aug 08, 2009 at 05:59:04PM +1000, Steffen Joeris wrote: > Hi > > I'd suggest going with gentoo's approach of using a separate oversized.h file. > Any objections? I've tried building this, but the debdiff between the -dev > binary packages was quite huge, so I am not uploading anything. > > Cheers > Steffen > > [0]: https://bugs.gentoo.org/attachment.cgi?id=199108&action=view > diff -u camlimages-3.0.1/debian/changelog camlimages-3.0.1/debian/changelog > --- camlimages-3.0.1/debian/changelog > +++ camlimages-3.0.1/debian/changelog > @@ -1,3 +1,12 @@ > +camlimages (1:3.0.1-2.1) unstable; urgency=high > + > + * Non-maintainer upload by the security team > + * Expand security patch for integer overflows to also cover other > + image types (Closes: #540146) > + Fixes: CVE-2009-2660 > + > + -- Steffen Joeris <wh...@debian.org> Sat, 08 Aug 2009 07:05:38 +0000 > + > camlimages (1:3.0.1-2) unstable; urgency=low > > [ Mehdi Dogguy ] > diff -u camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch > camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch > --- camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch > +++ camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch 
> @@ -8,82 +8,155 @@ > -diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c > ---- camlimages~/src/pngread.c 2009-06-23 11:22:20.000000000 +0200 > -+++ camlimages/src/pngread.c 2009-07-03 17:51:31.000000000 +0200 > -@@ -15,6 +15,8 @@ > - #include "config.h" > - #endif > - > -+#include <limits.h> > +Index: src/gifread.c > +=================================================================== > +--- src/gifread.c.orig > ++++ camlimages-3.0.1/src/gifread.c > +@@ -20,6 +20,8 @@ > + #include <caml/memory.h> > + #include <caml/fail.h> > + > ++#include "oversized.h" > ++ > + #include <stdio.h> > + #include <string.h> > + > +@@ -191,6 +193,9 @@ value dGifGetLine( value hdl ) > + > + GifFileType *GifFile = (GifFileType*) hdl; > + > ++ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){ > ++ failwith_oversized("gif"); > ++ } > + buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); > + > + if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) > +Index: src/jpegread.c > +=================================================================== > +--- src/jpegread.c.orig > ++++ camlimages-3.0.1/src/jpegread.c > +@@ -20,6 +20,8 @@ > + #include <caml/memory.h> > + #include <caml/fail.h> > + > ++#include "oversized.h" > ++ > + #include <stdio.h> > + #include <string.h> > + > +@@ -156,6 +158,12 @@ read_JPEG_file (value name) > + */ > + /* JSAMPLEs per row in output buffer */ > + > ++ if( oversized(cinfo.output_width, cinfo.output_components) ){ > ++ jpeg_destroy_decompress(&cinfo); > ++ fclose(infile); > ++ failwith_oversized("jpeg"); > ++ } > ++ > + row_stride = cinfo.output_width * cinfo.output_components; > + > + /* Make a one-row-high sample array that will go away when done with > image */ > +@@ -177,6 +185,12 @@ read_JPEG_file (value name) > + jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); > + } > + > ++ if( oversized(row_stride, cinfo.output_height) ){ > ++ jpeg_destroy_decompress(&cinfo); > ++ fclose(infile); > ++ 
failwith_oversized("jpeg"); > ++ } > + > - #include <png.h> > - > - #include <caml/mlvalues.h> > -@@ -26,6 +28,12 @@ > - #define PNG_TAG_INDEX16 2 > - #define PNG_TAG_INDEX4 3 > - > + { > + CAMLlocalN(r,3); > + r[0] = Val_int(cinfo.output_width); > +@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe > + > + { > + CAMLlocalN(r,3); > ++ // CR jfuruse: integer overflow > + r[0] = Val_int(cinfop->output_width); > + r[1] = Val_int(cinfop->output_height); > + r[2] = alloc_tuple(3); > +Index: src/oversized.h > +=================================================================== > +--- /dev/null > ++++ camlimages-3.0.1/src/oversized.h > +@@ -0,0 +1,9 @@ > ++#include <limits.h> > +/* Test if x or y are negative, or if multiplying x * y would cause an > + * arithmetic overflow. > + */ > +#define oversized(x, y) \ > + ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) > + > - value read_png_file_as_rgb24( name ) > - value name; > - { > -@@ -81,6 +89,9 @@ > ++#define failwith_oversized(lib) \ > ++ failwith("#lib error: image contains oversized or bogus width and > height"); > +Index: src/pngread.c > +=================================================================== > +--- src/pngread.c.orig > ++++ camlimages-3.0.1/src/pngread.c > +@@ -17,6 +17,8 @@ > + > + #include <png.h> > + > ++#include "oversized.h" > ++ > + #include <caml/mlvalues.h> > + #include <caml/alloc.h> > + #include <caml/memory.h> > +@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name ) > png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, > &interlace_type, NULL, NULL); > > + if (oversized (width, height)) > -+ failwith ("png error: image contains oversized or bogus width and > height"); > ++ failwith_oversized("png"); > + > if ( color_type == PNG_COLOR_TYPE_GRAY || > color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { > png_set_gray_to_rgb(png_ptr); > -@@ -102,10 +113,16 @@ > +@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name ) > > rowbytes = png_get_rowbytes(png_ptr, 
info_ptr); > > + if (oversized (rowbytes, height)) > -+ failwith ("png error: image contains oversized or bogus rowbytes and > height"); > ++ failwith_oversized("png"); > + > { > int i; > png_bytep *row_pointers; > > + if (oversized (sizeof (png_bytep), height)) > -+ failwith ("png error: image contains oversized or bogus height"); > ++ failwith_oversized("png"); > + > row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); > > res = alloc_tuple(3); > -@@ -235,6 +252,9 @@ > +@@ -235,6 +246,9 @@ value read_png_file( name ) > png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, > &interlace_type, NULL, NULL); > > + if (oversized (width, height)) > -+ failwith ("png error: image contains oversized or bogus width and > height"); > ++ failwith_oversized("png"); > + > if ( color_type == PNG_COLOR_TYPE_GRAY || > color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { > png_set_gray_to_rgb(png_ptr); > -@@ -251,6 +271,9 @@ > +@@ -251,6 +265,9 @@ value read_png_file( name ) > > rowbytes = png_get_rowbytes(png_ptr, info_ptr); > > + if (oversized (rowbytes, height)) > -+ failwith ("png error: image contains oversized or bogus rowbytes and > height"); > ++ failwith_oversized("png"); > + > /* > fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); > */ > -@@ -259,6 +282,9 @@ > +@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi > png_bytep *row_pointers; > char mesg[256]; > > + if (oversized (sizeof (png_bytep), height)) > -+ failwith ("png error: image contains oversized or bogus height"); > ++ failwith_oversized("png"); > + > row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height); > res = alloc_tuple(3); > > +
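Review bot: `failwith_oversized` in the new src/oversized.h hunk never inserts the library name, because `#lib` sits inside a string literal where the preprocessor does not stringify it, so every call site raises the literal text "#lib error: image contains oversized or bogus width and height". Since all callers pass a string literal (`"gif"`, `"jpeg"`, `"png"`), adjacent-literal concatenation does what was intended: `#define failwith_oversized(lib) \` followed by `    failwith(lib " error: image contains oversized or bogus width and height")`, and dropping the trailing semicolon keeps the macro usable before an `else`. The header also has no include guard, so wrapping both definitions in `#ifndef CAMLIMAGES_OVERSIZED_H` / `#define CAMLIMAGES_OVERSIZED_H` / `#endif` would be prudent given that three translation units now include it. In the jpegread.c hunk the second check, `oversized(row_stride, cinfo.output_height)`, runs only after the `jpeg_read_scanlines` loop has already written through `buffer + cinfo.output_scanline`; if `buffer` is sized from that same product earlier in read_JPEG_file (the allocation and the function start lie outside the hunk), the check needs to move ahead of the loop to protect that write.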