[Bug 509531] CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)


https://bugzilla.redhat.com/show_bug.cgi?id=509531

--- Comment #5 from Tomas Hoger <thoger@xxxxxxxxxx>  2009-07-03 09:59:49 EDT ---
(In reply to comment #4)
> Created an attachment (id=350433)
>  --> (https://bugzilla.redhat.com/attachment.cgi?id=350433) [details]
> camlimages-oversized-png-check.patch

One note from a very quick look... in general, a test like:

  (x) * (y) < (x) || (x) * (y) < (y)

is not sufficient to catch all possible integer overflows in multiplication.
Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in a 32-bit
world.  This can still result in a small buffer that may be overflown later.

The test is usually written as:

  y != 0  &&  x > (TYPE)_MAX / y

(the first part is needed if y can be 0, not needed in cases where y is
sizeof(sometype)).


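As an added illustration (not part of the bug comment or of the camlimages patch), the C program below reproduces the wrap-around described above on a 32-bit unsigned type and contrasts the insufficient check with the division-based one. The image_buffer_size helper is a hypothetical example of applying that test to a chained width * height * bytes-per-pixel computation, which goes one step beyond the single product in the comment.

```c
#include <stdint.h>
#include <stdio.h>

/* The pattern from the patch under discussion, on a 32-bit unsigned type:
 * the product wraps modulo 2^32 before the comparison ever happens.
 * Returns 1 when the check believes an overflow occurred. */
int naive_check_flags_overflow(uint32_t x, uint32_t y)
{
    uint32_t p = x * y;              /* wraps silently */
    return p < x || p < y;
}

/* The form suggested in the comment: nothing is multiplied until we know
 * the product fits. y == 0 is handled first because division by zero is
 * undefined and a zero factor cannot overflow anyway. */
int safe_check_flags_overflow(uint32_t x, uint32_t y)
{
    return y != 0 && x > UINT32_MAX / y;
}

/* Hypothetical helper (constructed for this example): size of a pixel
 * buffer as width * height * bpp, checking each multiplication step.
 * Returns the size, or 0 if any step would wrap (a zero-sized image is
 * refused as well, which is what a decoder wants). */
uint32_t image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (safe_check_flags_overflow(width, height))
        return 0;
    uint32_t pixels = width * height;
    if (safe_check_flags_overflow(pixels, bpp))
        return 0;
    return pixels * bpp;
}

int main(void)
{
    uint32_t x = 0x10001u, y = 0x10001u;   /* the comment's counterexample */
    printf("naive check flags 0x10001 * 0x10001: %d\n",
           naive_check_flags_overflow(x, y));          /* 0: overflow missed */
    printf("safe  check flags 0x10001 * 0x10001: %d\n",
           safe_check_flags_overflow(x, y));           /* 1: overflow caught */
    printf("image_buffer_size(0x10001, 0x10001, 4) = %u\n",
           image_buffer_size(x, y, 4));                /* 0: refused */
    printf("image_buffer_size(1024, 768, 4) = %u\n",
           image_buffer_size(1024, 768, 4));           /* 3145728 */
    return 0;
}
```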
_______________________________________________
Fedora-ocaml-list mailing list
Fedora-ocaml-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
