Author: rjones Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20504/EL-4 Modified Files: camlimages-oversized-png-check-CVE-2009-2295.patch Log Message: Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11 camlimages-oversized-png-check-CVE-2009-2295.patch: Index: camlimages-oversized-png-check-CVE-2009-2295.patch =================================================================== RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/camlimages-oversized-png-check-CVE-2009-2295.patch,v retrieving revision 1.1 retrieving revision 1.2 diff -u -p -r1.1 -r1.2 --- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 13:59:36 -0000 1.1 +++ camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2 @@ -1,6 +1,15 @@ ---- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000 -+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100 -@@ -26,6 +26,12 @@ +--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000 ++++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100 +@@ -15,6 +15,8 @@ + #include "config.h" + #endif + ++#include <limits.h> ++ + #include <png.h> + + #include <caml/mlvalues.h> +@@ -26,6 +28,12 @@ #define PNG_TAG_INDEX16 2 #define PNG_TAG_INDEX4 3 @@ -8,12 +17,12 @@ + * arithmetic overflow. + */ +#define oversized(x, y) \ -+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y)) ++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) + value read_png_file_as_rgb24( name ) value name; { -@@ -81,6 +87,9 @@ +@@ -81,6 +89,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); @@ -23,7 +32,7 @@ if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -102,6 +111,9 @@ +@@ -102,10 +113,16 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); 
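Review bot: The rewritten `oversized` macro in the `@@ -8,12 +17,12 @@` hunk caps the product at `INT_MAX` whatever the operand types are, and its comment (only the tail `* arithmetic overflow.` is visible here) should say so. Later hunks call it with `sizeof (png_bytep)`, an unsigned `size_t`, for which the `(x) < 0` test is always false and the `INT_MAX / (y)` comparison runs only after the usual arithmetic conversions. I would add `/* Limit is INT_MAX for every operand type; arguments are evaluated more than once, so pass only side-effect-free expressions. */` above the definition. If the callers' types allow it, a `static` helper function taking `size_t` operands would make those conversions explicit instead of implicit.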
@@ -33,7 +42,14 @@ { int i; png_bytep *row_pointers; -@@ -235,6 +247,9 @@ + ++ if (oversized (sizeof (png_bytep), height)) ++ failwith ("png error: image contains oversized or bogus height"); ++ + row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); + + res = alloc_tuple(3); +@@ -235,6 +252,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); @@ -43,7 +59,7 @@ if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -251,6 +266,9 @@ +@@ -251,6 +271,9 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); @@ -53,3 +69,13 @@ /* fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); */ +@@ -259,6 +282,9 @@ + png_bytep *row_pointers; + char mesg[256]; + ++ if (oversized (sizeof (png_bytep), height)) ++ failwith ("png error: image contains oversized or bogus height"); ++ + row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height); + res = alloc_tuple(3); + _______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
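Review bot: The height check added before `row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);` calls `failwith` directly, which raises an OCaml exception and does not return, so nothing acquired earlier in the function is released on that path. The start of the function is outside the hunk, but the neighbouring hunks show `png_ptr` and `info_ptr` already in use by `png_get_IHDR`, so a rejected image would presumably leak the libpng read struct and the open input file. I would release them first, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);` followed by closing the file, and only then call `failwith`. The identical check added in the last hunk (`@@ -259,6 +282,9 @@`) needs the same treatment, and the width/height and rowbytes checks at the renumbered hunk headers are worth checking for the same pattern.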