Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22975
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
ocaml-camlimages.spec
Added Files:
camlimages-oversized-tiff-check-CVE-2009-3296.patch
Log Message:
* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-11
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
camlimages-oversized-tiff-check-CVE-2009-3296.patch:
tiffread.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-2.2.orig/tiff/tiffread.c 2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c 2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
#if HAVE_TIFF
/* These are defined in caml/config.h */
@@ -68,6 +75,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");
@@ -156,6 +167,11 @@
TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample != 3 || imagebits != 8 ) {
failwith("tiff file is not in the 24 bit RGB format");
}
camlimages-oversized-png-check-CVE-2009-2295.patch:
pngread.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 16 Oct 2009 09:49:59 -0000 1.3
@@ -1,28 +1,28 @@
---- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
+--- camlimages-2.2.orig/png/pngread.c 2002-03-26 13:15:10.000000000 +0000
++++ camlimages-2.2.png/png/pngread.c 2009-10-16 10:46:07.759508515 +0100
+@@ -13,6 +13,8 @@
+ /***********************************************************************/
+ #include <config.h>
+#include <limits.h>
+
+ #if HAVE_PNG
#include <png.h>
-
- #include <caml/mlvalues.h>
-@@ -26,6 +28,12 @@
+ #endif
+@@ -33,6 +35,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
-+#define oversized(x, y) \
++#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +89,9 @@
+@@ -88,6 +96,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -32,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,10 +113,16 @@
+@@ -109,10 +120,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -49,7 +49,7 @@
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
+@@ -242,6 +259,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -59,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +271,9 @@
+@@ -258,6 +278,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -69,10 +69,12 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
-@@ -259,6 +282,9 @@
+@@ -265,7 +288,10 @@
+ int i;
png_bytep *row_pointers;
char mesg[256];
-
+-
++
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/ocaml-camlimages.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- ocaml-camlimages.spec 3 Jul 2009 14:06:49 -0000 1.4
+++ ocaml-camlimages.spec 16 Oct 2009 09:49:59 -0000 1.5
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -13,6 +13,9 @@ Patch0: camlimages-2.2.0-stubdes
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: ocaml-lablgtk libpng-devel libjpeg-devel ocaml
@@ -45,10 +48,8 @@ Includes documentation provided by ocaml
%prep
%setup -q -n camlimages-2.2 -a 1
%patch0 -p1
-
-pushd png
-%patch1 -p2
-popd
+%patch1 -p1
+%patch2 -p1
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
@@ -79,6 +80,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-11
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
* Fri Jul 3 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-10
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
_______________________________________________
Fedora-ocaml-list mailing list
Fedora-ocaml-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
