Author: rjones Update of /cvs/pkgs/rpms/ocaml-camlimages/F-11 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12043 Modified Files: ocaml-camlimages.spec Added Files: camlimages-oversized-tiff-check-CVE-2009-3296.patch Log Message: * Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-7.fc11.3 - ocaml-camlimages: TIFF reader multiple integer overflows (CVE 2009-3296 / RHBZ#528732). camlimages-oversized-tiff-check-CVE-2009-3296.patch: tiffread.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
 #include <caml/memory.h>
 #include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
 /* These are defined in caml/config.h */
 #define int16 int16tiff
 #define uint16 uint16tiff
@@ -64,6 +71,10 @@
 TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
 TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
 if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
 if( imagebits != 8 ){
 failwith("Sorry, tiff rgb file must be 24bit-color");
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-11/ocaml-camlimages.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- ocaml-camlimages.spec 3 Jul 2009 18:30:05 -0000 1.16
+++ ocaml-camlimages.spec 16 Oct 2009 09:36:24 -0000 1.17
@@ -4,7 +4,7 @@
 Name: ocaml-camlimages
 Version: 3.0.1
-Release: 7%{?dist}.2
+Release: 7%{?dist}.3
 Summary: OCaml image processing library
 Group: Development/Libraries
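Review bot: The message built in `failwith_oversized` will not name the library, because `#` does not stringize inside a string literal: the exception text is literally `#lib error: ...` and the `lib` argument is unused. Since the call site passes a string literal, literal concatenation gives the intended text: `failwith(lib " error: image contains oversized or bogus width and height")`. The definition should also lose its trailing `;`, which turns `failwith_oversized("tiff");` into a statement plus an empty statement and breaks an unbraced `if`/`else`. On `oversized`, a one-line comment such as `/* true if x*y would exceed INT_MAX or either is negative; arguments are evaluated more than once */` would document the contract; if the arguments are unsigned (their declarations are outside this hunk) the `< 0` tests never fire.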
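Review bot: The guard added after the `TIFFGetField` calls bounds only `imagewidth * imagelength` against `INT_MAX`, so a size that also multiplies by samples per pixel or bytes per sample (three for the RGB branch that follows) can still wrap. Those size computations are outside this hunk, as is the rest of the function, so this is inferred; if no later check exists, extend the condition to `if (oversized (imagewidth, imagelength) || oversized (imagewidth * imagelength, imagesample)) {`. The `TIFFGetField` calls in the context lines ignore their return value, and if the width and length fetches do the same a file without those tags reaches this check with whatever the variables held before. A zero width or length also passes the check, which is worth rejecting here or documenting as intentional.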
@@ -19,6 +19,9 @@ Patch0: camlimages-3.0.1-display
 # https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
 Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
 BuildRequires: ocaml >= 3.10.1
 BuildRequires: ocaml-lablgtk-devel
 BuildRequires: ocaml-x11
@@ -66,6 +69,7 @@ Includes documentation provided by ocaml
 # the examples/liv directory, so rename it:
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 aclocal -I .
 automake
 autoconf
@@ -111,6 +115,10 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-7.fc11.3
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
 * Fri Jul 3 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-7.fc11.2
 - ocaml-camlimages: PNG reader multiple integer overflows
 (CVE 2009-2295 / RHBZ#509531).
_______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list