Gentoo's Bugzilla – Attachment 199108 Details for
Bug 276235
<dev-ml/camlimages-3.0.1 integer overflows (CVE-2009-{2295,2660})
[patch]
camlimages-3.0.1-CVE-2009-2295.patch
camlimages-3.0.1-CVE-2009-2295.patch (text/plain), 4.25 KB, created by
Robert Buchholz (RETIRED)
on 2009-07-25 11:38:38 UTC
Description:
camlimages-3.0.1-CVE-2009-2295.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-07-25 11:38:38 UTC
Size:
4.25 KB
patch
obsolete
>Index: src/gifread.c
>===================================================================
>--- src/gifread.c.orig
>+++ src/gifread.c
>@@ -20,6 +20,8 @@
> #include <caml/memory.h>
> #include <caml/fail.h>
>
>+#include "oversized.h"
>+
> #include <stdio.h>
> #include <string.h>
>
>@@ -191,6 +193,9 @@ value dGifGetLine( value hdl )
>
> GifFileType *GifFile = (GifFileType*) hdl;
>
>+ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
>+ failwith_oversized("gif");
>+ }
> buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) );
>
> if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width )
>Index: src/jpegread.c
>===================================================================
>--- src/jpegread.c.orig
>+++ src/jpegread.c
>@@ -20,6 +20,8 @@
> #include <caml/memory.h>
> #include <caml/fail.h>
>
>+#include "oversized.h"
>+
> #include <stdio.h>
> #include <string.h>
>
>@@ -156,6 +158,12 @@ read_JPEG_file (value name)
> */
> /* JSAMPLEs per row in output buffer */
>
>+ if( oversized(cinfo.output_width, cinfo.output_components) ){
>+ jpeg_destroy_decompress(&cinfo);
>+ fclose(infile);
>+ failwith_oversized("jpeg");
>+ }
>+
> row_stride = cinfo.output_width * cinfo.output_components;
>
> /* Make a one-row-high sample array that will go away when done with image */
>@@ -177,6 +185,12 @@ read_JPEG_file (value name)
> jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1);
> }
>
>+ if( oversized(row_stride, cinfo.output_height) ){
>+ jpeg_destroy_decompress(&cinfo);
>+ fclose(infile);
>+ failwith_oversized("jpeg");
>+ }
>+
> {
> CAMLlocalN(r,3);
> r[0] = Val_int(cinfo.output_width);
>@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe
>
> {
> CAMLlocalN(r,3);
>+ // CR jfuruse: integer overflow
> r[0] = Val_int(cinfop->output_width);
> r[1] = Val_int(cinfop->output_height);
> r[2] = alloc_tuple(3);
>Index: src/oversized.h
>===================================================================
>--- /dev/null
>+++ src/oversized.h
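Review bot: The guard on `GifFile->Image.Width` in the dGifGetLine hunk is effectively a sign check only: `sizeof(GifPixelType)` is an unsigned constant (presumably 1), so the macro's `(y) < 0` branch is vacuous and `(x) > INT_MAX / (y)` cannot hold for an `int` width. That is adequate for this allocation, since a negative `Image.Width` converted to `size_t` is what would make the `alloc_string` size huge, but it is not obvious from the call and deserves a comment such as `/* Image.Width is a signed GifWord; reject negatives before the size_t multiply below */`. dGifGetLine continues outside the hunk.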
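Review bot: The `oversized(row_stride, cinfo.output_height)` check in the read_JPEG_file hunk at +185 sits after the scanline loop, so a file with bogus dimensions is fully decoded, and libjpeg's buffer of `output_height` rows allocated, before it is rejected; presumably it guards a `row_stride * output_height` allocation that follows outside the hunk. Moving the same five lines up beside the `output_width`/`output_components` guard in the hunk at +158, immediately after `row_stride = cinfo.output_width * cinfo.output_components;`, rejects the image before any decode work and keeps both guards together. The rest of read_JPEG_file lies outside the hunks.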
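Review bot: The added `// CR jfuruse: integer overflow` in open_jpeg_file_for_read_start only records the concern; the function still hands `cinfop->output_width` and `cinfop->output_height` back to OCaml unchecked, whereas read_JPEG_file now rejects such values. If a caller multiplies these dimensions for a buffer (not visible here), the same `if( oversized(cinfop->output_width, cinfop->output_components) )` test, followed by whatever cleanup this function's other error paths perform and `failwith_oversized("jpeg")`, closes the gap; if no check is needed, the comment should say why, e.g. `/* dimensions are validated by the OCaml caller before any buffer is sized */`. The function continues outside the hunk.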
>@@ -0,0 +1,9 @@
>+#include <limits.h>
>+/* Test if x or y are negative, or if multiplying x * y would cause an
>+ * arithmetic overflow.
>+ */
>+#define oversized(x, y) \
>+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
>+
>+#define failwith_oversized(lib) \
>+ failwith("#lib error: image contains oversized or bogus width and height");
>Index: src/pngread.c
>===================================================================
>--- src/pngread.c.orig
>+++ src/pngread.c
>@@ -17,6 +17,8 @@
>
> #include <png.h>
>
>+#include "oversized.h"
>+
> #include <caml/mlvalues.h>
> #include <caml/alloc.h>
> #include <caml/memory.h>
>@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name )
> png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
> &interlace_type, NULL, NULL);
>
>+ if (oversized (width, height))
>+ failwith_oversized("png");
>+
> if ( color_type == PNG_COLOR_TYPE_GRAY ||
> color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
> png_set_gray_to_rgb(png_ptr);
>@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name )
>
> rowbytes = png_get_rowbytes(png_ptr, info_ptr);
>
>+ if (oversized (rowbytes, height))
>+ failwith_oversized("png");
>+
> {
> int i;
> png_bytep *row_pointers;
>
>+ if (oversized (sizeof (png_bytep), height))
>+ failwith_oversized("png");
>+
> row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
>
> res = alloc_tuple(3);
>@@ -235,6 +246,9 @@ value read_png_file( name )
> png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
> &interlace_type, NULL, NULL);
>
>+ if (oversized (width, height))
>+ failwith_oversized("png");
>+
> if ( color_type == PNG_COLOR_TYPE_GRAY ||
> color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
> png_set_gray_to_rgb(png_ptr);
>@@ -251,6 +265,9 @@ value read_png_file( name )
>
> rowbytes = png_get_rowbytes(png_ptr, info_ptr);
>
>+ if (oversized (rowbytes, height))
>+ failwith_oversized("png");
>+
> /*
> fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
> */
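Review bot: `failwith_oversized` in the new oversized.h never emits the library name: `#lib` sits inside a string literal, where the preprocessor does not stringize, so every caller raises the literal text `#lib error: image contains oversized or bogus width and height`. Since all callers pass a string literal, adjacent-literal concatenation gives the intended message: `failwith(lib " error: image contains oversized or bogus width and height")`. The trailing semicolon inside the macro should go too; with it, the brace-less `if (...) failwith_oversized("png");` forms in pngread.c expand to a double semicolon, and an `else` after such a call would not compile. The header also lacks an include guard, and `oversized` is always partly vacuous (and warns under `-Wtype-limits`) when given unsigned arguments such as `sizeof` or `png_uint_32`, which the macro's comment could acknowledge.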
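Review bot: Each new `failwith_oversized("png")` in the read_png_file_as_rgb24 hunk at +83 raises straight out of the function without releasing what it holds: if, as its other error paths presumably do, the function owns `png_ptr`/`info_ptr` and an open `FILE`, they leak, whereas the jpegread.c hunks call `jpeg_destroy_decompress` and `fclose` before raising. The same applies to the pngread.c hunks at +107, +246, +265 and +276. Each site should do what the existing libpng error path does before `failwith`, along the lines of `png_destroy_read_struct(&png_ptr, &info_ptr, NULL); fclose(<file handle>);`, ideally through one small `static` helper shared by both functions. read_png_file_as_rgb24 continues outside the hunk.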
>@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi
> png_bytep *row_pointers;
> char mesg[256];
>
>+ if (oversized (sizeof (png_bytep), height))
>+ failwith_oversized("png");
>+
> row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
> res = alloc_tuple(3);
>