[Pkg-ocaml-maint-commits] [SCM] camlimages packaging branch, master, updated. debian/3.0.1-2-1-gd1d2bc1

Sylvain Le Gall gildor at debian.org
Fri Aug 7 22:01:21 UTC 2009


The following commit has been merged in the master branch:
commit d1d2bc1fd0d29bae066bd0d0bfa6651a08c2321e
Author: Sylvain Le Gall <gildor at debian.org>
Date:   Sat Aug 8 00:01:01 2009 +0200

    Add a patch fix_more_integer_overflows to fix security issues  (CVE-2009-2660), (Closes: 540146)

diff --git a/debian/changelog b/debian/changelog
index 3ca3368..59856cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+camlimages (1:3.0.1-3) unstable; urgency=low
+
+  * Add a patch fix_more_integer_overflows to fix security issues 
+   (CVE-2009-2660), (Closes: 540146)
+
+ -- Sylvain Le Gall <gildor at debian.org>  Fri, 07 Aug 2009 23:56:55 +0200
+
 camlimages (1:3.0.1-2) unstable; urgency=low
 
   [ Mehdi Dogguy ]
diff --git a/debian/patches/fix_more_integer_overflows.dpatch b/debian/patches/fix_more_integer_overflows.dpatch
new file mode 100755
index 0000000..9277d7c
--- /dev/null
+++ b/debian/patches/fix_more_integer_overflows.dpatch
@@ -0,0 +1,167 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_more_integer_overflows.dpatch by Sylvain Le Gall <gildor at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix multiple integer overflows round 2.
+## DP: http://security-tracker.debian.net/tracker/CVE-2009-2660
+
+ at DPATCH@
+diff -urNad camlimages~/src/gifread.c camlimages/src/gifread.c
+--- camlimages~/src/gifread.c	2009-07-31 22:57:24.000000000 +0200
++++ camlimages/src/gifread.c	2009-08-07 23:45:01.000000000 +0200
+@@ -20,6 +20,8 @@
+ #include <caml/memory.h>
+ #include <caml/fail.h>
+ 
++#include "oversized.h"
++
+ #include <stdio.h>
+ #include <string.h>
+ 
+@@ -191,6 +193,9 @@
+ 
+   GifFileType *GifFile = (GifFileType*) hdl;
+ 
++  if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
++    failwith_oversized("gif");
++  }
+   buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); 
+ 
+   if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) 
+diff -urNad camlimages~/src/jpegread.c camlimages/src/jpegread.c
+--- camlimages~/src/jpegread.c	2009-07-31 22:57:24.000000000 +0200
++++ camlimages/src/jpegread.c	2009-08-07 23:45:01.000000000 +0200
+@@ -20,6 +20,8 @@
+ #include <caml/memory.h>
+ #include <caml/fail.h>
+ 
++#include "oversized.h"
++
+ #include <stdio.h>
+ #include <string.h>
+ 
+@@ -156,6 +158,12 @@
+    */ 
+   /* JSAMPLEs per row in output buffer */
+ 
++  if( oversized(cinfo.output_width, cinfo.output_components) ){
++    jpeg_destroy_decompress(&cinfo);
++    fclose(infile);
++    failwith_oversized("jpeg");
++  }
++
+   row_stride = cinfo.output_width * cinfo.output_components;
+ 
+   /* Make a one-row-high sample array that will go away when done with image */
+@@ -177,6 +185,12 @@
+     jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); 
+   }
+ 
++  if( oversized(row_stride, cinfo.output_height) ){
++    jpeg_destroy_decompress(&cinfo);
++    fclose(infile);
++    failwith_oversized("jpeg");
++  }
++
+   {
+     CAMLlocalN(r,3);
+     r[0] = Val_int(cinfo.output_width);
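Review bot: The second test, `oversized(row_stride, cinfo.output_height)`, sits after the `jpeg_read_scanlines` loop, so the whole image has already been decoded into `buffer` by the time it can fail. If `buffer` was sized from the same two values (its allocation is outside the hunk), the check comes too late for that step and only guards what follows in the `CAMLlocalN` block. Moving it up beside the first check, directly after `row_stride = cinfo.output_width * cinfo.output_components;`, would reject the image before any row is read. The enclosing function starts and ends outside the hunk.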
+@@ -352,6 +366,7 @@
+ 
+   { 
+     CAMLlocalN(r,3);
++    // CR jfuruse: integer overflow
+     r[0] = Val_int(cinfop->output_width);
+     r[1] = Val_int(cinfop->output_height);
+     r[2] = alloc_tuple(3);
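Review bot: The added `// CR jfuruse: integer overflow` comment flags a problem without naming the expression or adding a guard, so this function stays unchecked while the other jpeg reader gains `oversized()` tests. Nothing in the visible lines multiplies the dimensions, so the overflow presumably sits further down in the block, outside the hunk. Either state the expression in the comment, e.g. `/* CR jfuruse: <expression> can overflow; not yet guarded by oversized() */`, or add the same `oversized()` check with cleanup before the size is used.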
+diff -urNad camlimages~/src/oversized.h camlimages/src/oversized.h
+--- camlimages~/src/oversized.h	1970-01-01 01:00:00.000000000 +0100
++++ camlimages/src/oversized.h	2009-08-07 23:45:01.000000000 +0200
+@@ -0,0 +1,9 @@
++#include <limits.h>
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y)						\
++  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
++
++#define failwith_oversized(lib) \
++  failwith("#lib error: image contains oversized or bogus width and height");
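Review bot: `#lib` inside the string literal of `failwith_oversized` is never expanded, because the preprocessor's `#` operator does not act within quotes; every caller raises the literal text `#lib error: ...` and the format name is lost. The callers all pass a string literal, so adjacent-literal concatenation is enough: `#define failwith_oversized(lib) failwith(lib " error: image contains oversized or bogus width and height")`. The definition also ends in `;`, which would break an unbraced `if (...) failwith_oversized("png"); else ...`, so the semicolon is better left to the call site. The header has no include guard, and the png call sites lose their distinct "rowbytes and height" / "height" wording, which made it clear which check fired.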
+diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
+--- camlimages~/src/pngread.c	2009-08-07 23:44:02.000000000 +0200
++++ camlimages/src/pngread.c	2009-08-07 23:51:15.000000000 +0200
+@@ -19,6 +19,8 @@
+ 
+ #include <png.h>
+ 
++#include "oversized.h"
++
+ #include <caml/mlvalues.h>
+ #include <caml/alloc.h>
+ #include <caml/memory.h>
+@@ -28,12 +30,6 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+ 
+-/* Test if x or y are negative, or if multiplying x * y would cause an
+- * arithmetic overflow.
+- */
+-#define oversized(x, y)						\
+-  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+-
+ value read_png_file_as_rgb24( name )
+      value name;
+ {
+@@ -90,7 +86,7 @@
+ 	       &interlace_type, NULL, NULL);
+ 
+   if (oversized (width, height))
+-    failwith ("png error: image contains oversized or bogus width and height");
++    failwith_oversized("png");
+ 
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+@@ -114,14 +110,14 @@
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
+   if (oversized (rowbytes, height))
+-    failwith ("png error: image contains oversized or bogus rowbytes and height");
++    failwith_oversized("png");
+ 
+   {
+     int i;
+     png_bytep *row_pointers;
+ 
+     if (oversized (sizeof (png_bytep), height))
+-      failwith ("png error: image contains oversized or bogus height");
++      failwith_oversized("png");
+ 
+     row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+ 
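Review bot: `failwith` raises an OCaml exception and does not return, yet the checks here fail without releasing anything, although `png_ptr` and `info_ptr` are already live at the `png_get_rowbytes` call. The jpeg hunks in this patch call `jpeg_destroy_decompress(&cinfo); fclose(infile);` before failing; the png paths should do the equivalent, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);`, and close the input file, whose variable is not visible in the hunk. The same applies to the `failwith_oversized("png")` calls in the hunks at -90, -253, -272 and -283. Without it, each rejected file leaks a libpng read struct, and presumably a file handle, in a long-running process.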
+@@ -253,7 +249,7 @@
+ 	       &interlace_type, NULL, NULL);
+ 
+   if (oversized (width, height))
+-    failwith ("png error: image contains oversized or bogus width and height");
++    failwith_oversized("png");
+ 
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+@@ -272,7 +268,7 @@
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
+   if (oversized (rowbytes, height))
+-    failwith ("png error: image contains oversized or bogus rowbytes and height");
++    failwith_oversized("png");
+ 
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+@@ -283,7 +279,7 @@
+     char mesg[256];
+  
+     if (oversized (sizeof (png_bytep), height))
+-      failwith ("png error: image contains oversized or bogus height");
++      failwith_oversized("png");
+ 
+     row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+     res = alloc_tuple(3);

-- 
camlimages packaging


