[Pkg-ocaml-maint-commits] [SCM] camlimages packaging branch, master, updated. debian/3.0.1-1-15-gc7e6b16

Mehdi Dogguy dogguy at pps.jussieu.fr
Fri Jul 3 16:13:52 UTC 2009


The following commit has been merged in the master branch:
commit c7e6b169ed8548f25b37cc2bf5f4bb65497afe5c
Author: Mehdi Dogguy <dogguy at pps.jussieu.fr>
Date:   Fri Jul 3 18:04:01 2009 +0200

    Add a patch fix_integer_overflows to fix security issue (CVE-2009-2295)

diff --git a/debian/changelog b/debian/changelog
index fa7ab98..1bf6fba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ camlimages (1:3.0.1-2) unstable; urgency=low
     OCaml 3.11.1 transition.
   * Bump standards to 3.8.2
   * Move documentation from the -dev package to the -doc one.
+  * Add a patch fix_integer_overflows to fix security issue (CVE-2009-2295)
 
  -- Mehdi Dogguy <dogguy at pps.jussieu.fr>  Thu, 02 Jul 2009 11:39:30 +0200
 
diff --git a/debian/patches/00list b/debian/patches/00list
index e56af52..c86435d 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1 +1,2 @@
 fix_3_0_1_release
+fix_integer_overflows
diff --git a/debian/patches/fix_integer_overflows.dpatch b/debian/patches/fix_integer_overflows.dpatch
new file mode 100755
index 0000000..a2daeec
--- /dev/null
+++ b/debian/patches/fix_integer_overflows.dpatch
@@ -0,0 +1,89 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_integer_overflows.dpatch by Mehdi Dogguy <dogguy at pps.jussieu.fr>
+##
+## DP: Fix multiple integer overflows.
+## DP: http://www.ocert.org/advisories/ocert-2009-009.html
+
+ at DPATCH@
+diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
+--- camlimages~/src/pngread.c	2009-06-23 11:22:20.000000000 +0200
++++ camlimages/src/pngread.c	2009-07-03 17:51:31.000000000 +0200
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+ 
++#include <limits.h>
++
+ #include <png.h>
+ 
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+ 
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y)						\
++  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
++
+ value read_png_file_as_rgb24( name )
+      value name;
+ {
+@@ -81,6 +89,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+ 
++  if (oversized (width, height))
++    failwith ("png error: image contains oversized or bogus width and height");
++
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+     png_set_gray_to_rgb(png_ptr); 
+@@ -102,10 +113,16 @@
+ 
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
++  if (oversized (rowbytes, height))
++    failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+   {
+     int i;
+     png_bytep *row_pointers;
+ 
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+ 
+     res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+ 
++  if (oversized (width, height))
++    failwith ("png error: image contains oversized or bogus width and height");
++
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+     png_set_gray_to_rgb(png_ptr); 
+@@ -251,6 +271,9 @@
+ 
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
++  if (oversized (rowbytes, height))
++    failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
+@@ -259,6 +282,9 @@
+     png_bytep *row_pointers;
+     char mesg[256];
+  
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+     res = alloc_tuple(3);
+ 
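Review bot: Each of the six added `failwith(...)` calls (after `png_get_IHDR`, after `png_get_rowbytes`, and just before the `row_pointers` allocation, in both groups of inner hunks) raises the OCaml exception without releasing anything, although `png_ptr` and `info_ptr` are already live at those points. Unless cleanup happens somewhere not shown here, every rejected image leaks the libpng read structs and presumably the open input file, so a long-running process that keeps receiving malformed PNGs can exhaust descriptors or memory. Each rejection path should release first, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);`, then close the input stream, and only then call `failwith(...)`. The comment on `oversized` should also say that for unsigned arguments (`sizeof (png_bytep)`, and `width`/`height` if they are `png_uint_32`) the `< 0` tests are vacuous and only the `INT_MAX / (y)` bound does the work. The enclosing reader functions begin and end outside the hunks shown, so existing cleanup there could not be checked.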

-- 
camlimages packaging


