Version française
Home     About     Download     Resources     Contact us    
Browse thread
Camlimages integer overflows with PNG images
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: -- (:)
From: Richard Jones <rich@a...>
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
> 
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all?  I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
> 
> Should width and height be clamped further to 31-/63- bits in addition  
> to the multiplication check?  It's stored in an OCaml int later on,  
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea.  I'm open to
patches or exploit/testing code for this issue.  But at the moment my
primary concern is to get the upstream developers to take a look at
the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros.  At
the time of writing, Fedora is going with the patch in comment 11.

Rich.

-- 
Richard Jones
Red Hat