From: Richard Jones <rich@a...>
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all?  I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> >
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
> Should width and height be clamped further to 31-/63- bits in addition
> to the multiplication check?  It's stored in an OCaml int later on,
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea.  I'm open to
patches or exploit/testing code for this issue.  But at the moment my
primary concern is to get the upstream developers to take a look at
the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros.  At
the time of writing, Fedora is going with the patch in comment 11.


Richard Jones
Red Hat
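As an added illustration of the two checks discussed in this thread (a multiplication overflow check on the pixel buffer size plus a clamp of width and height to the OCaml int range), here is a hypothetical C helper. It is not camlimages code; the function name, the `OCAML_MAX_INT` definition and the 16-bytes-per-pixel cap are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed definition, mirroring OCaml's native int: 63-bit on 64-bit
 * platforms, 31-bit on 32-bit ones (the "31-/63-bit" clamp from the thread). */
#define OCAML_MAX_INT ((((intptr_t)1) << (8 * sizeof(intptr_t) - 2)) - 1)

/* Hypothetical helper: compute width * height * bytes_per_pixel for a PNG
 * image buffer. Returns true and stores the size in *out only when every
 * operand and every intermediate product fits both in size_t and in an
 * OCaml int; otherwise returns false and leaves *out untouched. */
bool png_buffer_size(uint32_t width, uint32_t height,
                     unsigned bytes_per_pixel, size_t *out)
{
    /* PNG dimensions are at most 2^31-1; zero-sized images are rejected too. */
    if (width == 0 || height == 0 || width > INT32_MAX || height > INT32_MAX)
        return false;
    /* 16 bytes/pixel (RGBA at 16 bits per channel, doubled) is an assumed cap. */
    if (bytes_per_pixel == 0 || bytes_per_pixel > 16)
        return false;
    /* Clamp each dimension to the OCaml int range before multiplying. */
    if ((uint64_t)width > (uint64_t)OCAML_MAX_INT ||
        (uint64_t)height > (uint64_t)OCAML_MAX_INT)
        return false;
    /* The product must fit an OCaml int and a size_t; use division so the
     * overflow checks cannot themselves overflow. */
    uint64_t limit = (uint64_t)OCAML_MAX_INT;
    if (limit > (uint64_t)SIZE_MAX)
        limit = (uint64_t)SIZE_MAX;
    if ((uint64_t)width > limit / height)
        return false;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > limit / bytes_per_pixel)
        return false;
    *out = (size_t)(pixels * bytes_per_pixel);
    return true;
}

int main(void)
{
    size_t n;
    /* Constructed inputs: a normal image and a header that would wrap a
     * 32-bit multiplication (65536 * 65536 * 4 = 2^34). */
    printf("100x100x4 -> %s\n", png_buffer_size(100, 100, 4, &n) ? "ok" : "rejected");
    printf("65536x65536x4 -> %s\n", png_buffer_size(65536, 65536, 4, &n) ? "ok" : "rejected");
    return 0;
}
```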