Camlimages integer overflows with PNG images
Date: --
From: Richard Jones <rich@a...>
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all? I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
>
> Should width and height be clamped further to 31-/63- bits in addition
> to the multiplication check? It's stored in an OCaml int later on,
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea.

I'm open to patches or exploit/testing code for this issue. But at the
moment my primary concern is to get the upstream developers to take a
look at the issue and deliver a proper, comprehensive patch. And to fix
up the immediate security hole for the major distros.

At the time of writing, Fedora is going with the patch in comment 11.

Rich.

--
Richard Jones
Red Hat
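The two checks discussed in the message above, the multiplication check and Anil's suggested clamp of width and height to the OCaml int range, as an added C example. This is not camlimages' own code and not the patch from the Red Hat bug report; the function names (naive_size, png_dims_ok, checked_size) and the OCAML_INT_MAX macro are assumed here for illustration. It takes the dimensions as 32-bit values because that is what a PNG header carries, and shows beside the checked version how a product computed in 32-bit arithmetic silently wraps.

```c
/* Added example (not camlimages code): overflow-safe pixel buffer sizing
   for a PNG decoder, with the wrapping arithmetic it replaces. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* OCaml's native int is 31 bits on 32-bit platforms and 63 bits on 64-bit
   ones (one bit is reserved for the tag bit), so the largest positive
   value is 2^30-1 or 2^62-1.  Assumed macro name; chosen by word size. */
#if SIZE_MAX > 0xFFFFFFFFu
#define OCAML_INT_MAX (((uint64_t)1 << 62) - 1)
#else
#define OCAML_INT_MAX (((uint64_t)1 << 30) - 1)
#endif

/* The unsafe pattern: the product is formed in 32-bit arithmetic, so a
   crafted header can make a huge image look tiny.  65536 x 65536 x 1
   byte wraps to 0, and the buffer allocated from it is then overrun by
   the row data that follows. */
uint32_t naive_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Returns 1 and stores the byte count in *out when width * height *
   bytes_per_pixel fits in an OCaml int (and therefore in size_t, since
   OCAML_INT_MAX is below SIZE_MAX on both word sizes); returns 0 otherwise.
   Dimensions are 32-bit because the PNG IHDR stores them as 32-bit. */
int png_dims_ok(uint32_t width, uint32_t height, unsigned bytes_per_pixel,
                size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || bytes_per_pixel > 16)
        return 0;

    /* The clamp from the thread: each dimension must itself fit the OCaml
       int it will later be stored in.  On a 64-bit build a 32-bit value
       always passes; on a 32-bit build anything above 2^30-1 is rejected. */
    if (width > OCAML_INT_MAX || height > OCAML_INT_MAX)
        return 0;

    /* The multiplication check.  (2^32-1)^2 fits in 64 bits, so the pixel
       count cannot wrap here; the bytes-per-pixel factor is checked by
       division before it is applied. */
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > OCAML_INT_MAX / bytes_per_pixel)
        return 0;

    *out = (size_t)(pixels * bytes_per_pixel);
    return 1;
}

/* Convenience wrapper: the checked byte count, or 0 when rejected
   (0 is never a valid size because zero dimensions are refused above). */
size_t checked_size(uint32_t width, uint32_t height, unsigned bytes_per_pixel)
{
    size_t n = 0;
    return png_dims_ok(width, height, bytes_per_pixel, &n) ? n : 0;
}

int main(void)
{
    /* Constructed header values, not from a real file. */
    uint32_t w = 65536u, h = 65536u;
    printf("naive:   %u bytes\n", naive_size(w, h, 1));
    printf("checked: %zu bytes (0 = rejected)\n", checked_size(w, h, 1));
    printf("checked: %zu bytes for 1024x768 RGBA\n", checked_size(1024, 768, 4));
    return 0;
}
```

On a 64-bit build the 65536 x 65536 case is accepted as a 4 GiB allocation request, which malloc may well refuse; the point of the check is that the size handed to the allocator is the true size, so a refusal is a clean failure rather than an undersized buffer. A decoder that wants a smaller ceiling than the OCaml int range can lower OCAML_INT_MAX to a policy limit without changing the logic.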