Camlimages integer overflows with PNG images
| From: | Jun Furuse <jun.furuse@g...> |
| Subject: | Re: [Caml-list] Camlimages integer overflows with PNG images |
Coincidentally I am working on png reading code of camlimages again
this week. I will check the patch and incorporate it to the CVS version soon.

= j

On Sat, Jul 4, 2009 at 3:35 AM, Richard Jones<rich@annexia.org> wrote:
> On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
>> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>>
>> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> >>Do you have a patch for this at all? I need to stick it into OpenBSD
>> >>fairly urgently as we're in release lock.
>> >
>> >Yes, I worked up a patch here:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>> >
>> >Not entirely sure if it is correct and complete though, so if you have
>> >any suggested changes, please share them.
>>
>> Should width and height be clamped further to 31-/63- bits in addition
>> to the multiplication check? It's stored in an OCaml int later on,
>> and it's pretty unlikely anyone would be working with images that size.
>
> I don't know, but it sounds like it might be a good idea. I'm open to
> patches or exploit/testing code for this issue. But at the moment my
> primary concern is to get the upstream developers to take a look at
> the issue and deliver a proper, comprehensive patch.
>
> And to fix up the immediate security hole for the major distros. At
> the time of writing, Fedora is going with the patch in comment 11.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs
>
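
The two checks discussed in the thread, the multiplication check and the clamp to the 31-/63-bit OCaml int range, combined in one validation routine. This is an added example, not part of the original message and not the patch from the Red Hat bug; the function name `checked_image_size`, its parameters and the `OCAML_MAX_INT` macro are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Largest value an OCaml int can hold: 2^30-1 on 32-bit, 2^62-1 on 64-bit
   (one bit of the machine word is the tag, one is the sign). Defined here
   as an assumption so the example builds without the OCaml runtime headers. */
#define OCAML_MAX_INT ((((intptr_t)1) << (8 * sizeof(intptr_t) - 2)) - 1)

/* Hypothetical helper: validate PNG dimensions before allocating.
   width/height are the 32-bit values read from the image header, rowbytes
   is the per-row size reported by the decoder. Returns 0 and stores the
   buffer size in *out on success, -1 if any value is unusable. */
int checked_image_size(uint32_t width, uint32_t height,
                       size_t rowbytes, size_t *out)
{
    size_t total;

    if (width == 0 || height == 0 || rowbytes == 0)
        return -1;

    /* Clamp: each dimension must survive conversion to an OCaml int. */
    if ((uintmax_t)width > (uintmax_t)OCAML_MAX_INT ||
        (uintmax_t)height > (uintmax_t)OCAML_MAX_INT)
        return -1;

    /* Multiplication check: rowbytes * height must not wrap size_t. */
    if (rowbytes > SIZE_MAX / height)
        return -1;
    total = rowbytes * (size_t)height;

    /* The byte count is also handed to OCaml as a length, so clamp it too. */
    if ((uintmax_t)total > (uintmax_t)OCAML_MAX_INT)
        return -1;

    *out = total;
    return 0;
}
```

Rejecting the image before any allocation means a wrapped product can never become an undersized buffer that the row-copy loop then overruns.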