From 1bbaae18c39caf211592df4dd61b221a658bade3 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Fri, 3 Jul 2009 13:52:16 +0000
Subject: [PATCH] Add patch.
---
...es-oversized-png-check-CVE-2009-2295.patch | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 camlimages-oversized-png-check-CVE-2009-2295.patch
diff --git a/camlimages-oversized-png-check-CVE-2009-2295.patch b/camlimages-oversized-png-check-CVE-2009-2295.patch
new file mode 100644
index 0000000..88014d5
--- /dev/null
+++ b/camlimages-oversized-png-check-CVE-2009-2295.patch
@@ -0,0 +1,55 @@
+--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
+@@ -26,6 +26,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y) \
++ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++
+ value read_png_file_as_rgb24( name )
+ value name;
+ {
+@@ -81,6 +87,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -102,6 +111,9 @@
+
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ {
+ int i;
+ png_bytep *row_pointers;
+@@ -235,6 +247,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -251,6 +266,9 @@
+
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
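Review bot: The `oversized(x, y)` macro added near the top of pngread.c is not a sound multiplication-overflow test: a product that wraps can still be greater than or equal to both operands, so `(x) * (y) < (x) || (x) * (y) < (y)` lets some overflowing width/height and rowbytes/height pairs through at all four call sites. If the operands are signed, the multiplication itself is undefined behaviour and the compiler may drop the comparison. If they are unsigned, the `< 0` tests are dead; the declarations of `width`, `height` and `rowbytes` are outside the hunks, but libpng's `png_get_IHDR` takes `png_uint_32 *`. A division-based test avoids both problems, e.g. `#define oversized(x, y) ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))` with `<limits.h>` included; the bound should match the type and any extra per-element factor of the allocation size computed later, which is not visible here. The four `failwith` calls also appear to sit after the libpng read structures are set up, and since both functions start and end outside the hunks, it is worth confirming that the png structs and the file handle are released before the exception is raised.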