- ocaml-camlimages: PNG reader multiple integer overflows (CVE 2009-2295 /

RHBZ#509531).
2009-07-03 13:59:11 +00:00 · 2009-07-03 13:59:11 +00:00 · e92f2cc6ff
parent 931548aa93
commit e92f2cc6ff
2 changed files with 70 additions and 2 deletions
--- a/camlimages-oversized-png-check-CVE-2009-2295.patch
+++ b/camlimages-oversized-png-check-CVE-2009-2295.patch
@ -0,0 +1,55 @@
+--- camlimages-3.0.1/src/pngread.c	2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c	2009-07-03 14:19:42.000000000 +0100
+@@ -26,6 +26,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+ 
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y)						\
+  ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
+ value read_png_file_as_rgb24( name )
+      value name;
+ {
+@@ -81,6 +87,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+ 
+  if (oversized (width, height))
+    failwith ("png error: image contains oversized or bogus width and height");
+
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+     png_set_gray_to_rgb(png_ptr); 
+@@ -102,6 +111,9 @@
+ 
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
+  if (oversized (rowbytes, height))
+    failwith ("png error: image contains oversized or bogus rowbytes and height");
+
+   {
+     int i;
+     png_bytep *row_pointers;
+@@ -235,6 +247,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+ 
+  if (oversized (width, height))
+    failwith ("png error: image contains oversized or bogus width and height");
+
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
+     png_set_gray_to_rgb(png_ptr); 
+@@ -251,6 +266,9 @@
+ 
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
+  if (oversized (rowbytes, height))
+    failwith ("png error: image contains oversized or bogus rowbytes and height");
+
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
--- a/ocaml-camlimages.spec
+++ b/ocaml-camlimages.spec
@ -1,6 +1,6 @@
 Name:           ocaml-camlimages
 Version:        2.2.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        OCaml image processing library

 Group:          Development/Libraries
@ -9,6 +9,10 @@ URL:            http://pauillac.inria.fr/camlimages/
 Source0:        ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz
 Source1:        camlimages-2.2.0-htmlref.tar.gz
 Patch0:         camlimages-2.2.0-stubdest.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
+Patch1:         camlimages-oversized-png-check-CVE-2009-2295.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires:  lablgtk libpng-devel libjpeg-devel ocaml
@ -40,7 +44,12 @@ Includes documentation provided by ocamldoc

 %prep
 %setup -q -n camlimages-2.2 -a 1
-%patch -p1
+%patch0 -p1
+
+pushd png
+%patch1 -p2
+popd
+
 sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in

 %build
@ -70,6 +79,10 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Fri Jul  3 2009 Richard W.M. Jones <rjones@redhat.com> - 2.2.0-8
+- ocaml-camlimages: PNG reader multiple integer overflows
+  (CVE 2009-2295 / RHBZ#509531).
+
 * Fri May 04 2007 Nigel Jones <dev@nigelj.com> 2.2.0-7
 - Change to Makefile patch to move .so files to stublibs
 - Rename to ocaml-camlimages