- ocaml-camlimages: PNG reader multiple integer overflows (CVE 2009-2295 /
RHBZ#509531).
parent
931548aa93
commit
e92f2cc6ff
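--- a/camlimages-oversized-png-check-CVE-2009-2295.patch
+++ b/camlimages-oversized-png-check-CVE-2009-2295.patch
@@ -0,0 +1,55 @@
+--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
+@@ -26,6 +26,12 @@
+#define PNG_TAG_INDEX16 2
+#define PNG_TAG_INDEX4 3
+
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y) \
++ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++
+value read_png_file_as_rgb24( name )
+value name;
+{
+@@ -81,6 +87,9 @@
+png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+&interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+if ( color_type == PNG_COLOR_TYPE_GRAY ||
+color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+png_set_gray_to_rgb(png_ptr);
+@@ -102,6 +111,9 @@
+
+rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+{
+int i;
+png_bytep *row_pointers;
+@@ -235,6 +247,9 @@
+png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+&interlace_type, NULL, NULL);
+
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+if ( color_type == PNG_COLOR_TYPE_GRAY ||
+color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+png_set_gray_to_rgb(png_ptr);
+@@ -251,6 +266,9 @@
+
+rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+/*
+fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+*/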
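Review bot: The `oversized` macro added in the first pngread.c hunk does not reliably detect overflow, because a wrapped product can still exceed both operands (constructed case with 32-bit unsigned operands: 0x18000 * 0x18000 wraps to 0x40000000), and for signed operands the multiplication is already undefined behaviour before the comparison runs. A division-based test never multiplies: `((x) < 0 || (y) < 0 || ((y) != 0 && (x) > LIMIT / (y)))`, where LIMIT is a placeholder for the maximum of the type used in the later size computation; the declarations of width, height and rowbytes lie outside the hunks, and if they are unsigned the two `< 0` tests are always false. All four call sites share the macro, so the one change covers them. The added `failwith` calls run after `png_get_IHDR`; if the enclosing functions hold an open file and libpng read structures at that point (their set-up is outside the hunks), those should be released before raising.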
@ -1,6 +1,6 @@
|
|||||||
Name: ocaml-camlimages
|
Name: ocaml-camlimages
|
||||||
Version: 2.2.0
|
Version: 2.2.0
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
Summary: OCaml image processing library
|
Summary: OCaml image processing library
|
||||||
|
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
@ -9,6 +9,10 @@ URL: http://pauillac.inria.fr/camlimages/
|
|||||||
Source0: ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz
|
Source0: ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz
|
||||||
Source1: camlimages-2.2.0-htmlref.tar.gz
|
Source1: camlimages-2.2.0-htmlref.tar.gz
|
||||||
Patch0: camlimages-2.2.0-stubdest.patch
|
Patch0: camlimages-2.2.0-stubdest.patch
|
||||||
|
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
|
||||||
|
Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
|
||||||
BuildRequires: lablgtk libpng-devel libjpeg-devel ocaml
|
BuildRequires: lablgtk libpng-devel libjpeg-devel ocaml
|
||||||
@ -40,7 +44,12 @@ Includes documentation provided by ocamldoc
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n camlimages-2.2 -a 1
|
%setup -q -n camlimages-2.2 -a 1
|
||||||
%patch -p1
|
%patch0 -p1
|
||||||
|
|
||||||
|
pushd png
|
||||||
|
%patch1 -p2
|
||||||
|
popd
|
||||||
|
|
||||||
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
|
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -70,6 +79,10 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jul 3 2009 Richard W.M. Jones <rjones@redhat.com> - 2.2.0-8
|
||||||
|
- ocaml-camlimages: PNG reader multiple integer overflows
|
||||||
|
(CVE 2009-2295 / RHBZ#509531).
|
||||||
|
|
||||||
* Fri May 04 2007 Nigel Jones <dev@nigelj.com> 2.2.0-7
|
* Fri May 04 2007 Nigel Jones <dev@nigelj.com> 2.2.0-7
|
||||||
- Change to Makefile patch to move .so files to stublibs
|
- Change to Makefile patch to move .so files to stublibs
|
||||||
- Rename to ocaml-camlimages
|
- Rename to ocaml-camlimages
|
||||||
|
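Review bot: The patch applied by `%patch1 -p2` was generated against `camlimages-3.0.1/src/pngread.c`, while this spec builds Version 2.2.0 from `camlimages-2.2` and applies it inside `png/`, so the hunks at lines 26, 81, 102, 235 and 251 presumably land only through offset or fuzz matching. It would be safer to regenerate the patch against the 2.2 tree, or at least to add a comment above `Patch1:` such as `# Diff taken from camlimages 3.0.1; verified to apply to both PNG readers in 2.2`, once the build log confirms that all four checks were applied to the intended functions.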