[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Patch proposal for CVE-2017-6960 in Wheezy (/Jessie)

Hi Ola,

> I have reviewed your code and it looks good to me. I do not know this
> library very well however so may have overlooked something. But the
> checks looks ok.
> What I'm not sure of is the break statement, but I guess you have
> control over that part.

Thanks for your review !

This code is executed in a big do-while structure, that's why we break
in case of errors (upstream did it at line 620 for example). The return
value res is initialized with value 1 (=error) at line 524 so we return
error. Error handling is then realised at line 1891.

> Have you tested that the solution work against some test image that
> breaked it in earlier version?
> Have you done any form of regression test?

I have tested with the original reproducer and crafted myself other
malicious apng files to trigger the case where (h > UINT_MAX/(4*(frames+1))) or
(w > UINT_MAX/(4*(frames+1))) which I forgot to handle at the beginning.

regression tests with two "normal" apng files, everything was working

If nobody is against it, I'd upload this patch now.


             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E

Attachment: signature.asc
Description: PGP signature

Reply to: