
Bug#540146: gentoo's patch and debdiff



Hi

I'd suggest going with gentoo's approach [0] of using a separate oversized.h file.
Any objections? I've tried building this, but the debdiff between the -dev 
binary packages was quite huge, so I am not uploading anything.

Cheers
Steffen

[0]: https://bugs.gentoo.org/attachment.cgi?id=199108&action=view
diff -u camlimages-3.0.1/debian/changelog camlimages-3.0.1/debian/changelog
--- camlimages-3.0.1/debian/changelog
+++ camlimages-3.0.1/debian/changelog
@@ -1,3 +1,12 @@
+camlimages (1:3.0.1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Expand security patch for integer overflows to also cover other
+    image types (Closes: #540146)
+    Fixes: CVE-2009-2660
+
+ -- Steffen Joeris <white@debian.org>  Sat, 08 Aug 2009 07:05:38 +0000
+
 camlimages (1:3.0.1-2) unstable; urgency=low
 
   [ Mehdi Dogguy ]
diff -u camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
--- camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
+++ camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
@@ -8,82 +8,155 @@
-diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
---- camlimages~/src/pngread.c	2009-06-23 11:22:20.000000000 +0200
-+++ camlimages/src/pngread.c	2009-07-03 17:51:31.000000000 +0200
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
- 
-+#include <limits.h>
+Index: src/gifread.c
+===================================================================
+--- src/gifread.c.orig
++++ camlimages-3.0.1/src/gifread.c
+@@ -20,6 +20,8 @@
+ #include <caml/memory.h>
+ #include <caml/fail.h>
+ 
++#include "oversized.h"
++
+ #include <stdio.h>
+ #include <string.h>
+ 
+@@ -191,6 +193,9 @@ value dGifGetLine( value hdl )
+ 
+   GifFileType *GifFile = (GifFileType*) hdl;
+ 
++  if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
++    failwith_oversized("gif");
++  }
+   buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); 
+ 
+   if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) 
+Index: src/jpegread.c
+===================================================================
+--- src/jpegread.c.orig
++++ camlimages-3.0.1/src/jpegread.c
+@@ -20,6 +20,8 @@
+ #include <caml/memory.h>
+ #include <caml/fail.h>
+ 
++#include "oversized.h"
++
+ #include <stdio.h>
+ #include <string.h>
+ 
+@@ -156,6 +158,12 @@ read_JPEG_file (value name)
+    */ 
+   /* JSAMPLEs per row in output buffer */
+ 
++  if( oversized(cinfo.output_width, cinfo.output_components) ){
++    jpeg_destroy_decompress(&cinfo);
++    fclose(infile);
++    failwith_oversized("jpeg");
++  }
++
+   row_stride = cinfo.output_width * cinfo.output_components;
+ 
+   /* Make a one-row-high sample array that will go away when done with image */
+@@ -177,6 +185,12 @@ read_JPEG_file (value name)
+     jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); 
+   }
+ 
++  if( oversized(row_stride, cinfo.output_height) ){
++    jpeg_destroy_decompress(&cinfo);
++    fclose(infile);
++    failwith_oversized("jpeg");
++  }
 +
- #include <png.h>
- 
- #include <caml/mlvalues.h>
-@@ -26,6 +28,12 @@
- #define PNG_TAG_INDEX16 2
- #define PNG_TAG_INDEX4 3
- 
+   {
+     CAMLlocalN(r,3);
+     r[0] = Val_int(cinfo.output_width);
+@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe
+ 
+   { 
+     CAMLlocalN(r,3);
++    // CR jfuruse: integer overflow
+     r[0] = Val_int(cinfop->output_width);
+     r[1] = Val_int(cinfop->output_height);
+     r[2] = alloc_tuple(3);
+Index: src/oversized.h
+===================================================================
+--- /dev/null
++++ camlimages-3.0.1/src/oversized.h
+@@ -0,0 +1,9 @@
++#include <limits.h>
 +/* Test if x or y are negative, or if multiplying x * y would cause an
 + * arithmetic overflow.
 + */
 +#define oversized(x, y)						\
 +  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
 +
- value read_png_file_as_rgb24( name )
-      value name;
- {
-@@ -81,6 +89,9 @@
++#define failwith_oversized(lib) \
++  failwith("#lib error: image contains oversized or bogus width and height");
+Index: src/pngread.c
+===================================================================
+--- src/pngread.c.orig
++++ camlimages-3.0.1/src/pngread.c
+@@ -17,6 +17,8 @@
+ 
+ #include <png.h>
+ 
++#include "oversized.h"
++
+ #include <caml/mlvalues.h>
+ #include <caml/alloc.h>
+ #include <caml/memory.h>
+@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name )
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
 +  if (oversized (width, height))
-+    failwith ("png error: image contains oversized or bogus width and height");
++    failwith_oversized("png");
 +
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -102,10 +113,16 @@
+@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name )
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
 +  if (oversized (rowbytes, height))
-+    failwith ("png error: image contains oversized or bogus rowbytes and height");
++    failwith_oversized("png");
 +
    {
      int i;
      png_bytep *row_pointers;
  
 +    if (oversized (sizeof (png_bytep), height))
-+      failwith ("png error: image contains oversized or bogus height");
++      failwith_oversized("png");
 +
      row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
  
      res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
+@@ -235,6 +246,9 @@ value read_png_file( name )
    png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
  	       &interlace_type, NULL, NULL);
  
 +  if (oversized (width, height))
-+    failwith ("png error: image contains oversized or bogus width and height");
++    failwith_oversized("png");
 +
    if ( color_type == PNG_COLOR_TYPE_GRAY ||
         color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
      png_set_gray_to_rgb(png_ptr); 
-@@ -251,6 +271,9 @@
+@@ -251,6 +265,9 @@ value read_png_file( name )
  
    rowbytes = png_get_rowbytes(png_ptr, info_ptr);
  
 +  if (oversized (rowbytes, height))
-+    failwith ("png error: image contains oversized or bogus rowbytes and height");
++    failwith_oversized("png");
 +
  /*
  fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
  */
-@@ -259,6 +282,9 @@
+@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi
      png_bytep *row_pointers;
      char mesg[256];
   
 +    if (oversized (sizeof (png_bytep), height))
-+      failwith ("png error: image contains oversized or bogus height");
++      failwith_oversized("png");
 +
      row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
      res = alloc_tuple(3);
  
+
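Review bot: The `failwith_oversized` macro added in src/oversized.h never substitutes its argument: `#lib` sits inside a string literal, where the stringizing operator is not applied, so every caller in gifread.c, jpegread.c and pngread.c reports the literal text `#lib error: image contains oversized or bogus width and height`. Because the callers pass a string literal such as `"png"`, the fix is adjacent-literal concatenation rather than stringification, and the definition should not end in a semicolon (each use already supplies one, leaving a stray empty statement behind the unbraced `if`): `#define failwith_oversized(lib) \` followed by `failwith(lib " error: image contains oversized or bogus width and height")`. Separately, the PNG checks in read_png_file_as_rgb24 and read_png_file raise immediately, whereas the JPEG checks first call `jpeg_destroy_decompress` and `fclose`; the libpng read structures that png_get_IHDR has just read from (and the input stream, if it is still open at that point — its fopen is outside the hunk) are not released before the exception, so every rejected image leaks them. Both PNG functions and read_JPEG_file begin and end outside the hunk.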
