[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#540146: gentoo's patch and debdiff

Hello,

I fix this bug yesterday in the git repository. Please contact me before
working on it next time (I am not yet on VAC). I appreciate your work
but I am sorry it is a duplicate (and not using the same approach, since
I split the patch).

Thanks anyway.

Regards
Sylvain Le Gall

On Sat, Aug 08, 2009 at 05:59:04PM +1000, Steffen Joeris wrote:
> Hi
> 
> I'd suggest going with gentoo's approach of using a separate oversized.h file.
> Any objections? I've tried building this, but the debdiff between the -dev 
> binary packages was quite huge, so I am not uploading anything.
> 
> Cheers
> Steffen
> 
> [0]: https://bugs.gentoo.org/attachment.cgi?id=199108&action=view

> diff -u camlimages-3.0.1/debian/changelog camlimages-3.0.1/debian/changelog
> --- camlimages-3.0.1/debian/changelog
> +++ camlimages-3.0.1/debian/changelog
> @@ -1,3 +1,12 @@
> +camlimages (1:3.0.1-2.1) unstable; urgency=high
> +
> +  * Non-maintainer upload by the security team
> +  * Expand security patch for integer overflows to also cover other
> +    image types (Closes: #540146)
> +    Fixes: CVE-2009-2660
> +
> + -- Steffen Joeris <white@debian.org>  Sat, 08 Aug 2009 07:05:38 +0000
> +
>  camlimages (1:3.0.1-2) unstable; urgency=low
>  
>    [ Mehdi Dogguy ]
> diff -u camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
> --- camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
> +++ camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch
> @@ -8,82 +8,155 @@
> -diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
> ---- camlimages~/src/pngread.c	2009-06-23 11:22:20.000000000 +0200
> -+++ camlimages/src/pngread.c	2009-07-03 17:51:31.000000000 +0200
> -@@ -15,6 +15,8 @@
> - #include "config.h"
> - #endif
> - 
> -+#include <limits.h>
> +Index: src/gifread.c
> +===================================================================
> +--- src/gifread.c.orig
> ++++ camlimages-3.0.1/src/gifread.c
> +@@ -20,6 +20,8 @@
> + #include <caml/memory.h>
> + #include <caml/fail.h>
> + 
> ++#include "oversized.h"
> ++
> + #include <stdio.h>
> + #include <string.h>
> + 
> +@@ -191,6 +193,9 @@ value dGifGetLine( value hdl )
> + 
> +   GifFileType *GifFile = (GifFileType*) hdl;
> + 
> ++  if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
> ++    failwith_oversized("gif");
> ++  }
> +   buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); 
> + 
> +   if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) 
> +Index: src/jpegread.c
> +===================================================================
> +--- src/jpegread.c.orig
> ++++ camlimages-3.0.1/src/jpegread.c
> +@@ -20,6 +20,8 @@
> + #include <caml/memory.h>
> + #include <caml/fail.h>
> + 
> ++#include "oversized.h"
> ++
> + #include <stdio.h>
> + #include <string.h>
> + 
> +@@ -156,6 +158,12 @@ read_JPEG_file (value name)
> +    */ 
> +   /* JSAMPLEs per row in output buffer */
> + 
> ++  if( oversized(cinfo.output_width, cinfo.output_components) ){
> ++    jpeg_destroy_decompress(&cinfo);
> ++    fclose(infile);
> ++    failwith_oversized("jpeg");
> ++  }
> ++
> +   row_stride = cinfo.output_width * cinfo.output_components;
> + 
> +   /* Make a one-row-high sample array that will go away when done with image */
> +@@ -177,6 +185,12 @@ read_JPEG_file (value name)
> +     jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); 
> +   }
> + 
> ++  if( oversized(row_stride, cinfo.output_height) ){
> ++    jpeg_destroy_decompress(&cinfo);
> ++    fclose(infile);
> ++    failwith_oversized("jpeg");
> ++  }
>  +
> - #include <png.h>
> - 
> - #include <caml/mlvalues.h>
> -@@ -26,6 +28,12 @@
> - #define PNG_TAG_INDEX16 2
> - #define PNG_TAG_INDEX4 3
> - 
> +   {
> +     CAMLlocalN(r,3);
> +     r[0] = Val_int(cinfo.output_width);
> +@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe
> + 
> +   { 
> +     CAMLlocalN(r,3);
> ++    // CR jfuruse: integer overflow
> +     r[0] = Val_int(cinfop->output_width);
> +     r[1] = Val_int(cinfop->output_height);
> +     r[2] = alloc_tuple(3);
> +Index: src/oversized.h
> +===================================================================
> +--- /dev/null
> ++++ camlimages-3.0.1/src/oversized.h
> +@@ -0,0 +1,9 @@
> ++#include <limits.h>
>  +/* Test if x or y are negative, or if multiplying x * y would cause an
>  + * arithmetic overflow.
>  + */
>  +#define oversized(x, y)						\
>  +  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
>  +
> - value read_png_file_as_rgb24( name )
> -      value name;
> - {
> -@@ -81,6 +89,9 @@
> ++#define failwith_oversized(lib) \
> ++  failwith("#lib error: image contains oversized or bogus width and height");
> +Index: src/pngread.c
> +===================================================================
> +--- src/pngread.c.orig
> ++++ camlimages-3.0.1/src/pngread.c
> +@@ -17,6 +17,8 @@
> + 
> + #include <png.h>
> + 
> ++#include "oversized.h"
> ++
> + #include <caml/mlvalues.h>
> + #include <caml/alloc.h>
> + #include <caml/memory.h>
> +@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name )
>     png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
>   	       &interlace_type, NULL, NULL);
>   
>  +  if (oversized (width, height))
> -+    failwith ("png error: image contains oversized or bogus width and height");
> ++    failwith_oversized("png");
>  +
>     if ( color_type == PNG_COLOR_TYPE_GRAY ||
>          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
>       png_set_gray_to_rgb(png_ptr); 
> -@@ -102,10 +113,16 @@
> +@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name )
>   
>     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
>   
>  +  if (oversized (rowbytes, height))
> -+    failwith ("png error: image contains oversized or bogus rowbytes and height");
> ++    failwith_oversized("png");
>  +
>     {
>       int i;
>       png_bytep *row_pointers;
>   
>  +    if (oversized (sizeof (png_bytep), height))
> -+      failwith ("png error: image contains oversized or bogus height");
> ++      failwith_oversized("png");
>  +
>       row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
>   
>       res = alloc_tuple(3);
> -@@ -235,6 +252,9 @@
> +@@ -235,6 +246,9 @@ value read_png_file( name )
>     png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
>   	       &interlace_type, NULL, NULL);
>   
>  +  if (oversized (width, height))
> -+    failwith ("png error: image contains oversized or bogus width and height");
> ++    failwith_oversized("png");
>  +
>     if ( color_type == PNG_COLOR_TYPE_GRAY ||
>          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
>       png_set_gray_to_rgb(png_ptr); 
> -@@ -251,6 +271,9 @@
> +@@ -251,6 +265,9 @@ value read_png_file( name )
>   
>     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
>   
>  +  if (oversized (rowbytes, height))
> -+    failwith ("png error: image contains oversized or bogus rowbytes and height");
> ++    failwith_oversized("png");
>  +
>   /*
>   fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
>   */
> -@@ -259,6 +282,9 @@
> +@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi
>       png_bytep *row_pointers;
>       char mesg[256];
>    
>  +    if (oversized (sizeof (png_bytep), height))
> -+      failwith ("png error: image contains oversized or bogus height");
> ++      failwith_oversized("png");
>  +
>       row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
>       res = alloc_tuple(3);
>   
> +

Attachment: signature.asc
Description: Digital signature

Reply to: