From: Richard Jones <rich@annexia.org>
To: Anil Madhavapeddy <anil@recoil.org>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
Date: Fri, 3 Jul 2009 19:35:07 +0100
Message-ID: <20090703183507.GA26539@annexia.org>
In-Reply-To: <0554DF81-B2CD-4B0A-8988-C6627594CB0B@recoil.org>

On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all? I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
>
> Should width and height be clamped further to 31-/63- bits in addition
> to the multiplication check? It's stored in an OCaml int later on,
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea. I'm open to
patches or exploit/testing code for this issue. But at the moment my
primary concern is to get the upstream developers to take a look at
the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros. At
the time of writing, Fedora is going with the patch in comment 11.

Rich.

--
Richard Jones
Red Hat
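
The two checks discussed in this message, as an added C sketch (it is not the patch from comment 11 and not Camlimages code): a multiplication check on width * height * bytes-per-pixel, plus a clamp of every value to the 31-/63-bit OCaml int range. The helper names, the `bpp` and `max_int` parameters and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest positive OCaml int: one bit of the machine word is a tag, which
   leaves a signed 31-bit int on 32-bit hosts and 63-bit on 64-bit hosts. */
#define OCAML_MAX_INT_32 UINT64_C(0x3FFFFFFF)          /* 2^30 - 1 */
#define OCAML_MAX_INT_64 UINT64_C(0x3FFFFFFFFFFFFFFF)  /* 2^62 - 1 */

/* Hypothetical helper (not Camlimages code). Returns 0 and stores
   width * height * bpp in *size when the dimensions and the product all
   fit in an OCaml int bounded by max_int; returns -1 otherwise. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t bpp,
                       uint64_t max_int, uint64_t *size)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    /* Clamp: each dimension is later stored in an OCaml int by itself. */
    if (width > max_int || height > max_int)
        return -1;
    /* Multiplication check done by division, so no product can wrap. */
    if (bpp > max_int / width)
        return -1;
    uint64_t rowbytes = (uint64_t)width * bpp;
    if (height > max_int / rowbytes)
        return -1;
    *size = rowbytes * height;
    return 0;
}

/* What unchecked 32-bit arithmetic computes for the same header fields. */
uint32_t wrapped_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;  /* unsigned: wraps modulo 2^32 */
}

int main(void)
{
    uint64_t size = 0;
    /* Constructed sample: 65536 x 65536 pixels at 4 bytes per pixel. */
    printf("unchecked 32-bit size: %u\n", (unsigned)wrapped_size32(0x10000, 0x10000, 4));
    printf("31-bit host: %d\n", checked_image_size(0x10000, 0x10000, 4, OCAML_MAX_INT_32, &size));
    /* 2^30 x 1 x 1 does not overflow a multiply, yet exceeds a 31-bit int. */
    printf("clamp only:  %d\n", checked_image_size(0x40000000, 1, 1, OCAML_MAX_INT_32, &size));
    return 0;
}
```

The last call is the case the clamp adds over the multiplication check alone: the product fits in a 32-bit size, but the width no longer fits in a 31-bit OCaml int.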