From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on yquem.inria.fr X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=AWL,SPF_FAIL autolearn=disabled version=3.1.3 Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) by yquem.inria.fr (Postfix) with ESMTP id AF7D0BC37 for ; Fri, 3 Jul 2009 20:35:08 +0200 (CEST) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AvMDAPjrTUpQRFuwWWdsb2JhbACZCgEWFbQ8gkmBSQU X-IronPort-AV: E=Sophos;i="4.42,343,1243807200"; d="scan'208";a="30635535" Received: from furbychan.cocan.org ([80.68.91.176]) by mail3-smtp-sop.national.inria.fr with ESMTP; 03 Jul 2009 20:35:08 +0200 Received: from rich by furbychan.cocan.org with local (Exim 4.63) (envelope-from ) id 1MMnbH-0006xp-51; Fri, 03 Jul 2009 19:35:07 +0100 Date: Fri, 3 Jul 2009 19:35:07 +0100 To: Anil Madhavapeddy Cc: caml-list@inria.fr Subject: Re: [Caml-list] Camlimages integer overflows with PNG images Message-ID: <20090703183507.GA26539@annexia.org> References: <20090703113838.GA8086@annexia.org> <0D39970B-7727-4503-A218-C8CDD3B64F4D@recoil.org> <20090703172803.GA22720@annexia.org> <0554DF81-B2CD-4B0A-8988-C6627594CB0B@recoil.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0554DF81-B2CD-4B0A-8988-C6627594CB0B@recoil.org> User-Agent: Mutt/1.5.13 (2006-08-11) From: Richard Jones X-Spam: no; 0.00; camlimages:01 0100,:01 anil:01 0100,:01 anil:01 bug:01 ocaml:01 distros:01 2009:98 28,:98 2009:98 height:98 wrote:01 wrote:01 overflows:01 On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote: > On 3 Jul 2009, at 18:28, Richard Jones wrote: > > >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote: > >>Do you have a patch for this at all? I need to stick it into OpenBSD > >>fairly urgently as we're in release lock. > > > >Yes, I worked up a patch here: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11 > > > >Not entirely sure if it is correct and complete though, so if you have > >any suggested changes, please share them. > > Should width and height be clamped further to 31-/63- bits in addition > to the multiplication check? It's stored in an OCaml int later on, > and it's pretty unlikely anyone would be working with images that size. I don't know, but it sounds like it might be a good idea. I'm open to patches or exploit/testing code for this issue. But at the moment my primary concern is to get the upstream developers to take a look at the issue and deliver a proper, comprehensive patch. And to fix up the immediate security hole for the major distros. At the time of writing, Fedora is going with the patch in comment 11. Rich. -- Richard Jones Red Hat