From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <anil@recoil.org>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on yquem.inria.fr
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled 
	version=3.1.3
X-Original-To: caml-list@yquem.inria.fr
Delivered-To: caml-list@yquem.inria.fr
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104])
	by yquem.inria.fr (Postfix) with ESMTP id 18578BC37
	for <caml-list@yquem.inria.fr>; Fri,  3 Jul 2009 19:37:07 +0200 (CEST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqkDABPfTUrCRgOEgWdsb2JhbACBUZdDAQEWJLQogkmBSQU
X-IronPort-AV: E=Sophos;i="4.42,343,1243807200"; 
   d="scan'208";a="30633566"
Received: from fork.recoil.org ([194.70.3.132])
  by mail3-smtp-sop.national.inria.fr with SMTP; 03 Jul 2009 19:36:36 +0200
Received: (qmail 19866 invoked by uid 3023); 3 Jul 2009 17:36:35 -0000
Received: from 94-194-206-35.zone8.bethere.co.uk (HELO shock.config) (94.194.206.35)
  (smtp-auth username remote@recoil.org, mechanism cram-md5)
  by fork.recoil.org (qpsmtpd/0.32) with ESMTP; Fri, 03 Jul 2009 18:36:34 +0100
Cc: caml-list@inria.fr
Message-Id: <0554DF81-B2CD-4B0A-8988-C6627594CB0B@recoil.org>
From: Anil Madhavapeddy <anil@recoil.org>
To: Richard Jones <rich@annexia.org>
In-Reply-To: <20090703172803.GA22720@annexia.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
Date: Fri, 3 Jul 2009 18:36:32 +0100
References: <20090703113838.GA8086@annexia.org> <0D39970B-7727-4503-A218-C8CDD3B64F4D@recoil.org> <20090703172803.GA22720@annexia.org>
X-Mailer: Apple Mail (2.935.3)
X-Spam: no; 0.00; anil:01 anil:01 camlimages:01 0100,:01 bug:01 ocaml:01 28,:98 2009:98 height:98 wrote:01 wrote:01 overflows:01 integer:01 caml-list:01 int:01 

On 3 Jul 2009, at 18:28, Richard Jones wrote:

> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> Do you have a patch for this at all?  I need to stick it into OpenBSD
>> fairly urgently as we're in release lock.
>
> Yes, I worked up a patch here:
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>
> Not entirely sure if it is correct and complete though, so if you have
> any suggested changes, please share them.

Should width and height be clamped further to 31-/63- bits in addition  
to the multiplication check?  It's stored in an OCaml int later on,  
and it's pretty unlikely anyone would be working with images that size.

-anil