caml-list - the Caml user's mailing list
From: Jun Furuse <jun.furuse@gmail.com>
To: Richard Jones <rich@annexia.org>
Cc: Anil Madhavapeddy <anil@recoil.org>, caml-list@inria.fr
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
Date: Sat, 4 Jul 2009 10:56:50 +0900
Message-ID: <5160b4200907031856g247ebbe9va973b9447572e4e6@mail.gmail.com>
In-Reply-To: <20090703183507.GA26539@annexia.org>

Coincidentally, I am working on the PNG reading code of camlimages again this week.
I will check the patch and incorporate it into the CVS version soon.

j

On Sat, Jul 4, 2009 at 3:35 AM, Richard Jones <rich@annexia.org> wrote:
> On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
>> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>>
>> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> >>Do you have a patch for this at all?  I need to stick it into OpenBSD
>> >>fairly urgently as we're in release lock.
>> >
>> >Yes, I worked up a patch here:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>> >
>> >Not entirely sure if it is correct and complete though, so if you have
>> >any suggested changes, please share them.
>>
>> Should width and height be clamped further to 31-/63- bits in addition
>> to the multiplication check?  It's stored in an OCaml int later on,
>> and it's pretty unlikely anyone would be working with images that size.
>
> I don't know, but it sounds like it might be a good idea.  I'm open to
> patches or exploit/testing code for this issue.  But at the moment my
> primary concern is to get the upstream developers to take a look at
> the issue and deliver a proper, comprehensive patch.
>
> And to fix up the immediate security hole for the major distros.  At
> the time of writing, Fedora is going with the patch in comment 11.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
>
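
The combination raised in the quoted thread (a multiplication check plus clamping width and height to what an OCaml int can hold), as an added C example that is not part of the original messages and is not the patch from the Bugzilla comment. The function name, the bytes-per-pixel parameter and the choice to bound the total size by OCaml's max_int are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest OCaml int: one bit of the machine word is the tag bit, so the
   maximum is 2^30 - 1 on 32-bit and 2^62 - 1 on 64-bit platforms. */
#define OCAML_MAX_INT (((uintptr_t)1 << (sizeof(uintptr_t) * 8 - 2)) - 1)

/* Hypothetical helper (not camlimages code): returns 0 and stores the pixel
   buffer size in *out when width * height * bytes_per_pixel is safe to
   compute and to hand back to OCaml as an int; returns -1 otherwise. */
int checked_image_bytes(uint32_t width, uint32_t height,
                        uint32_t bytes_per_pixel, size_t *out)
{
    size_t limit = (size_t)OCAML_MAX_INT;
    size_t rowbytes;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;
    /* Clamp: each dimension must survive conversion to an OCaml int. */
    if (width > OCAML_MAX_INT || height > OCAML_MAX_INT)
        return -1;
    /* Multiplication check done by division, so no product can wrap. */
    if ((size_t)width > limit / bytes_per_pixel)
        return -1;
    rowbytes = (size_t)width * bytes_per_pixel;
    if ((size_t)height > limit / rowbytes)
        return -1;
    *out = rowbytes * (size_t)height;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed header values: an ordinary image, then oversized ones. */
    int ok = checked_image_bytes(640, 480, 4, &n);
    printf("640x480x4: %d (%zu bytes)\n", ok, n);
    printf("0xFFFFFFFF squared: %d\n",
           checked_image_bytes(0xFFFFFFFFu, 0xFFFFFFFFu, 4, &n));
    return 0;
}
```

With 32-bit arithmetic, 0x10000 x 0x10000 x 4 wraps to 0; here it is either rejected (32-bit) or returned as the true 2^34 (64-bit).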