From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jun.furuse@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on yquem.inria.fr
X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=AWL,DNS_FROM_RFC_POST,
	SPF_NEUTRAL autolearn=disabled version=3.1.3
X-Original-To: caml-list@yquem.inria.fr
Delivered-To: caml-list@yquem.inria.fr
Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105])
	by yquem.inria.fr (Postfix) with ESMTP id 049BCBC37
	for <caml-list@yquem.inria.fr>; Sat,  4 Jul 2009 03:56:51 +0200 (CEST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiQBAI5TTkrRVdzemGdsb2JhbACOUYoDPwEBAQEBCAkMBxOiM4Eaj0EBAwIEgkWBSQU
X-IronPort-AV: E=Sophos;i="4.42,345,1243807200"; 
   d="scan'208";a="42900261"
Received: from mail-fx0-f222.google.com ([209.85.220.222])
  by mail4-smtp-sop.national.inria.fr with ESMTP; 04 Jul 2009 03:56:51 +0200
Received: by fxm22 with SMTP id 22so2830960fxm.9
        for <caml-list@inria.fr>; Fri, 03 Jul 2009 18:56:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:message-id:subject:from:to:cc:content-type
         :content-transfer-encoding;
        bh=hwHqQ228HNYnYeroDQb+QOzsIqfQrwd1MZT+PC7xI2U=;
        b=swtVDzGed95jbl+Yo73U2ovju/P5ymBx1G3xEyzZm6/aWSk+yrEHP6cjlZYNu0H9Mv
         HQQ5MaZ20h7nDz1csZdcqJ7RTW8GWvrjPScFqMUp+nqO9tRmNeNfRgdr8QmezH7Ji+jA
         gVjg+wZ1aX03tmrsMJdpl0pbjSpAhYAl8ZfVo=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type:content-transfer-encoding;
        b=lZhU4c6qYsB9+PnIemqgz0DKzx4AC0Yf4APbqcrNF8gXBzHZtEYJ0lXx2PX8E6I9Xk
         I5rtl8/rgS0pfx4z9y1pc0l9YjkJUDXJN3i+VOsmQ8e/vGmGp/R2SQpFzjRyCv5/GFfS
         LyhDmNdMjpTZlP4Dffa7x9odEz67qTVimUCbI=
MIME-Version: 1.0
Received: by 10.223.107.199 with SMTP id c7mr1246974fap.31.1246672611012; Fri, 
	03 Jul 2009 18:56:51 -0700 (PDT)
In-Reply-To: <20090703183507.GA26539@annexia.org>
References: <20090703113838.GA8086@annexia.org>
	 <0D39970B-7727-4503-A218-C8CDD3B64F4D@recoil.org>
	 <20090703172803.GA22720@annexia.org>
	 <0554DF81-B2CD-4B0A-8988-C6627594CB0B@recoil.org>
	 <20090703183507.GA26539@annexia.org>
Date: Sat, 4 Jul 2009 10:56:50 +0900
Message-ID: <5160b4200907031856g247ebbe9va973b9447572e4e6@mail.gmail.com>
Subject: Re: [Caml-list] Camlimages integer overflows with PNG images
From: Jun Furuse <jun.furuse@gmail.com>
To: Richard Jones <rich@annexia.org>
Cc: Anil Madhavapeddy <anil@recoil.org>, caml-list@inria.fr
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Spam: no; 0.00; camlimages:01 furuse:01 furuse:01 camlimages:01 cvs:01 0100,:01 anil:01 0100,:01 anil:01 bug:01 ocaml:01 distros:01 beginner's:01 ocaml:01 bug:01 

Coincidentally I am working on png reading code of camlimages again this we=
ek.
I will check the patch and incorporate it to the CVS version soon.

=3D
j

On Sat, Jul 4, 2009 at 3:35 AM, Richard Jones<rich@annexia.org> wrote:
> On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
>> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>>
>> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> >>Do you have a patch for this at all? =A0I need to stick it into OpenBS=
D
>> >>fairly urgently as we're in release lock.
>> >
>> >Yes, I worked up a patch here:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=3D509531#c11
>> >
>> >Not entirely sure if it is correct and complete though, so if you have
>> >any suggested changes, please share them.
>>
>> Should width and height be clamped further to 31-/63- bits in addition
>> to the multiplication check? =A0It's stored in an OCaml int later on,
>> and it's pretty unlikely anyone would be working with images that size.
>
> I don't know, but it sounds like it might be a good idea. =A0I'm open to
> patches or exploit/testing code for this issue. =A0But at the moment my
> primary concern is to get the upstream developers to take a look at
> the issue and deliver a proper, comprehensive patch.
>
> And to fix up the immediate security hole for the major distros. =A0At
> the time of writing, Fedora is going with the patch in comment 11.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
>
> _______________________________________________
> Caml-list mailing list. Subscription management:
> http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
> Archives: http://caml.inria.fr
> Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
> Bug reports: http://caml.inria.fr/bin/caml-bugs
>