
From: "Alexis Ballier (aballier)" <aballier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in dev-ml/camlimages/files: camlimages-3.0.1-lablgtk.patch camlimages-3.0.1-CVE-2009-2295.patch
Date: Fri, 24 Jul 2009 20:51:32
Message-Id: E1MURjm-0007RQ-Uu@stork.gentoo.org
1 aballier 09/07/24 20:51:30
2
3 Added: camlimages-3.0.1-lablgtk.patch
4 camlimages-3.0.1-CVE-2009-2295.patch
5 Log:
6 Version bump with security fixes from upstream, bug #276235
7 (Portage version: 2.2_rc33/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.1 dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch
11
12 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch?rev=1.1&content-type=text/plain
14
15 Index: camlimages-3.0.1-lablgtk.patch
16 ===================================================================
17 Index: camlimages-3.0.1/examples/liv/liv.ml
18 ===================================================================
19 --- camlimages-3.0.1.orig/examples/liv/liv.ml
20 +++ camlimages-3.0.1/examples/liv/liv.ml
21 @@ -12,6 +12,10 @@
22
23 (* $Id: camlimages-3.0.1-lablgtk.patch,v 1.1 2009/07/24 20:51:30 aballier Exp $ *)
24
25 +
26 +module D = Display
27 +open D
28 +
29 open Images;;
30 open OImages;;
31
32 @@ -21,14 +25,13 @@ open GMain;;
33
34 open Livmisc;;
35 open Gui;;
36 -open Display;;
37 open Tout;;
38
39 open Gc;;
40
41 exception Skipped;;
42
43 -let base_filters = ref ([] : Display.filter list);;
44 +let base_filters = ref ([] : D.filter list);;
45
46 let r = Gc.get () in
47 r.max_overhead <- 0; Gc.set r;
48 @@ -52,15 +55,15 @@ Arg.parse [
49 "-root",
50 Arg.String
51 (function
52 - | "center" -> Display.root_mode := `CENTER
53 - | "random" -> Display.root_mode := `RANDOM
54 + | "center" -> D.root_mode := `CENTER
55 + | "random" -> D.root_mode := `RANDOM
56 | _ -> raise (Failure "root mode")),
57 ": on root [center|random]";
58 "-transition",
59 Arg.String
60 (function
61 - | "myst" -> Display.transition := `MYST
62 - | "transparent" -> Display.transition := `TRANSPARENT
63 + | "myst" -> D.transition := `MYST
64 + | "transparent" -> D.transition := `TRANSPARENT
65 | _ -> raise (Failure "transition")),
66 ": transition [myst|transparent]";
67 "-transparentborder",
68
69
70
71 1.1 dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch
72
73 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch?rev=1.1&view=markup
74 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch?rev=1.1&content-type=text/plain
75
76 Index: camlimages-3.0.1-CVE-2009-2295.patch
77 ===================================================================
78 Index: src/gifread.c
79 ===================================================================
80 --- src/gifread.c.orig
81 +++ src/gifread.c
82 @@ -20,6 +20,8 @@
83 #include <caml/memory.h>
84 #include <caml/fail.h>
85
86 +#include "oversized.h"
87 +
88 #include <stdio.h>
89 #include <string.h>
90
91 @@ -191,6 +193,9 @@ value dGifGetLine( value hdl )
92
93 GifFileType *GifFile = (GifFileType*) hdl;
94
95 + if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
96 + failwith_oversized("gif");
97 + }
98 buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) );
99
100 if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width )
101 Index: src/jpegread.c
102 ===================================================================
103 --- src/jpegread.c.orig
104 +++ src/jpegread.c
105 @@ -20,6 +20,8 @@
106 #include <caml/memory.h>
107 #include <caml/fail.h>
108
109 +#include "oversized.h"
110 +
111 #include <stdio.h>
112 #include <string.h>
113
114 @@ -156,6 +158,12 @@ read_JPEG_file (value name)
115 */
116 /* JSAMPLEs per row in output buffer */
117
118 + if( oversized(cinfo.output_width, cinfo.output_components) ){
119 + jpeg_destroy_decompress(&cinfo);
120 + fclose(infile);
121 + failwith_oversized("jpeg");
122 + }
123 +
124 row_stride = cinfo.output_width * cinfo.output_components;
125
126 /* Make a one-row-high sample array that will go away when done with image */
127 @@ -177,6 +185,12 @@ read_JPEG_file (value name)
128 jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1);
129 }
130
131 + if( oversized(row_stride, cinfo.output_height) ){
132 + jpeg_destroy_decompress(&cinfo);
133 + fclose(infile);
134 + failwith_oversized("jpeg");
135 + }
136 +
137 {
138 CAMLlocalN(r,3);
139 r[0] = Val_int(cinfo.output_width);
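Review bot: The `oversized(row_stride, cinfo.output_height)` guard added here runs only after the `jpeg_read_scanlines` loop has finished, so a file with bogus dimensions is decoded in full into `buffer` before it is rejected. Both operands are already fixed once `row_stride` is computed in the earlier hunk (-156), so this test could sit beside the first `oversized()` check and fail before any decode work or memory is spent. The allocation this guard protects is not visible in the hunk, and read_JPEG_file's body continues outside it. Wherever the check lands, the cleanup before raising (`jpeg_destroy_decompress(&cinfo); fclose(infile);`) should stay with it.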
140 @@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe
141
142 {
143 CAMLlocalN(r,3);
144 + // CR jfuruse: integer overflow
145 r[0] = Val_int(cinfop->output_width);
146 r[1] = Val_int(cinfop->output_height);
147 r[2] = alloc_tuple(3);
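Review bot: The added `// CR jfuruse: integer overflow` marks a problem in open_jpeg_file_for_read_start but adds no check, so this entry point stays unguarded while read_JPEG_file gets `oversized()` tests in the same patch. The comment also does not say which expression overflows. Something like `/* CR jfuruse: dimensions are not range-checked on this path; apply oversized() before any size product is computed */` would tell the next reader what is left to fix, though the wording should be confirmed against the rest of the function, which lies outside the hunk. If the same width and stride products are computed further down, presumably the guard used in read_JPEG_file applies here too.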
148 Index: src/oversized.h
149 ===================================================================
150 --- /dev/null
151 +++ src/oversized.h
152 @@ -0,0 +1,9 @@
153 +#include <limits.h>
154 +/* Test if x or y are negative, or if multiplying x * y would cause an
155 + * arithmetic overflow.
156 + */
157 +#define oversized(x, y) \
158 + ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
159 +
160 +#define failwith_oversized(lib) \
161 + failwith("#lib error: image contains oversized or bogus width and height");
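Review bot: In `failwith_oversized`, `#lib` sits inside the string literal, so the preprocessor never substitutes it and every caller raises the literal text "#lib error: …" instead of naming the image format. Callers pass a string literal, so adjacent-literal concatenation gives the intended message, and dropping the trailing `;` keeps the macro safe in an unbraced `if`/`else`: `failwith(lib " error: image contains oversized or bogus width and height")`. `oversized(x, y)` evaluates each argument more than once and always bounds against `INT_MAX`, so for the unsigned operands used in pngread.c the `< 0` tests are no-ops and the limit is simply conservative. That is safe for the calls in this patch, but worth a comment on the macro such as `/* arguments are evaluated more than once; pass side-effect-free expressions */`, plus an include guard on the header.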
162 Index: src/pngread.c
163 ===================================================================
164 --- src/pngread.c.orig
165 +++ src/pngread.c
166 @@ -17,6 +17,8 @@
167
168 #include <png.h>
169
170 +#include "oversized.h"
171 +
172 #include <caml/mlvalues.h>
173 #include <caml/alloc.h>
174 #include <caml/memory.h>
175 @@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name )
176 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
177 &interlace_type, NULL, NULL);
178
179 + if (oversized (width, height))
180 + failwith_oversized("png");
181 +
182 if ( color_type == PNG_COLOR_TYPE_GRAY ||
183 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
184 png_set_gray_to_rgb(png_ptr);
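Review bot: The `failwith_oversized("png")` added after `png_get_IHDR` raises while `png_ptr` and `info_ptr` are live, without the cleanup the JPEG hunks do before raising (`jpeg_destroy_decompress(&cinfo); fclose(infile);`). Unless something outside the hunk releases them (read_png_file_as_rgb24 starts and ends outside it), each rejected image leaks the libpng structures and presumably the open file. That matters for a long-running process fed untrusted images. The branch should release them first, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` followed by an `fclose` on this function's file handle, and then raise. The same applies to the other five PNG checks in this patch, the `rowbytes`/`height` and `sizeof (png_bytep)`/`height` tests in both read_png_file_as_rgb24 and read_png_file.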
185 @@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name )
186
187 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
188
189 + if (oversized (rowbytes, height))
190 + failwith_oversized("png");
191 +
192 {
193 int i;
194 png_bytep *row_pointers;
195
196 + if (oversized (sizeof (png_bytep), height))
197 + failwith_oversized("png");
198 +
199 row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
200
201 res = alloc_tuple(3);
202 @@ -235,6 +246,9 @@ value read_png_file( name )
203 png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
204 &interlace_type, NULL, NULL);
205
206 + if (oversized (width, height))
207 + failwith_oversized("png");
208 +
209 if ( color_type == PNG_COLOR_TYPE_GRAY ||
210 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
211 png_set_gray_to_rgb(png_ptr);
212 @@ -251,6 +265,9 @@ value read_png_file( name )
213
214 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
215
216 + if (oversized (rowbytes, height))
217 + failwith_oversized("png");
218 +
219 /*
220 fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
221 */
222 @@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi
223 png_bytep *row_pointers;
224 char mesg[256];
225
226 + if (oversized (sizeof (png_bytep), height))
227 + failwith_oversized("png");
228 +
229 row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
230 res = alloc_tuple(3);