1 |
aballier 09/07/24 20:51:30 |
2 |
|
3 |
Added: camlimages-3.0.1-lablgtk.patch |
4 |
camlimages-3.0.1-CVE-2009-2295.patch |
5 |
Log: |
6 |
Version bump with security fixes from upstream, bug #276235 |
7 |
(Portage version: 2.2_rc33/cvs/Linux x86_64) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-lablgtk.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: camlimages-3.0.1-lablgtk.patch |
16 |
=================================================================== |
17 |
Index: camlimages-3.0.1/examples/liv/liv.ml |
18 |
=================================================================== |
19 |
--- camlimages-3.0.1.orig/examples/liv/liv.ml |
20 |
+++ camlimages-3.0.1/examples/liv/liv.ml |
21 |
@@ -12,6 +12,10 @@ |
22 |
|
23 |
(* $Id: camlimages-3.0.1-lablgtk.patch,v 1.1 2009/07/24 20:51:30 aballier Exp $ *) |
24 |
|
25 |
+ |
26 |
+module D = Display |
27 |
+open D |
28 |
+ |
29 |
open Images;; |
30 |
open OImages;; |
31 |
|
32 |
@@ -21,14 +25,13 @@ open GMain;; |
33 |
|
34 |
open Livmisc;; |
35 |
open Gui;; |
36 |
-open Display;; |
37 |
open Tout;; |
38 |
|
39 |
open Gc;; |
40 |
|
41 |
exception Skipped;; |
42 |
|
43 |
-let base_filters = ref ([] : Display.filter list);; |
44 |
+let base_filters = ref ([] : D.filter list);; |
45 |
|
46 |
let r = Gc.get () in |
47 |
r.max_overhead <- 0; Gc.set r; |
48 |
@@ -52,15 +55,15 @@ Arg.parse [ |
49 |
"-root", |
50 |
Arg.String |
51 |
(function |
52 |
- | "center" -> Display.root_mode := `CENTER |
53 |
- | "random" -> Display.root_mode := `RANDOM |
54 |
+ | "center" -> D.root_mode := `CENTER |
55 |
+ | "random" -> D.root_mode := `RANDOM |
56 |
| _ -> raise (Failure "root mode")), |
57 |
": on root [center|random]"; |
58 |
"-transition", |
59 |
Arg.String |
60 |
(function |
61 |
- | "myst" -> Display.transition := `MYST |
62 |
- | "transparent" -> Display.transition := `TRANSPARENT |
63 |
+ | "myst" -> D.transition := `MYST |
64 |
+ | "transparent" -> D.transition := `TRANSPARENT |
65 |
| _ -> raise (Failure "transition")), |
66 |
": transition [myst|transparent]"; |
67 |
"-transparentborder", |
68 |
|
69 |
|
70 |
|
71 |
1.1 dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch |
72 |
|
73 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch?rev=1.1&view=markup |
74 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-ml/camlimages/files/camlimages-3.0.1-CVE-2009-2295.patch?rev=1.1&content-type=text/plain |
75 |
|
76 |
Index: camlimages-3.0.1-CVE-2009-2295.patch |
77 |
=================================================================== |
78 |
Index: src/gifread.c |
79 |
=================================================================== |
80 |
--- src/gifread.c.orig |
81 |
+++ src/gifread.c |
82 |
@@ -20,6 +20,8 @@ |
83 |
#include <caml/memory.h> |
84 |
#include <caml/fail.h> |
85 |
|
86 |
+#include "oversized.h" |
87 |
+ |
88 |
#include <stdio.h> |
89 |
#include <string.h> |
90 |
|
91 |
@@ -191,6 +193,9 @@ value dGifGetLine( value hdl ) |
92 |
|
93 |
GifFileType *GifFile = (GifFileType*) hdl; |
94 |
|
95 |
+ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){ |
96 |
+ failwith_oversized("gif"); |
97 |
+ } |
98 |
buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); |
99 |
|
100 |
if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) |
101 |
Index: src/jpegread.c |
102 |
=================================================================== |
103 |
--- src/jpegread.c.orig |
104 |
+++ src/jpegread.c |
105 |
@@ -20,6 +20,8 @@ |
106 |
#include <caml/memory.h> |
107 |
#include <caml/fail.h> |
108 |
|
109 |
+#include "oversized.h" |
110 |
+ |
111 |
#include <stdio.h> |
112 |
#include <string.h> |
113 |
|
114 |
@@ -156,6 +158,12 @@ read_JPEG_file (value name) |
115 |
*/ |
116 |
/* JSAMPLEs per row in output buffer */ |
117 |
|
118 |
+ if( oversized(cinfo.output_width, cinfo.output_components) ){ |
119 |
+ jpeg_destroy_decompress(&cinfo); |
120 |
+ fclose(infile); |
121 |
+ failwith_oversized("jpeg"); |
122 |
+ } |
123 |
+ |
124 |
row_stride = cinfo.output_width * cinfo.output_components; |
125 |
|
126 |
/* Make a one-row-high sample array that will go away when done with image */ |
127 |
@@ -177,6 +185,12 @@ read_JPEG_file (value name) |
128 |
jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); |
129 |
} |
130 |
|
131 |
+ if( oversized(row_stride, cinfo.output_height) ){ |
132 |
+ jpeg_destroy_decompress(&cinfo); |
133 |
+ fclose(infile); |
134 |
+ failwith_oversized("jpeg"); |
135 |
+ } |
136 |
+ |
137 |
{ |
138 |
CAMLlocalN(r,3); |
139 |
r[0] = Val_int(cinfo.output_width); |
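Review bot: The `oversized(row_stride, cinfo.output_height)` check runs only after the `jpeg_read_scanlines` loop, so a file with bogus dimensions is fully decoded into `buffer` before it is rejected. The allocation of `buffer` is outside this hunk, so confirm it is bounded on its own; if it multiplies the same two values, this guard arrives too late. Moving the block up beside the `row_stride` check in the previous hunk, before any rows are read, rejects the image before memory and CPU are spent on it. read_JPEG_file starts and ends outside the hunk.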
140 |
@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe |
141 |
|
142 |
{ |
143 |
CAMLlocalN(r,3); |
144 |
+ // CR jfuruse: integer overflow |
145 |
r[0] = Val_int(cinfop->output_width); |
146 |
r[1] = Val_int(cinfop->output_height); |
147 |
r[2] = alloc_tuple(3); |
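Review bot: The only change in open_jpeg_file_for_read_start is the marker `// CR jfuruse: integer overflow`, so the overflow it names is recorded but not fixed on this path. If the code after this hunk multiplies `cinfop->output_width` by the component count or height the way read_JPEG_file does, it needs the same `oversized(...)` guard followed by `failwith_oversized("jpeg");`, with whatever cleanup this function owes. Until then the comment should say what is still unchecked, e.g. `/* TODO: width/height products below are not checked with oversized() */`, using `/* */` like the rest of the file. The function body starts and ends outside the hunk.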
148 |
Index: src/oversized.h |
149 |
=================================================================== |
150 |
--- /dev/null |
151 |
+++ src/oversized.h |
152 |
@@ -0,0 +1,9 @@ |
153 |
+#include <limits.h> |
154 |
+/* Test if x or y are negative, or if multiplying x * y would cause an |
155 |
+ * arithmetic overflow. |
156 |
+ */ |
157 |
+#define oversized(x, y) \ |
158 |
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) |
159 |
+ |
160 |
+#define failwith_oversized(lib) \ |
161 |
+ failwith("#lib error: image contains oversized or bogus width and height"); |
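Review bot: `failwith_oversized` never puts the library name into the message, because `#lib` sits inside the string literal where the preprocessor does not stringify it, so every caller raises the literal text `#lib error: ...`. Since all call sites pass a string literal, `failwith(lib " error: image contains oversized or bogus width and height")` produces the intended message. The trailing `;` in the macro body should be dropped as well, since `if (...) failwith_oversized("png");` then expands to two statements and would break a following `else`. `oversized` evaluates each argument several times, so callers must pass side-effect-free expressions, and its `< 0` tests are vacuous for the unsigned arguments some call sites pass (`sizeof`, and presumably the png dimensions).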
162 |
Index: src/pngread.c |
163 |
=================================================================== |
164 |
--- src/pngread.c.orig |
165 |
+++ src/pngread.c |
166 |
@@ -17,6 +17,8 @@ |
167 |
|
168 |
#include <png.h> |
169 |
|
170 |
+#include "oversized.h" |
171 |
+ |
172 |
#include <caml/mlvalues.h> |
173 |
#include <caml/alloc.h> |
174 |
#include <caml/memory.h> |
175 |
@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name ) |
176 |
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, |
177 |
&interlace_type, NULL, NULL); |
178 |
|
179 |
+ if (oversized (width, height)) |
180 |
+ failwith_oversized("png"); |
181 |
+ |
182 |
if ( color_type == PNG_COLOR_TYPE_GRAY || |
183 |
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { |
184 |
png_set_gray_to_rgb(png_ptr); |
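Review bot: `failwith_oversized("png")` is raised here without releasing anything, unlike the jpeg hunks, which call `jpeg_destroy_decompress` and `fclose` before raising. By this point `png_ptr` and `info_ptr` exist and the input file is presumably open (the setup is outside the hunk), so each rejected image would leak the libpng structs and a file descriptor. A long-running process fed malformed files can exhaust those descriptors. Precede the raise with `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` and an `fclose` of the input stream. The same applies to the other five `oversized` checks in read_png_file_as_rgb24 and read_png_file.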
185 |
@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name ) |
186 |
|
187 |
rowbytes = png_get_rowbytes(png_ptr, info_ptr); |
188 |
|
189 |
+ if (oversized (rowbytes, height)) |
190 |
+ failwith_oversized("png"); |
191 |
+ |
192 |
{ |
193 |
int i; |
194 |
png_bytep *row_pointers; |
195 |
|
196 |
+ if (oversized (sizeof (png_bytep), height)) |
197 |
+ failwith_oversized("png"); |
198 |
+ |
199 |
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); |
200 |
|
201 |
res = alloc_tuple(3); |
202 |
@@ -235,6 +246,9 @@ value read_png_file( name ) |
203 |
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, |
204 |
&interlace_type, NULL, NULL); |
205 |
|
206 |
+ if (oversized (width, height)) |
207 |
+ failwith_oversized("png"); |
208 |
+ |
209 |
if ( color_type == PNG_COLOR_TYPE_GRAY || |
210 |
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { |
211 |
png_set_gray_to_rgb(png_ptr); |
212 |
@@ -251,6 +265,9 @@ value read_png_file( name ) |
213 |
|
214 |
rowbytes = png_get_rowbytes(png_ptr, info_ptr); |
215 |
|
216 |
+ if (oversized (rowbytes, height)) |
217 |
+ failwith_oversized("png"); |
218 |
+ |
219 |
/* |
220 |
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); |
221 |
*/ |
222 |
@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi |
223 |
png_bytep *row_pointers; |
224 |
char mesg[256]; |
225 |
|
226 |
+ if (oversized (sizeof (png_bytep), height)) |
227 |
+ failwith_oversized("png"); |
228 |
+ |
229 |
row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height); |
230 |
res = alloc_tuple(3); |