Hi I'd suggest going with gentoo's approach of using a separate oversized.h file. Any objections? I've tried building this, but the debdiff between the -dev binary packages was quite huge, so I am not uploading anything.
Cheers Steffen [0]: https://bugs.gentoo.org/attachment.cgi?id=199108&action=view
diff -u camlimages-3.0.1/debian/changelog camlimages-3.0.1/debian/changelog --- camlimages-3.0.1/debian/changelog +++ camlimages-3.0.1/debian/changelog @@ -1,3 +1,12 @@ +camlimages (1:3.0.1-2.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Expand security patch for integer overflows to also cover other + image types (Closes: #540146) + Fixes: CVE-2009-2660 + + -- Steffen Joeris <wh...@debian.org> Sat, 08 Aug 2009 07:05:38 +0000 + camlimages (1:3.0.1-2) unstable; urgency=low [ Mehdi Dogguy ] diff -u camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch --- camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch +++ camlimages-3.0.1/debian/patches/fix_integer_overflows.dpatch @@ -8,82 +8,155 @@ -diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c ---- camlimages~/src/pngread.c 2009-06-23 11:22:20.000000000 +0200 -+++ camlimages/src/pngread.c 2009-07-03 17:51:31.000000000 +0200 -@@ -15,6 +15,8 @@ - #include "config.h" - #endif - -+#include <limits.h> +Index: src/gifread.c +=================================================================== +--- src/gifread.c.orig ++++ camlimages-3.0.1/src/gifread.c +@@ -20,6 +20,8 @@ + #include <caml/memory.h> + #include <caml/fail.h> + ++#include "oversized.h" ++ + #include <stdio.h> + #include <string.h> + +@@ -191,6 +193,9 @@ value dGifGetLine( value hdl ) + + GifFileType *GifFile = (GifFileType*) hdl; + ++ if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){ ++ failwith_oversized("gif"); ++ } + buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); + + if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) +Index: src/jpegread.c +=================================================================== +--- src/jpegread.c.orig ++++ camlimages-3.0.1/src/jpegread.c +@@ -20,6 +20,8 @@ + #include <caml/memory.h> + #include <caml/fail.h> + ++#include "oversized.h" ++ + #include <stdio.h> + #include <string.h> + +@@ -156,6 +158,12 @@ read_JPEG_file (value name) + */ + /* JSAMPLEs per row in output buffer */ + ++ if( oversized(cinfo.output_width, cinfo.output_components) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith_oversized("jpeg"); ++ } ++ + row_stride = cinfo.output_width * cinfo.output_components; + + /* Make a one-row-high sample array that will go away when done with image */ +@@ -177,6 +185,12 @@ read_JPEG_file (value name) + jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); + } + ++ if( oversized(row_stride, cinfo.output_height) ){ ++ jpeg_destroy_decompress(&cinfo); ++ fclose(infile); ++ failwith_oversized("jpeg"); ++ } + - #include <png.h> - - #include <caml/mlvalues.h> -@@ -26,6 +28,12 @@ - #define PNG_TAG_INDEX16 2 - #define PNG_TAG_INDEX4 3 - + { + CAMLlocalN(r,3); + r[0] = Val_int(cinfo.output_width); +@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe + + { + CAMLlocalN(r,3); ++ // CR jfuruse: integer overflow + r[0] = Val_int(cinfop->output_width); + r[1] = Val_int(cinfop->output_height); + r[2] = alloc_tuple(3); +Index: src/oversized.h +=================================================================== +--- /dev/null ++++ camlimages-3.0.1/src/oversized.h +@@ -0,0 +1,9 @@ ++#include <limits.h> +/* Test if x or y are negative, or if multiplying x * y would cause an + * arithmetic overflow. + */ +#define oversized(x, y) \ + ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) + - value read_png_file_as_rgb24( name ) - value name; - { -@@ -81,6 +89,9 @@ ++#define failwith_oversized(lib) \ ++ failwith("#lib error: image contains oversized or bogus width and height"); +Index: src/pngread.c +=================================================================== +--- src/pngread.c.orig ++++ camlimages-3.0.1/src/pngread.c +@@ -17,6 +17,8 @@ + + #include <png.h> + ++#include "oversized.h" ++ + #include <caml/mlvalues.h> + #include <caml/alloc.h> + #include <caml/memory.h> +@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name ) png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (oversized (width, height)) -+ failwith ("png error: image contains oversized or bogus width and height"); ++ failwith_oversized("png"); + if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -102,10 +113,16 @@ +@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name ) rowbytes = png_get_rowbytes(png_ptr, info_ptr); + if (oversized (rowbytes, height)) -+ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ failwith_oversized("png"); + { int i; png_bytep *row_pointers; + if (oversized (sizeof (png_bytep), height)) -+ failwith ("png error: image contains oversized or bogus height"); ++ failwith_oversized("png"); + row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); res = alloc_tuple(3); -@@ -235,6 +252,9 @@ +@@ -235,6 +246,9 @@ value read_png_file( name ) png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (oversized (width, height)) -+ failwith ("png error: image contains oversized or bogus width and height"); ++ failwith_oversized("png"); + if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -251,6 +271,9 @@ +@@ -251,6 +265,9 @@ value read_png_file( name ) rowbytes = png_get_rowbytes(png_ptr, info_ptr); + if (oversized (rowbytes, height)) -+ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ failwith_oversized("png"); + /* fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); */ -@@ -259,6 +282,9 @@ +@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi png_bytep *row_pointers; char mesg[256]; + if (oversized (sizeof (png_bytep), height)) -+ failwith ("png error: image contains oversized or bogus height"); ++ failwith_oversized("png"); + row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height); res = alloc_tuple(3); +
signature.asc
Description: This is a digitally signed message part.