From 3efb0bdd5c79f5dcb21495e9b444721603ae93f0 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Mon, 17 Sep 2018 10:12:53 +0200
Subject: libpng: fix for CVE-2018-13785

ref: https://nvd.nist.gov/vuln/detail/CVE-2018-13785

Change-Id: I1e4f17816bca50dd405ac7ee7c16d8d9aa7e0b21
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 .../libpng/libpng/CVE-2018-13785.patch             | 40 ++++++++++++++++++++++
 recipes-multimedia/libpng/libpng_%.bbappend        |  5 +++
 2 files changed, 45 insertions(+)
 create mode 100644 recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
 create mode 100644 recipes-multimedia/libpng/libpng_%.bbappend

diff --git a/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
new file mode 100644
index 0000000..0d8aaf8
--- /dev/null
+++ b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
@@ -0,0 +1,40 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+
+CVE: CVE-2018-13785
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b5..5ba995a 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
++         (size_t)png_ptr->width
++         * (size_t)png_ptr->channels
++         * (png_ptr->bit_depth > 8? 2: 1)
++         + 1
++         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
++         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+1.9.1
+
diff --git a/recipes-multimedia/libpng/libpng_%.bbappend b/recipes-multimedia/libpng/libpng_%.bbappend
new file mode 100644
index 0000000..948941d
--- /dev/null
+++ b/recipes-multimedia/libpng/libpng_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://CVE-2018-13785.patch \
+           "
-- 
cgit v1.2.3-54-g00ecf