1 files changed, 40 insertions, 0 deletions
diff --git a/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
new file mode 100644
index 0000000..0d8aaf8
--- /dev/null
+++ b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
@@ -0,0 +1,40 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+(Bug report by Thuan Pham, SourceForge issue #278)
+CVE: CVE-2018-13785
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b5..5ba995a 100644
+--- a/pngrutil.c
+++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
+         (size_t)png_ptr->width
+         * (size_t)png_ptr->channels
+         * (png_ptr->bit_depth > 8? 2: 1)
+         + 1
+         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
+         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+1.9.1

diff --git a/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch new file mode 100644 index 0000000..0d8aaf8 --- /dev/null +++ b/recipes-multimedia/libpng/libpng/CVE-2018-13785.patch
@@ -0,0 +1,40 @@
	1	From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
	2	From: Cosmin Truta <ctruta@gmail.com>
	3	Date: Sun, 17 Jun 2018 22:56:29 -0400
	4	Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
	5	png_check_chunk_length
	6
	7	(Bug report by Thuan Pham, SourceForge issue #278)
	8
	9	CVE: CVE-2018-13785
	10	Upstream-Status: Backport
	11
	12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	13	---
	14	pngrutil.c \| 9 ++++++---
	15	1 file changed, 6 insertions(+), 3 deletions(-)
	16
	17	diff --git a/pngrutil.c b/pngrutil.c
	18	index 95571b5..5ba995a 100644
	19	--- a/pngrutil.c
	20	+++ b/pngrutil.c
	21	@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
	22	{
	23	png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
	24	size_t row_factor =
	25	- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
	26	- + 1 + (png_ptr->interlaced? 6: 0));
	27	+ (size_t)png_ptr->width
	28	+ * (size_t)png_ptr->channels
	29	+ * (png_ptr->bit_depth > 8? 2: 1)
	30	+ + 1
	31	+ + (png_ptr->interlaced? 6: 0);
	32	if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
	33	- idat_limit=PNG_UINT_31_MAX;
	34	+ idat_limit = PNG_UINT_31_MAX;
	35	else
	36	idat_limit = png_ptr->height * row_factor;
	37	row_factor = row_factor > 32566? 32566 : row_factor;
	38	--
	39	1.9.1
	40