summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-04-29 09:02:19 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-01 11:34:51 (GMT)
commitcafdccb29c350a0f030ef55f9cc7d5c4c0b5a0bb (patch)
treebd881f97a3aba8d9946996fc7c951207dd46443e
parent13eda671267c7b38be0b863319f187fc8b4eae05 (diff)
downloadpoky-cafdccb29c350a0f030ef55f9cc7d5c4c0b5a0bb.tar.gz
libpng16: CVE-2015-0973
Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow vulnerability in the png_combine_row() function of the libpng library, when very large interlaced images were used. Upstream patch: http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/ External Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0973 http://seclists.org/oss-sec/2014/q4/1133 (From OE-Core rev: 10c8aeebca301ffd853e75df3f9c1d16d0352d76) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch47
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.8.bb1
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
new file mode 100644
index 0000000..d66ac0c
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
@@ -0,0 +1,47 @@
1libpng16: Fixed an overflow in png_combine_row with very wide interlaced
2
3Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow
4vulnerability in the png_combine_row() function of the libpng library,
5when very large interlaced images were used.
6
7Upstream patch:
8http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
9
10Upstream-Status: Backport
11
12Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13---
14diff --git a/pngrutil.c b/pngrutil.c
15index e9fdd62..4c26be4 100644
16--- a/pngrutil.c
17+++ b/pngrutil.c
18@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
19 {
20 unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
21 png_const_bytep sp = png_ptr->row_buf + 1;
22- png_uint_32 row_width = png_ptr->width;
23+ png_alloc_size_t row_width = png_ptr->width;
24 unsigned int pass = png_ptr->pass;
25 png_bytep end_ptr = 0;
26 png_byte end_byte = 0;
27@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
28
29 /* But don't allow this number to exceed the actual row width. */
30 if (bytes_to_copy > row_width)
31- bytes_to_copy = row_width;
32+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
33 }
34
35 else /* normal row; Adam7 only ever gives us one pixel to copy. */
36@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
37 dp += bytes_to_jump;
38 row_width -= bytes_to_jump;
39 if (bytes_to_copy > row_width)
40- bytes_to_copy = row_width;
41+ bytes_to_copy = (unsigned int)/*SAFE*/row_width;
42 }
43 }
44
45--
461.9.1
47
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
index d063495..bb7745b 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
@@ -10,6 +10,7 @@ LIBV = "16"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
12 file://0001-configure-lower-automake-requirement.patch \ 12 file://0001-configure-lower-automake-requirement.patch \
13 file://libpng16-CVE-2015-0973.patch \
13 " 14 "
14 15
15SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0" 16SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0"