libpng: CVE-2015-8126

Fixes buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126 Upstream patches: https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-03-15 07:17:13 +0100
committer: Paul Vaduva <Paul.Vaduva@enea.com> 2016-03-17 13:27:37 +0100
commit: e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree: 24289fc33e88e2e2c7bfffd5a7c953568cb84ae0
parent: 0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download: poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz
5 files changed, 290 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
new file mode 100644
index 0000000000..7d4c3fe80b
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
@@ -0,0 +1,69 @@
+From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 29 Oct 2015 09:26:41 -0500
+Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
+CVE: CVE-2015-8126 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff -ruN a/libpng.3 b/libpng.3
+--- a/libpng.3  2014-08-21 12:53:36.000000000 +0200
+++ b/libpng.3  2016-03-14 12:32:29.071935164 +0100
+@@ -5611,6 +5611,11 @@
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ .SH XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+diff -ruN a/libpng-manual.txt b/libpng-manual.txt
+--- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200
+++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100
+@@ -5107,6 +5107,11 @@
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+diff -ruN a/pngwutil.c b/pngwutil.c
+--- a/pngwutil.c        2014-08-21 12:53:37.000000000 +0200
+++ b/pngwutil.c        2016-03-14 12:35:00.001454124 +0100
+@@ -919,17 +919,20 @@
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 i;
+   png_uint_32 max_num_pal, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
+ #endif
+-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_num_pal)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
new file mode 100644
index 0000000000..69cb565901
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
+From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 07:57:49 -0500
+Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
+ Truta).
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
+Many changes involved date and version updates with don't apply in this case.
+CVE: CVE-2015-8126 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff -ruN a/pngrutil.c b/pngrutil.c
+--- a/pngrutil.c        2014-08-21 12:53:36.000000000 +0200
+++ b/pngrutil.c        2016-03-14 13:05:12.419581068 +0100
+@@ -997,6 +997,9 @@
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+    *
+    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+diff -ruN a/pngset.c b/pngset.c
+--- a/pngset.c  2014-08-21 12:53:36.000000000 +0200
+++ b/pngset.c  2016-03-14 13:05:12.439580208 +0100
+@@ -503,12 +503,17 @@
+     png_const_colorp palette, int num_palette)
+ {
+ 
+   png_uint_32 max_palette_length;
+
+    png_debug1(1, "in %s storage function", "PLTE");
+ 
+    if (png_ptr == NULL || info_ptr == NULL)
+       return;
+ 
+-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
+@@ -541,8 +546,8 @@
+    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
+ 
+    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+-    * of num_palette entries, in case of an invalid PNG file that has
+-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
+     */
+    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+diff -ruN a/pngwutil.c b/pngwutil.c
+--- a/pngwutil.c        2016-03-14 13:01:23.433428517 +0100
+++ b/pngwutil.c        2016-03-14 13:07:42.933108329 +0100
+@@ -919,20 +919,20 @@
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
+ #endif
+-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
new file mode 100644
index 0000000000..0e0ad23200
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
+From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 11:34:37 -0500
+Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
+ reading.
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
+Normal Issues is date and version conflicts not applied.
+CVE: CVE-2015-8i26 patch #3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ANNOUNCE   |  3 ++-
+ CHANGES    |  3 ++-
+ pngrutil.c | 15 +++++++++++----
+ pngset.c   |  2 +-
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -867,7 +867,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ {
+    png_color palette[PNG_MAX_PALETTE_LENGTH];
+-   int num, i;
+   int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    png_colorp pal_ptr;
+ #endif
+@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+    * we don't issue an error, to preserve the behavior of previous libpng versions.
+    * We silently truncate the unused extra palette entries here.
+    */
+   if (num > max_palette_length)
+     num = max_palette_length;
+
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+    {
+@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+-    *
+-    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+-    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
+@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
+    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+-   if (num_palette < 0 || num_palette > max_palette_length)
+   if (num_palette < 0 || num_palette > (int) max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
new file mode 100644
index 0000000000..2622630d10
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
+From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 5 Nov 2015 11:18:44 -0600
+Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
+CVE:  CVE-2015-8126 patch #4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ pngrutil.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+-   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+-      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+-
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+-   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+-    * we don't issue an error, to preserve the behavior of previous libpng versions.
+-    * We silently truncate the unused extra palette entries here.
+   /* If the palette has 256 or fewer entries but is too large for the bit
+    * depth, we don't issue an error, to preserve the behavior of previous
+    * libpng versions. We silently truncate the unused extra palette entries
+    * here.
+     */
+   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+      max_palette_length = (1 << png_ptr->bit_depth);
+   else
+      max_palette_length = PNG_MAX_PALETTE_LENGTH;
+
+    if (num > max_palette_length)
+-     num = max_palette_length;
+      num = max_palette_length;
+ 
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
index 3d32bfea2c..80dcc0a63f 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
@@ -10,6 +10,12 @@ LIBV = "16"
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
          "
+SRC_URI += "\
+            file://CVE-2015-8126_1.patch \
+            file://CVE-2015-8126_2.patch \
+            file://CVE-2015-8126_3.patch \
+            file://CVE-2015-8126_4.patch \
+            "
 SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5"
 SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-03-15 07:17:13 +0100
committer	Paul Vaduva <Paul.Vaduva@enea.com>	2016-03-17 13:27:37 +0100
commit	e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree	24289fc33e88e2e2c7bfffd5a7c953568cb84ae0
parent	0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download	poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..7d4c3fe80b --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
@@ -0,0 +1,69 @@
		1	From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
		2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
		3	Date: Thu, 29 Oct 2015 09:26:41 -0500
		4	Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
		5
		6	Upstream-Status: Backport
		7	https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
		8
		9	CVE: CVE-2015-8126 patch #1
		10
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		13
		14	diff -ruN a/libpng.3 b/libpng.3
		15	--- a/libpng.3 2014-08-21 12:53:36.000000000 +0200
		16	+++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100
		17	@@ -5611,6 +5611,11 @@
		18	chunk. This error was fixed in libpng-1.6.3, and a tool (called
		19	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
		20
		21	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
		22	+is an error. Previously this requirement of the PNG specification was not
		23	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
		24	+but does not make any use of the extra entries.
		25	+
		26	.SH XIII. Detecting libpng
		27
		28	The png_get_io_ptr() function has been present since libpng-0.88, has never
		29	diff -ruN a/libpng-manual.txt b/libpng-manual.txt
		30	--- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200
		31	+++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100
		32	@@ -5107,6 +5107,11 @@
		33	chunk. This error was fixed in libpng-1.6.3, and a tool (called
		34	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
		35
		36	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
		37	+is an error. Previously this requirement of the PNG specification was not
		38	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
		39	+but does not make any use of the extra entries.
		40	+
		41	XIII. Detecting libpng
		42
		43	The png_get_io_ptr() function has been present since libpng-0.88, has never
		44	diff -ruN a/pngwutil.c b/pngwutil.c
		45	--- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200
		46	+++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100
		47	@@ -919,17 +919,20 @@
		48	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
		49	png_uint_32 num_pal)
		50	{
		51	- png_uint_32 i;
		52	+ png_uint_32 max_num_pal, i;
		53	png_const_colorp pal_ptr;
		54	png_byte buf[3];
		55
		56	png_debug(1, "in png_write_PLTE");
		57
		58	+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		59	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		60	+
		61	if ((
		62	#ifdef PNG_MNG_FEATURES_SUPPORTED
		63	!(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
		64	#endif
		65	- num_pal == 0) \|\| num_pal > 256)
		66	+ num_pal == 0) \|\| num_pal > max_num_pal)
		67	{
		68	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		69	{


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..69cb565901 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
		1	From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
		2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
		3	Date: Fri, 30 Oct 2015 07:57:49 -0500
		4	Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
		5	Truta).
		6
		7	Upstream-Status: Backport
		8	https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
		9
		10	Many changes involved date and version updates with don't apply in this case.
		11
		12	CVE: CVE-2015-8126 patch #2
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		15
		16	diff -ruN a/pngrutil.c b/pngrutil.c
		17	--- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200
		18	+++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100
		19	@@ -997,6 +997,9 @@
		20	* confusing.
		21	*
		22	* Fix this by not sharing the palette in this way.
		23	+ *
		24	+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
		25	+ * it attempts to set a palette length that is too large for the bit depth.
		26	*/
		27	png_set_PLTE(png_ptr, info_ptr, palette, num);
		28
		29	diff -ruN a/pngset.c b/pngset.c
		30	--- a/pngset.c 2014-08-21 12:53:36.000000000 +0200
		31	+++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100
		32	@@ -503,12 +503,17 @@
		33	png_const_colorp palette, int num_palette)
		34	{
		35
		36	+ png_uint_32 max_palette_length;
		37	+
		38	png_debug1(1, "in %s storage function", "PLTE");
		39
		40	if (png_ptr == NULL \|\| info_ptr == NULL)
		41	return;
		42
		43	- if (num_palette < 0 \|\| num_palette > PNG_MAX_PALETTE_LENGTH)
		44	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		45	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		46	+
		47	+ if (num_palette < 0 \|\| num_palette > max_palette_length)
		48	{
		49	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		50	png_error(png_ptr, "Invalid palette length");
		51	@@ -541,8 +546,8 @@
		52	png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
		53
		54	/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
		55	- * of num_palette entries, in case of an invalid PNG file that has
		56	- * too-large sample values.
		57	+ * of num_palette entries, in case of an invalid PNG file or incorrect
		58	+ * call to png_set_PLTE() with too-large sample values.
		59	*/
		60	png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
		61	PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
		62	diff -ruN a/pngwutil.c b/pngwutil.c
		63	--- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100
		64	+++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100
		65	@@ -919,20 +919,20 @@
		66	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
		67	png_uint_32 num_pal)
		68	{
		69	- png_uint_32 max_num_pal, i;
		70	+ png_uint_32 max_palette_length, i;
		71	png_const_colorp pal_ptr;
		72	png_byte buf[3];
		73
		74	png_debug(1, "in png_write_PLTE");
		75
		76	- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		77	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		78	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		79
		80	if ((
		81	#ifdef PNG_MNG_FEATURES_SUPPORTED
		82	!(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
		83	#endif
		84	- num_pal == 0) \|\| num_pal > max_num_pal)
		85	+ num_pal == 0) \|\| num_pal > max_palette_length)
		86	{
		87	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		88	{


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
		1	From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
		2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
		3	Date: Fri, 30 Oct 2015 11:34:37 -0500
		4	Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
		5	reading.
		6
		7	Upstream-Status: Backport
		8	https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
		9
		10	Normal Issues is date and version conflicts not applied.
		11
		12	CVE: CVE-2015-8i26 patch #3
		13
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16
		17	---
		18	ANNOUNCE \| 3 ++-
		19	CHANGES \| 3 ++-
		20	pngrutil.c \| 15 +++++++++++----
		21	pngset.c \| 2 +-
		22	4 files changed, 16 insertions(+), 7 deletions(-)
		23
		24	Index: libpng-1.6.17/pngrutil.c
		25	===================================================================
		26	--- libpng-1.6.17.orig/pngrutil.c
		27	+++ libpng-1.6.17/pngrutil.c
		28	@@ -867,7 +867,7 @@ void /* PRIVATE */
		29	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
		30	{
		31	png_color palette[PNG_MAX_PALETTE_LENGTH];
		32	- int num, i;
		33	+ int max_palette_length, num, i;
		34	#ifdef PNG_POINTER_INDEXING_SUPPORTED
		35	png_colorp pal_ptr;
		36	#endif
		37	@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
		38	return;
		39	}
		40
		41	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		42	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		43	+
		44	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
		45	num = (int)length / 3;
		46
		47	+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
		48	+ * we don't issue an error, to preserve the behavior of previous libpng versions.
		49	+ * We silently truncate the unused extra palette entries here.
		50	+ */
		51	+ if (num > max_palette_length)
		52	+ num = max_palette_length;
		53	+
		54	#ifdef PNG_POINTER_INDEXING_SUPPORTED
		55	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
		56	{
		57	@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
		58	* confusing.
		59	*
		60	* Fix this by not sharing the palette in this way.
		61	- *
		62	- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
		63	- * it attempts to set a palette length that is too large for the bit depth.
		64	*/
		65	png_set_PLTE(png_ptr, info_ptr, palette, num);
		66
		67	Index: libpng-1.6.17/pngset.c
		68	===================================================================
		69	--- libpng-1.6.17.orig/pngset.c
		70	+++ libpng-1.6.17/pngset.c
		71	@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
		72	max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		73	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		74
		75	- if (num_palette < 0 \|\| num_palette > max_palette_length)
		76	+ if (num_palette < 0 \|\| num_palette > (int) max_palette_length)
		77	{
		78	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		79	png_error(png_ptr, "Invalid palette length");


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch new file mode 100644 index 0000000000..2622630d10 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
		1	From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
		2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
		3	Date: Thu, 5 Nov 2015 11:18:44 -0600
		4	Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
		5
		6	Upstream-Status: Backport
		7	https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
		8
		9	CVE: CVE-2015-8126 patch #4
		10	Signed-off-by: Armin Kuster <akuster@mvista.com>
		11
		12	---
		13	pngrutil.c \| 17 ++++++++++-------
		14	1 file changed, 10 insertions(+), 7 deletions(-)
		15
		16	Index: libpng-1.6.17/pngrutil.c
		17	===================================================================
		18	--- libpng-1.6.17.orig/pngrutil.c
		19	+++ libpng-1.6.17/pngrutil.c
		20	@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
		21	return;
		22	}
		23
		24	- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
		25	- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
		26	-
		27	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
		28	num = (int)length / 3;
		29
		30	- /* If the palette has 256 or fewer entries but is too large for the bit depth,
		31	- * we don't issue an error, to preserve the behavior of previous libpng versions.
		32	- * We silently truncate the unused extra palette entries here.
		33	+ /* If the palette has 256 or fewer entries but is too large for the bit
		34	+ * depth, we don't issue an error, to preserve the behavior of previous
		35	+ * libpng versions. We silently truncate the unused extra palette entries
		36	+ * here.
		37	*/
		38	+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
		39	+ max_palette_length = (1 << png_ptr->bit_depth);
		40	+ else
		41	+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
		42	+
		43	if (num > max_palette_length)
		44	- num = max_palette_length;
		45	+ num = max_palette_length;
		46
		47	#ifdef PNG_POINTER_INDEXING_SUPPORTED
		48	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb index 3d32bfea2c..80dcc0a63f 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
@@ -10,6 +10,12 @@ LIBV = "16"
10		10
11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \	11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
12	"	12	"
		13	SRC_URI += "\
		14	file://CVE-2015-8126_1.patch \
		15	file://CVE-2015-8126_2.patch \
		16	file://CVE-2015-8126_3.patch \
		17	file://CVE-2015-8126_4.patch \
		18	"
13		19
14	SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5"	20	SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5"
15	SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625"	21	SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625"