libpng: CVE-2015-8126

Fixes buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126 Upstream patches: https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-03-15 07:17:13 +0100
committer: Paul Vaduva <Paul.Vaduva@enea.com> 2016-03-17 13:27:37 +0100
commit: e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree: 24289fc33e88e2e2c7bfffd5a7c953568cb84ae0 /meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
parent: 0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download: poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz
1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
new file mode 100644
index 0000000000..0e0ad23200
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
+From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 11:34:37 -0500
+Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
+ reading.
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
+Normal Issues is date and version conflicts not applied.
+CVE: CVE-2015-8i26 patch #3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ANNOUNCE   |  3 ++-
+ CHANGES    |  3 ++-
+ pngrutil.c | 15 +++++++++++----
+ pngset.c   |  2 +-
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -867,7 +867,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ {
+    png_color palette[PNG_MAX_PALETTE_LENGTH];
+-   int num, i;
+   int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    png_colorp pal_ptr;
+ #endif
+@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+    * we don't issue an error, to preserve the behavior of previous libpng versions.
+    * We silently truncate the unused extra palette entries here.
+    */
+   if (num > max_palette_length)
+     num = max_palette_length;
+
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+    {
+@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+-    *
+-    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+-    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
+@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
+    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+-   if (num_palette < 0 || num_palette > max_palette_length)
+   if (num_palette < 0 || num_palette > (int) max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-03-15 07:17:13 +0100
committer	Paul Vaduva <Paul.Vaduva@enea.com>	2016-03-17 13:27:37 +0100
commit	e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree	24289fc33e88e2e2c7bfffd5a7c953568cb84ae0 /meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
parent	0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download	poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
	1	From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Fri, 30 Oct 2015 11:34:37 -0500
	4	Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
	5	reading.
	6
	7	Upstream-Status: Backport
	8	https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
	9
	10	Normal Issues is date and version conflicts not applied.
	11
	12	CVE: CVE-2015-8i26 patch #3
	13
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16
	17	---
	18	ANNOUNCE \| 3 ++-
	19	CHANGES \| 3 ++-
	20	pngrutil.c \| 15 +++++++++++----
	21	pngset.c \| 2 +-
	22	4 files changed, 16 insertions(+), 7 deletions(-)
	23
	24	Index: libpng-1.6.17/pngrutil.c
	25	===================================================================
	26	--- libpng-1.6.17.orig/pngrutil.c
	27	+++ libpng-1.6.17/pngrutil.c
	28	@@ -867,7 +867,7 @@ void /* PRIVATE */
	29	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
	30	{
	31	png_color palette[PNG_MAX_PALETTE_LENGTH];
	32	- int num, i;
	33	+ int max_palette_length, num, i;
	34	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	35	png_colorp pal_ptr;
	36	#endif
	37	@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
	38	return;
	39	}
	40
	41	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	42	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	43	+
	44	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
	45	num = (int)length / 3;
	46
	47	+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
	48	+ * we don't issue an error, to preserve the behavior of previous libpng versions.
	49	+ * We silently truncate the unused extra palette entries here.
	50	+ */
	51	+ if (num > max_palette_length)
	52	+ num = max_palette_length;
	53	+
	54	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	55	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
	56	{
	57	@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
	58	* confusing.
	59	*
	60	* Fix this by not sharing the palette in this way.
	61	- *
	62	- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
	63	- * it attempts to set a palette length that is too large for the bit depth.
	64	*/
	65	png_set_PLTE(png_ptr, info_ptr, palette, num);
	66
	67	Index: libpng-1.6.17/pngset.c
	68	===================================================================
	69	--- libpng-1.6.17.orig/pngset.c
	70	+++ libpng-1.6.17/pngset.c
	71	@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
	72	max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	73	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	74
	75	- if (num_palette < 0 \|\| num_palette > max_palette_length)
	76	+ if (num_palette < 0 \|\| num_palette > (int) max_palette_length)
	77	{
	78	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	79	png_error(png_ptr, "Invalid palette length");