libpng: CVE-2015-8126

Fixes buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126 Upstream patches: https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-03-15 07:17:13 +0100
committer: Paul Vaduva <Paul.Vaduva@enea.com> 2016-03-17 13:27:37 +0100
commit: e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree: 24289fc33e88e2e2c7bfffd5a7c953568cb84ae0 /meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
parent: 0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download: poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz
1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
new file mode 100644
index 0000000000..2622630d10
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
+From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 5 Nov 2015 11:18:44 -0600
+Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
+CVE:  CVE-2015-8126 patch #4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ pngrutil.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+-   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+-      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+-
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+-   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+-    * we don't issue an error, to preserve the behavior of previous libpng versions.
+-    * We silently truncate the unused extra palette entries here.
+   /* If the palette has 256 or fewer entries but is too large for the bit
+    * depth, we don't issue an error, to preserve the behavior of previous
+    * libpng versions. We silently truncate the unused extra palette entries
+    * here.
+     */
+   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+      max_palette_length = (1 << png_ptr->bit_depth);
+   else
+      max_palette_length = PNG_MAX_PALETTE_LENGTH;
+
+    if (num > max_palette_length)
+-     num = max_palette_length;
+      num = max_palette_length;
+ 
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-03-15 07:17:13 +0100
committer	Paul Vaduva <Paul.Vaduva@enea.com>	2016-03-17 13:27:37 +0100
commit	e556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree	24289fc33e88e2e2c7bfffd5a7c953568cb84ae0 /meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
parent	0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
download	poky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch new file mode 100644 index 0000000000..2622630d10 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
	1	From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Thu, 5 Nov 2015 11:18:44 -0600
	4	Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
	5
	6	Upstream-Status: Backport
	7	https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
	8
	9	CVE: CVE-2015-8126 patch #4
	10	Signed-off-by: Armin Kuster <akuster@mvista.com>
	11
	12	---
	13	pngrutil.c \| 17 ++++++++++-------
	14	1 file changed, 10 insertions(+), 7 deletions(-)
	15
	16	Index: libpng-1.6.17/pngrutil.c
	17	===================================================================
	18	--- libpng-1.6.17.orig/pngrutil.c
	19	+++ libpng-1.6.17/pngrutil.c
	20	@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
	21	return;
	22	}
	23
	24	- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	25	- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	26	-
	27	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
	28	num = (int)length / 3;
	29
	30	- /* If the palette has 256 or fewer entries but is too large for the bit depth,
	31	- * we don't issue an error, to preserve the behavior of previous libpng versions.
	32	- * We silently truncate the unused extra palette entries here.
	33	+ /* If the palette has 256 or fewer entries but is too large for the bit
	34	+ * depth, we don't issue an error, to preserve the behavior of previous
	35	+ * libpng versions. We silently truncate the unused extra palette entries
	36	+ * here.
	37	*/
	38	+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	39	+ max_palette_length = (1 << png_ptr->bit_depth);
	40	+ else
	41	+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
	42	+
	43	if (num > max_palette_length)
	44	- num = max_palette_length;
	45	+ num = max_palette_length;
	46
	47	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	48	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)