libpng: Security fix CVE-2015-8126

libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions Adjusted dir location to match the version. (From OE-Core master rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018) (From OE-Core rev: 20a1f80f554c2dc9da414c5846fb5bafd73e2cac) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-05 06:03:48 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-03-03 11:11:39 +0000
commit: fbe015523fd9ef214d3c988e727f57196a4b1f27 (patch)
tree: 4e671e45f6f93b144396cb30a5f9dd660ba3304d /meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch
parent: 2f9a715583a97b0cf82489f899d0cf696835f2f8 (diff)
download: poky-fbe015523fd9ef214d3c988e727f57196a4b1f27.tar.gz
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch
new file mode 100644
index 0000000000..25fe1364d3
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
+From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 29 Oct 2015 09:26:41 -0500
+Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
+CVE: CVE-2015-8126 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libpng-manual.txt | 5 +++++
+ libpng.3          | 5 +++++
+ pngwrite.c        | 4 ++--
+ pngwutil.c        | 7 +++++--
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+Index: libpng-1.6.17/libpng-manual.txt
+===================================================================
+--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
+@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/libpng.3
+===================================================================
+--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
+@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ .SH XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/pngwrite.c
+===================================================================
+--- libpng-1.6.17.orig/pngwrite.c
+++ libpng-1.6.17/pngwrite.c
+@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
+       png_write_PLTE(png_ptr, info_ptr->palette,
+           (png_uint_32)info_ptr->num_palette);
+ 
+-   else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+   else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       png_error(png_ptr, "Valid palette required for paletted images");
+ 
+ #ifdef PNG_WRITE_tRNS_SUPPORTED
+Index: libpng-1.6.17/pngwutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
+@@ -922,17 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 i;
+   png_uint_32 max_num_pal, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_num_pal)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
author	Armin Kuster <akuster@mvista.com>	2016-02-05 06:03:48 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-03-03 11:11:39 +0000
commit	fbe015523fd9ef214d3c988e727f57196a4b1f27 (patch)
tree	4e671e45f6f93b144396cb30a5f9dd660ba3304d /meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch
parent	2f9a715583a97b0cf82489f899d0cf696835f2f8 (diff)
download	poky-fbe015523fd9ef214d3c988e727f57196a4b1f27.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..25fe1364d3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
	1	From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Thu, 29 Oct 2015 09:26:41 -0500
	4	Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
	5
	6	Upstream-Status: Backport
	7	https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
	8
	9	CVE: CVE-2015-8126 patch #1
	10
	11	Signed-off-by: Armin Kuster <akuster@mvista.com>
	12
	13	---
	14	libpng-manual.txt \| 5 +++++
	15	libpng.3 \| 5 +++++
	16	pngwrite.c \| 4 ++--
	17	pngwutil.c \| 7 +++++--
	18	4 files changed, 17 insertions(+), 4 deletions(-)
	19
	20	Index: libpng-1.6.17/libpng-manual.txt
	21	===================================================================
	22	--- libpng-1.6.17.orig/libpng-manual.txt
	23	+++ libpng-1.6.17/libpng-manual.txt
	24	@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
	25	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	26	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	27
	28	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	29	+is an error. Previously this requirement of the PNG specification was not
	30	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
	31	+but does not make any use of the extra entries.
	32	+
	33	XIII. Detecting libpng
	34
	35	The png_get_io_ptr() function has been present since libpng-0.88, has never
	36	Index: libpng-1.6.17/libpng.3
	37	===================================================================
	38	--- libpng-1.6.17.orig/libpng.3
	39	+++ libpng-1.6.17/libpng.3
	40	@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
	41	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	42	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	43
	44	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	45	+is an error. Previously this requirement of the PNG specification was not
	46	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
	47	+but does not make any use of the extra entries.
	48	+
	49	.SH XIII. Detecting libpng
	50
	51	The png_get_io_ptr() function has been present since libpng-0.88, has never
	52	Index: libpng-1.6.17/pngwrite.c
	53	===================================================================
	54	--- libpng-1.6.17.orig/pngwrite.c
	55	+++ libpng-1.6.17/pngwrite.c
	56	@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
	57	png_write_PLTE(png_ptr, info_ptr->palette,
	58	(png_uint_32)info_ptr->num_palette);
	59
	60	- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
	61	+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	62	png_error(png_ptr, "Valid palette required for paletted images");
	63
	64	#ifdef PNG_WRITE_tRNS_SUPPORTED
	65	Index: libpng-1.6.17/pngwutil.c
	66	===================================================================
	67	--- libpng-1.6.17.orig/pngwutil.c
	68	+++ libpng-1.6.17/pngwutil.c
	69	@@ -922,17 +922,20 @@ void /* PRIVATE */
	70	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
	71	png_uint_32 num_pal)
	72	{
	73	- png_uint_32 i;
	74	+ png_uint_32 max_num_pal, i;
	75	png_const_colorp pal_ptr;
	76	png_byte buf[3];
	77
	78	png_debug(1, "in png_write_PLTE");
	79
	80	+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	81	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	82	+
	83	if ((
	84	#ifdef PNG_MNG_FEATURES_SUPPORTED
	85	(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
	86	#endif
	87	- num_pal == 0) \|\| num_pal > 256)
	88	+ num_pal == 0) \|\| num_pal > max_num_pal)
	89	{
	90	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	91	{