libpng: Security fix CVE-2015-8126

libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (From OE-Core rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-05 06:03:48 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-07 22:55:24 +0000
commit: 21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9 (patch)
tree: d72c4e2bff32775c91b5568f28985402b68dec39 /meta/recipes-multimedia/libpng/libpng-1.6.17
parent: 6a0fbfaeb59f573afc970fd8cc481afddd832109 (diff)
download: poky-21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9.tar.gz
4 files changed, 352 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
new file mode 100644
index 0000000000..25fe1364d3
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
+From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 29 Oct 2015 09:26:41 -0500
+Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
+CVE: CVE-2015-8126 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ libpng-manual.txt | 5 +++++
+ libpng.3          | 5 +++++
+ pngwrite.c        | 4 ++--
+ pngwutil.c        | 7 +++++--
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+Index: libpng-1.6.17/libpng-manual.txt
+===================================================================
+--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
+@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/libpng.3
+===================================================================
+--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
+@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
+ .SH XIII.  Detecting libpng
+ 
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/pngwrite.c
+===================================================================
+--- libpng-1.6.17.orig/pngwrite.c
+++ libpng-1.6.17/pngwrite.c
+@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
+       png_write_PLTE(png_ptr, info_ptr->palette,
+           (png_uint_32)info_ptr->num_palette);
+ 
+-   else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+   else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       png_error(png_ptr, "Valid palette required for paletted images");
+ 
+ #ifdef PNG_WRITE_tRNS_SUPPORTED
+Index: libpng-1.6.17/pngwutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
+@@ -922,17 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 i;
+   png_uint_32 max_num_pal, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_num_pal)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
new file mode 100644
index 0000000000..4aa917084a
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
@@ -0,0 +1,134 @@
+From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 07:57:49 -0500
+Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
+ Truta).
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
+Many changes involved date and version updates with don't apply in this case.
+CVE: CVE-2015-8126 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ANNOUNCE          |  6 +++---
+ CHANGES           |  4 ++--
+ libpng-manual.txt | 11 +++++------
+ libpng.3          | 19 +++++++++----------
+ pngrutil.c        |  3 +++
+ pngset.c          | 13 +++++++++----
+ pngwutil.c        |  6 +++---
+ 7 files changed, 34 insertions(+), 28 deletions(-)
+Index: libpng-1.6.17/libpng-manual.txt
+===================================================================
+--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
+@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
+ is an error. Previously this requirement of the PNG specification was not
+-enforced. Libpng continues to accept over-length PLTE chunks when reading,
+-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
+ 
+ XIII.  Detecting libpng
+ 
+Index: libpng-1.6.17/libpng.3
+===================================================================
+--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
+@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
+ chunk.  This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+ 
+-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
+ is an error. Previously this requirement of the PNG specification was not
+-enforced. Libpng continues to accept over-length PLTE chunks when reading,
+-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
+ 
+ .SH XIII.  Detecting libpng
+ 
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+    *
+    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
+@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
+     png_const_colorp palette, int num_palette)
+ {
+ 
+   png_uint_32 max_palette_length;
+
+    png_debug1(1, "in %s storage function", "PLTE");
+ 
+    if (png_ptr == NULL || info_ptr == NULL)
+       return;
+ 
+-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
+@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
+    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
+ 
+    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+-    * of num_palette entries, in case of an invalid PNG file that has
+-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
+     */
+    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+Index: libpng-1.6.17/pngwutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
+@@ -922,20 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
new file mode 100644
index 0000000000..0e0ad23200
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
+From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 11:34:37 -0500
+Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
+ reading.
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
+Normal Issues is date and version conflicts not applied.
+CVE: CVE-2015-8i26 patch #3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ANNOUNCE   |  3 ++-
+ CHANGES    |  3 ++-
+ pngrutil.c | 15 +++++++++++----
+ pngset.c   |  2 +-
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -867,7 +867,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ {
+    png_color palette[PNG_MAX_PALETTE_LENGTH];
+-   int num, i;
+   int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    png_colorp pal_ptr;
+ #endif
+@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+    * we don't issue an error, to preserve the behavior of previous libpng versions.
+    * We silently truncate the unused extra palette entries here.
+    */
+   if (num > max_palette_length)
+     num = max_palette_length;
+
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+    {
+@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+-    *
+-    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+-    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
+@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
+    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+-   if (num_palette < 0 || num_palette > max_palette_length)
+   if (num_palette < 0 || num_palette > (int) max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
new file mode 100644
index 0000000000..2622630d10
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
+From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 5 Nov 2015 11:18:44 -0600
+Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
+CVE:  CVE-2015-8126 patch #4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ pngrutil.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
+@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
+       return;
+    }
+ 
+-   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+-      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+-
+    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+    num = (int)length / 3;
+ 
+-   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+-    * we don't issue an error, to preserve the behavior of previous libpng versions.
+-    * We silently truncate the unused extra palette entries here.
+   /* If the palette has 256 or fewer entries but is too large for the bit
+    * depth, we don't issue an error, to preserve the behavior of previous
+    * libpng versions. We silently truncate the unused extra palette entries
+    * here.
+     */
+   if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+      max_palette_length = (1 << png_ptr->bit_depth);
+   else
+      max_palette_length = PNG_MAX_PALETTE_LENGTH;
+
+    if (num > max_palette_length)
+-     num = max_palette_length;
+      num = max_palette_length;
+ 
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
author	Armin Kuster <akuster@mvista.com>	2016-02-05 06:03:48 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-07 22:55:24 +0000
commit	21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9 (patch)
tree	d72c4e2bff32775c91b5568f28985402b68dec39 /meta/recipes-multimedia/libpng/libpng-1.6.17
parent	6a0fbfaeb59f573afc970fd8cc481afddd832109 (diff)
download	poky-21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..25fe1364d3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
	1	From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Thu, 29 Oct 2015 09:26:41 -0500
	4	Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
	5
	6	Upstream-Status: Backport
	7	https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
	8
	9	CVE: CVE-2015-8126 patch #1
	10
	11	Signed-off-by: Armin Kuster <akuster@mvista.com>
	12
	13	---
	14	libpng-manual.txt \| 5 +++++
	15	libpng.3 \| 5 +++++
	16	pngwrite.c \| 4 ++--
	17	pngwutil.c \| 7 +++++--
	18	4 files changed, 17 insertions(+), 4 deletions(-)
	19
	20	Index: libpng-1.6.17/libpng-manual.txt
	21	===================================================================
	22	--- libpng-1.6.17.orig/libpng-manual.txt
	23	+++ libpng-1.6.17/libpng-manual.txt
	24	@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
	25	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	26	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	27
	28	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	29	+is an error. Previously this requirement of the PNG specification was not
	30	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
	31	+but does not make any use of the extra entries.
	32	+
	33	XIII. Detecting libpng
	34
	35	The png_get_io_ptr() function has been present since libpng-0.88, has never
	36	Index: libpng-1.6.17/libpng.3
	37	===================================================================
	38	--- libpng-1.6.17.orig/libpng.3
	39	+++ libpng-1.6.17/libpng.3
	40	@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
	41	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	42	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	43
	44	+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	45	+is an error. Previously this requirement of the PNG specification was not
	46	+enforced. Libpng continues to accept over-length PLTE chunks when reading,
	47	+but does not make any use of the extra entries.
	48	+
	49	.SH XIII. Detecting libpng
	50
	51	The png_get_io_ptr() function has been present since libpng-0.88, has never
	52	Index: libpng-1.6.17/pngwrite.c
	53	===================================================================
	54	--- libpng-1.6.17.orig/pngwrite.c
	55	+++ libpng-1.6.17/pngwrite.c
	56	@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
	57	png_write_PLTE(png_ptr, info_ptr->palette,
	58	(png_uint_32)info_ptr->num_palette);
	59
	60	- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
	61	+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	62	png_error(png_ptr, "Valid palette required for paletted images");
	63
	64	#ifdef PNG_WRITE_tRNS_SUPPORTED
	65	Index: libpng-1.6.17/pngwutil.c
	66	===================================================================
	67	--- libpng-1.6.17.orig/pngwutil.c
	68	+++ libpng-1.6.17/pngwutil.c
	69	@@ -922,17 +922,20 @@ void /* PRIVATE */
	70	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
	71	png_uint_32 num_pal)
	72	{
	73	- png_uint_32 i;
	74	+ png_uint_32 max_num_pal, i;
	75	png_const_colorp pal_ptr;
	76	png_byte buf[3];
	77
	78	png_debug(1, "in png_write_PLTE");
	79
	80	+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	81	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	82	+
	83	if ((
	84	#ifdef PNG_MNG_FEATURES_SUPPORTED
	85	(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
	86	#endif
	87	- num_pal == 0) \|\| num_pal > 256)
	88	+ num_pal == 0) \|\| num_pal > max_num_pal)
	89	{
	90	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	91	{


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..4aa917084a --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
@@ -0,0 +1,134 @@
	1	From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Fri, 30 Oct 2015 07:57:49 -0500
	4	Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
	5	Truta).
	6
	7	Upstream-Status: Backport
	8	https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
	9
	10	Many changes involved date and version updates with don't apply in this case.
	11
	12	CVE: CVE-2015-8126 patch #2
	13	Signed-off-by: Armin Kuster <akuster@mvista.com>
	14
	15	---
	16	ANNOUNCE \| 6 +++---
	17	CHANGES \| 4 ++--
	18	libpng-manual.txt \| 11 +++++------
	19	libpng.3 \| 19 +++++++++----------
	20	pngrutil.c \| 3 +++
	21	pngset.c \| 13 +++++++++----
	22	pngwutil.c \| 6 +++---
	23	7 files changed, 34 insertions(+), 28 deletions(-)
	24
	25	Index: libpng-1.6.17/libpng-manual.txt
	26	===================================================================
	27	--- libpng-1.6.17.orig/libpng-manual.txt
	28	+++ libpng-1.6.17/libpng-manual.txt
	29	@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
	30	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	31	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	32
	33	-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	34	+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
	35	is an error. Previously this requirement of the PNG specification was not
	36	-enforced. Libpng continues to accept over-length PLTE chunks when reading,
	37	-but does not make any use of the extra entries.
	38	+enforced, and the palette was always limited to 256 entries.
	39
	40	XIII. Detecting libpng
	41
	42	Index: libpng-1.6.17/libpng.3
	43	===================================================================
	44	--- libpng-1.6.17.orig/libpng.3
	45	+++ libpng-1.6.17/libpng.3
	46	@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
	47	chunk. This error was fixed in libpng-1.6.3, and a tool (called
	48	contrib/tools/png-fix-itxt) has been added to the libpng distribution.
	49
	50	-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
	51	+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
	52	is an error. Previously this requirement of the PNG specification was not
	53	-enforced. Libpng continues to accept over-length PLTE chunks when reading,
	54	-but does not make any use of the extra entries.
	55	+enforced, and the palette was always limited to 256 entries.
	56
	57	.SH XIII. Detecting libpng
	58
	59	Index: libpng-1.6.17/pngrutil.c
	60	===================================================================
	61	--- libpng-1.6.17.orig/pngrutil.c
	62	+++ libpng-1.6.17/pngrutil.c
	63	@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
	64	* confusing.
	65	*
	66	* Fix this by not sharing the palette in this way.
	67	+ *
	68	+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
	69	+ * it attempts to set a palette length that is too large for the bit depth.
	70	*/
	71	png_set_PLTE(png_ptr, info_ptr, palette, num);
	72
	73	Index: libpng-1.6.17/pngset.c
	74	===================================================================
	75	--- libpng-1.6.17.orig/pngset.c
	76	+++ libpng-1.6.17/pngset.c
	77	@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
	78	png_const_colorp palette, int num_palette)
	79	{
	80
	81	+ png_uint_32 max_palette_length;
	82	+
	83	png_debug1(1, "in %s storage function", "PLTE");
	84
	85	if (png_ptr == NULL \|\| info_ptr == NULL)
	86	return;
	87
	88	- if (num_palette < 0 \|\| num_palette > PNG_MAX_PALETTE_LENGTH)
	89	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	90	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	91	+
	92	+ if (num_palette < 0 \|\| num_palette > max_palette_length)
	93	{
	94	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	95	png_error(png_ptr, "Invalid palette length");
	96	@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
	97	png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
	98
	99	/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
	100	- * of num_palette entries, in case of an invalid PNG file that has
	101	- * too-large sample values.
	102	+ * of num_palette entries, in case of an invalid PNG file or incorrect
	103	+ * call to png_set_PLTE() with too-large sample values.
	104	*/
	105	png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
	106	PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
	107	Index: libpng-1.6.17/pngwutil.c
	108	===================================================================
	109	--- libpng-1.6.17.orig/pngwutil.c
	110	+++ libpng-1.6.17/pngwutil.c
	111	@@ -922,20 +922,20 @@ void /* PRIVATE */
	112	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
	113	png_uint_32 num_pal)
	114	{
	115	- png_uint_32 max_num_pal, i;
	116	+ png_uint_32 max_palette_length, i;
	117	png_const_colorp pal_ptr;
	118	png_byte buf[3];
	119
	120	png_debug(1, "in png_write_PLTE");
	121
	122	- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	123	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	124	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	125
	126	if ((
	127	#ifdef PNG_MNG_FEATURES_SUPPORTED
	128	(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
	129	#endif
	130	- num_pal == 0) \|\| num_pal > max_num_pal)
	131	+ num_pal == 0) \|\| num_pal > max_palette_length)
	132	{
	133	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	134	{


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
	1	From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Fri, 30 Oct 2015 11:34:37 -0500
	4	Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
	5	reading.
	6
	7	Upstream-Status: Backport
	8	https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
	9
	10	Normal Issues is date and version conflicts not applied.
	11
	12	CVE: CVE-2015-8i26 patch #3
	13
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16
	17	---
	18	ANNOUNCE \| 3 ++-
	19	CHANGES \| 3 ++-
	20	pngrutil.c \| 15 +++++++++++----
	21	pngset.c \| 2 +-
	22	4 files changed, 16 insertions(+), 7 deletions(-)
	23
	24	Index: libpng-1.6.17/pngrutil.c
	25	===================================================================
	26	--- libpng-1.6.17.orig/pngrutil.c
	27	+++ libpng-1.6.17/pngrutil.c
	28	@@ -867,7 +867,7 @@ void /* PRIVATE */
	29	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
	30	{
	31	png_color palette[PNG_MAX_PALETTE_LENGTH];
	32	- int num, i;
	33	+ int max_palette_length, num, i;
	34	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	35	png_colorp pal_ptr;
	36	#endif
	37	@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
	38	return;
	39	}
	40
	41	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	42	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	43	+
	44	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
	45	num = (int)length / 3;
	46
	47	+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
	48	+ * we don't issue an error, to preserve the behavior of previous libpng versions.
	49	+ * We silently truncate the unused extra palette entries here.
	50	+ */
	51	+ if (num > max_palette_length)
	52	+ num = max_palette_length;
	53	+
	54	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	55	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
	56	{
	57	@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
	58	* confusing.
	59	*
	60	* Fix this by not sharing the palette in this way.
	61	- *
	62	- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
	63	- * it attempts to set a palette length that is too large for the bit depth.
	64	*/
	65	png_set_PLTE(png_ptr, info_ptr, palette, num);
	66
	67	Index: libpng-1.6.17/pngset.c
	68	===================================================================
	69	--- libpng-1.6.17.orig/pngset.c
	70	+++ libpng-1.6.17/pngset.c
	71	@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
	72	max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	73	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	74
	75	- if (num_palette < 0 \|\| num_palette > max_palette_length)
	76	+ if (num_palette < 0 \|\| num_palette > (int) max_palette_length)
	77	{
	78	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	79	png_error(png_ptr, "Invalid palette length");


diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch new file mode 100644 index 0000000000..2622630d10 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
	1	From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Thu, 5 Nov 2015 11:18:44 -0600
	4	Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
	5
	6	Upstream-Status: Backport
	7	https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
	8
	9	CVE: CVE-2015-8126 patch #4
	10	Signed-off-by: Armin Kuster <akuster@mvista.com>
	11
	12	---
	13	pngrutil.c \| 17 ++++++++++-------
	14	1 file changed, 10 insertions(+), 7 deletions(-)
	15
	16	Index: libpng-1.6.17/pngrutil.c
	17	===================================================================
	18	--- libpng-1.6.17.orig/pngrutil.c
	19	+++ libpng-1.6.17/pngrutil.c
	20	@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
	21	return;
	22	}
	23
	24	- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	25	- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	26	-
	27	/* The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /
	28	num = (int)length / 3;
	29
	30	- /* If the palette has 256 or fewer entries but is too large for the bit depth,
	31	- * we don't issue an error, to preserve the behavior of previous libpng versions.
	32	- * We silently truncate the unused extra palette entries here.
	33	+ /* If the palette has 256 or fewer entries but is too large for the bit
	34	+ * depth, we don't issue an error, to preserve the behavior of previous
	35	+ * libpng versions. We silently truncate the unused extra palette entries
	36	+ * here.
	37	*/
	38	+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	39	+ max_palette_length = (1 << png_ptr->bit_depth);
	40	+ else
	41	+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
	42	+
	43	if (num > max_palette_length)
	44	- num = max_palette_length;
	45	+ num = max_palette_length;
	46
	47	#ifdef PNG_POINTER_INDEXING_SUPPORTED
	48	for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)