summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
authorSinan Kaya <okaya@kernel.org>2018-09-22 02:16:49 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-09-27 12:17:46 +0100
commitb77082e38f8d6b94001df83d66fbfef0dad970cd (patch)
tree17f400533edfec8f2fd023477bc3f0cc92655b21 /meta/recipes-multimedia
parentd39e43f17fe76e15dc84adfd225ee80c75e2df7d (diff)
downloadpoky-b77082e38f8d6b94001df83d66fbfef0dad970cd.tar.gz
libpng: CVE-2018-13785
* CVE-2018-13785 In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service. (cherry picked from 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2) Affects libpng <= 1.6.34 CVE: CVE-2018-13785 Ref: https://access.redhat.com/security/cve/cve-2018-13785 (From OE-Core rev: 4cc1862695c6899b61e3900216376c1b2f338a19) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch37
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.34.bb4
2 files changed, 40 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 0000000000..84b1af1fbf
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
1From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
2From: Cosmin Truta <ctruta@gmail.com>
3Date: Sun, 17 Jun 2018 22:56:29 -0400
4Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
5 png_check_chunk_length
6
7(Bug report by Thuan Pham, SourceForge issue #278)
8Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
9Signed-off-by: Sinan Kaya <okaya@kernel.org>
10---
11 pngrutil.c | 9 ++++++---
12 1 file changed, 6 insertions(+), 3 deletions(-)
13
14diff --git a/pngrutil.c b/pngrutil.c
15index 95571b517..5ba995abf 100644
16--- a/pngrutil.c
17+++ b/pngrutil.c
18@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
19 {
20 png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
21 size_t row_factor =
22- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
23- + 1 + (png_ptr->interlaced? 6: 0));
24+ (size_t)png_ptr->width
25+ * (size_t)png_ptr->channels
26+ * (png_ptr->bit_depth > 8? 2: 1)
27+ + 1
28+ + (png_ptr->interlaced? 6: 0);
29 if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
30- idat_limit=PNG_UINT_31_MAX;
31+ idat_limit = PNG_UINT_31_MAX;
32 else
33 idat_limit = png_ptr->height * row_factor;
34 row_factor = row_factor > 32566? 32566 : row_factor;
35--
362.19.0
37
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d032289..3877d6cbf0 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
8 8
9LIBV = "16" 9LIBV = "16"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz" 11SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
12 file://CVE-2018-13785.patch \
13"
12SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2" 14SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
13SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6" 15SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
14 16
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-10 01:05:25 +0000