summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch')
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
new file mode 100644
index 0000000..7d4c3fe
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
@@ -0,0 +1,69 @@
1From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Thu, 29 Oct 2015 09:26:41 -0500
4Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
5
6Upstream-Status: Backport
7https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
8
9CVE: CVE-2015-8126 patch #1
10
11Signed-off-by: Armin Kuster <akuster@mvista.com>
12Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13
14diff -ruN a/libpng.3 b/libpng.3
15--- a/libpng.3 2014-08-21 12:53:36.000000000 +0200
16+++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100
17@@ -5611,6 +5611,11 @@
18 chunk. This error was fixed in libpng-1.6.3, and a tool (called
19 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
20
21+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
22+is an error. Previously this requirement of the PNG specification was not
23+enforced. Libpng continues to accept over-length PLTE chunks when reading,
24+but does not make any use of the extra entries.
25+
26 .SH XIII. Detecting libpng
27
28 The png_get_io_ptr() function has been present since libpng-0.88, has never
29diff -ruN a/libpng-manual.txt b/libpng-manual.txt
30--- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200
31+++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100
32@@ -5107,6 +5107,11 @@
33 chunk. This error was fixed in libpng-1.6.3, and a tool (called
34 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
35
36+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
37+is an error. Previously this requirement of the PNG specification was not
38+enforced. Libpng continues to accept over-length PLTE chunks when reading,
39+but does not make any use of the extra entries.
40+
41 XIII. Detecting libpng
42
43 The png_get_io_ptr() function has been present since libpng-0.88, has never
44diff -ruN a/pngwutil.c b/pngwutil.c
45--- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200
46+++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100
47@@ -919,17 +919,20 @@
48 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
49 png_uint_32 num_pal)
50 {
51- png_uint_32 i;
52+ png_uint_32 max_num_pal, i;
53 png_const_colorp pal_ptr;
54 png_byte buf[3];
55
56 png_debug(1, "in png_write_PLTE");
57
58+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
59+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
60+
61 if ((
62 #ifdef PNG_MNG_FEATURES_SUPPORTED
63 !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
64 #endif
65- num_pal == 0) || num_pal > 256)
66+ num_pal == 0) || num_pal > max_num_pal)
67 {
68 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
69 {