diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch')
| -rw-r--r-- | meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..7d4c3fe80b --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch | |||
| @@ -0,0 +1,69 @@ | |||
| 1 | From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
| 3 | Date: Thu, 29 Oct 2015 09:26:41 -0500 | ||
| 4 | Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 | ||
| 8 | |||
| 9 | CVE: CVE-2015-8126 patch #1 | ||
| 10 | |||
| 11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
| 12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 13 | |||
| 14 | diff -ruN a/libpng.3 b/libpng.3 | ||
| 15 | --- a/libpng.3 2014-08-21 12:53:36.000000000 +0200 | ||
| 16 | +++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100 | ||
| 17 | @@ -5611,6 +5611,11 @@ | ||
| 18 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
| 19 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
| 20 | |||
| 21 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
| 22 | +is an error. Previously this requirement of the PNG specification was not | ||
| 23 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
| 24 | +but does not make any use of the extra entries. | ||
| 25 | + | ||
| 26 | .SH XIII. Detecting libpng | ||
| 27 | |||
| 28 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
| 29 | diff -ruN a/libpng-manual.txt b/libpng-manual.txt | ||
| 30 | --- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200 | ||
| 31 | +++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100 | ||
| 32 | @@ -5107,6 +5107,11 @@ | ||
| 33 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
| 34 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
| 35 | |||
| 36 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
| 37 | +is an error. Previously this requirement of the PNG specification was not | ||
| 38 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
| 39 | +but does not make any use of the extra entries. | ||
| 40 | + | ||
| 41 | XIII. Detecting libpng | ||
| 42 | |||
| 43 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
| 44 | diff -ruN a/pngwutil.c b/pngwutil.c | ||
| 45 | --- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200 | ||
| 46 | +++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100 | ||
| 47 | @@ -919,17 +919,20 @@ | ||
| 48 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
| 49 | png_uint_32 num_pal) | ||
| 50 | { | ||
| 51 | - png_uint_32 i; | ||
| 52 | + png_uint_32 max_num_pal, i; | ||
| 53 | png_const_colorp pal_ptr; | ||
| 54 | png_byte buf[3]; | ||
| 55 | |||
| 56 | png_debug(1, "in png_write_PLTE"); | ||
| 57 | |||
| 58 | + max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
| 59 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
| 60 | + | ||
| 61 | if (( | ||
| 62 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
| 63 | !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) && | ||
| 64 | #endif | ||
| 65 | - num_pal == 0) || num_pal > 256) | ||
| 66 | + num_pal == 0) || num_pal > max_num_pal) | ||
| 67 | { | ||
| 68 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
| 69 | { | ||