summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch')
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
new file mode 100644
index 0000000..69cb565
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
1From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 07:57:49 -0500
4Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
5 Truta).
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
9
10Many changes involved date and version updates with don't apply in this case.
11
12CVE: CVE-2015-8126 patch #2
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15
16diff -ruN a/pngrutil.c b/pngrutil.c
17--- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200
18+++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100
19@@ -997,6 +997,9 @@
20 * confusing.
21 *
22 * Fix this by not sharing the palette in this way.
23+ *
24+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
25+ * it attempts to set a palette length that is too large for the bit depth.
26 */
27 png_set_PLTE(png_ptr, info_ptr, palette, num);
28
29diff -ruN a/pngset.c b/pngset.c
30--- a/pngset.c 2014-08-21 12:53:36.000000000 +0200
31+++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100
32@@ -503,12 +503,17 @@
33 png_const_colorp palette, int num_palette)
34 {
35
36+ png_uint_32 max_palette_length;
37+
38 png_debug1(1, "in %s storage function", "PLTE");
39
40 if (png_ptr == NULL || info_ptr == NULL)
41 return;
42
43- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
44+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
45+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
46+
47+ if (num_palette < 0 || num_palette > max_palette_length)
48 {
49 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
50 png_error(png_ptr, "Invalid palette length");
51@@ -541,8 +546,8 @@
52 png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
53
54 /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
55- * of num_palette entries, in case of an invalid PNG file that has
56- * too-large sample values.
57+ * of num_palette entries, in case of an invalid PNG file or incorrect
58+ * call to png_set_PLTE() with too-large sample values.
59 */
60 png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
61 PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
62diff -ruN a/pngwutil.c b/pngwutil.c
63--- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100
64+++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100
65@@ -919,20 +919,20 @@
66 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
67 png_uint_32 num_pal)
68 {
69- png_uint_32 max_num_pal, i;
70+ png_uint_32 max_palette_length, i;
71 png_const_colorp pal_ptr;
72 png_byte buf[3];
73
74 png_debug(1, "in png_write_PLTE");
75
76- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
77+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
78 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
79
80 if ((
81 #ifdef PNG_MNG_FEATURES_SUPPORTED
82 !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
83 #endif
84- num_pal == 0) || num_pal > max_num_pal)
85+ num_pal == 0) || num_pal > max_palette_length)
86 {
87 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
88 {