1 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
new file mode 100644
index 0000000000..69cb565901
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
+From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 07:57:49 -0500
+Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
+ Truta).
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
+Many changes involved date and version updates with don't apply in this case.
+CVE: CVE-2015-8126 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+diff -ruN a/pngrutil.c b/pngrutil.c
+--- a/pngrutil.c        2014-08-21 12:53:36.000000000 +0200
+++ b/pngrutil.c        2016-03-14 13:05:12.419581068 +0100
+@@ -997,6 +997,9 @@
+     * confusing.
+     *
+     * Fix this by not sharing the palette in this way.
+    *
+    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+    * it attempts to set a palette length that is too large for the bit depth.
+     */
+    png_set_PLTE(png_ptr, info_ptr, palette, num);
+ 
+diff -ruN a/pngset.c b/pngset.c
+--- a/pngset.c  2014-08-21 12:53:36.000000000 +0200
+++ b/pngset.c  2016-03-14 13:05:12.439580208 +0100
+@@ -503,12 +503,17 @@
+     png_const_colorp palette, int num_palette)
+ {
+ 
+   png_uint_32 max_palette_length;
+
+    png_debug1(1, "in %s storage function", "PLTE");
+ 
+    if (png_ptr == NULL || info_ptr == NULL)
+       return;
+ 
+-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
+@@ -541,8 +546,8 @@
+    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
+ 
+    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+-    * of num_palette entries, in case of an invalid PNG file that has
+-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
+     */
+    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+diff -ruN a/pngwutil.c b/pngwutil.c
+--- a/pngwutil.c        2016-03-14 13:01:23.433428517 +0100
+++ b/pngwutil.c        2016-03-14 13:07:42.933108329 +0100
+@@ -919,20 +919,20 @@
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ 
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
+ #endif
+-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {

diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..69cb565901 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
	1	From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
	2	From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
	3	Date: Fri, 30 Oct 2015 07:57:49 -0500
	4	Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
	5	Truta).
	6
	7	Upstream-Status: Backport
	8	https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
	9
	10	Many changes involved date and version updates with don't apply in this case.
	11
	12	CVE: CVE-2015-8126 patch #2
	13	Signed-off-by: Armin Kuster <akuster@mvista.com>
	14	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	15
	16	diff -ruN a/pngrutil.c b/pngrutil.c
	17	--- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200
	18	+++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100
	19	@@ -997,6 +997,9 @@
	20	* confusing.
	21	*
	22	* Fix this by not sharing the palette in this way.
	23	+ *
	24	+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
	25	+ * it attempts to set a palette length that is too large for the bit depth.
	26	*/
	27	png_set_PLTE(png_ptr, info_ptr, palette, num);
	28
	29	diff -ruN a/pngset.c b/pngset.c
	30	--- a/pngset.c 2014-08-21 12:53:36.000000000 +0200
	31	+++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100
	32	@@ -503,12 +503,17 @@
	33	png_const_colorp palette, int num_palette)
	34	{
	35
	36	+ png_uint_32 max_palette_length;
	37	+
	38	png_debug1(1, "in %s storage function", "PLTE");
	39
	40	if (png_ptr == NULL \|\| info_ptr == NULL)
	41	return;
	42
	43	- if (num_palette < 0 \|\| num_palette > PNG_MAX_PALETTE_LENGTH)
	44	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	45	+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	46	+
	47	+ if (num_palette < 0 \|\| num_palette > max_palette_length)
	48	{
	49	if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	50	png_error(png_ptr, "Invalid palette length");
	51	@@ -541,8 +546,8 @@
	52	png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
	53
	54	/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
	55	- * of num_palette entries, in case of an invalid PNG file that has
	56	- * too-large sample values.
	57	+ * of num_palette entries, in case of an invalid PNG file or incorrect
	58	+ * call to png_set_PLTE() with too-large sample values.
	59	*/
	60	png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
	61	PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
	62	diff -ruN a/pngwutil.c b/pngwutil.c
	63	--- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100
	64	+++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100
	65	@@ -919,20 +919,20 @@
	66	png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
	67	png_uint_32 num_pal)
	68	{
	69	- png_uint_32 max_num_pal, i;
	70	+ png_uint_32 max_palette_length, i;
	71	png_const_colorp pal_ptr;
	72	png_byte buf[3];
	73
	74	png_debug(1, "in png_write_PLTE");
	75
	76	- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	77	+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
	78	(1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
	79
	80	if ((
	81	#ifdef PNG_MNG_FEATURES_SUPPORTED
	82	!(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
	83	#endif
	84	- num_pal == 0) \|\| num_pal > max_num_pal)
	85	+ num_pal == 0) \|\| num_pal > max_palette_length)
	86	{
	87	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
	88	{