diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch')
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..69cb565901 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch | |||
@@ -0,0 +1,88 @@ | |||
1 | From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Fri, 30 Oct 2015 07:57:49 -0500 | ||
4 | Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin | ||
5 | Truta). | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d | ||
9 | |||
10 | Many changes involved date and version updates with don't apply in this case. | ||
11 | |||
12 | CVE: CVE-2015-8126 patch #2 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | |||
16 | diff -ruN a/pngrutil.c b/pngrutil.c | ||
17 | --- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200 | ||
18 | +++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100 | ||
19 | @@ -997,6 +997,9 @@ | ||
20 | * confusing. | ||
21 | * | ||
22 | * Fix this by not sharing the palette in this way. | ||
23 | + * | ||
24 | + * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when | ||
25 | + * it attempts to set a palette length that is too large for the bit depth. | ||
26 | */ | ||
27 | png_set_PLTE(png_ptr, info_ptr, palette, num); | ||
28 | |||
29 | diff -ruN a/pngset.c b/pngset.c | ||
30 | --- a/pngset.c 2014-08-21 12:53:36.000000000 +0200 | ||
31 | +++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100 | ||
32 | @@ -503,12 +503,17 @@ | ||
33 | png_const_colorp palette, int num_palette) | ||
34 | { | ||
35 | |||
36 | + png_uint_32 max_palette_length; | ||
37 | + | ||
38 | png_debug1(1, "in %s storage function", "PLTE"); | ||
39 | |||
40 | if (png_ptr == NULL || info_ptr == NULL) | ||
41 | return; | ||
42 | |||
43 | - if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) | ||
44 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
45 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
46 | + | ||
47 | + if (num_palette < 0 || num_palette > max_palette_length) | ||
48 | { | ||
49 | if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
50 | png_error(png_ptr, "Invalid palette length"); | ||
51 | @@ -541,8 +546,8 @@ | ||
52 | png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); | ||
53 | |||
54 | /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead | ||
55 | - * of num_palette entries, in case of an invalid PNG file that has | ||
56 | - * too-large sample values. | ||
57 | + * of num_palette entries, in case of an invalid PNG file or incorrect | ||
58 | + * call to png_set_PLTE() with too-large sample values. | ||
59 | */ | ||
60 | png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, | ||
61 | PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); | ||
62 | diff -ruN a/pngwutil.c b/pngwutil.c | ||
63 | --- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100 | ||
64 | +++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100 | ||
65 | @@ -919,20 +919,20 @@ | ||
66 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
67 | png_uint_32 num_pal) | ||
68 | { | ||
69 | - png_uint_32 max_num_pal, i; | ||
70 | + png_uint_32 max_palette_length, i; | ||
71 | png_const_colorp pal_ptr; | ||
72 | png_byte buf[3]; | ||
73 | |||
74 | png_debug(1, "in png_write_PLTE"); | ||
75 | |||
76 | - max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
77 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
78 | (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
79 | |||
80 | if (( | ||
81 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
82 | !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) && | ||
83 | #endif | ||
84 | - num_pal == 0) || num_pal > max_num_pal) | ||
85 | + num_pal == 0) || num_pal > max_palette_length) | ||
86 | { | ||
87 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
88 | { | ||