diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch')
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..25fe1364d3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Thu, 29 Oct 2015 09:26:41 -0500 | ||
4 | Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 | ||
8 | |||
9 | CVE: CVE-2015-8126 patch #1 | ||
10 | |||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | |||
13 | --- | ||
14 | libpng-manual.txt | 5 +++++ | ||
15 | libpng.3 | 5 +++++ | ||
16 | pngwrite.c | 4 ++-- | ||
17 | pngwutil.c | 7 +++++-- | ||
18 | 4 files changed, 17 insertions(+), 4 deletions(-) | ||
19 | |||
20 | Index: libpng-1.6.17/libpng-manual.txt | ||
21 | =================================================================== | ||
22 | --- libpng-1.6.17.orig/libpng-manual.txt | ||
23 | +++ libpng-1.6.17/libpng-manual.txt | ||
24 | @@ -5109,6 +5109,11 @@ length, which resulted in PNG files that | ||
25 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
26 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
27 | |||
28 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
29 | +is an error. Previously this requirement of the PNG specification was not | ||
30 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
31 | +but does not make any use of the extra entries. | ||
32 | + | ||
33 | XIII. Detecting libpng | ||
34 | |||
35 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
36 | Index: libpng-1.6.17/libpng.3 | ||
37 | =================================================================== | ||
38 | --- libpng-1.6.17.orig/libpng.3 | ||
39 | +++ libpng-1.6.17/libpng.3 | ||
40 | @@ -5613,6 +5613,11 @@ length, which resulted in PNG files that | ||
41 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
42 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
43 | |||
44 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
45 | +is an error. Previously this requirement of the PNG specification was not | ||
46 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
47 | +but does not make any use of the extra entries. | ||
48 | + | ||
49 | .SH XIII. Detecting libpng | ||
50 | |||
51 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
52 | Index: libpng-1.6.17/pngwrite.c | ||
53 | =================================================================== | ||
54 | --- libpng-1.6.17.orig/pngwrite.c | ||
55 | +++ libpng-1.6.17/pngwrite.c | ||
56 | @@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png | ||
57 | png_write_PLTE(png_ptr, info_ptr->palette, | ||
58 | (png_uint_32)info_ptr->num_palette); | ||
59 | |||
60 | - else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) | ||
61 | + else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
62 | png_error(png_ptr, "Valid palette required for paletted images"); | ||
63 | |||
64 | #ifdef PNG_WRITE_tRNS_SUPPORTED | ||
65 | Index: libpng-1.6.17/pngwutil.c | ||
66 | =================================================================== | ||
67 | --- libpng-1.6.17.orig/pngwutil.c | ||
68 | +++ libpng-1.6.17/pngwutil.c | ||
69 | @@ -922,17 +922,20 @@ void /* PRIVATE */ | ||
70 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
71 | png_uint_32 num_pal) | ||
72 | { | ||
73 | - png_uint_32 i; | ||
74 | + png_uint_32 max_num_pal, i; | ||
75 | png_const_colorp pal_ptr; | ||
76 | png_byte buf[3]; | ||
77 | |||
78 | png_debug(1, "in png_write_PLTE"); | ||
79 | |||
80 | + max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
81 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
82 | + | ||
83 | if (( | ||
84 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
85 | (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && | ||
86 | #endif | ||
87 | - num_pal == 0) || num_pal > 256) | ||
88 | + num_pal == 0) || num_pal > max_num_pal) | ||
89 | { | ||
90 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
91 | { | ||