summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch')
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
new file mode 100644
index 0000000000..0e0ad23200
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
1From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 11:34:37 -0500
4Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
5 reading.
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
9
10Normal Issues is date and version conflicts not applied.
11
12CVE: CVE-2015-8i26 patch #3
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16
17---
18 ANNOUNCE | 3 ++-
19 CHANGES | 3 ++-
20 pngrutil.c | 15 +++++++++++----
21 pngset.c | 2 +-
22 4 files changed, 16 insertions(+), 7 deletions(-)
23
24Index: libpng-1.6.17/pngrutil.c
25===================================================================
26--- libpng-1.6.17.orig/pngrutil.c
27+++ libpng-1.6.17/pngrutil.c
28@@ -867,7 +867,7 @@ void /* PRIVATE */
29 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
30 {
31 png_color palette[PNG_MAX_PALETTE_LENGTH];
32- int num, i;
33+ int max_palette_length, num, i;
34 #ifdef PNG_POINTER_INDEXING_SUPPORTED
35 png_colorp pal_ptr;
36 #endif
37@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
38 return;
39 }
40
41+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
42+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
43+
44 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
45 num = (int)length / 3;
46
47+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
48+ * we don't issue an error, to preserve the behavior of previous libpng versions.
49+ * We silently truncate the unused extra palette entries here.
50+ */
51+ if (num > max_palette_length)
52+ num = max_palette_length;
53+
54 #ifdef PNG_POINTER_INDEXING_SUPPORTED
55 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
56 {
57@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
58 * confusing.
59 *
60 * Fix this by not sharing the palette in this way.
61- *
62- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
63- * it attempts to set a palette length that is too large for the bit depth.
64 */
65 png_set_PLTE(png_ptr, info_ptr, palette, num);
66
67Index: libpng-1.6.17/pngset.c
68===================================================================
69--- libpng-1.6.17.orig/pngset.c
70+++ libpng-1.6.17/pngset.c
71@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
72 max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
73 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
74
75- if (num_palette < 0 || num_palette > max_palette_length)
76+ if (num_palette < 0 || num_palette > (int) max_palette_length)
77 {
78 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
79 png_error(png_ptr, "Invalid palette length");