1 files changed, 29 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
new file mode 100644
index 0000000000..c4f98c69a4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
@@ -0,0 +1,29 @@
+This patch is taken from upstream and is a fix for CVE CVE-2011-2501
+Description: fix denial of service via error message data
+Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
+Upstream-Status: Backport
+Signed-off-by: Joshua Lock <josh@linux.intel.com>
+Index: libpng-1.2.44/pngerror.c
+===================================================================
+--- libpng-1.2.44.orig/pngerror.c       2011-07-26 08:18:20.769498103 -0400
+++ libpng-1.2.44/pngerror.c    2011-07-26 08:18:32.819498098 -0400
+@@ -181,8 +181,13 @@
+    {
+       buffer[iout++] = ':';
+       buffer[iout++] = ' ';
+-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
+    }
+ }
+

diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch new file mode 100644 index 0000000000..c4f98c69a4 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
@@ -0,0 +1,29 @@
	1	This patch is taken from upstream and is a fix for CVE CVE-2011-2501
	2
	3	Description: fix denial of service via error message data
	4	Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
	5
	6	Upstream-Status: Backport
	7
	8	Signed-off-by: Joshua Lock <josh@linux.intel.com>
	9
	10	Index: libpng-1.2.44/pngerror.c
	11	===================================================================
	12	--- libpng-1.2.44.orig/pngerror.c 2011-07-26 08:18:20.769498103 -0400
	13	+++ libpng-1.2.44/pngerror.c 2011-07-26 08:18:32.819498098 -0400
	14	@@ -181,8 +181,13 @@
	15	{
	16	buffer[iout++] = ':';
	17	buffer[iout++] = ' ';
	18	- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
	19	- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
	20	+
	21	+ iin = 0;
	22	+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
	23	+ buffer[iout++] = error_message[iin++];
	24	+
	25	+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
	26	+ buffer[iout] = '\0';
	27	}
	28	}
	29