diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng')
3 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch new file mode 100644 index 0000000000..c4f98c69a4 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | This patch is taken from upstream and is a fix for CVE CVE-2011-2501 | ||
2 | |||
3 | Description: fix denial of service via error message data | ||
4 | Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Signed-off-by: Joshua Lock <josh@linux.intel.com> | ||
9 | |||
10 | Index: libpng-1.2.44/pngerror.c | ||
11 | =================================================================== | ||
12 | --- libpng-1.2.44.orig/pngerror.c 2011-07-26 08:18:20.769498103 -0400 | ||
13 | +++ libpng-1.2.44/pngerror.c 2011-07-26 08:18:32.819498098 -0400 | ||
14 | @@ -181,8 +181,13 @@ | ||
15 | { | ||
16 | buffer[iout++] = ':'; | ||
17 | buffer[iout++] = ' '; | ||
18 | - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); | ||
19 | - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; | ||
20 | + | ||
21 | + iin = 0; | ||
22 | + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') | ||
23 | + buffer[iout++] = error_message[iin++]; | ||
24 | + | ||
25 | + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ | ||
26 | + buffer[iout] = '\0'; | ||
27 | } | ||
28 | } | ||
29 | |||
diff --git a/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch new file mode 100644 index 0000000000..f38a222170 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | This patch is taken from upstream and is a fix for CVE CVE-2011-2690 | ||
2 | |||
3 | Description: fix denial of service and possible arbitrary code | ||
4 | execution via crafted PNG image | ||
5 | Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d572394c2a018ef22e9685ac189f5f05c08ea6f5 | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Joshua Lock <josh@linux.intel.com> | ||
10 | |||
11 | Index: libpng-1.2.44/pngrtran.c | ||
12 | =================================================================== | ||
13 | --- libpng-1.2.44.orig/pngrtran.c 2011-07-26 08:18:55.489498092 -0400 | ||
14 | +++ libpng-1.2.44/pngrtran.c 2011-07-26 08:19:02.079498092 -0400 | ||
15 | @@ -676,10 +676,21 @@ | ||
16 | png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red, | ||
17 | double green) | ||
18 | { | ||
19 | - int red_fixed = (int)((float)red*100000.0 + 0.5); | ||
20 | - int green_fixed = (int)((float)green*100000.0 + 0.5); | ||
21 | + int red_fixed, green_fixed; | ||
22 | if (png_ptr == NULL) | ||
23 | return; | ||
24 | + if (red > 21474.83647 || red < -21474.83648 || | ||
25 | + green > 21474.83647 || green < -21474.83648) | ||
26 | + { | ||
27 | + png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients"); | ||
28 | + red_fixed = -1; | ||
29 | + green_fixed = -1; | ||
30 | + } | ||
31 | + else | ||
32 | + { | ||
33 | + red_fixed = (int)((float)red*100000.0 + 0.5); | ||
34 | + green_fixed = (int)((float)green*100000.0 + 0.5); | ||
35 | + } | ||
36 | png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed); | ||
37 | } | ||
38 | #endif | ||
diff --git a/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch new file mode 100644 index 0000000000..5a0f51e269 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | This patch is taken from upstream and is a fix for CVE CVE-2011-2962 | ||
2 | |||
3 | Description: fix denial of service and possible arbitrary code | ||
4 | execution via invalid sCAL chunks | ||
5 | Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339 | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Joshua Lock <josh@linux.intel.com> | ||
10 | |||
11 | Index: libpng-1.2.44/pngrutil.c | ||
12 | =================================================================== | ||
13 | --- libpng-1.2.44.orig/pngrutil.c 2011-07-26 08:19:22.619498085 -0400 | ||
14 | +++ libpng-1.2.44/pngrutil.c 2011-07-26 08:19:26.909498086 -0400 | ||
15 | @@ -1812,6 +1812,14 @@ | ||
16 | return; | ||
17 | } | ||
18 | |||
19 | + /* Need unit type, width, \0, height: minimum 4 bytes */ | ||
20 | + else if (length < 4) | ||
21 | + { | ||
22 | + png_warning(png_ptr, "sCAL chunk too short"); | ||
23 | + png_crc_finish(png_ptr, length); | ||
24 | + return; | ||
25 | + } | ||
26 | + | ||
27 | png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", | ||
28 | length + 1); | ||
29 | png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); | ||