diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng')
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch new file mode 100644 index 0000000000..d66ac0c9ca --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | libpng16: Fixed an overflow in png_combine_row with very wide interlaced | ||
2 | |||
3 | Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow | ||
4 | vulnerability in the png_combine_row() function of the libpng library, | ||
5 | when very large interlaced images were used. | ||
6 | |||
7 | Upstream patch: | ||
8 | http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/ | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | diff --git a/pngrutil.c b/pngrutil.c | ||
15 | index e9fdd62..4c26be4 100644 | ||
16 | --- a/pngrutil.c | ||
17 | +++ b/pngrutil.c | ||
18 | @@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
19 | { | ||
20 | unsigned int pixel_depth = png_ptr->transformed_pixel_depth; | ||
21 | png_const_bytep sp = png_ptr->row_buf + 1; | ||
22 | - png_uint_32 row_width = png_ptr->width; | ||
23 | + png_alloc_size_t row_width = png_ptr->width; | ||
24 | unsigned int pass = png_ptr->pass; | ||
25 | png_bytep end_ptr = 0; | ||
26 | png_byte end_byte = 0; | ||
27 | @@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
28 | |||
29 | /* But don't allow this number to exceed the actual row width. */ | ||
30 | if (bytes_to_copy > row_width) | ||
31 | - bytes_to_copy = row_width; | ||
32 | + bytes_to_copy = (unsigned int)/*SAFE*/row_width; | ||
33 | } | ||
34 | |||
35 | else /* normal row; Adam7 only ever gives us one pixel to copy. */ | ||
36 | @@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
37 | dp += bytes_to_jump; | ||
38 | row_width -= bytes_to_jump; | ||
39 | if (bytes_to_copy > row_width) | ||
40 | - bytes_to_copy = row_width; | ||
41 | + bytes_to_copy = (unsigned int)/*SAFE*/row_width; | ||
42 | } | ||
43 | } | ||
44 | |||
45 | -- | ||
46 | 1.9.1 | ||
47 | |||