diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng')
5 files changed, 359 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..25fe1364d3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Thu, 29 Oct 2015 09:26:41 -0500 | ||
4 | Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 | ||
8 | |||
9 | CVE: CVE-2015-8126 patch #1 | ||
10 | |||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | |||
13 | --- | ||
14 | libpng-manual.txt | 5 +++++ | ||
15 | libpng.3 | 5 +++++ | ||
16 | pngwrite.c | 4 ++-- | ||
17 | pngwutil.c | 7 +++++-- | ||
18 | 4 files changed, 17 insertions(+), 4 deletions(-) | ||
19 | |||
20 | Index: libpng-1.6.17/libpng-manual.txt | ||
21 | =================================================================== | ||
22 | --- libpng-1.6.17.orig/libpng-manual.txt | ||
23 | +++ libpng-1.6.17/libpng-manual.txt | ||
24 | @@ -5109,6 +5109,11 @@ length, which resulted in PNG files that | ||
25 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
26 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
27 | |||
28 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
29 | +is an error. Previously this requirement of the PNG specification was not | ||
30 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
31 | +but does not make any use of the extra entries. | ||
32 | + | ||
33 | XIII. Detecting libpng | ||
34 | |||
35 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
36 | Index: libpng-1.6.17/libpng.3 | ||
37 | =================================================================== | ||
38 | --- libpng-1.6.17.orig/libpng.3 | ||
39 | +++ libpng-1.6.17/libpng.3 | ||
40 | @@ -5613,6 +5613,11 @@ length, which resulted in PNG files that | ||
41 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
42 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
43 | |||
44 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
45 | +is an error. Previously this requirement of the PNG specification was not | ||
46 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
47 | +but does not make any use of the extra entries. | ||
48 | + | ||
49 | .SH XIII. Detecting libpng | ||
50 | |||
51 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
52 | Index: libpng-1.6.17/pngwrite.c | ||
53 | =================================================================== | ||
54 | --- libpng-1.6.17.orig/pngwrite.c | ||
55 | +++ libpng-1.6.17/pngwrite.c | ||
56 | @@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png | ||
57 | png_write_PLTE(png_ptr, info_ptr->palette, | ||
58 | (png_uint_32)info_ptr->num_palette); | ||
59 | |||
60 | - else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) | ||
61 | + else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
62 | png_error(png_ptr, "Valid palette required for paletted images"); | ||
63 | |||
64 | #ifdef PNG_WRITE_tRNS_SUPPORTED | ||
65 | Index: libpng-1.6.17/pngwutil.c | ||
66 | =================================================================== | ||
67 | --- libpng-1.6.17.orig/pngwutil.c | ||
68 | +++ libpng-1.6.17/pngwutil.c | ||
69 | @@ -922,17 +922,20 @@ void /* PRIVATE */ | ||
70 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
71 | png_uint_32 num_pal) | ||
72 | { | ||
73 | - png_uint_32 i; | ||
74 | + png_uint_32 max_num_pal, i; | ||
75 | png_const_colorp pal_ptr; | ||
76 | png_byte buf[3]; | ||
77 | |||
78 | png_debug(1, "in png_write_PLTE"); | ||
79 | |||
80 | + max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
81 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
82 | + | ||
83 | if (( | ||
84 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
85 | (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && | ||
86 | #endif | ||
87 | - num_pal == 0) || num_pal > 256) | ||
88 | + num_pal == 0) || num_pal > max_num_pal) | ||
89 | { | ||
90 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
91 | { | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..4aa917084a --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch | |||
@@ -0,0 +1,134 @@ | |||
1 | From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Fri, 30 Oct 2015 07:57:49 -0500 | ||
4 | Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin | ||
5 | Truta). | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d | ||
9 | |||
10 | Many changes involved date and version updates with don't apply in this case. | ||
11 | |||
12 | CVE: CVE-2015-8126 patch #2 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | |||
15 | --- | ||
16 | ANNOUNCE | 6 +++--- | ||
17 | CHANGES | 4 ++-- | ||
18 | libpng-manual.txt | 11 +++++------ | ||
19 | libpng.3 | 19 +++++++++---------- | ||
20 | pngrutil.c | 3 +++ | ||
21 | pngset.c | 13 +++++++++---- | ||
22 | pngwutil.c | 6 +++--- | ||
23 | 7 files changed, 34 insertions(+), 28 deletions(-) | ||
24 | |||
25 | Index: libpng-1.6.17/libpng-manual.txt | ||
26 | =================================================================== | ||
27 | --- libpng-1.6.17.orig/libpng-manual.txt | ||
28 | +++ libpng-1.6.17/libpng-manual.txt | ||
29 | @@ -5109,10 +5109,9 @@ length, which resulted in PNG files that | ||
30 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
31 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
32 | |||
33 | -Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
34 | +Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk | ||
35 | is an error. Previously this requirement of the PNG specification was not | ||
36 | -enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
37 | -but does not make any use of the extra entries. | ||
38 | +enforced, and the palette was always limited to 256 entries. | ||
39 | |||
40 | XIII. Detecting libpng | ||
41 | |||
42 | Index: libpng-1.6.17/libpng.3 | ||
43 | =================================================================== | ||
44 | --- libpng-1.6.17.orig/libpng.3 | ||
45 | +++ libpng-1.6.17/libpng.3 | ||
46 | @@ -5613,10 +5613,9 @@ length, which resulted in PNG files that | ||
47 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
48 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
49 | |||
50 | -Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
51 | +Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk | ||
52 | is an error. Previously this requirement of the PNG specification was not | ||
53 | -enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
54 | -but does not make any use of the extra entries. | ||
55 | +enforced, and the palette was always limited to 256 entries. | ||
56 | |||
57 | .SH XIII. Detecting libpng | ||
58 | |||
59 | Index: libpng-1.6.17/pngrutil.c | ||
60 | =================================================================== | ||
61 | --- libpng-1.6.17.orig/pngrutil.c | ||
62 | +++ libpng-1.6.17/pngrutil.c | ||
63 | @@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
64 | * confusing. | ||
65 | * | ||
66 | * Fix this by not sharing the palette in this way. | ||
67 | + * | ||
68 | + * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when | ||
69 | + * it attempts to set a palette length that is too large for the bit depth. | ||
70 | */ | ||
71 | png_set_PLTE(png_ptr, info_ptr, palette, num); | ||
72 | |||
73 | Index: libpng-1.6.17/pngset.c | ||
74 | =================================================================== | ||
75 | --- libpng-1.6.17.orig/pngset.c | ||
76 | +++ libpng-1.6.17/pngset.c | ||
77 | @@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i | ||
78 | png_const_colorp palette, int num_palette) | ||
79 | { | ||
80 | |||
81 | + png_uint_32 max_palette_length; | ||
82 | + | ||
83 | png_debug1(1, "in %s storage function", "PLTE"); | ||
84 | |||
85 | if (png_ptr == NULL || info_ptr == NULL) | ||
86 | return; | ||
87 | |||
88 | - if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) | ||
89 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
90 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
91 | + | ||
92 | + if (num_palette < 0 || num_palette > max_palette_length) | ||
93 | { | ||
94 | if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
95 | png_error(png_ptr, "Invalid palette length"); | ||
96 | @@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i | ||
97 | png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); | ||
98 | |||
99 | /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead | ||
100 | - * of num_palette entries, in case of an invalid PNG file that has | ||
101 | - * too-large sample values. | ||
102 | + * of num_palette entries, in case of an invalid PNG file or incorrect | ||
103 | + * call to png_set_PLTE() with too-large sample values. | ||
104 | */ | ||
105 | png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, | ||
106 | PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); | ||
107 | Index: libpng-1.6.17/pngwutil.c | ||
108 | =================================================================== | ||
109 | --- libpng-1.6.17.orig/pngwutil.c | ||
110 | +++ libpng-1.6.17/pngwutil.c | ||
111 | @@ -922,20 +922,20 @@ void /* PRIVATE */ | ||
112 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
113 | png_uint_32 num_pal) | ||
114 | { | ||
115 | - png_uint_32 max_num_pal, i; | ||
116 | + png_uint_32 max_palette_length, i; | ||
117 | png_const_colorp pal_ptr; | ||
118 | png_byte buf[3]; | ||
119 | |||
120 | png_debug(1, "in png_write_PLTE"); | ||
121 | |||
122 | - max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
123 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
124 | (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
125 | |||
126 | if (( | ||
127 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
128 | (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && | ||
129 | #endif | ||
130 | - num_pal == 0) || num_pal > max_num_pal) | ||
131 | + num_pal == 0) || num_pal > max_palette_length) | ||
132 | { | ||
133 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
134 | { | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Fri, 30 Oct 2015 11:34:37 -0500 | ||
4 | Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while | ||
5 | reading. | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 | ||
9 | |||
10 | Normal Issues is date and version conflicts not applied. | ||
11 | |||
12 | CVE: CVE-2015-8i26 patch #3 | ||
13 | |||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | |||
17 | --- | ||
18 | ANNOUNCE | 3 ++- | ||
19 | CHANGES | 3 ++- | ||
20 | pngrutil.c | 15 +++++++++++---- | ||
21 | pngset.c | 2 +- | ||
22 | 4 files changed, 16 insertions(+), 7 deletions(-) | ||
23 | |||
24 | Index: libpng-1.6.17/pngrutil.c | ||
25 | =================================================================== | ||
26 | --- libpng-1.6.17.orig/pngrutil.c | ||
27 | +++ libpng-1.6.17/pngrutil.c | ||
28 | @@ -867,7 +867,7 @@ void /* PRIVATE */ | ||
29 | png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) | ||
30 | { | ||
31 | png_color palette[PNG_MAX_PALETTE_LENGTH]; | ||
32 | - int num, i; | ||
33 | + int max_palette_length, num, i; | ||
34 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
35 | png_colorp pal_ptr; | ||
36 | #endif | ||
37 | @@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
38 | return; | ||
39 | } | ||
40 | |||
41 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
42 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
43 | + | ||
44 | /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ | ||
45 | num = (int)length / 3; | ||
46 | |||
47 | + /* If the palette has 256 or fewer entries but is too large for the bit depth, | ||
48 | + * we don't issue an error, to preserve the behavior of previous libpng versions. | ||
49 | + * We silently truncate the unused extra palette entries here. | ||
50 | + */ | ||
51 | + if (num > max_palette_length) | ||
52 | + num = max_palette_length; | ||
53 | + | ||
54 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
55 | for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) | ||
56 | { | ||
57 | @@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
58 | * confusing. | ||
59 | * | ||
60 | * Fix this by not sharing the palette in this way. | ||
61 | - * | ||
62 | - * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when | ||
63 | - * it attempts to set a palette length that is too large for the bit depth. | ||
64 | */ | ||
65 | png_set_PLTE(png_ptr, info_ptr, palette, num); | ||
66 | |||
67 | Index: libpng-1.6.17/pngset.c | ||
68 | =================================================================== | ||
69 | --- libpng-1.6.17.orig/pngset.c | ||
70 | +++ libpng-1.6.17/pngset.c | ||
71 | @@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i | ||
72 | max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
73 | (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
74 | |||
75 | - if (num_palette < 0 || num_palette > max_palette_length) | ||
76 | + if (num_palette < 0 || num_palette > (int) max_palette_length) | ||
77 | { | ||
78 | if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
79 | png_error(png_ptr, "Invalid palette length"); | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch new file mode 100644 index 0000000000..2622630d10 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Thu, 5 Nov 2015 11:18:44 -0600 | ||
4 | Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE() | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 | ||
8 | |||
9 | CVE: CVE-2015-8126 patch #4 | ||
10 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
11 | |||
12 | --- | ||
13 | pngrutil.c | 17 ++++++++++------- | ||
14 | 1 file changed, 10 insertions(+), 7 deletions(-) | ||
15 | |||
16 | Index: libpng-1.6.17/pngrutil.c | ||
17 | =================================================================== | ||
18 | --- libpng-1.6.17.orig/pngrutil.c | ||
19 | +++ libpng-1.6.17/pngrutil.c | ||
20 | @@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
21 | return; | ||
22 | } | ||
23 | |||
24 | - max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
25 | - (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
26 | - | ||
27 | /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ | ||
28 | num = (int)length / 3; | ||
29 | |||
30 | - /* If the palette has 256 or fewer entries but is too large for the bit depth, | ||
31 | - * we don't issue an error, to preserve the behavior of previous libpng versions. | ||
32 | - * We silently truncate the unused extra palette entries here. | ||
33 | + /* If the palette has 256 or fewer entries but is too large for the bit | ||
34 | + * depth, we don't issue an error, to preserve the behavior of previous | ||
35 | + * libpng versions. We silently truncate the unused extra palette entries | ||
36 | + * here. | ||
37 | */ | ||
38 | + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
39 | + max_palette_length = (1 << png_ptr->bit_depth); | ||
40 | + else | ||
41 | + max_palette_length = PNG_MAX_PALETTE_LENGTH; | ||
42 | + | ||
43 | if (num > max_palette_length) | ||
44 | - num = max_palette_length; | ||
45 | + num = max_palette_length; | ||
46 | |||
47 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
48 | for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) | ||
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb index 2d9835cf8c..110c43daf1 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb | |||
@@ -10,6 +10,13 @@ LIBV = "16" | |||
10 | 10 | ||
11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \ | 11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \ |
12 | " | 12 | " |
13 | SRC_URI += "\ | ||
14 | file://CVE-2015-8126_1.patch \ | ||
15 | file://CVE-2015-8126_2.patch \ | ||
16 | file://CVE-2015-8126_3.patch \ | ||
17 | file://CVE-2015-8126_4.patch \ | ||
18 | " | ||
19 | |||
13 | SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e" | 20 | SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e" |
14 | SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd" | 21 | SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd" |
15 | 22 | ||