summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r--meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch29
-rw-r--r--meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch38
-rw-r--r--meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch29
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.2.44.bb7
4 files changed, 101 insertions, 2 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
new file mode 100644
index 0000000000..c4f98c69a4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
@@ -0,0 +1,29 @@
1This patch is taken from upstream and is a fix for CVE CVE-2011-2501
2
3Description: fix denial of service via error message data
4Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
5
6Upstream-Status: Backport
7
8Signed-off-by: Joshua Lock <josh@linux.intel.com>
9
10Index: libpng-1.2.44/pngerror.c
11===================================================================
12--- libpng-1.2.44.orig/pngerror.c 2011-07-26 08:18:20.769498103 -0400
13+++ libpng-1.2.44/pngerror.c 2011-07-26 08:18:32.819498098 -0400
14@@ -181,8 +181,13 @@
15 {
16 buffer[iout++] = ':';
17 buffer[iout++] = ' ';
18- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
19- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
20+
21+ iin = 0;
22+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
23+ buffer[iout++] = error_message[iin++];
24+
25+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
26+ buffer[iout] = '\0';
27 }
28 }
29
diff --git a/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch
new file mode 100644
index 0000000000..f38a222170
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch
@@ -0,0 +1,38 @@
1This patch is taken from upstream and is a fix for CVE CVE-2011-2690
2
3Description: fix denial of service and possible arbitrary code
4 execution via crafted PNG image
5Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d572394c2a018ef22e9685ac189f5f05c08ea6f5
6
7Upstream-Status: Backport
8
9Signed-off-by: Joshua Lock <josh@linux.intel.com>
10
11Index: libpng-1.2.44/pngrtran.c
12===================================================================
13--- libpng-1.2.44.orig/pngrtran.c 2011-07-26 08:18:55.489498092 -0400
14+++ libpng-1.2.44/pngrtran.c 2011-07-26 08:19:02.079498092 -0400
15@@ -676,10 +676,21 @@
16 png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
17 double green)
18 {
19- int red_fixed = (int)((float)red*100000.0 + 0.5);
20- int green_fixed = (int)((float)green*100000.0 + 0.5);
21+ int red_fixed, green_fixed;
22 if (png_ptr == NULL)
23 return;
24+ if (red > 21474.83647 || red < -21474.83648 ||
25+ green > 21474.83647 || green < -21474.83648)
26+ {
27+ png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
28+ red_fixed = -1;
29+ green_fixed = -1;
30+ }
31+ else
32+ {
33+ red_fixed = (int)((float)red*100000.0 + 0.5);
34+ green_fixed = (int)((float)green*100000.0 + 0.5);
35+ }
36 png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
37 }
38 #endif
diff --git a/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch
new file mode 100644
index 0000000000..5a0f51e269
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch
@@ -0,0 +1,29 @@
1This patch is taken from upstream and is a fix for CVE CVE-2011-2962
2
3Description: fix denial of service and possible arbitrary code
4 execution via invalid sCAL chunks
5Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
6
7Upstream-Status: Backport
8
9Signed-off-by: Joshua Lock <josh@linux.intel.com>
10
11Index: libpng-1.2.44/pngrutil.c
12===================================================================
13--- libpng-1.2.44.orig/pngrutil.c 2011-07-26 08:19:22.619498085 -0400
14+++ libpng-1.2.44/pngrutil.c 2011-07-26 08:19:26.909498086 -0400
15@@ -1812,6 +1812,14 @@
16 return;
17 }
18
19+ /* Need unit type, width, \0, height: minimum 4 bytes */
20+ else if (length < 4)
21+ {
22+ png_warning(png_ptr, "sCAL chunk too short");
23+ png_crc_finish(png_ptr, length);
24+ return;
25+ }
26+
27 png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
28 length + 1);
29 png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
diff --git a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
index 4a8d5c30ed..58c20f0314 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
@@ -6,9 +6,12 @@ LICENSE = "libpng"
6LIC_FILES_CHKSUM = "file://LICENSE;md5=a294a2bb08b7f25558119edbfd6b2e92 \ 6LIC_FILES_CHKSUM = "file://LICENSE;md5=a294a2bb08b7f25558119edbfd6b2e92 \
7 file://png.h;startline=172;endline=261;md5=3253923f0093658f470e52a06ddcf4e7" 7 file://png.h;startline=172;endline=261;md5=3253923f0093658f470e52a06ddcf4e7"
8DEPENDS = "zlib" 8DEPENDS = "zlib"
9PR = "r0" 9PR = "r1"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2" 11SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2 \
12 file://02-CVE-2011-2501.patch \
13 file://03-CVE-2011-2690.patch \
14 file://04-CVE-2011-2692.patch"
12 15
13SRC_URI[md5sum] = "e3ac7879d62ad166a6f0c7441390d12b" 16SRC_URI[md5sum] = "e3ac7879d62ad166a6f0c7441390d12b"
14SRC_URI[sha256sum] = "b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215" 17SRC_URI[sha256sum] = "b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215"