diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch | 47 | ||||
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng_1.6.8.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch new file mode 100644 index 0000000000..d66ac0c9ca --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | libpng16: Fixed an overflow in png_combine_row with very wide interlaced | ||
2 | |||
3 | Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow | ||
4 | vulnerability in the png_combine_row() function of the libpng library, | ||
5 | when very large interlaced images were used. | ||
6 | |||
7 | Upstream patch: | ||
8 | http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/ | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | diff --git a/pngrutil.c b/pngrutil.c | ||
15 | index e9fdd62..4c26be4 100644 | ||
16 | --- a/pngrutil.c | ||
17 | +++ b/pngrutil.c | ||
18 | @@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
19 | { | ||
20 | unsigned int pixel_depth = png_ptr->transformed_pixel_depth; | ||
21 | png_const_bytep sp = png_ptr->row_buf + 1; | ||
22 | - png_uint_32 row_width = png_ptr->width; | ||
23 | + png_alloc_size_t row_width = png_ptr->width; | ||
24 | unsigned int pass = png_ptr->pass; | ||
25 | png_bytep end_ptr = 0; | ||
26 | png_byte end_byte = 0; | ||
27 | @@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
28 | |||
29 | /* But don't allow this number to exceed the actual row width. */ | ||
30 | if (bytes_to_copy > row_width) | ||
31 | - bytes_to_copy = row_width; | ||
32 | + bytes_to_copy = (unsigned int)/*SAFE*/row_width; | ||
33 | } | ||
34 | |||
35 | else /* normal row; Adam7 only ever gives us one pixel to copy. */ | ||
36 | @@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) | ||
37 | dp += bytes_to_jump; | ||
38 | row_width -= bytes_to_jump; | ||
39 | if (bytes_to_copy > row_width) | ||
40 | - bytes_to_copy = row_width; | ||
41 | + bytes_to_copy = (unsigned int)/*SAFE*/row_width; | ||
42 | } | ||
43 | } | ||
44 | |||
45 | -- | ||
46 | 1.9.1 | ||
47 | |||
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb index d063495f05..bb7745b47c 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb | |||
@@ -10,6 +10,7 @@ LIBV = "16" | |||
10 | 10 | ||
11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ | 11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ |
12 | file://0001-configure-lower-automake-requirement.patch \ | 12 | file://0001-configure-lower-automake-requirement.patch \ |
13 | file://libpng16-CVE-2015-0973.patch \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0" | 16 | SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0" |