From fbe015523fd9ef214d3c988e727f57196a4b1f27 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 5 Feb 2016 06:03:48 -0800 Subject: libpng: Security fix CVE-2015-8126 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions Adjusted dir location to match the version. (From OE-Core master rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018) (From OE-Core rev: 20a1f80f554c2dc9da414c5846fb5bafd73e2cac) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Joshua Lock Signed-off-by: Richard Purdie --- .../libpng/libpng-1.6.16/CVE-2015-8126_2.patch | 134 +++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch') diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..4aa917084a --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_2.patch @@ -0,0 +1,134 @@ +From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Fri, 30 Oct 2015 07:57:49 -0500 +Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin + Truta). + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d + +Many changes involved date and version updates with don't apply in this case. + +CVE: CVE-2015-8126 patch #2 +Signed-off-by: Armin Kuster + +--- + ANNOUNCE | 6 +++--- + CHANGES | 4 ++-- + libpng-manual.txt | 11 +++++------ + libpng.3 | 19 +++++++++---------- + pngrutil.c | 3 +++ + pngset.c | 13 +++++++++---- + pngwutil.c | 6 +++--- + 7 files changed, 34 insertions(+), 28 deletions(-) + +Index: libpng-1.6.17/libpng-manual.txt +=================================================================== +--- libpng-1.6.17.orig/libpng-manual.txt ++++ libpng-1.6.17/libpng-manual.txt +@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + +-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk + is an error. Previously this requirement of the PNG specification was not +-enforced. Libpng continues to accept over-length PLTE chunks when reading, +-but does not make any use of the extra entries. ++enforced, and the palette was always limited to 256 entries. + + XIII. Detecting libpng + +Index: libpng-1.6.17/libpng.3 +=================================================================== +--- libpng-1.6.17.orig/libpng.3 ++++ libpng-1.6.17/libpng.3 +@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + +-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk + is an error. Previously this requirement of the PNG specification was not +-enforced. Libpng continues to accept over-length PLTE chunks when reading, +-but does not make any use of the extra entries. ++enforced, and the palette was always limited to 256 entries. + + .SH XIII. Detecting libpng + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn + * confusing. + * + * Fix this by not sharing the palette in this way. ++ * ++ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when ++ * it attempts to set a palette length that is too large for the bit depth. + */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + +Index: libpng-1.6.17/pngset.c +=================================================================== +--- libpng-1.6.17.orig/pngset.c ++++ libpng-1.6.17/pngset.c +@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_const_colorp palette, int num_palette) + { + ++ png_uint_32 max_palette_length; ++ + png_debug1(1, "in %s storage function", "PLTE"); + + if (png_ptr == NULL || info_ptr == NULL) + return; + +- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ ++ if (num_palette < 0 || num_palette > max_palette_length) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Invalid palette length"); +@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); + + /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead +- * of num_palette entries, in case of an invalid PNG file that has +- * too-large sample values. ++ * of num_palette entries, in case of an invalid PNG file or incorrect ++ * call to png_set_PLTE() with too-large sample values. + */ + png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); +Index: libpng-1.6.17/pngwutil.c +=================================================================== +--- libpng-1.6.17.orig/pngwutil.c ++++ libpng-1.6.17/pngwutil.c +@@ -922,20 +922,20 @@ void /* PRIVATE */ + png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, + png_uint_32 num_pal) + { +- png_uint_32 max_num_pal, i; ++ png_uint_32 max_palette_length, i; + png_const_colorp pal_ptr; + png_byte buf[3]; + + png_debug(1, "in png_write_PLTE"); + +- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + + if (( + #ifdef PNG_MNG_FEATURES_SUPPORTED + (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && + #endif +- num_pal == 0) || num_pal > max_num_pal) ++ num_pal == 0) || num_pal > max_palette_length) + { + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + { -- cgit v1.2.3-54-g00ecf