1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Thu, 29 Oct 2015 09:26:41 -0500
Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
CVE: CVE-2015-8126 patch #1
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
diff -ruN a/libpng.3 b/libpng.3
--- a/libpng.3 2014-08-21 12:53:36.000000000 +0200
+++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100
@@ -5611,6 +5611,11 @@
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
.SH XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never
diff -ruN a/libpng-manual.txt b/libpng-manual.txt
--- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200
+++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100
@@ -5107,6 +5107,11 @@
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never
diff -ruN a/pngwutil.c b/pngwutil.c
--- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200
+++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100
@@ -919,17 +919,20 @@
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
png_uint_32 num_pal)
{
- png_uint_32 i;
+ png_uint_32 max_num_pal, i;
png_const_colorp pal_ptr;
png_byte buf[3];
png_debug(1, "in png_write_PLTE");
+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
if ((
#ifdef PNG_MNG_FEATURES_SUPPORTED
!(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
#endif
- num_pal == 0) || num_pal > 256)
+ num_pal == 0) || num_pal > max_num_pal)
{
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{
|
