summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libpng/libpng-1.6.16/CVE-2015-8126_3.patch
blob: 0e0ad23200a4beb2bcfd01cddccd53eb103964a9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Fri, 30 Oct 2015 11:34:37 -0500
Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
 reading.

Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978

Normal Issues is date and version conflicts not applied.

CVE: CVE-2015-8i26 patch #3

Signed-off-by: Armin Kuster <akuster@mvista.com>


---
 ANNOUNCE   |  3 ++-
 CHANGES    |  3 ++-
 pngrutil.c | 15 +++++++++++----
 pngset.c   |  2 +-
 4 files changed, 16 insertions(+), 7 deletions(-)

Index: libpng-1.6.17/pngrutil.c
===================================================================
--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
@@ -867,7 +867,7 @@ void /* PRIVATE */
 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 {
    png_color palette[PNG_MAX_PALETTE_LENGTH];
-   int num, i;
+   int max_palette_length, num, i;
 #ifdef PNG_POINTER_INDEXING_SUPPORTED
    png_colorp pal_ptr;
 #endif
@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
       return;
    }
 
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
    num = (int)length / 3;
 
+   /* If the palette has 256 or fewer entries but is too large for the bit depth,
+    * we don't issue an error, to preserve the behavior of previous libpng versions.
+    * We silently truncate the unused extra palette entries here.
+    */
+   if (num > max_palette_length)
+     num = max_palette_length;
+
 #ifdef PNG_POINTER_INDEXING_SUPPORTED
    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
    {
@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
     * confusing.
     *
     * Fix this by not sharing the palette in this way.
-    *
-    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
-    * it attempts to set a palette length that is too large for the bit depth.
     */
    png_set_PLTE(png_ptr, info_ptr, palette, num);
 
Index: libpng-1.6.17/pngset.c
===================================================================
--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 
-   if (num_palette < 0 || num_palette > max_palette_length)
+   if (num_palette < 0 || num_palette > (int) max_palette_length)
    {
       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
          png_error(png_ptr, "Invalid palette length");