blob: f38a222170f68db443699ef936df6c431b103b37 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
This patch is taken from upstream and is a fix for CVE CVE-2011-2690
Description: fix denial of service and possible arbitrary code
execution via crafted PNG image
Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d572394c2a018ef22e9685ac189f5f05c08ea6f5
Upstream-Status: Backport
Signed-off-by: Joshua Lock <josh@linux.intel.com>
Index: libpng-1.2.44/pngrtran.c
===================================================================
--- libpng-1.2.44.orig/pngrtran.c 2011-07-26 08:18:55.489498092 -0400
+++ libpng-1.2.44/pngrtran.c 2011-07-26 08:19:02.079498092 -0400
@@ -676,10 +676,21 @@
png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
double green)
{
- int red_fixed = (int)((float)red*100000.0 + 0.5);
- int green_fixed = (int)((float)green*100000.0 + 0.5);
+ int red_fixed, green_fixed;
if (png_ptr == NULL)
return;
+ if (red > 21474.83647 || red < -21474.83648 ||
+ green > 21474.83647 || green < -21474.83648)
+ {
+ png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+ red_fixed = -1;
+ green_fixed = -1;
+ }
+ else
+ {
+ red_fixed = (int)((float)red*100000.0 + 0.5);
+ green_fixed = (int)((float)green*100000.0 + 0.5);
+ }
png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
}
#endif
|