blob: 5a0f51e269d8cef47951e2627d0da52443e20674 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
This patch is taken from upstream and is a fix for CVE CVE-2011-2962
Description: fix denial of service and possible arbitrary code
execution via invalid sCAL chunks
Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
Upstream-Status: Backport
Signed-off-by: Joshua Lock <josh@linux.intel.com>
Index: libpng-1.2.44/pngrutil.c
===================================================================
--- libpng-1.2.44.orig/pngrutil.c 2011-07-26 08:19:22.619498085 -0400
+++ libpng-1.2.44/pngrutil.c 2011-07-26 08:19:26.909498086 -0400
@@ -1812,6 +1812,14 @@
return;
}
+ /* Need unit type, width, \0, height: minimum 4 bytes */
+ else if (length < 4)
+ {
+ png_warning(png_ptr, "sCAL chunk too short");
+ png_crc_finish(png_ptr, length);
+ return;
+ }
+
png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
length + 1);
png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
|
