libpng16: CVE-2015-0973

Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow vulnerability in the png_combine_row() function of the libpng library, when very large interlaced images were used. Upstream patch: http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/ External Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0973 http://seclists.org/oss-sec/2014/q4/1133 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-02-24 13:17:09 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-07-06 20:19:37 +0200
commit: 7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8 (patch)
tree: 3b3266bc337f2a8cf4858c2a20cf562f5a207b54
parent: 57e2046e575c85d5963b108792a28fc166329234 (diff)
download: poky-7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
new file mode 100644
index 0000000000..d66ac0c9ca
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
@@ -0,0 +1,47 @@
+libpng16: Fixed an overflow in png_combine_row with very wide interlaced
+Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow 
+vulnerability in the png_combine_row() function of the libpng library, 
+when very large interlaced images were used. 
+Upstream patch:
+http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff --git a/pngrutil.c b/pngrutil.c
+index e9fdd62..4c26be4 100644
+--- a/pngrutil.c
+++ b/pngrutil.c
+@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ {
+    unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
+    png_const_bytep sp = png_ptr->row_buf + 1;
+-   png_uint_32 row_width = png_ptr->width;
+   png_alloc_size_t row_width = png_ptr->width;
+    unsigned int pass = png_ptr->pass;
+    png_bytep end_ptr = 0;
+    png_byte end_byte = 0;
+@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+ 
+             /* But don't allow this number to exceed the actual row width. */
+             if (bytes_to_copy > row_width)
+-               bytes_to_copy = row_width;
+               bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+          }
+ 
+          else /* normal row; Adam7 only ever gives us one pixel to copy. */
+@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
+                   dp += bytes_to_jump;
+                   row_width -= bytes_to_jump;
+                   if (bytes_to_copy > row_width)
+-                     bytes_to_copy = row_width;
+                     bytes_to_copy = (unsigned int)/*SAFE*/row_width;
+                }
+          }
+ 
+-- 
+1.9.1
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
index d063495f05..bb7745b47c 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
@@ -10,6 +10,7 @@ LIBV = "16"
 SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
           file://0001-configure-lower-automake-requirement.patch \
+           file://libpng16-CVE-2015-0973.patch \
          "
 SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-02-24 13:17:09 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-07-06 20:19:37 +0200
commit	7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8 (patch)
tree	3b3266bc337f2a8cf4858c2a20cf562f5a207b54
parent	57e2046e575c85d5963b108792a28fc166329234 (diff)
download	poky-7247ad93ebeeb15defb0b57f4c95c0a0464c2cb8.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch new file mode 100644 index 0000000000..d66ac0c9ca --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch
@@ -0,0 +1,47 @@
		1	libpng16: Fixed an overflow in png_combine_row with very wide interlaced
		2
		3	Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow
		4	vulnerability in the png_combine_row() function of the libpng library,
		5	when very large interlaced images were used.
		6
		7	Upstream patch:
		8	http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
		9
		10	Upstream-Status: Backport
		11
		12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		13	---
		14	diff --git a/pngrutil.c b/pngrutil.c
		15	index e9fdd62..4c26be4 100644
		16	--- a/pngrutil.c
		17	+++ b/pngrutil.c
		18	@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
		19	{
		20	unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
		21	png_const_bytep sp = png_ptr->row_buf + 1;
		22	- png_uint_32 row_width = png_ptr->width;
		23	+ png_alloc_size_t row_width = png_ptr->width;
		24	unsigned int pass = png_ptr->pass;
		25	png_bytep end_ptr = 0;
		26	png_byte end_byte = 0;
		27	@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
		28
		29	/* But don't allow this number to exceed the actual row width. */
		30	if (bytes_to_copy > row_width)
		31	- bytes_to_copy = row_width;
		32	+ bytes_to_copy = (unsigned int)/SAFE/row_width;
		33	}
		34
		35	else /* normal row; Adam7 only ever gives us one pixel to copy. */
		36	@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
		37	dp += bytes_to_jump;
		38	row_width -= bytes_to_jump;
		39	if (bytes_to_copy > row_width)
		40	- bytes_to_copy = row_width;
		41	+ bytes_to_copy = (unsigned int)/SAFE/row_width;
		42	}
		43	}
		44
		45	--
		46	1.9.1
		47


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb index d063495f05..bb7745b47c 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb
@@ -10,6 +10,7 @@ LIBV = "16"
10		10
11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \	11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
12	file://0001-configure-lower-automake-requirement.patch \	12	file://0001-configure-lower-automake-requirement.patch \
		13	file://libpng16-CVE-2015-0973.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0"	16	SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0"