diff options
| author |   Sona Sarmadi <sona.sarmadi@enea.com> | 2015-04-29 11:02:19 +0200 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-05-01 12:34:06 +0100 |
| commit | 10c8aeebca301ffd853e75df3f9c1d16d0352d76 (patch) | |
| tree | d0a31b130b59f399032d22321b8b85aa02326b94 /meta/recipes-multimedia | |
| parent | 5f7cdf1e1212af5e3dcf36c8817c63cc853b1a91 (diff) | |
| download | openembedded-core-10c8aeebca301ffd853e75df3f9c1d16d0352d76.tar.gz | |
libpng16: CVE-2015-0973
Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow
vulnerability in the png_combine_row() function of the libpng library,
when very large interlaced images were used.
Upstream patch:
http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/
External Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0973
http://seclists.org/oss-sec/2014/q4/1133
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
| -rw-r--r-- | meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch | 47 | ||||
| -rw-r--r-- | meta/recipes-multimedia/libpng/libpng_1.6.8.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch new file mode 100644 index 0000000000..d66ac0c9ca --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/libpng16-CVE-2015-0973.patch @@ -0,0 +1,47 @@ +libpng16: Fixed an overflow in png_combine_row with very wide interlaced + +Fixes CVE-2015-0973 (duplicate of CVE-2014-9495), a heap-based overflow +vulnerability in the png_combine_row() function of the libpng library, +when very large interlaced images were used. + +Upstream patch: +http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/ + +Upstream-Status: Backport + +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- +diff --git a/pngrutil.c b/pngrutil.c +index e9fdd62..4c26be4 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -3003,7 +3003,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) + { + unsigned int pixel_depth = png_ptr->transformed_pixel_depth; + png_const_bytep sp = png_ptr->row_buf + 1; +- png_uint_32 row_width = png_ptr->width; ++ png_alloc_size_t row_width = png_ptr->width; + unsigned int pass = png_ptr->pass; + png_bytep end_ptr = 0; + png_byte end_byte = 0; +@@ -3278,7 +3278,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) + + /* But don't allow this number to exceed the actual row width. */ + if (bytes_to_copy > row_width) +- bytes_to_copy = row_width; ++ bytes_to_copy = (unsigned int)/*SAFE*/row_width; + } + + else /* normal row; Adam7 only ever gives us one pixel to copy. */ +@@ -3458,7 +3458,7 @@ png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display) + dp += bytes_to_jump; + row_width -= bytes_to_jump; + if (bytes_to_copy > row_width) +- bytes_to_copy = row_width; ++ bytes_to_copy = (unsigned int)/*SAFE*/row_width; + } + } + +-- +1.9.1 + diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb index d063495f05..bb7745b47c 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.8.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.8.bb @@ -10,6 +10,7 @@ LIBV = "16" SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ file://0001-configure-lower-automake-requirement.patch \ + file://libpng16-CVE-2015-0973.patch \ " SRC_URI[md5sum] = "51ce71a1642cdde1f4485a7ff82193c0" |