1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Thu, 29 Oct 2015 09:26:41 -0500
Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
CVE: CVE-2015-8126 patch #1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
libpng-manual.txt | 5 +++++
libpng.3 | 5 +++++
pngwrite.c | 4 ++--
pngwutil.c | 7 +++++--
4 files changed, 17 insertions(+), 4 deletions(-)
Index: libpng-1.6.17/libpng-manual.txt
===================================================================
--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never
Index: libpng-1.6.17/libpng.3
===================================================================
--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
chunk. This error was fixed in libpng-1.6.3, and a tool (called
contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
.SH XIII. Detecting libpng
The png_get_io_ptr() function has been present since libpng-0.88, has never
Index: libpng-1.6.17/pngwrite.c
===================================================================
--- libpng-1.6.17.orig/pngwrite.c
+++ libpng-1.6.17/pngwrite.c
@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
png_write_PLTE(png_ptr, info_ptr->palette,
(png_uint_32)info_ptr->num_palette);
- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Valid palette required for paletted images");
#ifdef PNG_WRITE_tRNS_SUPPORTED
Index: libpng-1.6.17/pngwutil.c
===================================================================
--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
@@ -922,17 +922,20 @@ void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
png_uint_32 num_pal)
{
- png_uint_32 i;
+ png_uint_32 max_num_pal, i;
png_const_colorp pal_ptr;
png_byte buf[3];
png_debug(1, "in png_write_PLTE");
+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
if ((
#ifdef PNG_MNG_FEATURES_SUPPORTED
(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
#endif
- num_pal == 0) || num_pal > 256)
+ num_pal == 0) || num_pal > max_num_pal)
{
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{
|
