diff options
Diffstat (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch')
-rw-r--r-- | meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..25fe1364d3 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch @@ -0,0 +1,91 @@ +From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Thu, 29 Oct 2015 09:26:41 -0500 +Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 + +CVE: CVE-2015-8126 patch #1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libpng-manual.txt | 5 +++++ + libpng.3 | 5 +++++ + pngwrite.c | 4 ++-- + pngwutil.c | 7 +++++-- + 4 files changed, 17 insertions(+), 4 deletions(-) + +Index: libpng-1.6.17/libpng-manual.txt +=================================================================== +--- libpng-1.6.17.orig/libpng-manual.txt ++++ libpng-1.6.17/libpng-manual.txt +@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + ++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++is an error. Previously this requirement of the PNG specification was not ++enforced. Libpng continues to accept over-length PLTE chunks when reading, ++but does not make any use of the extra entries. ++ + XIII. Detecting libpng + + The png_get_io_ptr() function has been present since libpng-0.88, has never +Index: libpng-1.6.17/libpng.3 +=================================================================== +--- libpng-1.6.17.orig/libpng.3 ++++ libpng-1.6.17/libpng.3 +@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + ++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++is an error. Previously this requirement of the PNG specification was not ++enforced. Libpng continues to accept over-length PLTE chunks when reading, ++but does not make any use of the extra entries. ++ + .SH XIII. Detecting libpng + + The png_get_io_ptr() function has been present since libpng-0.88, has never +Index: libpng-1.6.17/pngwrite.c +=================================================================== +--- libpng-1.6.17.orig/pngwrite.c ++++ libpng-1.6.17/pngwrite.c +@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png + png_write_PLTE(png_ptr, info_ptr->palette, + (png_uint_32)info_ptr->num_palette); + +- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) ++ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Valid palette required for paletted images"); + + #ifdef PNG_WRITE_tRNS_SUPPORTED +Index: libpng-1.6.17/pngwutil.c +=================================================================== +--- libpng-1.6.17.orig/pngwutil.c ++++ libpng-1.6.17/pngwutil.c +@@ -922,17 +922,20 @@ void /* PRIVATE */ + png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, + png_uint_32 num_pal) + { +- png_uint_32 i; ++ png_uint_32 max_num_pal, i; + png_const_colorp pal_ptr; + png_byte buf[3]; + + png_debug(1, "in png_write_PLTE"); + ++ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ + if (( + #ifdef PNG_MNG_FEATURES_SUPPORTED + (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && + #endif +- num_pal == 0) || num_pal > 256) ++ num_pal == 0) || num_pal > max_num_pal) + { + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + { |