Fix CVE-2018-13785 (#1599944)

2018-08-01 15:01:49 +02:00 · 2018-08-01 15:01:49 +02:00 · 5bedc9e43f
commit 5bedc9e43f
parent 8f6a49ed49
2 changed files with 41 additions and 1 deletions
--- a/libpng-CVE-2018-13785.patch
+++ b/libpng-CVE-2018-13785.patch
@ -0,0 +1,35 @@
+From 3a50b3eca60a9e2c80c1f08d268ed628d80eb5ba Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 8692933..eab2973 100644
+--- a/pngrutil.c
+++ b/pngrutil.c
+@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
+         (size_t)png_ptr->width
+         * (size_t)png_ptr->channels
+         * (png_ptr->bit_depth > 8? 2: 1)
+         + 1
+         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
+         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+2.17.1
+
--- a/libpng.spec
+++ b/libpng.spec
@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.34
-Release:       5%{?dist}
+Release:       6%{?dist}
 License:       zlib
 Group:         System Environment/Libraries
 URL:           http://www.libpng.org/pub/png/
@ -13,6 +13,7 @@ Source0:       https://ftp-osl.osuosl.org/pub/libpng/src/libpng16/libpng-%{versi
 Source1:       pngusr.dfa
 Patch0:        libpng-multilib.patch
 Patch1:        libpng-fix-arm-neon.patch
+Patch2:        libpng-CVE-2018-13785.patch


 BuildRequires: gcc
@ -68,6 +69,7 @@ cp -p %{SOURCE1} .

 %patch0 -p1
 %patch1 -p1 -b .arm
+%patch2 -p1 -b .CVE-2018-13785

 %build
 autoreconf -vif
@ -109,6 +111,9 @@ make check
 %{_bindir}/pngfix

 %changelog
+* Wed Aug 01 2018 Nikola Forró <nforro@redhat.com> - 2:1.6.34-6
+- Fix CVE-2018-13785 (#1599944)
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.34-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild