rpms/libpng
6
0
Fork 0
Code Issues Pull Requests Releases Activity

fix for CVE-2015-8126 (#1281756, #1281757). Proper patch

Browse Source 
Signed-off-by: Petr Hracek <phracek@redhat.com>
This commit is contained in:
Petr Hracek 2015-11-18 12:30:00 +01:00
parent ad1e7bc139
commit 6ce4092697
2 changed files with 57 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
libpng-CVE-2015-8126.patch
View File

@ -1,5 +1,42 @@
diff --git a/pngrutil.c b/pngrutil.c
index 8f8edbc..5ca4dcb 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -866,7 +866,7 @@ void /* PRIVATE */
png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{
png_color palette[PNG_MAX_PALETTE_LENGTH];
- int num, i;
+ int max_palette_length, num, i;
#ifdef PNG_POINTER_INDEXING_SUPPORTED
png_colorp pal_ptr;
#endif
@@ -927,6 +927,14 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
/* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
num = (int)length / 3;
+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ max_palette_length = (1 << png_ptr->bit_depth);
+ else
+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
+
+ if (num > max_palette_length)
+ num = max_palette_length;
+
#ifdef PNG_POINTER_INDEXING_SUPPORTED
for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
{
@@ -959,7 +967,7 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
#endif
{
- png_crc_finish(png_ptr, 0);
+ png_crc_finish(png_ptr, (int) length - num * 3);
}
#ifndef PNG_READ_OPT_PLTE_SUPPORTED
diff --git a/pngset.c b/pngset.c diff --git a/pngset.c b/pngset.c
index 5f62af1..772df71 100644 index 5f62af1..42e0dc2 100644
--- a/pngset.c --- a/pngset.c
+++ b/pngset.c +++ b/pngset.c
@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr, @@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
@ -17,10 +54,23 @@ index 5f62af1..772df71 100644
+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+ +
+ if (num_palette < 0 || num_palette > max_palette_length) + if (num_palette < 0 || num_palette > (int) max_palette_length)
{ {
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Invalid palette length"); png_error(png_ptr, "Invalid palette length");
diff --git a/pngwrite.c b/pngwrite.c
index 3c8cbbe..39ef69e 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -206,7 +206,7 @@ png_write_info(png_structrp png_ptr, png_const_inforp info_ptr)
png_write_PLTE(png_ptr, info_ptr->palette,
(png_uint_32)info_ptr->num_palette);
- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Valid palette required for paletted images");
#ifdef PNG_WRITE_tRNS_SUPPORTED
diff --git a/pngwutil.c b/pngwutil.c diff --git a/pngwutil.c b/pngwutil.c
index 9e6019e..01be584 100644 index 9e6019e..01be584 100644
--- a/pngwutil.c --- a/pngwutil.c

6
libpng.spec
View File

@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng Name: libpng
Epoch: 2 Epoch: 2
Version: 1.6.18 Version: 1.6.18
Release: 2%{?dist} Release: 3%{?dist}
License: zlib License: zlib
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
@ -112,6 +112,10 @@ make check
%{_bindir}/pngfix %{_bindir}/pngfix
%changelog %changelog
* Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-3
- fix for CVE-2015-8126 (#1281756, #1281757)
- correct patch
* Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-2 * Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-2
- fix for CVE-2015-8126 (#1281756) - fix for CVE-2015-8126 (#1281756)