Fix CVE-2019-7317 (#1672411)

libpng-CVE-2019-7317.patch

@@ -0,0 +1,14 @@
+diff --git a/png.c b/png.c
+index a25afeb..ff9da3f 100644
+--- a/png.c
++++ b/png.c
+@@ -4594,8 +4594,7 @@ png_image_free(png_imagep image)
+    if (image != NULL && image->opaque != NULL &&
+       image->opaque->error_buf == NULL)
+    {
+-      /* Ignore errors here: */
+-      (void)png_safe_execute(image, png_image_free_function, image);
++      png_image_free_function(image);
+       image->opaque = NULL;
+    }
+ }

libpng.spec

@@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.35
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       zlib
 URL:           http://www.libpng.org/pub/png/
 
@@ -10,6 +10,7 @@ Source0:       https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{
 Source1:       pngusr.dfa
 Patch0:        libpng-multilib.patch
 Patch1:        libpng-fix-arm-neon.patch
+Patch2:        libpng-CVE-2019-7317.patch
 
 BuildRequires: gcc
 BuildRequires: zlib-devel
@@ -61,6 +62,7 @@ cp -p %{SOURCE1} .
 
 %patch0 -p1
 %patch1 -p1 -b .arm
+%patch2 -p1 -b .CVE-2019-7317
 
 %build
 autoreconf -vif
@@ -102,6 +104,9 @@ make check
 %{_bindir}/pngfix
 
 %changelog
+* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
+- Fix CVE-2019-7317 (#1672411)
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild