fix for CVE-2015-8126 (#1281756)

Signed-off-by: Petr Hracek <phracek@redhat.com>
Petr Hracek 2015-11-18 09:49:11 +01:00
parent a7267750dd
commit ad1e7bc139
2 changed files with 57 additions and 1 deletions


@ -0,0 +1,50 @@
diff --git a/pngset.c b/pngset.c
index 5f62af1..772df71 100644
--- a/pngset.c
+++ b/pngset.c
@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
png_const_colorp palette, int num_palette)
{
+ png_uint_32 max_palette_length;
+
png_debug1(1, "in %s storage function", "PLTE");
if (png_ptr == NULL || info_ptr == NULL)
return;
- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+ if (num_palette < 0 || num_palette > max_palette_length)
{
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Invalid palette length");
diff --git a/pngwutil.c b/pngwutil.c
index 9e6019e..01be584 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -922,17 +922,20 @@ void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
png_uint_32 num_pal)
{
- png_uint_32 i;
+ png_uint_32 max_palette_length, i;
png_const_colorp pal_ptr;
png_byte buf[3];
png_debug(1, "in png_write_PLTE");
+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
if ((
#ifdef PNG_MNG_FEATURES_SUPPORTED
(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
#endif
- num_pal == 0) || num_pal > 256)
+ num_pal == 0) || num_pal > max_palette_length)
{
if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{
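Review bot: In the png_set_PLTE hunk the new bound is computed from `png_ptr->color_type` and `png_ptr->bit_depth`, while the error branch directly below it tests `info_ptr->color_type` and the palette being stored belongs to `info_ptr`. If the two structs can disagree (not visible in this hunk, so worth confirming against the callers), the length is checked against the wrong bit depth. I would derive the limit from the info struct instead: `max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;`. In both png_set_PLTE and png_write_PLTE the result of `1 << bit_depth` is not capped, so unless the depth is validated earlier a value above 8 gives a limit larger than PNG_MAX_PALETTE_LENGTH; clamping to PNG_MAX_PALETTE_LENGTH removes that dependency. Both function bodies continue past the end of their hunks.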


@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng Name: libpng
Epoch: 2 Epoch: 2
Version: 1.6.18 Version: 1.6.18
Release: 1%{?dist} Release: 2%{?dist}
License: zlib License: zlib
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
@ -13,6 +13,8 @@ Source0: ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng16/libpng-%{
Source1: pngusr.dfa Source1: pngusr.dfa
Patch0: libpng-multilib.patch Patch0: libpng-multilib.patch
Patch1: libpng-fix-arm-neon.patch Patch1: libpng-fix-arm-neon.patch
Patch2: libpng-CVE-2015-8126.patch
BuildRequires: zlib-devel BuildRequires: zlib-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
@ -66,6 +68,7 @@ cp -p %{SOURCE1} .
%patch0 -p1 %patch0 -p1
%patch1 -p1 -b .arm %patch1 -p1 -b .arm
%patch2 -p1 -b .CVE-2015-8126
%build %build
autoreconf -vif autoreconf -vif
@ -109,6 +112,9 @@ make check
%{_bindir}/pngfix %{_bindir}/pngfix
%changelog %changelog
* Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-2
- fix for CVE-2015-8126 (#1281756)
* Mon Aug 03 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-1 * Mon Aug 03 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-1
- New upstream release 1.6.18 (#1247132) - New upstream release 1.6.18 (#1247132)