fix for CVE-2015-8126 (#1281756)

Signed-off-by: Petr Hracek <phracek@redhat.com>
2015-11-18 09:49:11 +01:00 · 2015-11-18 09:49:11 +01:00 · ad1e7bc139
commit ad1e7bc139
parent a7267750dd
2 changed files with 57 additions and 1 deletions
--- a/libpng-CVE-2015-8126.patch
+++ b/libpng-CVE-2015-8126.patch
@ -0,0 +1,50 @@
+diff --git a/pngset.c b/pngset.c
+index 5f62af1..772df71 100644
+--- a/pngset.c
+++ b/pngset.c
+@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
+     png_const_colorp palette, int num_palette)
+ {
+ 
+   png_uint_32 max_palette_length;
+
+    png_debug1(1, "in %s storage function", "PLTE");
+ 
+    if (png_ptr == NULL || info_ptr == NULL)
+       return;
+ 
+-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
+    {
+       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+          png_error(png_ptr, "Invalid palette length");
+diff --git a/pngwutil.c b/pngwutil.c
+index 9e6019e..01be584 100644
+--- a/pngwutil.c
+++ b/pngwutil.c
+@@ -922,17 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+     png_uint_32 num_pal)
+ {
+-   png_uint_32 i;
+   png_uint_32 max_palette_length, i;
+    png_const_colorp pal_ptr;
+    png_byte buf[3];
+ 
+    png_debug(1, "in png_write_PLTE");
+ 
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+    if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_palette_length)
+    {
+       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+       {
--- a/libpng.spec
+++ b/libpng.spec
@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.18
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       zlib
 Group:         System Environment/Libraries
 URL:           http://www.libpng.org/pub/png/
@ -13,6 +13,8 @@ Source0:       ftp://ftp.simplesystems.org/pub/libpng/png/src/libpng16/libpng-%{
 Source1:       pngusr.dfa
 Patch0:        libpng-multilib.patch
 Patch1:        libpng-fix-arm-neon.patch
+Patch2:        libpng-CVE-2015-8126.patch
+

 BuildRequires: zlib-devel
 BuildRequires: autoconf automake libtool
@ -66,6 +68,7 @@ cp -p %{SOURCE1} .

 %patch0 -p1
 %patch1 -p1 -b .arm
+%patch2 -p1 -b .CVE-2015-8126

 %build
 autoreconf -vif
@ -109,6 +112,9 @@ make check
 %{_bindir}/pngfix

 %changelog
+* Wed Nov 18 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-2
+- fix for CVE-2015-8126 (#1281756)
+
 * Mon Aug 03 2015 Petr Hracek <phracek@redhat.com> - 2:1.6.18-1
 - New upstream release 1.6.18 (#1247132)