Patch for CVE-2011-3026 in libpng 1.4 and up, from John Bowler.
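diff -Naur libpng-1.5.8.orig/pngrutil.c libpng-1.5.8/pngrutil.c
--- libpng-1.5.8.orig/pngrutil.c 2012-02-01 00:00:34.000000000 -0500
+++ libpng-1.5.8/pngrutil.c 2012-02-16 13:26:51.627339765 -0500
@@ -432,15 +432,18 @@
 /* Now check the limits on this chunk - if the limit fails the
 * compressed data will be removed, the prefix will remain.
 */
+ if (prefix_size >= (~(png_size_t)0) - 1 ||
+ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
 #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
- if (png_ptr->user_chunk_malloc_max &&
+ || (png_ptr->user_chunk_malloc_max &&
 (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
 #else
 # ifdef PNG_USER_CHUNK_MALLOC_MAX
- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
 prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
 # endif
 #endif
+ )
 png_warning(png_ptr, "Exceeded size limit while expanding chunk");
 
 /* If the size is zero either there was an error and a message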
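Review bot: The new wrap-around guard on `prefix_size + expanded_size` is the substance of the fix, yet the comment directly above the `if` still describes only the configured-limit check, and the `- 1` headroom in `(~(png_size_t)0) - 1` is left unexplained. I would extend that comment to `/* Now check the limits on this chunk: first that prefix_size + expanded_size (with one byte of headroom) cannot wrap png_size_t, then the configured malloc limit - if either check fails the compressed data will be removed, the prefix will remain. */`; the headroom presumably reserves room for a trailing terminator byte, so confirm that and say so. As a point of style, one boolean expression now spans the `#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED`/`#else` branches with the closing `)` landing after `#endif`, and `(~(png_size_t)0) - 1` is spelled out twice; a named constant for the png_size_t maximum would make the two comparisons easier to audit. The enclosing function begins and ends outside this hunk.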