vapier 08/04/14 03:04:30 |
|
Added: libpng-1.2.26-CVE-2008-1382.patch |
Log: |
Fix from upstream for CVE-2008-1382 #217047. |
(Portage version: 2.2_pre5) |
|
Revision Changes Path |
1.1 media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch?rev=1.1&content-type=text/plain |
|
Index: libpng-1.2.26-CVE-2008-1382.patch |
=================================================================== |
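--- a/png.h
+++ b/png.h
@@ -180,8 +180,11 @@
 * 1.0.31 10 10031 10.so.0.31[.0]
 * 1.2.25 13 10225 12.so.0.25[.0]
 * 1.2.26beta01-06 13 10226 12.so.0.26[.0]
 * 1.2.26rc01 13 10226 12.so.0.26[.0]
+ * 1.2.26 13 10226 12.so.0.26[.0]
+ * 1.0.32 10 10032 10.so.0.32[.0]
+ * 1.2.27beta01 13 10227 12.so.0.27[.0]
 *
 * Henceforth the source version will match the shared-library major
 * and minor numbers; the shared-library major version number will be
 * used for changes in backward compatibility, as it is intended. The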
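--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1501,11 +1501,16 @@
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
 
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -1526,10 +1531,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip=length;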
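Review bot: With the new `length == 0` branch, `unknown_chunk.data` is NULL and `unknown_chunk.size` is 0 when the chunk reaches the `read_user_chunk_fn` callback and `png_set_unknown_chunks()`, and nothing in the hunk records that contract for callback authors. A comment above the branch would do it, for example `/* zero-length chunk: data stays NULL and size is 0; handlers must not dereference data */`. The `if (png_ptr->unknown_chunk.data)` guard before `png_free()` in the last hunk looks redundant if `png_free()` already ignores NULL (its definition is not on this page), but it is harmless. The same two hunks appear verbatim in pngrutil.c and the same remarks apply there; the enclosing functions start and end outside the hunks.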
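--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,8 +1,8 @@
 
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2226,11 +2226,16 @@
 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -2251,10 +2256,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip = length;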
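--- a/pngset.c
+++ b/pngset.c
@@ -1,8 +1,8 @@
 
 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.2.25 [February 18, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1039,30 +1039,33 @@
 info_ptr->unknown_chunks=NULL;
 
 for (i = 0; i < num_unknowns; i++)
 {
- png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
- png_unknown_chunkp from = unknowns + i;
+ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
+ png_unknown_chunkp from = unknowns + i;
 
- png_memcpy((png_charp)to->name,
- (png_charp)from->name,
- png_sizeof(from->name));
- to->name[png_sizeof(to->name)-1] = '\0';
+ png_memcpy((png_charp)to->name,
+ (png_charp)from->name,
+ png_sizeof(from->name));
+ to->name[png_sizeof(to->name)-1] = '\0';
+ to->size = from->size;
+ /* note our location in the read or write sequence */
+ to->location = (png_byte)(png_ptr->mode & 0xff);
 
- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
- if (to->data == NULL)
- {
- png_warning(png_ptr,
+ if (from->size == 0)
+ to->data=NULL;
+ else
+ {
+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+ if (to->data == NULL)
+ {
+ png_warning(png_ptr,
 "Out of memory while processing unknown chunk.");
- }
- else
- {
- png_memcpy(to->data, from->data, from->size);
- to->size = from->size;
-
- /* note our location in the read or write sequence */
- to->location = (png_byte)(png_ptr->mode & 0xff);
- }
+ to->size=0;
+ }
+ else
+ png_memcpy(to->data, from->data, from->size);
+ }
 }
 
 info_ptr->unknown_chunks = np;
 info_ptr->unknown_chunks_num += num_unknowns;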
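Review bot: When `png_malloc_warn()` fails, the new code sets `to->size=0` but the slot is still counted by `info_ptr->unknown_chunks_num += num_unknowns` after the loop, so a chunk dropped for lack of memory becomes indistinguishable from a genuinely empty one and would later be written out as a zero-length chunk under the same name. That is safer than the old failure path, which assigned neither `to->size` nor `to->location`, but the data loss is silent apart from the warning. Consider a comment at the failure branch such as `/* OOM: keep the slot, but with size 0 and data NULL so no reader sees stale fields */`, and state in the function's documentation that a stored chunk may have `data == NULL`. The spacing in `to->data=NULL;` and `to->size=0;` differs from the neighbouring `to->size = from->size;`. The loop belongs to a function whose start and end are outside the hunk.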
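--- a/pngwrite.c
+++ b/pngwrite.c
@@ -111,8 +111,10 @@
 !(up->location & PNG_HAVE_IDAT) &&
 ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
 (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
 {
+ if (up->size == 0)
+ png_warning(png_ptr, "Writing zero-length unknown chunk");
 png_write_chunk(png_ptr, up->name, up->data, up->size);
 }
 }
 }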
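Review bot: The new warning `"Writing zero-length unknown chunk"` does not name the chunk, and the write that follows still passes `up->data`, which the pngset.c change in this patch leaves NULL whenever `up->size` is 0. `png_write_chunk()` is not shown here, so confirm that it skips the data write for a zero length rather than touching the pointer; a comment above the call such as `/* up->data may be NULL here; size is 0 */` would make that dependency visible. The unbraced `if` is easy to misread next to the braced block around it. The enclosing function starts and ends outside the hunk.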