| 1 |
vapier 08/04/14 03:04:30 |
| 2 |
|
| 3 |
Added: libpng-1.2.26-CVE-2008-1382.patch |
| 4 |
Log: |
| 5 |
Fix from upstream for CVE-2008-1382 #217047. |
| 6 |
(Portage version: 2.2_pre5) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/libpng/files/libpng-1.2.26-CVE-2008-1382.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: libpng-1.2.26-CVE-2008-1382.patch |
| 15 |
=================================================================== |
| 16 |
diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta01/png.h |
| 17 |
--- libpng-1.2.26/png.h 2008-04-02 12:27:29.867681595 -0500 |
| 18 |
+++ libpng-1.2.27beta01/png.h 2008-04-05 21:41:14.644268554 -0500 |
| 19 |
@@ -180,8 +180,11 @@ |
| 20 |
* 1.0.31 10 10031 10.so.0.31[.0] |
| 21 |
* 1.2.25 13 10225 12.so.0.25[.0] |
| 22 |
* 1.2.26beta01-06 13 10226 12.so.0.26[.0] |
| 23 |
* 1.2.26rc01 13 10226 12.so.0.26[.0] |
| 24 |
+ * 1.2.26 13 10226 12.so.0.26[.0] |
| 25 |
+ * 1.0.32 10 10032 10.so.0.32[.0] |
| 26 |
+ * 1.2.27beta01 13 10227 12.so.0.27[.0] |
| 27 |
* |
| 28 |
* Henceforth the source version will match the shared-library major |
| 29 |
* and minor numbers; the shared-library major version number will be |
| 30 |
* used for changes in backward compatibility, as it is intended. The |
| 31 |
diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta01/pngpread.c |
| 32 |
--- libpng-1.2.26/pngpread.c 2008-04-05 21:37:29.944173338 -0500 |
| 33 |
+++ libpng-1.2.27beta01/pngpread.c 2008-04-05 21:41:14.898914350 -0500 |
| 34 |
@@ -1,8 +1,8 @@ |
| 35 |
|
| 36 |
/* pngpread.c - read a png file in push mode |
| 37 |
* |
| 38 |
- * Last changed in libpng 1.2.26 [April 2, 2008] |
| 39 |
+ * Last changed in libpng 1.2.27 [April 6, 2008] |
| 40 |
* For conditions of distribution and use, see copyright notice in png.h |
| 41 |
* Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 42 |
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 43 |
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 44 |
@@ -1501,11 +1501,16 @@ |
| 45 |
(png_charp)png_ptr->chunk_name, |
| 46 |
png_sizeof(png_ptr->unknown_chunk.name)); |
| 47 |
png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0'; |
| 48 |
|
| 49 |
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 50 |
png_ptr->unknown_chunk.size = (png_size_t)length; |
| 51 |
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 52 |
+ if (length == 0) |
| 53 |
+ png_ptr->unknown_chunk.data = NULL; |
| 54 |
+ else |
| 55 |
+ { |
| 56 |
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 57 |
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 58 |
+ } |
| 59 |
#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) |
| 60 |
if(png_ptr->read_user_chunk_fn != NULL) |
| 61 |
{ |
| 62 |
/* callback to user unknown chunk handler */ |
| 63 |
@@ -1526,10 +1531,13 @@ |
| 64 |
} |
| 65 |
else |
| 66 |
#endif |
| 67 |
png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); |
| 68 |
- png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 69 |
- png_ptr->unknown_chunk.data = NULL; |
| 70 |
+ if (png_ptr->unknown_chunk.data) |
| 71 |
+ { |
| 72 |
+ png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 73 |
+ png_ptr->unknown_chunk.data = NULL; |
| 74 |
+ } |
| 75 |
} |
| 76 |
else |
| 77 |
#endif |
| 78 |
skip=length; |
| 79 |
diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta01/pngrutil.c |
| 80 |
--- libpng-1.2.26/pngrutil.c 2008-04-05 21:37:32.785260077 -0500 |
| 81 |
+++ libpng-1.2.27beta01/pngrutil.c 2008-04-05 21:41:15.202296784 -0500 |
| 82 |
@@ -1,8 +1,8 @@ |
| 83 |
|
| 84 |
/* pngrutil.c - utilities to read a PNG file |
| 85 |
* |
| 86 |
- * Last changed in libpng 1.2.26 [April 2, 2008] |
| 87 |
+ * Last changed in libpng 1.2.27 [April 6, 2008] |
| 88 |
* For conditions of distribution and use, see copyright notice in png.h |
| 89 |
* Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 90 |
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 91 |
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 92 |
@@ -2226,11 +2226,16 @@ |
| 93 |
png_memcpy((png_charp)png_ptr->unknown_chunk.name, |
| 94 |
(png_charp)png_ptr->chunk_name, |
| 95 |
png_sizeof(png_ptr->unknown_chunk.name)); |
| 96 |
png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0'; |
| 97 |
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 98 |
png_ptr->unknown_chunk.size = (png_size_t)length; |
| 99 |
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 100 |
+ if (length == 0) |
| 101 |
+ png_ptr->unknown_chunk.data = NULL; |
| 102 |
+ else |
| 103 |
+ { |
| 104 |
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 105 |
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 106 |
+ } |
| 107 |
#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) |
| 108 |
if(png_ptr->read_user_chunk_fn != NULL) |
| 109 |
{ |
| 110 |
/* callback to user unknown chunk handler */ |
| 111 |
@@ -2251,10 +2256,13 @@ |
| 112 |
} |
| 113 |
else |
| 114 |
#endif |
| 115 |
png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); |
| 116 |
- png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 117 |
- png_ptr->unknown_chunk.data = NULL; |
| 118 |
+ if (png_ptr->unknown_chunk.data) |
| 119 |
+ { |
| 120 |
+ png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 121 |
+ png_ptr->unknown_chunk.data = NULL; |
| 122 |
+ } |
| 123 |
} |
| 124 |
else |
| 125 |
#endif |
| 126 |
skip = length; |
| 127 |
diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta01/pngset.c |
| 128 |
--- libpng-1.2.26/pngset.c 2008-04-02 12:27:30.621225067 -0500 |
| 129 |
+++ libpng-1.2.27beta01/pngset.c 2008-04-05 21:41:15.248946598 -0500 |
| 130 |
@@ -1,8 +1,8 @@ |
| 131 |
|
| 132 |
/* pngset.c - storage of image information into info struct |
| 133 |
* |
| 134 |
- * Last changed in libpng 1.2.25 [February 18, 2008] |
| 135 |
+ * Last changed in libpng 1.2.27 [April 6, 2008] |
| 136 |
* For conditions of distribution and use, see copyright notice in png.h |
| 137 |
* Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 138 |
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 139 |
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 140 |
@@ -1039,30 +1039,33 @@ |
| 141 |
info_ptr->unknown_chunks=NULL; |
| 142 |
|
| 143 |
for (i = 0; i < num_unknowns; i++) |
| 144 |
{ |
| 145 |
- png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; |
| 146 |
- png_unknown_chunkp from = unknowns + i; |
| 147 |
+ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; |
| 148 |
+ png_unknown_chunkp from = unknowns + i; |
| 149 |
|
| 150 |
- png_memcpy((png_charp)to->name, |
| 151 |
- (png_charp)from->name, |
| 152 |
- png_sizeof(from->name)); |
| 153 |
- to->name[png_sizeof(to->name)-1] = '\0'; |
| 154 |
+ png_memcpy((png_charp)to->name, |
| 155 |
+ (png_charp)from->name, |
| 156 |
+ png_sizeof(from->name)); |
| 157 |
+ to->name[png_sizeof(to->name)-1] = '\0'; |
| 158 |
+ to->size = from->size; |
| 159 |
+ /* note our location in the read or write sequence */ |
| 160 |
+ to->location = (png_byte)(png_ptr->mode & 0xff); |
| 161 |
|
| 162 |
- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); |
| 163 |
- if (to->data == NULL) |
| 164 |
- { |
| 165 |
- png_warning(png_ptr, |
| 166 |
+ if (from->size == 0) |
| 167 |
+ to->data=NULL; |
| 168 |
+ else |
| 169 |
+ { |
| 170 |
+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); |
| 171 |
+ if (to->data == NULL) |
| 172 |
+ { |
| 173 |
+ png_warning(png_ptr, |
| 174 |
"Out of memory while processing unknown chunk."); |
| 175 |
- } |
| 176 |
- else |
| 177 |
- { |
| 178 |
- png_memcpy(to->data, from->data, from->size); |
| 179 |
- to->size = from->size; |
| 180 |
- |
| 181 |
- /* note our location in the read or write sequence */ |
| 182 |
- to->location = (png_byte)(png_ptr->mode & 0xff); |
| 183 |
- } |
| 184 |
+ to->size=0; |
| 185 |
+ } |
| 186 |
+ else |
| 187 |
+ png_memcpy(to->data, from->data, from->size); |
| 188 |
+ } |
| 189 |
} |
| 190 |
|
| 191 |
info_ptr->unknown_chunks = np; |
| 192 |
info_ptr->unknown_chunks_num += num_unknowns; |
| 193 |
diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta01/pngwrite.c |
| 194 |
--- libpng-1.2.26/pngwrite.c 2008-04-02 12:27:30.775542734 -0500 |
| 195 |
+++ libpng-1.2.27beta01/pngwrite.c 2008-04-05 21:41:15.402698604 -0500 |
| 196 |
@@ -111,8 +111,10 @@ |
| 197 |
!(up->location & PNG_HAVE_IDAT) && |
| 198 |
((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS || |
| 199 |
(png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS))) |
| 200 |
{ |
| 201 |
+ if (up->size == 0) |
| 202 |
+ png_warning(png_ptr, "Writing zero-length unknown chunk"); |
| 203 |
png_write_chunk(png_ptr, up->name, up->data, up->size); |
| 204 |
} |
| 205 |
} |
| 206 |
} |
| 207 |
|
| 208 |
|
| 209 |
|
| 210 |
-- |
| 211 |
gentoo-commits@l.g.o mailing list |
Archives