diff options
Diffstat (limited to 'yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch')
-rw-r--r-- | yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch | 134 |
1 files changed, 0 insertions, 134 deletions
diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch deleted file mode 100644 index 4aa917084..000000000 --- a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch +++ /dev/null @@ -1,134 +0,0 @@ -From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 -From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> -Date: Fri, 30 Oct 2015 07:57:49 -0500 -Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin - Truta). - -Upstream-Status: Backport -https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d - -Many changes involved date and version updates with don't apply in this case. - -CVE: CVE-2015-8126 patch #2 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ANNOUNCE | 6 +++--- - CHANGES | 4 ++-- - libpng-manual.txt | 11 +++++------ - libpng.3 | 19 +++++++++---------- - pngrutil.c | 3 +++ - pngset.c | 13 +++++++++---- - pngwutil.c | 6 +++--- - 7 files changed, 34 insertions(+), 28 deletions(-) - -Index: libpng-1.6.17/libpng-manual.txt -=================================================================== ---- libpng-1.6.17.orig/libpng-manual.txt -+++ libpng-1.6.17/libpng-manual.txt -@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that - chunk. This error was fixed in libpng-1.6.3, and a tool (called - contrib/tools/png-fix-itxt) has been added to the libpng distribution. - --Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk -+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk - is an error. Previously this requirement of the PNG specification was not --enforced. Libpng continues to accept over-length PLTE chunks when reading, --but does not make any use of the extra entries. -+enforced, and the palette was always limited to 256 entries. - - XIII. Detecting libpng - -Index: libpng-1.6.17/libpng.3 -=================================================================== ---- libpng-1.6.17.orig/libpng.3 -+++ libpng-1.6.17/libpng.3 -@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that - chunk. This error was fixed in libpng-1.6.3, and a tool (called - contrib/tools/png-fix-itxt) has been added to the libpng distribution. - --Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk -+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk - is an error. Previously this requirement of the PNG specification was not --enforced. Libpng continues to accept over-length PLTE chunks when reading, --but does not make any use of the extra entries. -+enforced, and the palette was always limited to 256 entries. - - .SH XIII. Detecting libpng - -Index: libpng-1.6.17/pngrutil.c -=================================================================== ---- libpng-1.6.17.orig/pngrutil.c -+++ libpng-1.6.17/pngrutil.c -@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn - * confusing. - * - * Fix this by not sharing the palette in this way. -+ * -+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when -+ * it attempts to set a palette length that is too large for the bit depth. - */ - png_set_PLTE(png_ptr, info_ptr, palette, num); - -Index: libpng-1.6.17/pngset.c -=================================================================== ---- libpng-1.6.17.orig/pngset.c -+++ libpng-1.6.17/pngset.c -@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i - png_const_colorp palette, int num_palette) - { - -+ png_uint_32 max_palette_length; -+ - png_debug1(1, "in %s storage function", "PLTE"); - - if (png_ptr == NULL || info_ptr == NULL) - return; - -- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) -+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? -+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; -+ -+ if (num_palette < 0 || num_palette > max_palette_length) - { - if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) - png_error(png_ptr, "Invalid palette length"); -@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i - png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); - - /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead -- * of num_palette entries, in case of an invalid PNG file that has -- * too-large sample values. -+ * of num_palette entries, in case of an invalid PNG file or incorrect -+ * call to png_set_PLTE() with too-large sample values. - */ - png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, - PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); -Index: libpng-1.6.17/pngwutil.c -=================================================================== ---- libpng-1.6.17.orig/pngwutil.c -+++ libpng-1.6.17/pngwutil.c -@@ -922,20 +922,20 @@ void /* PRIVATE */ - png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, - png_uint_32 num_pal) - { -- png_uint_32 max_num_pal, i; -+ png_uint_32 max_palette_length, i; - png_const_colorp pal_ptr; - png_byte buf[3]; - - png_debug(1, "in png_write_PLTE"); - -- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? -+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? - (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; - - if (( - #ifdef PNG_MNG_FEATURES_SUPPORTED - (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && - #endif -- num_pal == 0) || num_pal > max_num_pal) -+ num_pal == 0) || num_pal > max_palette_length) - { - if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) - { |