diff options
Diffstat (limited to 'yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch')
| -rw-r--r-- | yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch | 79 |
1 files changed, 0 insertions, 79 deletions
diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch deleted file mode 100644 index 0e0ad2320..000000000 --- a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001 -From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> -Date: Fri, 30 Oct 2015 11:34:37 -0500 -Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while - reading. - -Upstream-Status: Backport -https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 - -Normal Issues is date and version conflicts not applied. - -CVE: CVE-2015-8i26 patch #3 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - - ---- - ANNOUNCE | 3 ++- - CHANGES | 3 ++- - pngrutil.c | 15 +++++++++++---- - pngset.c | 2 +- - 4 files changed, 16 insertions(+), 7 deletions(-) - -Index: libpng-1.6.17/pngrutil.c -=================================================================== ---- libpng-1.6.17.orig/pngrutil.c -+++ libpng-1.6.17/pngrutil.c -@@ -867,7 +867,7 @@ void /* PRIVATE */ - png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) - { - png_color palette[PNG_MAX_PALETTE_LENGTH]; -- int num, i; -+ int max_palette_length, num, i; - #ifdef PNG_POINTER_INDEXING_SUPPORTED - png_colorp pal_ptr; - #endif -@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn - return; - } - -+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? -+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; -+ - /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ - num = (int)length / 3; - -+ /* If the palette has 256 or fewer entries but is too large for the bit depth, -+ * we don't issue an error, to preserve the behavior of previous libpng versions. -+ * We silently truncate the unused extra palette entries here. -+ */ -+ if (num > max_palette_length) -+ num = max_palette_length; -+ - #ifdef PNG_POINTER_INDEXING_SUPPORTED - for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) - { -@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn - * confusing. - * - * Fix this by not sharing the palette in this way. -- * -- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when -- * it attempts to set a palette length that is too large for the bit depth. - */ - png_set_PLTE(png_ptr, info_ptr, palette, num); - -Index: libpng-1.6.17/pngset.c -=================================================================== ---- libpng-1.6.17.orig/pngset.c -+++ libpng-1.6.17/pngset.c -@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i - max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? - (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; - -- if (num_palette < 0 || num_palette > max_palette_length) -+ if (num_palette < 0 || num_palette > (int) max_palette_length) - { - if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) - png_error(png_ptr, "Invalid palette length"); |