summaryrefslogtreecommitdiffstats
path: root/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch')
-rw-r--r--yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch134
1 files changed, 0 insertions, 134 deletions
diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
deleted file mode 100644
index 4aa917084..000000000
--- a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
-From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
-Date: Fri, 30 Oct 2015 07:57:49 -0500
-Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
- Truta).
-
-Upstream-Status: Backport
-https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
-
-Many changes involved date and version updates with don't apply in this case.
-
-CVE: CVE-2015-8126 patch #2
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ANNOUNCE | 6 +++---
- CHANGES | 4 ++--
- libpng-manual.txt | 11 +++++------
- libpng.3 | 19 +++++++++----------
- pngrutil.c | 3 +++
- pngset.c | 13 +++++++++----
- pngwutil.c | 6 +++---
- 7 files changed, 34 insertions(+), 28 deletions(-)
-
-Index: libpng-1.6.17/libpng-manual.txt
-===================================================================
---- libpng-1.6.17.orig/libpng-manual.txt
-+++ libpng-1.6.17/libpng-manual.txt
-@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
- chunk. This error was fixed in libpng-1.6.3, and a tool (called
- contrib/tools/png-fix-itxt) has been added to the libpng distribution.
-
--Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
-+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
- is an error. Previously this requirement of the PNG specification was not
--enforced. Libpng continues to accept over-length PLTE chunks when reading,
--but does not make any use of the extra entries.
-+enforced, and the palette was always limited to 256 entries.
-
- XIII. Detecting libpng
-
-Index: libpng-1.6.17/libpng.3
-===================================================================
---- libpng-1.6.17.orig/libpng.3
-+++ libpng-1.6.17/libpng.3
-@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
- chunk. This error was fixed in libpng-1.6.3, and a tool (called
- contrib/tools/png-fix-itxt) has been added to the libpng distribution.
-
--Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
-+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
- is an error. Previously this requirement of the PNG specification was not
--enforced. Libpng continues to accept over-length PLTE chunks when reading,
--but does not make any use of the extra entries.
-+enforced, and the palette was always limited to 256 entries.
-
- .SH XIII. Detecting libpng
-
-Index: libpng-1.6.17/pngrutil.c
-===================================================================
---- libpng-1.6.17.orig/pngrutil.c
-+++ libpng-1.6.17/pngrutil.c
-@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
- * confusing.
- *
- * Fix this by not sharing the palette in this way.
-+ *
-+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
-+ * it attempts to set a palette length that is too large for the bit depth.
- */
- png_set_PLTE(png_ptr, info_ptr, palette, num);
-
-Index: libpng-1.6.17/pngset.c
-===================================================================
---- libpng-1.6.17.orig/pngset.c
-+++ libpng-1.6.17/pngset.c
-@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
- png_const_colorp palette, int num_palette)
- {
-
-+ png_uint_32 max_palette_length;
-+
- png_debug1(1, "in %s storage function", "PLTE");
-
- if (png_ptr == NULL || info_ptr == NULL)
- return;
-
-- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
-+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
-+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
-+
-+ if (num_palette < 0 || num_palette > max_palette_length)
- {
- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
- png_error(png_ptr, "Invalid palette length");
-@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
- png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
-
- /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
-- * of num_palette entries, in case of an invalid PNG file that has
-- * too-large sample values.
-+ * of num_palette entries, in case of an invalid PNG file or incorrect
-+ * call to png_set_PLTE() with too-large sample values.
- */
- png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
- PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
-Index: libpng-1.6.17/pngwutil.c
-===================================================================
---- libpng-1.6.17.orig/pngwutil.c
-+++ libpng-1.6.17/pngwutil.c
-@@ -922,20 +922,20 @@ void /* PRIVATE */
- png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
- png_uint_32 num_pal)
- {
-- png_uint_32 max_num_pal, i;
-+ png_uint_32 max_palette_length, i;
- png_const_colorp pal_ptr;
- png_byte buf[3];
-
- png_debug(1, "in png_write_PLTE");
-
-- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
-+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
-
- if ((
- #ifdef PNG_MNG_FEATURES_SUPPORTED
- (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
- #endif
-- num_pal == 0) || num_pal > max_num_pal)
-+ num_pal == 0) || num_pal > max_palette_length)
- {
- if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
- {
OpenPOWER on IntegriCloud