Annotation of /trunk/libpng/patches/libpng-1.2.26-CVE-2008-1382.patch
Revision 565 -
Mon Apr 14 17:57:22 2008 UTC (16 years, 5 months ago) by niro
File size: 7815 byte(s)
-security fix
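--- a/png.h
+++ b/png.h
@@ -180,8 +180,11 @@
 * 1.0.31 10 10031 10.so.0.31[.0]
 * 1.2.25 13 10225 12.so.0.25[.0]
 * 1.2.26beta01-06 13 10226 12.so.0.26[.0]
 * 1.2.26rc01 13 10226 12.so.0.26[.0]
+ * 1.2.26 13 10226 12.so.0.26[.0]
+ * 1.0.32 10 10032 10.so.0.32[.0]
+ * 1.2.27beta01 13 10227 12.so.0.27[.0]
 *
 * Henceforth the source version will match the shared-library major
 * and minor numbers; the shared-library major version number will be
 * used for changes in backward compatibility, as it is intended. The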
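--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1501,11 +1501,16 @@
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
 
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -1526,10 +1531,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip=length;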
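Review bot: For a zero-length chunk the user handler reached just below (`read_user_chunk_fn`) will presumably now be handed `unknown_chunk.data == NULL` together with `size == 0`, and nothing at the new `length == 0` branch tells handler authors that. A handler that reads `data[0]` or hands `data` to a copy routine without checking `size` first would dereference NULL. I would add a comment at the branch, e.g. `/* empty chunk: data stays NULL, handlers must check size before touching data */`, and state the same in the callback's public documentation. The identical hunk in pngrutil.c needs the same comment; the enclosing function starts and ends outside both hunks.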
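--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,8 +1,8 @@
 
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2226,11 +2226,16 @@
 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -2251,10 +2256,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip = length;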
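--- a/pngset.c
+++ b/pngset.c
@@ -1,8 +1,8 @@
 
 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.2.25 [February 18, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1039,30 +1039,33 @@
 info_ptr->unknown_chunks=NULL;
 
 for (i = 0; i < num_unknowns; i++)
 {
- png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
- png_unknown_chunkp from = unknowns + i;
+ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
+ png_unknown_chunkp from = unknowns + i;
 
- png_memcpy((png_charp)to->name,
- (png_charp)from->name,
- png_sizeof(from->name));
- to->name[png_sizeof(to->name)-1] = '\0';
+ png_memcpy((png_charp)to->name,
+ (png_charp)from->name,
+ png_sizeof(from->name));
+ to->name[png_sizeof(to->name)-1] = '\0';
+ to->size = from->size;
+ /* note our location in the read or write sequence */
+ to->location = (png_byte)(png_ptr->mode & 0xff);
 
- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
- if (to->data == NULL)
- {
- png_warning(png_ptr,
+ if (from->size == 0)
+ to->data=NULL;
+ else
+ {
+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+ if (to->data == NULL)
+ {
+ png_warning(png_ptr,
 "Out of memory while processing unknown chunk.");
- }
- else
- {
- png_memcpy(to->data, from->data, from->size);
- to->size = from->size;
-
- /* note our location in the read or write sequence */
- to->location = (png_byte)(png_ptr->mode & 0xff);
- }
+ to->size=0;
+ }
+ else
+ png_memcpy(to->data, from->data, from->size);
+ }
 }
 
 info_ptr->unknown_chunks = np;
 info_ptr->unknown_chunks_num += num_unknowns;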
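Review bot: On the png_malloc_warn failure path the entry is still kept: `to->name` and `to->location` are already set, `to->size=0` makes it look like a genuinely empty chunk, and `info_ptr->unknown_chunks_num += num_unknowns` after the loop counts it. A later consumer cannot tell a chunk whose payload was dropped for lack of memory from one that was empty in the input. If that is intended, say so at the assignment, e.g. `/* allocation failed: keep the entry but record it as empty */`. The copy also reads `from->data` whenever `from->size` is non-zero without checking the pointer, which presumably relies on callers never passing NULL data with a non-zero size. The enclosing function starts and ends outside the hunk.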
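--- a/pngwrite.c
+++ b/pngwrite.c
@@ -111,8 +111,10 @@
 !(up->location & PNG_HAVE_IDAT) &&
 ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
 (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
 {
+ if (up->size == 0)
+ png_warning(png_ptr, "Writing zero-length unknown chunk");
 png_write_chunk(png_ptr, up->name, up->data, up->size);
 }
 }
 }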
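Review bot: The new warning does not stop the write, so `png_write_chunk` is still called with `up->data` possibly NULL and `up->size` 0. That relies on png_write_chunk not touching the data pointer for a zero length, which is not visible in this hunk. A one-line comment would make the dependency explicit, e.g. `/* data may be NULL here; png_write_chunk must not read it when size is 0 */`. The enclosing loop and function start outside the hunk.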