Magellan Linux

Annotation of /trunk/libpng/patches/libpng-1.2.26-CVE-2008-1382.patch



Revision 565 - (hide annotations) (download)
Mon Apr 14 17:57:22 2008 UTC (16 years, 2 months ago) by niro
File size: 7815 byte(s)
-security fix

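--- a/png.h
+++ b/png.h
@@ -180,8 +180,11 @@
 * 1.0.31 10 10031 10.so.0.31[.0]
 * 1.2.25 13 10225 12.so.0.25[.0]
 * 1.2.26beta01-06 13 10226 12.so.0.26[.0]
 * 1.2.26rc01 13 10226 12.so.0.26[.0]
+ * 1.2.26 13 10226 12.so.0.26[.0]
+ * 1.0.32 10 10032 10.so.0.32[.0]
+ * 1.2.27beta01 13 10227 12.so.0.27[.0]
 *
 * Henceforth the source version will match the shared-library major
 * and minor numbers; the shared-library major version number will be
 * used for changes in backward compatibility, as it is intended. The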
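--- a/pngpread.c
+++ b/pngpread.c
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1501,11 +1501,16 @@
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
 
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -1526,10 +1531,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip=length;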
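Review bot: With the new `length == 0` branch in the hunk at -1501, a handler registered in `read_user_chunk_fn` can be handed an `unknown_chunk` whose `data` is NULL and whose `size` is 0, and nothing in the hunk tells a handler author that. I would add a comment above the branch, `/* zero-length chunk: data stays NULL, handlers must check size before reading data */`, and repeat it wherever the callback is documented. The same applies to the identical hunk in pngrutil.c at -2226. The callback invocation and the enclosing function lie outside both hunks, so it should be confirmed there that the handler receives this struct unchanged.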
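--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1,8 +1,8 @@
 
 /* pngrutil.c - utilities to read a PNG file
 *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2226,11 +2226,16 @@
 png_memcpy((png_charp)png_ptr->unknown_chunk.name,
 (png_charp)png_ptr->chunk_name,
 png_sizeof(png_ptr->unknown_chunk.name));
 png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
 png_ptr->unknown_chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ if (length == 0)
+ png_ptr->unknown_chunk.data = NULL;
+ else
+ {
+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+ }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
 if(png_ptr->read_user_chunk_fn != NULL)
 {
 /* callback to user unknown chunk handler */
@@ -2251,10 +2256,13 @@
 }
 else
 #endif
 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
- png_free(png_ptr, png_ptr->unknown_chunk.data);
- png_ptr->unknown_chunk.data = NULL;
+ if (png_ptr->unknown_chunk.data)
+ {
+ png_free(png_ptr, png_ptr->unknown_chunk.data);
+ png_ptr->unknown_chunk.data = NULL;
+ }
 }
 else
 #endif
 skip = length;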
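--- a/pngset.c
+++ b/pngset.c
@@ -1,8 +1,8 @@
 
 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.2.25 [February 18, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
 * For conditions of distribution and use, see copyright notice in png.h
 * Copyright (c) 1998-2008 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1039,30 +1039,33 @@
 info_ptr->unknown_chunks=NULL;
 
 for (i = 0; i < num_unknowns; i++)
 {
- png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
- png_unknown_chunkp from = unknowns + i;
+ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
+ png_unknown_chunkp from = unknowns + i;
 
- png_memcpy((png_charp)to->name,
- (png_charp)from->name,
- png_sizeof(from->name));
- to->name[png_sizeof(to->name)-1] = '\0';
+ png_memcpy((png_charp)to->name,
+ (png_charp)from->name,
+ png_sizeof(from->name));
+ to->name[png_sizeof(to->name)-1] = '\0';
+ to->size = from->size;
+ /* note our location in the read or write sequence */
+ to->location = (png_byte)(png_ptr->mode & 0xff);
 
- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
- if (to->data == NULL)
- {
- png_warning(png_ptr,
+ if (from->size == 0)
+ to->data=NULL;
+ else
+ {
+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+ if (to->data == NULL)
+ {
+ png_warning(png_ptr,
 "Out of memory while processing unknown chunk.");
- }
- else
- {
- png_memcpy(to->data, from->data, from->size);
- to->size = from->size;
-
- /* note our location in the read or write sequence */
- to->location = (png_byte)(png_ptr->mode & 0xff);
- }
+ to->size=0;
+ }
+ else
+ png_memcpy(to->data, from->data, from->size);
+ }
 }
 
 info_ptr->unknown_chunks = np;
 info_ptr->unknown_chunks_num += num_unknowns;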
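Review bot: In the rewritten loop body, a failed `png_malloc_warn` leaves the slot with `data` NULL and `size` reset to 0, yet `info_ptr->unknown_chunks_num += num_unknowns` after the loop still counts it, so the slot is indistinguishable from a chunk that was empty in the input. Every consumer of `info_ptr->unknown_chunks` then has to accept `data == NULL`, and the pngwrite.c hunk in this patch would emit such a slot as an empty chunk under the original name. The failure branch deserves at least a comment, e.g. `/* allocation failed: keep the slot as an empty chunk so size never exceeds the data behind it */`; dropping the slot instead would need the count adjusted. As a style point, `to->data=NULL;` and `to->size=0;` lack the spaces around `=` that `to->size = from->size;` uses a few lines above. The function starts outside the hunk.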
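--- a/pngwrite.c
+++ b/pngwrite.c
@@ -111,8 +111,10 @@
 !(up->location & PNG_HAVE_IDAT) &&
 ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
 (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
 {
+ if (up->size == 0)
+ png_warning(png_ptr, "Writing zero-length unknown chunk");
 png_write_chunk(png_ptr, up->name, up->data, up->size);
 }
 }
 }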
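Review bot: The warning added before `png_write_chunk` does not name the chunk, and the call that follows still passes `up->data`, which the pngset.c change in this patch leaves NULL whenever `up->size` is 0. A comment such as `/* up->data may be NULL here; size 0 means no data bytes are written */` would record that dependency, assuming `png_write_chunk` skips the data write for a zero length, which this hunk does not show. The enclosing loop and function start outside the hunk.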