Contents of /trunk/libpng/patches/libpng-1.2.26-CVE-2008-1382.patch
Parent Directory
| 
Revision Log
Revision 565 -
(show annotations)
(download)
Mon Apr 14 17:57:22 2008 UTC (16 years, 1 month ago) by niro
File size: 7815 byte(s)
Mon Apr 14 17:57:22 2008 UTC (16 years, 1 month ago) by niro
File size: 7815 byte(s)
-security fix
| 1 | diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta01/png.h |
| 2 | --- libpng-1.2.26/png.h 2008-04-02 12:27:29.867681595 -0500 |
| 3 | +++ libpng-1.2.27beta01/png.h 2008-04-05 21:41:14.644268554 -0500 |
| 4 | @@ -180,8 +180,11 @@ |
| 5 | * 1.0.31 10 10031 10.so.0.31[.0] |
| 6 | * 1.2.25 13 10225 12.so.0.25[.0] |
| 7 | * 1.2.26beta01-06 13 10226 12.so.0.26[.0] |
| 8 | * 1.2.26rc01 13 10226 12.so.0.26[.0] |
| 9 | + * 1.2.26 13 10226 12.so.0.26[.0] |
| 10 | + * 1.0.32 10 10032 10.so.0.32[.0] |
| 11 | + * 1.2.27beta01 13 10227 12.so.0.27[.0] |
| 12 | * |
| 13 | * Henceforth the source version will match the shared-library major |
| 14 | * and minor numbers; the shared-library major version number will be |
| 15 | * used for changes in backward compatibility, as it is intended. The |
| 16 | diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta01/pngpread.c |
| 17 | --- libpng-1.2.26/pngpread.c 2008-04-05 21:37:29.944173338 -0500 |
| 18 | +++ libpng-1.2.27beta01/pngpread.c 2008-04-05 21:41:14.898914350 -0500 |
| 19 | @@ -1,8 +1,8 @@ |
| 20 | |
| 21 | /* pngpread.c - read a png file in push mode |
| 22 | * |
| 23 | - * Last changed in libpng 1.2.26 [April 2, 2008] |
| 24 | + * Last changed in libpng 1.2.27 [April 6, 2008] |
| 25 | * For conditions of distribution and use, see copyright notice in png.h |
| 26 | * Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 27 | * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 28 | * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 29 | @@ -1501,11 +1501,16 @@ |
| 30 | (png_charp)png_ptr->chunk_name, |
| 31 | png_sizeof(png_ptr->unknown_chunk.name)); |
| 32 | png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0'; |
| 33 | |
| 34 | - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 35 | png_ptr->unknown_chunk.size = (png_size_t)length; |
| 36 | - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 37 | + if (length == 0) |
| 38 | + png_ptr->unknown_chunk.data = NULL; |
| 39 | + else |
| 40 | + { |
| 41 | + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 42 | + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 43 | + } |
| 44 | #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) |
| 45 | if(png_ptr->read_user_chunk_fn != NULL) |
| 46 | { |
| 47 | /* callback to user unknown chunk handler */ |
| 48 | @@ -1526,10 +1531,13 @@ |
| 49 | } |
| 50 | else |
| 51 | #endif |
| 52 | png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); |
| 53 | - png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 54 | - png_ptr->unknown_chunk.data = NULL; |
| 55 | + if (png_ptr->unknown_chunk.data) |
| 56 | + { |
| 57 | + png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 58 | + png_ptr->unknown_chunk.data = NULL; |
| 59 | + } |
| 60 | } |
| 61 | else |
| 62 | #endif |
| 63 | skip=length; |
| 64 | diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta01/pngrutil.c |
| 65 | --- libpng-1.2.26/pngrutil.c 2008-04-05 21:37:32.785260077 -0500 |
| 66 | +++ libpng-1.2.27beta01/pngrutil.c 2008-04-05 21:41:15.202296784 -0500 |
| 67 | @@ -1,8 +1,8 @@ |
| 68 | |
| 69 | /* pngrutil.c - utilities to read a PNG file |
| 70 | * |
| 71 | - * Last changed in libpng 1.2.26 [April 2, 2008] |
| 72 | + * Last changed in libpng 1.2.27 [April 6, 2008] |
| 73 | * For conditions of distribution and use, see copyright notice in png.h |
| 74 | * Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 75 | * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 76 | * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 77 | @@ -2226,11 +2226,16 @@ |
| 78 | png_memcpy((png_charp)png_ptr->unknown_chunk.name, |
| 79 | (png_charp)png_ptr->chunk_name, |
| 80 | png_sizeof(png_ptr->unknown_chunk.name)); |
| 81 | png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0'; |
| 82 | - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 83 | png_ptr->unknown_chunk.size = (png_size_t)length; |
| 84 | - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 85 | + if (length == 0) |
| 86 | + png_ptr->unknown_chunk.data = NULL; |
| 87 | + else |
| 88 | + { |
| 89 | + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); |
| 90 | + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); |
| 91 | + } |
| 92 | #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) |
| 93 | if(png_ptr->read_user_chunk_fn != NULL) |
| 94 | { |
| 95 | /* callback to user unknown chunk handler */ |
| 96 | @@ -2251,10 +2256,13 @@ |
| 97 | } |
| 98 | else |
| 99 | #endif |
| 100 | png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); |
| 101 | - png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 102 | - png_ptr->unknown_chunk.data = NULL; |
| 103 | + if (png_ptr->unknown_chunk.data) |
| 104 | + { |
| 105 | + png_free(png_ptr, png_ptr->unknown_chunk.data); |
| 106 | + png_ptr->unknown_chunk.data = NULL; |
| 107 | + } |
| 108 | } |
| 109 | else |
| 110 | #endif |
| 111 | skip = length; |
| 112 | diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta01/pngset.c |
| 113 | --- libpng-1.2.26/pngset.c 2008-04-02 12:27:30.621225067 -0500 |
| 114 | +++ libpng-1.2.27beta01/pngset.c 2008-04-05 21:41:15.248946598 -0500 |
| 115 | @@ -1,8 +1,8 @@ |
| 116 | |
| 117 | /* pngset.c - storage of image information into info struct |
| 118 | * |
| 119 | - * Last changed in libpng 1.2.25 [February 18, 2008] |
| 120 | + * Last changed in libpng 1.2.27 [April 6, 2008] |
| 121 | * For conditions of distribution and use, see copyright notice in png.h |
| 122 | * Copyright (c) 1998-2008 Glenn Randers-Pehrson |
| 123 | * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) |
| 124 | * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) |
| 125 | @@ -1039,30 +1039,33 @@ |
| 126 | info_ptr->unknown_chunks=NULL; |
| 127 | |
| 128 | for (i = 0; i < num_unknowns; i++) |
| 129 | { |
| 130 | - png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; |
| 131 | - png_unknown_chunkp from = unknowns + i; |
| 132 | + png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; |
| 133 | + png_unknown_chunkp from = unknowns + i; |
| 134 | |
| 135 | - png_memcpy((png_charp)to->name, |
| 136 | - (png_charp)from->name, |
| 137 | - png_sizeof(from->name)); |
| 138 | - to->name[png_sizeof(to->name)-1] = '\0'; |
| 139 | + png_memcpy((png_charp)to->name, |
| 140 | + (png_charp)from->name, |
| 141 | + png_sizeof(from->name)); |
| 142 | + to->name[png_sizeof(to->name)-1] = '\0'; |
| 143 | + to->size = from->size; |
| 144 | + /* note our location in the read or write sequence */ |
| 145 | + to->location = (png_byte)(png_ptr->mode & 0xff); |
| 146 | |
| 147 | - to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); |
| 148 | - if (to->data == NULL) |
| 149 | - { |
| 150 | - png_warning(png_ptr, |
| 151 | + if (from->size == 0) |
| 152 | + to->data=NULL; |
| 153 | + else |
| 154 | + { |
| 155 | + to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); |
| 156 | + if (to->data == NULL) |
| 157 | + { |
| 158 | + png_warning(png_ptr, |
| 159 | "Out of memory while processing unknown chunk."); |
| 160 | - } |
| 161 | - else |
| 162 | - { |
| 163 | - png_memcpy(to->data, from->data, from->size); |
| 164 | - to->size = from->size; |
| 165 | - |
| 166 | - /* note our location in the read or write sequence */ |
| 167 | - to->location = (png_byte)(png_ptr->mode & 0xff); |
| 168 | - } |
| 169 | + to->size=0; |
| 170 | + } |
| 171 | + else |
| 172 | + png_memcpy(to->data, from->data, from->size); |
| 173 | + } |
| 174 | } |
| 175 | |
| 176 | info_ptr->unknown_chunks = np; |
| 177 | info_ptr->unknown_chunks_num += num_unknowns; |
| 178 | diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta01/pngwrite.c |
| 179 | --- libpng-1.2.26/pngwrite.c 2008-04-02 12:27:30.775542734 -0500 |
| 180 | +++ libpng-1.2.27beta01/pngwrite.c 2008-04-05 21:41:15.402698604 -0500 |
| 181 | @@ -111,8 +111,10 @@ |
| 182 | !(up->location & PNG_HAVE_IDAT) && |
| 183 | ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS || |
| 184 | (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS))) |
| 185 | { |
| 186 | + if (up->size == 0) |
| 187 | + png_warning(png_ptr, "Writing zero-length unknown chunk"); |
| 188 | png_write_chunk(png_ptr, up->name, up->data, up->size); |
| 189 | } |
| 190 | } |
| 191 | } |