SOURCES: libpng-cve.patch (NEW) - official fix for CVE-2008-1382

megabajt megabajt at pld-linux.org
Mon Apr 14 21:19:05 CEST 2008


Author: megabajt                     Date: Mon Apr 14 19:19:04 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- official fix for CVE-2008-1382

---- Files affected:
SOURCES:
   libpng-cve.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/libpng-cve.patch
diff -u /dev/null SOURCES/libpng-cve.patch:1.1
--- /dev/null	Mon Apr 14 21:19:05 2008
+++ SOURCES/libpng-cve.patch	Mon Apr 14 21:18:59 2008
@@ -0,0 +1,191 @@
+diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta01/png.h
+--- libpng-1.2.26/png.h	2008-04-02 12:27:29.867681595 -0500
++++ libpng-1.2.27beta01/png.h	2008-04-05 21:41:14.644268554 -0500
+@@ -180,8 +180,11 @@
+  *    1.0.31                  10    10031  10.so.0.31[.0]
+  *    1.2.25                  13    10225  12.so.0.25[.0]
+  *    1.2.26beta01-06         13    10226  12.so.0.26[.0]
+  *    1.2.26rc01              13    10226  12.so.0.26[.0]
++ *    1.2.26                  13    10226  12.so.0.26[.0]
++ *    1.0.32                  10    10032  10.so.0.32[.0]
++ *    1.2.27beta01            13    10227  12.so.0.27[.0]
+  *
+  *    Henceforth the source version will match the shared-library major
+  *    and minor numbers; the shared-library major version number will be
+  *    used for changes in backward compatibility, as it is intended.  The
+diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta01/pngpread.c
+--- libpng-1.2.26/pngpread.c	2008-04-05 21:37:29.944173338 -0500
++++ libpng-1.2.27beta01/pngpread.c	2008-04-05 21:41:14.898914350 -0500
+@@ -1,8 +1,8 @@
+ 
+ /* pngpread.c - read a png file in push mode
+  *
+- * Last changed in libpng 1.2.26 [April 2, 2008]
++ * Last changed in libpng 1.2.27 [April 6, 2008]
+  * For conditions of distribution and use, see copyright notice in png.h
+  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
+  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
+@@ -1501,11 +1501,16 @@
+                  (png_charp)png_ptr->chunk_name, 
+                  png_sizeof(png_ptr->unknown_chunk.name));
+       png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
+ 
+-      png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+       png_ptr->unknown_chunk.size = (png_size_t)length;
+-      png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
++      if (length == 0)
++         png_ptr->unknown_chunk.data = NULL;
++      else
++      {
++         png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
++         png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
++      }
+ #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
+       if(png_ptr->read_user_chunk_fn != NULL)
+       {
+          /* callback to user unknown chunk handler */
+@@ -1526,10 +1531,13 @@
+       }
+       else
+ #endif
+         png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
+-      png_free(png_ptr, png_ptr->unknown_chunk.data);
+-      png_ptr->unknown_chunk.data = NULL;
++      if (png_ptr->unknown_chunk.data)
++      {
++        png_free(png_ptr, png_ptr->unknown_chunk.data);
++        png_ptr->unknown_chunk.data = NULL;
++      }
+    }
+    else
+ #endif
+       skip=length;
+diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta01/pngrutil.c
+--- libpng-1.2.26/pngrutil.c	2008-04-05 21:37:32.785260077 -0500
++++ libpng-1.2.27beta01/pngrutil.c	2008-04-05 21:41:15.202296784 -0500
+@@ -1,8 +1,8 @@
+ 
+ /* pngrutil.c - utilities to read a PNG file
+  *
+- * Last changed in libpng 1.2.26 [April 2, 2008]
++ * Last changed in libpng 1.2.27 [April 6, 2008]
+  * For conditions of distribution and use, see copyright notice in png.h
+  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
+  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
+@@ -2226,11 +2226,16 @@
+        png_memcpy((png_charp)png_ptr->unknown_chunk.name,
+                   (png_charp)png_ptr->chunk_name, 
+                   png_sizeof(png_ptr->unknown_chunk.name));
+        png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
+-       png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+        png_ptr->unknown_chunk.size = (png_size_t)length;
+-       png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
++       if (length == 0)
++         png_ptr->unknown_chunk.data = NULL;
++       else
++       {
++         png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
++         png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
++       }
+ #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
+        if(png_ptr->read_user_chunk_fn != NULL)
+        {
+           /* callback to user unknown chunk handler */
+@@ -2251,10 +2256,13 @@
+        }
+        else
+ #endif
+          png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
+-       png_free(png_ptr, png_ptr->unknown_chunk.data);
+-       png_ptr->unknown_chunk.data = NULL;
++       if (png_ptr->unknown_chunk.data)
++       {
++         png_free(png_ptr, png_ptr->unknown_chunk.data);
++         png_ptr->unknown_chunk.data = NULL;
++       }
+    }
+    else
+ #endif
+       skip = length;
+diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta01/pngset.c
+--- libpng-1.2.26/pngset.c	2008-04-02 12:27:30.621225067 -0500
++++ libpng-1.2.27beta01/pngset.c	2008-04-05 21:41:15.248946598 -0500
+@@ -1,8 +1,8 @@
+ 
+ /* pngset.c - storage of image information into info struct
+  *
+- * Last changed in libpng 1.2.25 [February 18, 2008]
++ * Last changed in libpng 1.2.27 [April 6, 2008]
+  * For conditions of distribution and use, see copyright notice in png.h
+  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
+  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
+  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
+@@ -1039,30 +1039,33 @@
+     info_ptr->unknown_chunks=NULL;
+ 
+     for (i = 0; i < num_unknowns; i++)
+     {
+-        png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
+-        png_unknown_chunkp from = unknowns + i;
++       png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
++       png_unknown_chunkp from = unknowns + i;
+ 
+-        png_memcpy((png_charp)to->name, 
+-                   (png_charp)from->name, 
+-                   png_sizeof(from->name));
+-        to->name[png_sizeof(to->name)-1] = '\0';
++       png_memcpy((png_charp)to->name, 
++                  (png_charp)from->name, 
++                  png_sizeof(from->name));
++       to->name[png_sizeof(to->name)-1] = '\0';
++       to->size = from->size;
++       /* note our location in the read or write sequence */
++       to->location = (png_byte)(png_ptr->mode & 0xff);
+ 
+-        to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+-        if (to->data == NULL)
+-        {
+-           png_warning(png_ptr,
++       if (from->size == 0)
++          to->data=NULL;
++       else
++       {
++          to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
++          if (to->data == NULL)
++          {
++             png_warning(png_ptr,
+               "Out of memory while processing unknown chunk.");
+-        }
+-        else
+-        {
+-           png_memcpy(to->data, from->data, from->size);
+-           to->size = from->size;
+-
+-           /* note our location in the read or write sequence */
+-           to->location = (png_byte)(png_ptr->mode & 0xff);
+-        }
++             to->size=0;
++          }
++          else
++             png_memcpy(to->data, from->data, from->size);
++       }
+     }
+ 
+     info_ptr->unknown_chunks = np;
+     info_ptr->unknown_chunks_num += num_unknowns;
+diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta01/pngwrite.c
+--- libpng-1.2.26/pngwrite.c	2008-04-02 12:27:30.775542734 -0500
++++ libpng-1.2.27beta01/pngwrite.c	2008-04-05 21:41:15.402698604 -0500
+@@ -111,8 +111,10 @@
+             !(up->location & PNG_HAVE_IDAT) &&
+             ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
+             (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
+          {
++            if (up->size == 0)
++               png_warning(png_ptr, "Writing zero-length unknown chunk");
+             png_write_chunk(png_ptr, up->name, up->data, up->size);
+          }
+        }
+    }
================================================================


More information about the pld-cvs-commit mailing list