File libpng12-CVE-2017-12652.patch of Package libpng12.12012

Overview Repositories Revisions Requests Users Attributes Meta

File libpng12-CVE-2017-12652.patch of Package libpng12.12012

Index: libpng-1.2.50/png.h
===================================================================
--- libpng-1.2.50.orig/png.h	2012-07-10 02:36:56.000000000 +0200
+++ libpng-1.2.50/png.h	2019-07-17 14:18:23.438248574 +0200
@@ -3668,6 +3668,9 @@ PNG_EXTERN void png_handle_unknown PNGAR
 PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
    png_bytep chunk_name)) PNG_PRIVATE;
 
+PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
+   png_uint_32 chunk_length)) PNG_PRIVATE;
+
 /* Handle the transformations for reading and writing */
 PNG_EXTERN void png_do_read_transformations
    PNGARG((png_structp png_ptr)) PNG_PRIVATE;
Index: libpng-1.2.50/pngpread.c
===================================================================
--- libpng-1.2.50.orig/pngpread.c	2012-07-10 02:36:56.000000000 +0200
+++ libpng-1.2.50/pngpread.c	2019-07-17 14:18:57.938435773 +0200
@@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr,
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+      png_check_chunk_length(png_ptr, png_ptr->push_length);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
    }
 
Index: libpng-1.2.50/pngrutil.c
===================================================================
--- libpng-1.2.50.orig/pngrutil.c	2019-07-17 14:16:26.865616099 +0200
+++ libpng-1.2.50/pngrutil.c	2019-07-17 14:21:22.975221982 +0200
@@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_pt
    /* Check to see if chunk name is valid */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   png_check_chunk_length(png_ptr, length);
+
    return length;
 }
 
@@ -2501,6 +2504,40 @@ png_check_chunk_name(png_structp png_ptr
    }
 }
 
+void /* PRIVATE */
+png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+{
+   png_uint_32 limit = PNG_UINT_31_MAX;
+# if PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+   /* if (png_ptr->chunk_name == png_IDAT) */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
+   {
+      png_uint_32 idat_limit = PNG_UINT_31_MAX;
+      size_t row_factor =
+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         idat_limit=PNG_UINT_31_MAX;
+      else
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
+   }
+
+   if (length > limit)
+   {
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
+      png_chunk_error(png_ptr, "chunk data is too large");
+   }
+}
+
 /* Combines the row recently read in with the existing pixels in the
    row.  This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display

Places

File libpng12-CVE-2017-12652.patch of Package libpng12.12012

Places