File libpng15-CVE-2017-12652.patch of Package libpng15.12011

Overview Repositories Revisions Requests Users Attributes Meta

File libpng15-CVE-2017-12652.patch of Package libpng15.12011

Index: libpng-1.5.22/pngpread.c
===================================================================
--- libpng-1.5.22.orig/pngpread.c	2015-03-26 14:04:47.000000000 +0100
+++ libpng-1.5.22/pngpread.c	2019-07-17 13:49:05.112783438 +0200
@@ -210,6 +210,7 @@ png_push_read_chunk(png_structp png_ptr,
       png_crc_read(png_ptr, chunk_tag, 4);
       png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+      png_check_chunk_length(png_ptr, png_ptr->push_length);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
    }
 
Index: libpng-1.5.22/pngrutil.c
===================================================================
--- libpng-1.5.22.orig/pngrutil.c	2019-07-17 13:49:05.068783203 +0200
+++ libpng-1.5.22/pngrutil.c	2019-07-17 13:59:56.748264423 +0200
@@ -175,6 +175,9 @@ png_read_chunk_header(png_structp png_pt
    /* Check to see if chunk name is valid. */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   png_check_chunk_length(png_ptr, length);
+
 #ifdef PNG_IO_STATE_SUPPORTED
    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
 #endif
@@ -2809,6 +2812,43 @@ png_check_chunk_name(png_structp png_ptr
    }
 }
 
+void /* PRIVATE */
+png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+{
+   png_uint_32 limit = PNG_UINT_31_MAX;
+
+# ifdef PNG_SET_USER_LIMITS_SUPPORTED
+   if (png_ptr->user_chunk_malloc_max > 0 &&
+       png_ptr->user_chunk_malloc_max < limit)
+      limit = png_ptr->user_chunk_malloc_max;
+# elif PNG_USER_CHUNK_MALLOC_MAX > 0
+   if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+      limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+   if (png_ptr->chunk_name == png_IDAT)
+   {
+      png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+      size_t row_factor =
+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         idat_limit=PNG_UINT_31_MAX;
+      else
+         idat_limit = png_ptr->height * row_factor;
+      row_factor = row_factor > 32566? 32566 : row_factor;
+      idat_limit += 6 + 5*(idat_limit/row_factor+1); /* zlib+deflate overhead */
+      idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
+      limit = limit < idat_limit? idat_limit : limit;
+   }
+
+   if (length > limit)
+   {
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
+      png_chunk_error(png_ptr, "chunk data is too large");
+   }
+}
+
 /* Combines the row recently read in with the existing pixels in the row.  This
  * routine takes care of alpha and transparency if requested.  This routine also
  * handles the two methods of progressive display of interlaced images,
Index: libpng-1.5.22/pngpriv.h
===================================================================
--- libpng-1.5.22.orig/pngpriv.h	2019-07-17 13:49:05.116783460 +0200
+++ libpng-1.5.22/pngpriv.h	2019-07-17 13:49:52.157034743 +0200
@@ -1289,6 +1289,9 @@ PNG_EXTERN void png_handle_unknown PNGAR
 PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
     png_uint_32 chunk_name));
 
+PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
+    png_uint_32 chunk_length));
+
 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
 /* Exactly as png_handle_as_unknown() except that the argument is a 32-bit chunk
  * name, not a string.

Places

File libpng15-CVE-2017-12652.patch of Package libpng15.12011

Places