rpms/libpng/FC-6 libpng-1222-fixes.patch, NONE, 1.1 libpng.spec, 1.39, 1.40 libpng-1.2.8-multilib.patch, 1.1, NONE libpng-rhconf.patch, 1.2, NONE libpng-trns-bug.patch, 1.1, NONE
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/libpng/FC-6 libpng-1222-fixes.patch, NONE, 1.1 libpng.spec, 1.39, 1.40 libpng-1.2.8-multilib.patch, 1.1, NONE libpng-rhconf.patch, 1.2, NONE libpng-trns-bug.patch, 1.1, NONE
- Date: Thu, 18 Oct 2007 14:36:09 -0400
Author: tgl
Update of /cvs/dist/rpms/libpng/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv18808
Modified Files:
libpng.spec
Added Files:
libpng-1222-fixes.patch
Removed Files:
libpng-1.2.8-multilib.patch libpng-rhconf.patch
libpng-trns-bug.patch
Log Message:
Back-port critical fixes from libpng 1.2.22, primarily to fix CVE-2007-5269
libpng-1222-fixes.patch:
pngpread.c | 16 ++++++++++------
pngrtran.c | 37 +++++++++++++++++++++++--------------
pngrutil.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++-------------
3 files changed, 81 insertions(+), 33 deletions(-)
--- NEW FILE libpng-1222-fixes.patch ---
This patch back-ports some critical fixes that were made upstream between
libpng releases 1.2.16 and 1.2.22.
CVE-2007-5269: prevent potential crashes when reading malformed pCAL,
sCAL, tEXt, iTXt, and zTXt chunks, by taking more care with tests for
end of chunk. (The equivalent end-of-chunk tests in the iCCP and sPLT
readers are tightened at the same time.)
CVE-2007-2445: libpng crashes if CRC error is detected in a grayscale tRNS
chunk, because png_handle_tRNS leaves inconsistent state which eventually
leads to attempting to free() unallocated memory. (Note: this patch
supersedes libpng-trns-bug.patch, which fixed only this problem.)
Mask off bits of tRNS transparency values that exceed the image's bit depth,
both when the chunk is read (pngrutil.c) and when the values are compared
against pixel data (pngrtran.c). (Not a crash risk but seems worth fixing
anyway.)
diff -Naur libpng-1.2.10.orig/pngpread.c libpng-1.2.10/pngpread.c
--- libpng-1.2.10.orig/pngpread.c 2006-04-23 14:45:34.000000000 -0400
+++ libpng-1.2.10/pngpread.c 2007-10-18 13:50:35.000000000 -0400
@@ -1118,7 +1118,7 @@
for (text = key; *text; text++)
/* empty loop */ ;
- if (text != key + png_ptr->current_text_size)
+ if (text < key + png_ptr->current_text_size)
text++;
text_ptr = (png_textp)png_malloc(png_ptr,
@@ -1214,7 +1214,7 @@
/* empty loop */ ;
/* zTXt can't have zero text */
- if (text == key + png_ptr->current_text_size)
+ if (text >= key + png_ptr->current_text_size)
{
png_ptr->current_text = NULL;
png_free(png_ptr, key);
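Review bot: The widened test still only refuses a zTXt whose keyword has no NUL inside the data, while the sequential reader's counterpart in pngrutil.c (this same patch) requires room after the NUL for the compression-method byte and at least one byte of compressed data (`text >= chunkdata + slength - 2`). If the code after this hunk advances past the NUL and the compression byte before handing the remainder to zlib, as its pngrutil.c twin does, a chunk whose NUL falls in the last two bytes passes here and reaches the decompressor with a remaining length of zero or, if it is computed by subtraction, wrapped; I cannot see that code, so treat this as a bound to confirm rather than a proven over-read. Aligning the two readers is a one-line change: `if (text >= key + png_ptr->current_text_size - 2)`. The enclosing function starts and ends outside the hunk.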
@@ -1412,7 +1412,7 @@
for (lang = key; *lang; lang++)
/* empty loop */ ;
- if (lang != key + png_ptr->current_text_size)
+ if (lang < key + png_ptr->current_text_size - 3)
lang++;
comp_flag = *lang++;
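Review bot: The new guard on `lang` only decides whether to step over the keyword's NUL; when that NUL sits in the last three bytes of the data, or is absent so the scan stopped on the buffer's terminator, `lang` is left on a zero byte, `comp_flag = *lang++` consumes it as the flag, and the pointer then advances towards the comp_type byte and the language tag with no chunk data left to back them. The language-tag scan that follows (outside this hunk) presumably starts from there, so the truncated-chunk case is deferred rather than handled, whereas the sequential reader in pngrutil.c rejects the chunk at exactly this point in this same patch. Mirror the zTXt bail-out a few lines earlier in this file (clear `current_text`, free `key`, return — I am inferring the `return` from the shape of that block). The enclosing function starts and ends outside the hunk.
```c
for (lang = key; *lang; lang++)
   /* empty loop */ ;

/* The NUL, comp_flag and comp_type must all lie inside the chunk data;
 * otherwise drop the chunk instead of skipping the NUL, as zTXt does. */
if (lang >= key + png_ptr->current_text_size - 3)
{
   png_ptr->current_text = NULL;
   png_free(png_ptr, key);
   return;
}
lang++;

comp_flag = *lang++;
/* … unchanged: comp_type skip, language-tag scan … */
```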
@@ -1422,10 +1422,14 @@
/* empty loop */ ;
lang_key++; /* skip NUL separator */
- for (text = lang_key; *text; text++)
- /* empty loop */ ;
+ text=lang_key;
+ if (lang_key < key + png_ptr->current_text_size - 1)
+ {
+ for (; *text; text++)
+ /* empty loop */ ;
+ }
- if (text != key + png_ptr->current_text_size)
+ if (text < key + png_ptr->current_text_size)
text++;
text_ptr = (png_textp)png_malloc(png_ptr,
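Review bot: The added `lang_key < key + png_ptr->current_text_size - 1` guard protects the text scan but not `lang_key` itself: if the language-tag loop whose body opens this hunk ran all the way to the buffer's terminating NUL (a tag with no NUL inside the data — assuming the allocation, made outside this hunk, carries such a terminator), the unchanged `lang_key++` has already stepped one past it, so `text` is set to a pointer beyond the chunk data, the `text < key + png_ptr->current_text_size` test cannot pull it back, and that pointer is presumably what the png_text allocated on the last line receives. The pngrutil.c iTXt reader in this same patch bails out with "Truncated iTXt chunk" when `lang_key >= chunkdata + slength`; the progressive reader should reject rather than skip. The enclosing function starts and ends outside the hunk.
```c
lang_key++; /* skip NUL separator */
/* If the language tag ran to the end of the data, lang_key now points
 * past it; drop the chunk as the sequential reader does. */
if (lang_key >= key + png_ptr->current_text_size)
{
   png_ptr->current_text = NULL;
   png_free(png_ptr, key);
   return;
}

text=lang_key;
/* … unchanged: guarded text scan, text++, png_text allocation … */
```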
diff -Naur libpng-1.2.10.orig/pngrtran.c libpng-1.2.10/pngrtran.c
--- libpng-1.2.10.orig/pngrtran.c 2006-04-23 14:45:34.000000000 -0400
+++ libpng-1.2.10/pngrtran.c 2007-10-18 13:50:35.000000000 -0400
@@ -3671,7 +3671,7 @@
{
case 1:
{
- gray = (png_uint_16)(gray*0xff);
+ gray = (png_uint_16)((gray&0x01)*0xff);
sp = row + (png_size_t)((row_width - 1) >> 3);
dp = row + (png_size_t)row_width - 1;
shift = 7 - (int)((row_width + 7) & 0x07);
@@ -3695,7 +3695,7 @@
}
case 2:
{
- gray = (png_uint_16)(gray*0x55);
+ gray = (png_uint_16)((gray&0x03)*0x55);
sp = row + (png_size_t)((row_width - 1) >> 2);
dp = row + (png_size_t)row_width - 1;
shift = (int)((3 - ((row_width + 3) & 0x03)) << 1);
@@ -3718,7 +3718,7 @@
}
case 4:
{
- gray = (png_uint_16)(gray*0x11);
+ gray = (png_uint_16)((gray&0x0f)*0x11);
sp = row + (png_size_t)((row_width - 1) >> 1);
dp = row + (png_size_t)row_width - 1;
shift = (int)((1 - ((row_width + 1) & 0x01)) << 2);
@@ -3748,6 +3748,7 @@
{
if (row_info->bit_depth == 8)
{
+ gray = gray & 0xff;
sp = row + (png_size_t)row_width - 1;
dp = row + (png_size_t)(row_width << 1) - 1;
for (i = 0; i < row_width; i++)
@@ -3761,12 +3762,13 @@
}
else if (row_info->bit_depth == 16)
{
+ png_byte gray_high = (gray >> 8) & 0xff;
+ png_byte gray_low = gray & 0xff;
sp = row + row_info->rowbytes - 1;
dp = row + (row_info->rowbytes << 1) - 1;
for (i = 0; i < row_width; i++)
{
- if (((png_uint_16)*(sp) |
- ((png_uint_16)*(sp - 1) << 8)) == gray)
+ if (*(sp-1) == gray_high && *(sp) == gray_low)
{
*dp-- = 0;
*dp-- = 0;
@@ -3791,13 +3793,14 @@
{
if (row_info->bit_depth == 8)
{
+ png_byte red = trans_value->red & 0xff;
+ png_byte green = trans_value->green & 0xff;
+ png_byte blue = trans_value->blue & 0xff;
sp = row + (png_size_t)row_info->rowbytes - 1;
dp = row + (png_size_t)(row_width << 2) - 1;
for (i = 0; i < row_width; i++)
{
- if (*(sp - 2) == trans_value->red &&
- *(sp - 1) == trans_value->green &&
- *(sp - 0) == trans_value->blue)
+ if (*(sp - 2) == red && *(sp - 1) == green && *(sp) == blue)
*dp-- = 0;
else
*dp-- = 0xff;
@@ -3808,16 +3811,22 @@
}
else if (row_info->bit_depth == 16)
{
+ png_byte red_high = (trans_value->red >> 8) & 0xff;
+ png_byte green_high = (trans_value->green >> 8) & 0xff;
+ png_byte blue_high = (trans_value->blue >> 8) & 0xff;
+ png_byte red_low = trans_value->red & 0xff;
+ png_byte green_low = trans_value->green & 0xff;
+ png_byte blue_low = trans_value->blue & 0xff;
sp = row + row_info->rowbytes - 1;
dp = row + (png_size_t)(row_width << 3) - 1;
for (i = 0; i < row_width; i++)
{
- if ((((png_uint_16)*(sp - 4) |
- ((png_uint_16)*(sp - 5) << 8)) == trans_value->red) &&
- (((png_uint_16)*(sp - 2) |
- ((png_uint_16)*(sp - 3) << 8)) == trans_value->green) &&
- (((png_uint_16)*(sp - 0) |
- ((png_uint_16)*(sp - 1) << 8)) == trans_value->blue))
+ if (*(sp - 5) == red_high &&
+ *(sp - 4) == red_low &&
+ *(sp - 3) == green_high &&
+ *(sp - 2) == green_low &&
+ *(sp - 1) == blue_high &&
+ *(sp ) == blue_low)
{
*dp-- = 0;
*dp-- = 0;
diff -Naur libpng-1.2.10.orig/pngrutil.c libpng-1.2.10/pngrutil.c
--- libpng-1.2.10.orig/pngrutil.c 2006-04-23 14:45:34.000000000 -0400
+++ libpng-1.2.10/pngrutil.c 2007-10-18 13:50:35.000000000 -0400
@@ -1035,7 +1035,7 @@
/* there should be at least one zero (the compression type byte)
following the separator, and we should be on it */
- if ( profile >= chunkdata + slength)
+ if ( profile >= chunkdata + slength - 1)
{
png_free(png_ptr, chunkdata);
png_warning(png_ptr, "Malformed iCCP chunk");
@@ -1139,7 +1139,7 @@
++entry_start;
/* a sample depth should follow the separator, and we should be on it */
- if (entry_start > chunkdata + slength)
+ if (entry_start > chunkdata + slength - 2)
{
png_free(png_ptr, chunkdata);
png_warning(png_ptr, "malformed sPLT chunk");
@@ -1232,9 +1232,15 @@
png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
{
png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
+ int bit_mask;
png_debug(1, "in png_handle_tRNS\n");
+ /* For non-indexed color, mask off any bits in the tRNS value that
+ * exceed the bit depth. Some creators were writing extra bits there.
+ * This is not needed for indexed color. */
+ bit_mask = (1 << png_ptr->bit_depth) - 1;
+
if (!(png_ptr->mode & PNG_HAVE_IHDR))
png_error(png_ptr, "Missing IHDR before tRNS");
else if (png_ptr->mode & PNG_HAVE_IDAT)
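Review bot: `bit_mask = (1 << png_ptr->bit_depth) - 1` is evaluated before the `PNG_HAVE_IHDR` test, so it runs on whatever `bit_depth` holds when no IHDR has arrived; that is harmless here only because png_error follows, and the shift count is in range only because IHDR handling elsewhere (not visible in this hunk) bounds `bit_depth`. Move the assignment below the two mode checks and record the precondition, e.g. `/* bit_depth was validated by png_handle_IHDR (<= 16), so the shift is in range */`. The same comment should note that an `int` mask is applied to png_uint_16 values and fits for that reason. The enclosing function continues past the hunk.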
@@ -1263,7 +1269,7 @@
png_crc_read(png_ptr, buf, 2);
png_ptr->num_trans = 1;
- png_ptr->trans_values.gray = png_get_uint_16(buf);
+ png_ptr->trans_values.gray = png_get_uint_16(buf) & bit_mask;
}
else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
{
@@ -1277,9 +1283,9 @@
}
png_crc_read(png_ptr, buf, (png_size_t)length);
png_ptr->num_trans = 1;
- png_ptr->trans_values.red = png_get_uint_16(buf);
- png_ptr->trans_values.green = png_get_uint_16(buf + 2);
- png_ptr->trans_values.blue = png_get_uint_16(buf + 4);
+ png_ptr->trans_values.red = png_get_uint_16(buf) & bit_mask;
+ png_ptr->trans_values.green = png_get_uint_16(buf + 2) & bit_mask;
+ png_ptr->trans_values.blue = png_get_uint_16(buf + 4) & bit_mask;
}
else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
{
@@ -1312,7 +1318,10 @@
}
if (png_crc_finish(png_ptr, 0))
+ {
+ png_ptr->num_trans = 0;
return;
+ }
png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
&(png_ptr->trans_values));
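Review bot: The `num_trans = 0` reset is the actual CVE-2007-2445 fix but carries no comment, and nothing links it to the `num_trans = 1` assignments the same function makes in its colour-type branches before the CRC is verified, so the next reader will not see why a CRC failure must undo them. Suggest on the new line: `/* CRC failed: undo num_trans so the half-read tRNS is never used; png_set_tRNS has not run for it */`. The values already copied into `png_ptr->trans_values` by those branches are left in place; that is fine provided `num_trans` is the sole gate on their use, which I cannot confirm from this hunk.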
@@ -1655,7 +1664,7 @@
buf++; /* Skip the null string terminator from previous parameter. */
png_debug1(3, "Reading pCAL parameter %d\n", i);
- for (params[i] = buf; *buf != 0x00 && buf <= endptr; buf++)
+ for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++)
/* Empty loop to move past each parameter string */ ;
/* Make sure we haven't run out of data yet */
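Review bot: Swapping the operands stops `*buf` being read once `buf` has passed `endptr`, but `*buf` is still read when `buf == endptr`, so the loop stays in bounds only if `endptr` addresses a readable byte (the chunk's trailing NUL) rather than one past the data; `purpose` and `endptr` are set outside this hunk, so I cannot tell which. Record the assumption at the loop, `/* endptr must point at the trailing NUL, not one past it */`, or use `buf < endptr` if it is one-past. The enclosing parameter loop begins and ends outside the hunk.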
@@ -1753,6 +1762,17 @@
/* empty loop */ ;
ep++;
+ if (buffer + slength < ep)
+ {
+ png_warning(png_ptr, "Truncated sCAL chunk");
+#if defined(PNG_FIXED_POINT_SUPPORTED) && \
+ !defined(PNG_FLOATING_POINT_SUPPORTED)
+ png_free(png_ptr, swidth);
+#endif
+ png_free(png_ptr, buffer);
+ return;
+ }
+
#ifdef PNG_FLOATING_POINT_SUPPORTED
height = strtod(ep, &vp);
if (*vp)
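Review bot: The new truncation test fires only when `ep` has gone beyond `buffer + slength`, i.e. when the width scan stopped on the terminator; if the width string's NUL is the last data byte, `ep == buffer + slength` passes and `strtod(ep, &vp)` parses whatever sits at `buffer[slength]` — an empty string if the buffer was NUL-terminated when read (outside this hunk) — yielding height 0 with `*vp == 0`, so the "Truncated sCAL chunk" path is skipped for a chunk that has no height field at all. `if (buffer + slength <= ep)` reports it as truncated and keeps strtod off the terminator byte entirely. The enclosing function starts and ends outside the hunk.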
@@ -1976,10 +1996,11 @@
/* empty loop */ ;
/* zTXt must have some text after the chunkdataword */
- if (text == chunkdata + slength)
+ if (text >= chunkdata + slength - 2)
{
- comp_type = PNG_TEXT_COMPRESSION_NONE;
- png_warning(png_ptr, "Zero length zTXt chunk");
+ png_warning(png_ptr, "Truncated zTXt chunk");
+ png_free(png_ptr, chunkdata);
+ return;
}
else
{
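Review bot: `text >= chunkdata + slength - 2` forms the pointer `chunkdata + slength - 2` before comparing, which for a chunk with fewer than two data bytes lies before the allocation and is undefined in C even though it behaves on a flat address space; the same shape appears in the iCCP (`- 1`), sPLT (`- 2`) and iTXt (`- 3`) hunks of this patch and in the pngpread.c hunks. Comparing offsets keeps the arithmetic on sizes: `if ((png_size_t)(text - chunkdata) + 2 >= slength)`. The enclosing function starts and ends outside the hunk.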
@@ -2079,10 +2100,11 @@
translated keyword (possibly empty), and possibly some text after the
keyword */
- if (lang >= chunkdata + slength)
+ if (lang >= chunkdata + slength - 3)
{
- comp_flag = PNG_TEXT_COMPRESSION_NONE;
- png_warning(png_ptr, "Zero length iTXt chunk");
+ png_warning(png_ptr, "Truncated iTXt chunk");
+ png_free(png_ptr, chunkdata);
+ return;
}
else
{
@@ -2094,9 +2116,22 @@
/* empty loop */ ;
lang_key++; /* skip NUL separator */
+ if (lang_key >= chunkdata + slength)
+ {
+ png_warning(png_ptr, "Truncated iTXt chunk");
+ png_free(png_ptr, chunkdata);
+ return;
+ }
+
for (text = lang_key; *text; text++)
/* empty loop */ ;
text++; /* skip NUL separator */
+ if (text >= chunkdata + slength)
+ {
+ png_warning(png_ptr, "Malformed iTXt chunk");
+ png_free(png_ptr, chunkdata);
+ return;
+ }
prefix_len = text - chunkdata;
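Review bot: The second new guard, `text >= chunkdata + slength`, also rejects an iTXt whose text field is empty — `text` lands exactly on `chunkdata + slength` when the translated keyword's NUL is the last data byte — so a chunk the PNG specification permits now draws "Malformed iTXt chunk" and is dropped, and the progressive reader's iTXt path in this same patch does not reject that case, so the two readers disagree. If `chunkdata[slength]` is the NUL terminator the other chunk readers appear to rely on (not visible here), `text > chunkdata + slength` is enough to keep the uncompressed path in bounds; the compressed path would then hand zero bytes to the decompressor, which needs its own check. If the stricter behaviour is the intended safer choice, say so on the guard: `/* deliberately stricter than the spec: an empty text field is rejected */`. The enclosing function starts and ends outside the hunk.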
Index: libpng.spec
===================================================================
RCS file: /cvs/dist/rpms/libpng/FC-6/libpng.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- libpng.spec 23 May 2007 21:38:38 -0000 1.39
+++ libpng.spec 18 Oct 2007 18:36:06 -0000 1.40
@@ -1,21 +1,21 @@
Summary: A library of functions for manipulating PNG image format files
Name: libpng
+Epoch: 2
Version: 1.2.10
-Release: 9%{?dist}
-License: OSI certified
+Release: 10%{?dist}
+License: zlib
Group: System Environment/Libraries
-Source: ftp://swrinde.nde.swri.edu/pub/png/src/libpng-%{version}.tar.bz2
+URL: http://www.libpng.org/pub/png/
+
+Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
Patch0: libpng-1.2.10-multilib.patch
Patch1: libpng-1.2.10-pngconf.patch
-Patch2: libpng-trns-bug.patch
+Patch2: libpng-1222-fixes.patch
Patch3: libpng-splt-bug.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildPrereq: zlib-devel
+BuildRequires: zlib-devel
Provides: libpng.so.3
-URL: http://www.libpng.org/pub/png/
-%define LIBVER 3.%{version}
-Epoch: 2
Conflicts: qt < 0:2.2.2
%description
@@ -84,6 +84,11 @@
rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Oct 18 2007 Tom Lane <tgl redhat com> 2:1.2.10-10
+- Back-port critical fixes from libpng 1.2.22, primarily to fix CVE-2007-5269
+Related: #324771
+- Update License tag and some other obsolete bits in specfile
+
* Wed May 23 2007 Tom Lane <tgl redhat com> 2:1.2.10-9
- Add patch to fix CVE-2006-5793
Related: #215405
--- libpng-1.2.8-multilib.patch DELETED ---
--- libpng-rhconf.patch DELETED ---
--- libpng-trns-bug.patch DELETED ---