yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch

From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Fri, 30 Oct 2015 07:57:49 -0500
Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
 Truta).

Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d

Many changes involved date and version updates with don't apply in this case.

CVE: CVE-2015-8126 patch #2
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 ANNOUNCE          |  6 +++---
 CHANGES           |  4 ++--
 libpng-manual.txt | 11 +++++------
 libpng.3          | 19 +++++++++----------
 pngrutil.c        |  3 +++
 pngset.c          | 13 +++++++++----
 pngwutil.c        |  6 +++---
 7 files changed, 34 insertions(+), 28 deletions(-)

Index: libpng-1.6.17/libpng-manual.txt
===================================================================
--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
 is an error. Previously this requirement of the PNG specification was not
-enforced. Libpng continues to accept over-length PLTE chunks when reading,
-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
 
 XIII.  Detecting libpng
 
Index: libpng-1.6.17/libpng.3
===================================================================
--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
 is an error. Previously this requirement of the PNG specification was not
-enforced. Libpng continues to accept over-length PLTE chunks when reading,
-but does not make any use of the extra entries.
+enforced, and the palette was always limited to 256 entries.
 
 .SH XIII.  Detecting libpng
 
Index: libpng-1.6.17/pngrutil.c
===================================================================
--- libpng-1.6.17.orig/pngrutil.c
+++ libpng-1.6.17/pngrutil.c
@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
     * confusing.
     *
     * Fix this by not sharing the palette in this way.
+    *
+    * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+    * it attempts to set a palette length that is too large for the bit depth.
     */
    png_set_PLTE(png_ptr, info_ptr, palette, num);
 
Index: libpng-1.6.17/pngset.c
===================================================================
--- libpng-1.6.17.orig/pngset.c
+++ libpng-1.6.17/pngset.c
@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
     png_const_colorp palette, int num_palette)
 {
 
+   png_uint_32 max_palette_length;
+
    png_debug1(1, "in %s storage function", "PLTE");
 
    if (png_ptr == NULL || info_ptr == NULL)
       return;
 
-   if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+   if (num_palette < 0 || num_palette > max_palette_length)
    {
       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
          png_error(png_ptr, "Invalid palette length");
@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
 
    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
-    * of num_palette entries, in case of an invalid PNG file that has
-    * too-large sample values.
+    * of num_palette entries, in case of an invalid PNG file or incorrect
+    * call to png_set_PLTE() with too-large sample values.
     */
    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
Index: libpng-1.6.17/pngwutil.c
===================================================================
--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
@@ -922,20 +922,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
     png_uint_32 num_pal)
 {
-   png_uint_32 max_num_pal, i;
+   png_uint_32 max_palette_length, i;
    png_const_colorp pal_ptr;
    png_byte buf[3];
 
    png_debug(1, "in png_write_PLTE");
 
-   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+   max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
 
    if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
 #endif
-       num_pal == 0) || num_pal > max_num_pal)
+       num_pal == 0) || num_pal > max_palette_length)
    {
       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       {