yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch

From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Thu, 29 Oct 2015 09:26:41 -0500
Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk

Upstream-Status: Backport
https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766

CVE: CVE-2015-8126 patch #1

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 libpng-manual.txt | 5 +++++
 libpng.3          | 5 +++++
 pngwrite.c        | 4 ++--
 pngwutil.c        | 7 +++++--
 4 files changed, 17 insertions(+), 4 deletions(-)

Index: libpng-1.6.17/libpng-manual.txt
===================================================================
--- libpng-1.6.17.orig/libpng-manual.txt
+++ libpng-1.6.17/libpng-manual.txt
@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
 XIII.  Detecting libpng
 
 The png_get_io_ptr() function has been present since libpng-0.88, has never
Index: libpng-1.6.17/libpng.3
===================================================================
--- libpng-1.6.17.orig/libpng.3
+++ libpng-1.6.17/libpng.3
@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
 chunk.  This error was fixed in libpng-1.6.3, and a tool (called
 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
 
+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
+is an error. Previously this requirement of the PNG specification was not
+enforced. Libpng continues to accept over-length PLTE chunks when reading,
+but does not make any use of the extra entries.
+
 .SH XIII.  Detecting libpng
 
 The png_get_io_ptr() function has been present since libpng-0.88, has never
Index: libpng-1.6.17/pngwrite.c
===================================================================
--- libpng-1.6.17.orig/pngwrite.c
+++ libpng-1.6.17/pngwrite.c
@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
       png_write_PLTE(png_ptr, info_ptr->palette,
           (png_uint_32)info_ptr->num_palette);
 
-   else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
+   else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       png_error(png_ptr, "Valid palette required for paletted images");
 
 #ifdef PNG_WRITE_tRNS_SUPPORTED
Index: libpng-1.6.17/pngwutil.c
===================================================================
--- libpng-1.6.17.orig/pngwutil.c
+++ libpng-1.6.17/pngwutil.c
@@ -922,17 +922,20 @@ void /* PRIVATE */
 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
     png_uint_32 num_pal)
 {
-   png_uint_32 i;
+   png_uint_32 max_num_pal, i;
    png_const_colorp pal_ptr;
    png_byte buf[3];
 
    png_debug(1, "in png_write_PLTE");
 
+   max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+      (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
    if ((
 #ifdef PNG_MNG_FEATURES_SUPPORTED
        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
 #endif
-       num_pal == 0) || num_pal > 256)
+       num_pal == 0) || num_pal > max_num_pal)
    {
       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
       {