From 8b3833ca92c02f7b9f9c4f0939c0d966c7a331a4 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Sat, 18 Feb 2012 19:14:44 +0000 Subject: [PATCH] [packages_10.03.2] merge r30633 SVN-Revision: 30634 --- libs/libpng/Makefile | 4 +-- libs/libpng/patches/200-CVE-2011-3026.patch | 40 +++++++++++++++++++++ 2 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 libs/libpng/patches/200-CVE-2011-3026.patch diff --git a/libs/libpng/Makefile b/libs/libpng/Makefile index fb7dc80e98..43a1e6a497 100644 --- a/libs/libpng/Makefile +++ b/libs/libpng/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2011 OpenWrt.org +# Copyright (C) 2006-2012 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libpng PKG_VERSION:=1.2.46 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/libpng diff --git a/libs/libpng/patches/200-CVE-2011-3026.patch b/libs/libpng/patches/200-CVE-2011-3026.patch new file mode 100644 index 0000000000..beb0d60d52 --- /dev/null +++ b/libs/libpng/patches/200-CVE-2011-3026.patch @@ -0,0 +1,40 @@ +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -339,15 +339,18 @@ png_decompress_chunk(png_structp png_ptr + /* Now check the limits on this chunk - if the limit fails the + * compressed data will be removed, the prefix will remain. + */ ++ if (prefix_size >= (~(png_size_t)0) - 1 || ++ expanded_size >= (~(png_size_t)0) - 1 - prefix_size + #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED +- if (png_ptr->user_chunk_malloc_max && ++ || (png_ptr->user_chunk_malloc_max && + (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) + #else + # ifdef PNG_USER_CHUNK_MALLOC_MAX +- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && ++ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && + prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) + # endif + #endif ++ ) + png_warning(png_ptr, "Exceeded size limit while expanding chunk"); + + /* If the size is zero either there was an error and a message +@@ -355,14 +358,11 @@ png_decompress_chunk(png_structp png_ptr + * and we have nothing to do - the code will exit through the + * error case below. + */ +-#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ +- defined(PNG_USER_CHUNK_MALLOC_MAX) +- else +-#endif +- if (expanded_size > 0) ++ else if (expanded_size > 0) + { + /* Success (maybe) - really uncompress the chunk. */ + png_size_t new_size = 0; ++ + png_charp text = png_malloc_warn(png_ptr, + prefix_size + expanded_size + 1); + -- 2.30.2