X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=libs%2Flibpng%2Fpatches%2F200-CVE-2011-3026.patch;fp=libs%2Flibpng%2Fpatches%2F200-CVE-2011-3026.patch;h=beb0d60d525303feeb74659712ed2f685116ff02;hb=8b3833ca92c02f7b9f9c4f0939c0d966c7a331a4;hp=0000000000000000000000000000000000000000;hpb=45c295ae8c71ee17f7328f893f02d89277a470d1;p=openwrt%2Fsvn-archive%2Farchive.git diff --git a/libs/libpng/patches/200-CVE-2011-3026.patch b/libs/libpng/patches/200-CVE-2011-3026.patch new file mode 100644 index 0000000000..beb0d60d52 --- /dev/null +++ b/libs/libpng/patches/200-CVE-2011-3026.patch @@ -0,0 +1,40 @@ +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -339,15 +339,18 @@ png_decompress_chunk(png_structp png_ptr + /* Now check the limits on this chunk - if the limit fails the + * compressed data will be removed, the prefix will remain. + */ ++ if (prefix_size >= (~(png_size_t)0) - 1 || ++ expanded_size >= (~(png_size_t)0) - 1 - prefix_size + #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED +- if (png_ptr->user_chunk_malloc_max && ++ || (png_ptr->user_chunk_malloc_max && + (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) + #else + # ifdef PNG_USER_CHUNK_MALLOC_MAX +- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && ++ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) && + prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) + # endif + #endif ++ ) + png_warning(png_ptr, "Exceeded size limit while expanding chunk"); + + /* If the size is zero either there was an error and a message +@@ -355,14 +358,11 @@ png_decompress_chunk(png_structp png_ptr + * and we have nothing to do - the code will exit through the + * error case below. + */ +-#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \ +- defined(PNG_USER_CHUNK_MALLOC_MAX) +- else +-#endif +- if (expanded_size > 0) ++ else if (expanded_size > 0) + { + /* Success (maybe) - really uncompress the chunk. */ + png_size_t new_size = 0; ++ + png_charp text = png_malloc_warn(png_ptr, + prefix_size + expanded_size + 1); +