cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security fixes for optipng:

Browse Source 
- CVE-2017-16938 (Global buffer overflow)
  Details: https://sourceforge.net/p/optipng/bugs/69/

- CVE-2017-1000229 (Integer overflow)
  Detailes: https://sourceforge.net/p/optipng/bugs/65/

OK jca@
This commit is contained in:
fcambus 2017-12-12 15:51:44 +00:00
parent 8380f7ebb7
commit 639794bf5b
3 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
graphics/optipng/Makefile
View File

@ -1,7 +1,8 @@
# $OpenBSD: Makefile,v 1.3 2016/07/01 07:44:19 jasper Exp $
# $OpenBSD: Makefile,v 1.4 2017/12/12 15:51:44 fcambus Exp $
COMMENT = lossless PNG optimizer
DISTNAME = optipng-0.7.6
REVISION = 0
CATEGORIES = graphics
HOMEPAGE = http://optipng.sourceforge.net/

17
graphics/optipng/patches/patch-src_gifread_gifread_c Normal file
View File

@ -0,0 +1,17 @@
$OpenBSD: patch-src_gifread_gifread_c,v 1.1 2017/12/12 15:51:44 fcambus Exp $
Fix for CVE-2017-16938 (Global buffer overflow)
https://sourceforge.net/p/optipng/bugs/69/
Index: src/gifread/gifread.c
--- src/gifread/gifread.c.orig
+++ src/gifread/gifread.c
@@ -499,6 +499,8 @@ static int LZWReadByte(int init_flag, int input_code_s
*sp++ = table[1][code];
if (code == table[0][code])
GIFError("GIF/LZW error: circular table entry");
+ if ((size_t)(sp - stack) >= sizeof(stack) / sizeof(stack[0]))
+ GIFError("GIF/LZW error: circular table");
code = table[0][code];
}

17
graphics/optipng/patches/patch-src_minitiff_tiffread_c Normal file
View File

@ -0,0 +1,17 @@
$OpenBSD: patch-src_minitiff_tiffread_c,v 1.1 2017/12/12 15:51:44 fcambus Exp $
Fix for CVE-2017-1000229 (Integer overflow)
https://sourceforge.net/p/optipng/bugs/65/
Index: src/minitiff/tiffread.c
--- src/minitiff/tiffread.c.orig
+++ src/minitiff/tiffread.c
@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FIL
count = tiff_ptr->strip_offsets_count;
if (count == 0 || count > tiff_ptr->height)
goto err_invalid;
+ if (count > (size_t)-1 / sizeof(long))
+ goto err_memory;
tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
if (tiff_ptr->strip_offsets == NULL)
goto err_memory;