cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add pieces of the libpng jumbo security patch not already in the port.

Browse Source 
http://www.us-cert.gov/cas/techalerts/TA04-217A.html
This commit is contained in:
brad 2004-08-05 19:17:14 +00:00
parent fa224cdc8f
commit 9d09e74a0f
7 changed files with 258 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
graphics/png/Makefile
View File

@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.46 2004/07/06 22:17:48 brad Exp $
# $OpenBSD: Makefile,v 1.47 2004/08/05 19:17:14 brad Exp $
COMMENT= "library for manipulating PNG images"
DISTNAME= libpng-1.2.5
PKGNAME= ${DISTNAME:S/lib//}p4
PKGNAME= ${DISTNAME:S/lib//}p5
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libpng/}

25
graphics/png/patches/patch-png_h Normal file
View File

@ -0,0 +1,25 @@
$OpenBSD: patch-png_h,v 1.1 2004/08/05 19:17:14 brad Exp $
--- png.h.orig Thu Oct 3 07:32:26 2002
+++ png.h Thu Aug 5 14:29:45 2004
@@ -833,7 +833,11 @@ typedef png_info FAR * png_infop;
typedef png_info FAR * FAR * png_infopp;
/* Maximum positive integer used in PNG is (2^31)-1 */
-#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
+#define PNG_UINT_32_MAX (~((png_uint_32)0))
+#define PNG_SIZE_MAX (~((png_size_t)0))
+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
+#define PNG_MAX_UINT PNG_UINT_31_MAX
/* These describe the color_type field in png_info. */
/* color type masks */
@@ -2655,6 +2659,8 @@ PNG_EXTERN png_int_32 png_get_int_32 PNG
PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
#endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
+ png_bytep buf));
/* Initialize png_ptr struct for reading, and allocate any other memory.
* (old interface - DEPRECATED - use png_create_read_struct instead).

24
graphics/png/patches/patch-pngconf_h
View File

@ -1,7 +1,21 @@
$OpenBSD: patch-pngconf_h,v 1.1 2004/07/10 23:19:21 brad Exp $
--- pngconf.h.orig Sat Jul 10 19:07:13 2004
+++ pngconf.h Sat Jul 10 19:09:02 2004
@@ -1280,6 +1280,7 @@ typedef z_stream FAR * png_zstreamp;
$OpenBSD: patch-pngconf_h,v 1.2 2004/08/05 19:17:14 brad Exp $
--- pngconf.h.orig Thu Oct 3 07:32:27 2002
+++ pngconf.h Thu Aug 5 14:29:45 2004
@@ -663,6 +663,13 @@
#endif
#endif /* PNG_1_0_X */
+#ifndef PNG_USER_WIDTH_MAX
+# define PNG_USER_WIDTH_MAX 1000000L
+#endif
+#ifndef PNG_USER_HEIGHT_MAX
+# define PNG_USER_HEIGHT_MAX 1000000L
+#endif
+
/* These are currently experimental features, define them if you want */
/* very little testing */
@@ -1280,6 +1287,7 @@ typedef z_stream FAR * png_zstreamp;
# define CVT_PTR(ptr) (png_far_to_near(png_ptr,ptr,CHECK))
# define CVT_PTR_NOCHECK(ptr) (png_far_to_near(png_ptr,ptr,NOCHECK))
# define png_strcpy _fstrcpy
@ -9,7 +23,7 @@ $OpenBSD: patch-pngconf_h,v 1.1 2004/07/10 23:19:21 brad Exp $
# define png_strlen _fstrlen
# define png_memcmp _fmemcmp /* SJT: added */
# define png_memcpy _fmemcpy
@@ -1288,6 +1289,7 @@ typedef z_stream FAR * png_zstreamp;
@@ -1288,6 +1296,7 @@ typedef z_stream FAR * png_zstreamp;
# define CVT_PTR(ptr) (ptr)
# define CVT_PTR_NOCHECK(ptr) (ptr)
# define png_strcpy strcpy

34
graphics/png/patches/patch-pngpread_c Normal file
View File

@ -0,0 +1,34 @@
$OpenBSD: patch-pngpread_c,v 1.1 2004/08/05 19:17:14 brad Exp $
--- pngpread.c.orig Thu Oct 3 07:32:28 2002
+++ pngpread.c Thu Aug 5 14:29:45 2004
@@ -208,7 +208,7 @@ png_push_read_chunk(png_structp png_ptr,
}
png_push_fill_buffer(png_ptr, chunk_length, 4);
- png_ptr->push_length = png_get_uint_32(chunk_length);
+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
@@ -591,6 +591,11 @@ png_push_save_buffer(png_structp png_ptr
png_size_t new_max;
png_bytep old_buffer;
+ if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
+ (png_ptr->current_buffer_size + 256))
+ {
+ png_error(png_ptr, "Potential overflow of save_buffer");
+ }
new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
old_buffer = png_ptr->save_buffer;
png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
@@ -637,8 +642,7 @@ png_push_read_IDAT(png_structp png_ptr)
}
png_push_fill_buffer(png_ptr, chunk_length, 4);
- png_ptr->push_length = png_get_uint_32(chunk_length);
-
+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;

63
graphics/png/patches/patch-pngread_c Normal file
View File

@ -0,0 +1,63 @@
$OpenBSD: patch-pngread_c,v 1.1 2004/08/05 19:17:14 brad Exp $
--- pngread.c.orig Thu Oct 3 07:32:29 2002
+++ pngread.c Thu Aug 5 14:29:45 2004
@@ -384,7 +384,7 @@ png_read_info(png_structp png_ptr, png_i
png_uint_32 length;
png_read_data(png_ptr, chunk_length, 4);
- length = png_get_uint_32(chunk_length);
+ length = png_get_uint_31(png_ptr,chunk_length);
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
@@ -392,9 +392,6 @@ png_read_info(png_structp png_ptr, png_i
png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
length);
- if (length > PNG_MAX_UINT)
- png_error(png_ptr, "Invalid chunk length.");
-
/* This should be a binary subdivision search or a hash for
* matching the chunk name rather than a linear search.
*/
@@ -673,11 +670,8 @@ png_read_row(png_structp png_ptr, png_by
png_crc_finish(png_ptr, 0);
png_read_data(png_ptr, chunk_length, 4);
- png_ptr->idat_size = png_get_uint_32(chunk_length);
+ png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
- if (png_ptr->idat_size > PNG_MAX_UINT)
- png_error(png_ptr, "Invalid chunk length.");
-
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
@@ -946,16 +940,13 @@ png_read_end(png_structp png_ptr, png_in
#endif /* PNG_GLOBAL_ARRAYS */
png_read_data(png_ptr, chunk_length, 4);
- length = png_get_uint_32(chunk_length);
+ length = png_get_uint_31(png_ptr,chunk_length);
png_reset_crc(png_ptr);
png_crc_read(png_ptr, png_ptr->chunk_name, 4);
png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
- if (length > PNG_MAX_UINT)
- png_error(png_ptr, "Invalid chunk length.");
-
if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
png_handle_IHDR(png_ptr, info_ptr, length);
else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4))
@@ -1298,6 +1289,9 @@ png_read_png(png_structp png_ptr, png_in
* PNG file before the first IDAT (image data chunk).
*/
png_read_info(png_ptr, info_ptr);
+
+ if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
+ png_error(png_ptr,"Image is too high to process with png_read_png()");
/* -------------- image transformations start here ------------------- */

103
graphics/png/patches/patch-pngrutil_c Normal file
View File

@ -0,0 +1,103 @@
$OpenBSD: patch-pngrutil_c,v 1.1 2004/08/05 19:17:14 brad Exp $
--- pngrutil.c.orig Thu Oct 3 07:32:30 2002
+++ pngrutil.c Thu Aug 5 14:29:45 2004
@@ -38,6 +38,14 @@ __inline double strtod(const char *nptr,
# endif
#endif
+png_uint_32 /* PRIVATE */
+png_get_uint_31(png_structp png_ptr, png_bytep buf)
+{
+ png_uint_32 i = png_get_uint_32(buf);
+ if (i > PNG_UINT_31_MAX)
+ png_error(png_ptr, "PNG unsigned integer out of range.\n");
+ return (i);
+}
#ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
png_uint_32 /* PRIVATE */
@@ -579,7 +587,7 @@ png_handle_gAMA(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Out of place gAMA chunk");
- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
#if defined(PNG_READ_sRGB_SUPPORTED)
&& !(info_ptr->valid & PNG_INFO_sRGB)
#endif
@@ -660,7 +668,7 @@ png_handle_sBIT(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Out of place sBIT chunk");
}
- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
{
png_warning(png_ptr, "Duplicate sBIT chunk");
png_crc_finish(png_ptr, length);
@@ -729,7 +737,7 @@ png_handle_cHRM(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Missing PLTE before cHRM");
- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
#if defined(PNG_READ_sRGB_SUPPORTED)
&& !(info_ptr->valid & PNG_INFO_sRGB)
#endif
@@ -891,7 +899,7 @@ png_handle_sRGB(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Out of place sRGB chunk");
- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
{
png_warning(png_ptr, "Duplicate sRGB chunk");
png_crc_finish(png_ptr, length);
@@ -977,8 +985,7 @@ png_handle_iCCP(png_structp png_ptr, png
png_bytep pC;
png_charp profile;
png_uint_32 skip = 0;
- png_uint_32 profile_size = 0;
- png_uint_32 profile_length = 0;
+ png_uint_32 profile_size, profile_length;
png_size_t slength, prefix_length, data_length;
png_debug(1, "in png_handle_iCCP\n");
@@ -995,7 +1002,7 @@ png_handle_iCCP(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Out of place iCCP chunk");
- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
{
png_warning(png_ptr, "Duplicate iCCP chunk");
png_crc_finish(png_ptr, length);
@@ -1154,8 +1161,18 @@ png_handle_sPLT(png_structp png_ptr, png
}
new_palette.nentries = data_length / entry_size;
- new_palette.entries = (png_sPLT_entryp)png_malloc(
+ if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
+ {
+ png_warning(png_ptr, "sPLT chunk too long");
+ return;
+ }
+ new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
+ if (new_palette.entries == NULL)
+ {
+ png_warning(png_ptr, "sPLT chunk requires too much memory");
+ return;
+ }
#ifndef PNG_NO_POINTER_INDEXING
for (i = 0; i < new_palette.nentries; i++)
@@ -1241,7 +1258,8 @@ png_handle_tRNS(png_structp png_ptr, png
/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Missing PLTE before tRNS");
}
- else if (length > (png_uint_32)png_ptr->num_palette)
+ if (length > (png_uint_32)png_ptr->num_palette ||
+ length > PNG_MAX_PALETTE_LENGTH)
{
png_warning(png_ptr, "Incorrect tRNS chunk length");
png_crc_finish(png_ptr, length);

12
graphics/png/patches/patch-pngset_c Normal file
View File

@ -0,0 +1,12 @@
$OpenBSD: patch-pngset_c,v 1.1 2004/08/05 19:17:14 brad Exp $
--- pngset.c.orig Thu Oct 3 07:32:30 2002
+++ pngset.c Thu Aug 5 14:29:45 2004
@@ -253,6 +253,8 @@ png_set_IHDR(png_structp png_ptr, png_in
png_error(png_ptr, "Image width or height is zero in IHDR");
if (width > PNG_MAX_UINT || height > PNG_MAX_UINT)
png_error(png_ptr, "Invalid image size in IHDR");
+ if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
+ png_error(png_ptr, "image size exceeds user limits in IHDR");
/* check other values */
if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&