From f0431b4d0c2e0346e782b73ec22a0b330b78d251 Mon Sep 17 00:00:00 2001
From: robert
Date: Mon, 3 May 2004 05:13:04 +0000
Subject: [PATCH] Fix for CAN-2004-0421: Steve Grubb reports a buffer read overrun in libpng's png_format_buffer function. A specially constructed PNG image processed by an application using libpng may trigger the buffer read overrun and possibly result in an application crash. ok brad@
---
 graphics/png/Makefile | 4 ++--
 graphics/png/patches/patch-pngerror_c | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 graphics/png/patches/patch-pngerror_c
diff --git a/graphics/png/Makefile b/graphics/png/Makefile
index 804735bd718..37259444d38 100644
--- a/graphics/png/Makefile
+++ b/graphics/png/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.44 2004/02/24 23:18:57 brad Exp $
+# $OpenBSD: Makefile,v 1.45 2004/05/03 05:13:04 robert Exp $
 COMMENT= "library for manipulating PNG images"
 DISTNAME= libpng-1.2.5
-PKGNAME= ${DISTNAME:S/lib//}p2
+PKGNAME= ${DISTNAME:S/lib//}p3
 CATEGORIES= graphics
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=libpng/}
diff --git a/graphics/png/patches/patch-pngerror_c b/graphics/png/patches/patch-pngerror_c
new file mode 100644
index 00000000000..70f9286d306
--- /dev/null
+++ b/graphics/png/patches/patch-pngerror_c
@@ -0,0 +1,20 @@
+$OpenBSD: patch-pngerror_c,v 1.1 2004/05/03 05:13:04 robert Exp $
+--- pngerror.c.orig Sun May 2 22:47:58 2004
++++ pngerror.c Sun May 2 22:49:36 2004
+@@ -135,10 +135,14 @@
+ buffer[iout] = 0;
+ else
+ {
++ int len = strlen(error_message);
++
++ if (len > 64)
++ len = 64;
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+- png_memcpy(buffer+iout, error_message, 64);
+- buffer[iout+63] = 0;
++ png_memcpy(buffer+iout, error_message, len);
++ buffer[iout+len-1] = 0;
+ }
+ }
+
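Review bot: In the patch-pngerror_c hunk, the terminator written by `buffer[iout+len-1] = 0;` lands on the last byte that was just copied, so any message shorter than 64 bytes loses its final character, and an empty message makes it overwrite the ' ' stored just before. The clamp does stop png_memcpy from reading past the end of error_message, so the read overrun itself is closed; only the termination index is off by one. I would cap the copy at 63 bytes and terminate after it, `if (len > 63) len = 63;` and `buffer[iout+len] = 0;`, which never writes beyond `buffer[iout+63]`, the index the removed code already used. `int len = strlen(error_message);` also narrows a size_t into an int; declaring it as `png_size_t len` would avoid the conversion. The enclosing function starts and ends outside the hunk, so the size of buffer and the NULL check on error_message are assumed from the surrounding lines.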