aboutsummaryrefslogtreecommitdiff
path: root/libraries/libglpng/patches
diff options
context:
space:
mode:
authorMatteo Bernardini <ponce@slackbuilds.org>2015-04-23 06:16:23 +0200
committerWilly Sudiarto Raharjo <willysr@slackbuilds.org>2016-01-17 09:40:16 +0700
commita8bc7e8ef047a7c2191a30968b68158a13b1b043 (patch)
tree3b9e6a679561c7e56becb48e47eb5b78efe7bb05 /libraries/libglpng/patches
parent53897510745f57b10474930e822b86ca4e9f2cd9 (diff)
libraries/libglpng: Add two more patches (from fedora).
One for a CVE and another fix building against the newer libpng Signed-off-by: Matteo Bernardini <ponce@slackbuilds.org> Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'libraries/libglpng/patches')
-rw-r--r--libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch159
-rw-r--r--libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch9
-rw-r--r--libraries/libglpng/patches/libglpng-1.45-libpng15.patch48
3 files changed, 216 insertions, 0 deletions
diff --git a/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch b/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch
new file mode 100644
index 0000000000000..bc45ffe48ff0f
--- /dev/null
+++ b/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch
@@ -0,0 +1,159 @@
+diff -up libglpng-1.45.orig/src/glpng.c.cve libglpng-1.45.orig/src/glpng.c
+--- libglpng-1.45.orig/src/glpng.c.cve 2010-09-10 14:13:37.105046660 +0200
++++ libglpng-1.45.orig/src/glpng.c 2010-09-10 14:14:46.158045715 +0200
+@@ -28,6 +28,7 @@
+ #include <GL/glpng.h>
+ #include <GL/gl.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <math.h>
+ #include <png.h>
+
+@@ -259,9 +260,9 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa
+ png_structp png;
+ png_infop info;
+ png_infop endinfo;
+- png_bytep data;
+- png_bytep *row_p;
+- double fileGamma;
++ png_bytep data = NULL;
++ png_bytep *row_p = NULL;
++ double fileGamma;
+
+ png_uint_32 width, height;
+ int depth, color;
+@@ -274,13 +275,19 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa
+ if (!png_check_sig(header, 8)) return 0;
+
+ png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
++ if (!png) return 0;
+ info = png_create_info_struct(png);
++ if (!info) return 0;
+ endinfo = png_create_info_struct(png);
++ if (!endinfo) return 0;
+
+ // DH: added following lines
+ if (setjmp(png->jmpbuf))
+ {
++error:
+ png_destroy_read_struct(&png, &info, &endinfo);
++ free(data);
++ free(row_p);
+ return 0;
+ }
+ // ~DH
+@@ -303,8 +310,16 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa
+
+ png_read_update_info(png, info);
+
++ /* HDG: We allocate all the png data in one linear array, thus
++ height * png_get_rowbytes() may not be > PNG_UINT_32_MAX !
++ This check fixes CVE-2010-1519. */
++ if ((uint64_t)height * png_get_rowbytes(png, info) > PNG_UINT_32_MAX)
++ goto error;
++
+ data = (png_bytep) malloc(png_get_rowbytes(png, info)*height);
+ row_p = (png_bytep *) malloc(sizeof(png_bytep)*height);
++ if (!data || !row_p)
++ goto error;
+
+ for (i = 0; i < height; i++) {
+ if (StandardOrientation)
+@@ -315,6 +330,7 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa
+
+ png_read_image(png, row_p);
+ free(row_p);
++ row_p = NULL;
+
+ if (color == PNG_COLOR_TYPE_PALETTE) {
+ int cols;
+@@ -365,9 +381,10 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ png_structp png;
+ png_infop info;
+ png_infop endinfo;
+- png_bytep data, data2;
+- png_bytep *row_p;
+- double fileGamma;
++ png_bytep data = NULL;
++ png_bytep data2 = NULL;
++ png_bytep *row_p = NULL;
++ double fileGamma;
+
+ png_uint_32 width, height, rw, rh;
+ int depth, color;
+@@ -378,13 +395,20 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ if (!png_check_sig(header, 8)) return 0;
+
+ png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
++ if (!png) return 0;
+ info = png_create_info_struct(png);
++ if (!info) return 0;
+ endinfo = png_create_info_struct(png);
++ if (!endinfo) return 0;
+
+ // DH: added following lines
+ if (setjmp(png->jmpbuf))
+ {
++error:
+ png_destroy_read_struct(&png, &info, &endinfo);
++ free(data);
++ free(data2);
++ free(row_p);
+ return 0;
+ }
+ // ~DH
+@@ -442,8 +466,16 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+
+ png_read_update_info(png, info);
+
++ /* HDG: We allocate all the png data in one linear array, thus
++ height * png_get_rowbytes() may not be > PNG_UINT_32_MAX !
++ This check fixes CVE-2010-1519. */
++ if ((uint64_t)height * png_get_rowbytes(png, info) > PNG_UINT_32_MAX)
++ goto error;
++
+ data = (png_bytep) malloc(png_get_rowbytes(png, info)*height);
+ row_p = (png_bytep *) malloc(sizeof(png_bytep)*height);
++ if (!data || !row_p)
++ goto error;
+
+ for (i = 0; i < height; i++) {
+ if (StandardOrientation)
+@@ -454,6 +486,7 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+
+ png_read_image(png, row_p);
+ free(row_p);
++ row_p = NULL;
+
+ rw = SafeSize(width), rh = SafeSize(height);
+
+@@ -461,6 +494,8 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ const int channels = png_get_rowbytes(png, info)/width;
+
+ data2 = (png_bytep) malloc(rw*rh*channels);
++ if (!data2)
++ goto error;
+
+ /* Doesn't work on certain sizes */
+ /* if (gluScaleImage(glformat, width, height, GL_UNSIGNED_BYTE, data, rw, rh, GL_UNSIGNED_BYTE, data2) != 0)
+@@ -471,6 +506,7 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ width = rw, height = rh;
+ free(data);
+ data = data2;
++ data2 = NULL;
+ }
+
+ { /* OpenGL stuff */
+@@ -540,6 +576,12 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ png_bytep p, endp, q;
+ int r, g, b, a;
+
++ /* HDG another potential 32 bit address overflow, the
++ original png had 3 channels and we are going to
++ 4 channels now! */
++ if ((uint64_t)width * height > (PNG_UINT_32_MAX >> 2))
++ goto error;
++
+ p = data, endp = p+width*height*3;
+ q = data2 = (png_bytep) malloc(sizeof(png_byte)*width*height*4);
+
diff --git a/libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch b/libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch
new file mode 100644
index 0000000000000..16dd4db3fb67c
--- /dev/null
+++ b/libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch
@@ -0,0 +1,9 @@
+diff -Nur libglpng-1.45.orig/Makefile libglpng-1.45/Makefile
+--- libglpng-1.45.orig/Makefile 2008-03-27 19:33:50.000000000 -0500
++++ libglpng-1.45/Makefile 2009-07-03 14:53:28.900650418 -0500
+@@ -1,4 +1,4 @@
+-CFLAGS=-Wall -g -O3 -fPIC -I$(shell pwd)/include
++CFLAGS=-Wall -g $(EXTRA_CFLAGS) -I$(shell pwd)/include
+ LDFLAGS=-lpng -lGL
+ SHAREDLIBFLAGS=-shared
+ DESTDIR=/usr/local
diff --git a/libraries/libglpng/patches/libglpng-1.45-libpng15.patch b/libraries/libglpng/patches/libglpng-1.45-libpng15.patch
new file mode 100644
index 0000000000000..dcafea8fe319c
--- /dev/null
+++ b/libraries/libglpng/patches/libglpng-1.45-libpng15.patch
@@ -0,0 +1,48 @@
+diff -up libglpng-1.45.orig/include/GL/glpng.h~ libglpng-1.45.orig/include/GL/glpng.h
+--- libglpng-1.45.orig/include/GL/glpng.h~ 2011-12-06 22:14:59.000000000 +0100
++++ libglpng-1.45.orig/include/GL/glpng.h 2011-12-06 22:15:48.900673919 +0100
+@@ -57,7 +57,7 @@ extern "C" {
+ #define PNG_SIMPLEMIPMAP PNG_SIMPLEMIPMAPS
+
+ /* Transparency parameters */
+-#define PNG_CALLBACK -3 /* Call the callback function to generate alpha */
++#define PNG_CALLBACK_FUNC -3 /* Call the callback function to generate alpha */
+ #define PNG_ALPHA -2 /* Use alpha channel in PNG file, if there is one */
+ #define PNG_SOLID -1 /* No transparency */
+ #define PNG_STENCIL 0 /* Sets alpha to 0 for r=g=b=0, 1 otherwise */
+diff -up libglpng-1.45.orig/src/glpng.c~ libglpng-1.45.orig/src/glpng.c
+--- libglpng-1.45.orig/src/glpng.c~ 2011-12-06 19:38:53.000000000 +0100
++++ libglpng-1.45.orig/src/glpng.c 2011-12-06 22:13:34.501354149 +0100
+@@ -282,7 +282,11 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa
+ if (!endinfo) return 0;
+
+ // DH: added following lines
++#if PNG_LIBPNG_VER >= 10400
++ if (setjmp(png_jmpbuf(png)))
++#else
+ if (setjmp(png->jmpbuf))
++#endif
+ {
+ error:
+ png_destroy_read_struct(&png, &info, &endinfo);
+@@ -402,7 +406,11 @@ int APIENTRY pngLoadF(FILE *fp, int mipm
+ if (!endinfo) return 0;
+
+ // DH: added following lines
++#if PNG_LIBPNG_VER >= 10400
++ if (setjmp(png_jmpbuf(png)))
++#else
+ if (setjmp(png->jmpbuf))
++#endif
+ {
+ error:
+ png_destroy_read_struct(&png, &info, &endinfo);
+@@ -603,7 +611,7 @@ error:
+ #define ALPHA *q
+
+ switch (trans) {
+- case PNG_CALLBACK:
++ case PNG_CALLBACK_FUNC:
+ FORSTART
+ ALPHA = AlphaCallback((unsigned char) r, (unsigned char) g, (unsigned char) b);
+ FOREND