diff options
Diffstat (limited to 'libraries/libglpng')
-rw-r--r-- | libraries/libglpng/libglpng.SlackBuild | 2 | ||||
-rw-r--r-- | libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch | 159 | ||||
-rw-r--r-- | libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch (renamed from libraries/libglpng/libglpng-1.45-extra_cflags.patch) | 0 | ||||
-rw-r--r-- | libraries/libglpng/patches/libglpng-1.45-libpng15.patch | 48 |
4 files changed, 208 insertions, 1 deletions
diff --git a/libraries/libglpng/libglpng.SlackBuild b/libraries/libglpng/libglpng.SlackBuild index 2a4a063ee148c..7fbc0afac0028 100644 --- a/libraries/libglpng/libglpng.SlackBuild +++ b/libraries/libglpng/libglpng.SlackBuild @@ -69,7 +69,7 @@ find -L . \ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; -patch -p1 < $CWD/libglpng-1.45-extra_cflags.patch +for i in $CWD/patches/* ; do patch -p1 < $i ; done make EXTRA_CFLAGS="$SLKCFLAGS" make install DOCDIR=$PKG/usr/doc/$PRGNAM-$VERSION DESTDIR=$PKG/usr diff --git a/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch b/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch new file mode 100644 index 0000000000000..bc45ffe48ff0f --- /dev/null +++ b/libraries/libglpng/patches/libglpng-1.45-CVE-2010-1519.patch @@ -0,0 +1,159 @@ +diff -up libglpng-1.45.orig/src/glpng.c.cve libglpng-1.45.orig/src/glpng.c +--- libglpng-1.45.orig/src/glpng.c.cve 2010-09-10 14:13:37.105046660 +0200 ++++ libglpng-1.45.orig/src/glpng.c 2010-09-10 14:14:46.158045715 +0200 +@@ -28,6 +28,7 @@ + #include <GL/glpng.h> + #include <GL/gl.h> + #include <stdlib.h> ++#include <stdint.h> + #include <math.h> + #include <png.h> + +@@ -259,9 +260,9 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa + png_structp png; + png_infop info; + png_infop endinfo; +- png_bytep data; +- png_bytep *row_p; +- double fileGamma; ++ png_bytep data = NULL; ++ png_bytep *row_p = NULL; ++ double fileGamma; + + png_uint_32 width, height; + int depth, color; +@@ -274,13 +275,19 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa + if (!png_check_sig(header, 8)) return 0; + + png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); ++ if (!png) return 0; + info = png_create_info_struct(png); ++ if (!info) return 0; + endinfo = png_create_info_struct(png); ++ if (!endinfo) return 0; + + // DH: added following lines + if (setjmp(png->jmpbuf)) + { ++error: + png_destroy_read_struct(&png, &info, &endinfo); ++ free(data); ++ free(row_p); + return 0; + } + // ~DH +@@ -303,8 +310,16 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa + + png_read_update_info(png, info); + ++ /* HDG: We allocate all the png data in one linear array, thus ++ height * png_get_rowbytes() may not be > PNG_UINT_32_MAX ! ++ This check fixes CVE-2010-1519. */ ++ if ((uint64_t)height * png_get_rowbytes(png, info) > PNG_UINT_32_MAX) ++ goto error; ++ + data = (png_bytep) malloc(png_get_rowbytes(png, info)*height); + row_p = (png_bytep *) malloc(sizeof(png_bytep)*height); ++ if (!data || !row_p) ++ goto error; + + for (i = 0; i < height; i++) { + if (StandardOrientation) +@@ -315,6 +330,7 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa + + png_read_image(png, row_p); + free(row_p); ++ row_p = NULL; + + if (color == PNG_COLOR_TYPE_PALETTE) { + int cols; +@@ -365,9 +381,10 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + png_structp png; + png_infop info; + png_infop endinfo; +- png_bytep data, data2; +- png_bytep *row_p; +- double fileGamma; ++ png_bytep data = NULL; ++ png_bytep data2 = NULL; ++ png_bytep *row_p = NULL; ++ double fileGamma; + + png_uint_32 width, height, rw, rh; + int depth, color; +@@ -378,13 +395,20 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + if (!png_check_sig(header, 8)) return 0; + + png = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); ++ if (!png) return 0; + info = png_create_info_struct(png); ++ if (!info) return 0; + endinfo = png_create_info_struct(png); ++ if (!endinfo) return 0; + + // DH: added following lines + if (setjmp(png->jmpbuf)) + { ++error: + png_destroy_read_struct(&png, &info, &endinfo); ++ free(data); ++ free(data2); ++ free(row_p); + return 0; + } + // ~DH +@@ -442,8 +466,16 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + + png_read_update_info(png, info); + ++ /* HDG: We allocate all the png data in one linear array, thus ++ height * png_get_rowbytes() may not be > PNG_UINT_32_MAX ! ++ This check fixes CVE-2010-1519. */ ++ if ((uint64_t)height * png_get_rowbytes(png, info) > PNG_UINT_32_MAX) ++ goto error; ++ + data = (png_bytep) malloc(png_get_rowbytes(png, info)*height); + row_p = (png_bytep *) malloc(sizeof(png_bytep)*height); ++ if (!data || !row_p) ++ goto error; + + for (i = 0; i < height; i++) { + if (StandardOrientation) +@@ -454,6 +486,7 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + + png_read_image(png, row_p); + free(row_p); ++ row_p = NULL; + + rw = SafeSize(width), rh = SafeSize(height); + +@@ -461,6 +494,8 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + const int channels = png_get_rowbytes(png, info)/width; + + data2 = (png_bytep) malloc(rw*rh*channels); ++ if (!data2) ++ goto error; + + /* Doesn't work on certain sizes */ + /* if (gluScaleImage(glformat, width, height, GL_UNSIGNED_BYTE, data, rw, rh, GL_UNSIGNED_BYTE, data2) != 0) +@@ -471,6 +506,7 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + width = rw, height = rh; + free(data); + data = data2; ++ data2 = NULL; + } + + { /* OpenGL stuff */ +@@ -540,6 +576,12 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + png_bytep p, endp, q; + int r, g, b, a; + ++ /* HDG another potential 32 bit address overflow, the ++ original png had 3 channels and we are going to ++ 4 channels now! */ ++ if ((uint64_t)width * height > (PNG_UINT_32_MAX >> 2)) ++ goto error; ++ + p = data, endp = p+width*height*3; + q = data2 = (png_bytep) malloc(sizeof(png_byte)*width*height*4); + diff --git a/libraries/libglpng/libglpng-1.45-extra_cflags.patch b/libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch index 16dd4db3fb67c..16dd4db3fb67c 100644 --- a/libraries/libglpng/libglpng-1.45-extra_cflags.patch +++ b/libraries/libglpng/patches/libglpng-1.45-extra_cflags.patch diff --git a/libraries/libglpng/patches/libglpng-1.45-libpng15.patch b/libraries/libglpng/patches/libglpng-1.45-libpng15.patch new file mode 100644 index 0000000000000..dcafea8fe319c --- /dev/null +++ b/libraries/libglpng/patches/libglpng-1.45-libpng15.patch @@ -0,0 +1,48 @@ +diff -up libglpng-1.45.orig/include/GL/glpng.h~ libglpng-1.45.orig/include/GL/glpng.h +--- libglpng-1.45.orig/include/GL/glpng.h~ 2011-12-06 22:14:59.000000000 +0100 ++++ libglpng-1.45.orig/include/GL/glpng.h 2011-12-06 22:15:48.900673919 +0100 +@@ -57,7 +57,7 @@ extern "C" { + #define PNG_SIMPLEMIPMAP PNG_SIMPLEMIPMAPS + + /* Transparency parameters */ +-#define PNG_CALLBACK -3 /* Call the callback function to generate alpha */ ++#define PNG_CALLBACK_FUNC -3 /* Call the callback function to generate alpha */ + #define PNG_ALPHA -2 /* Use alpha channel in PNG file, if there is one */ + #define PNG_SOLID -1 /* No transparency */ + #define PNG_STENCIL 0 /* Sets alpha to 0 for r=g=b=0, 1 otherwise */ +diff -up libglpng-1.45.orig/src/glpng.c~ libglpng-1.45.orig/src/glpng.c +--- libglpng-1.45.orig/src/glpng.c~ 2011-12-06 19:38:53.000000000 +0100 ++++ libglpng-1.45.orig/src/glpng.c 2011-12-06 22:13:34.501354149 +0100 +@@ -282,7 +282,11 @@ int APIENTRY pngLoadRawF(FILE *fp, pngRa + if (!endinfo) return 0; + + // DH: added following lines ++#if PNG_LIBPNG_VER >= 10400 ++ if (setjmp(png_jmpbuf(png))) ++#else + if (setjmp(png->jmpbuf)) ++#endif + { + error: + png_destroy_read_struct(&png, &info, &endinfo); +@@ -402,7 +406,11 @@ int APIENTRY pngLoadF(FILE *fp, int mipm + if (!endinfo) return 0; + + // DH: added following lines ++#if PNG_LIBPNG_VER >= 10400 ++ if (setjmp(png_jmpbuf(png))) ++#else + if (setjmp(png->jmpbuf)) ++#endif + { + error: + png_destroy_read_struct(&png, &info, &endinfo); +@@ -603,7 +611,7 @@ error: + #define ALPHA *q + + switch (trans) { +- case PNG_CALLBACK: ++ case PNG_CALLBACK_FUNC: + FORSTART + ALPHA = AlphaCallback((unsigned char) r, (unsigned char) g, (unsigned char) b); + FOREND |