Package: libpng / 1.2.50-2+deb8u3

CVE-2015-8472/0001-Avoid-potential-pointer-overflow-in-png_han.patch Patch series | download
From 7e1ca9ceba4e64259863efdd98bab9b55bdc0b9c Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Fri, 13 Nov 2015 23:07:39 -0600
Subject: [PATCH] [libpng12] Avoid potential pointer overflow in
 png_handle_iTXt(),

png_handle_zTXt(), png_handle_sPLT(), and png_handle_pCAL() (Bug report
by John Regehr).
---
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1108,7 +1108,7 @@ png_handle_iCCP(png_structp png_ptr, png
    /* There should be at least one zero (the compression type byte)
     * following the separator, and we should be on it
     */
-   if ( profile >= png_ptr->chunkdata + slength - 1)
+   if (slength < 1 ||  profile >= png_ptr->chunkdata + slength - 1)
    {
       png_free(png_ptr, png_ptr->chunkdata);
       png_ptr->chunkdata = NULL;
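Review bot: The new `slength < 1` guard in png_handle_iCCP carries no comment saying why it must come first, and its constant silently has to match the `- 1` in the pointer expression it protects. I would add above the `if`: `/* Test slength first: chunkdata + slength - 1 must not be computed when slength is 0, a pointer before the buffer is undefined */`. The same comment, with the matching constant, fits the `slength < 2` guards in the png_handle_sPLT and png_handle_zTXt hunks and the `slength < 3` guard in png_handle_iTXt. The added line also has a doubled space after `||`. The function body starts and ends outside the hunk.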
@@ -1236,7 +1236,7 @@ png_handle_sPLT(png_structp png_ptr, png
    ++entry_start;
 
    /* A sample depth should follow the separator, and we should be on it  */
-   if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
+   if (slength < 2 || entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
    {
       png_free(png_ptr, png_ptr->chunkdata);
       png_ptr->chunkdata = NULL;
@@ -1710,7 +1710,7 @@ png_handle_pCAL(png_structp png_ptr, png
 
    /* We need to have at least 12 bytes after the purpose string
       in order to get the parameter information. */
-   if (endptr <= buf + 12)
+   if (slength < 12 || endptr <= buf + 12)
    {
       png_warning(png_ptr, "Invalid pCAL data");
       png_free(png_ptr, png_ptr->chunkdata);
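Review bot: The added `slength < 12` test does not bound the `buf + 12` that remains on the right of the `||`. If the purpose string ends within 12 bytes of the end of the chunk, `buf + 12` still points beyond one past the end of the buffer, which is the same class of undefined pointer arithmetic this commit sets out to remove. Assuming `buf` points into `chunkdata` and `endptr` is `chunkdata + slength` (both are set above the hunk, so this is inferred), comparing the distance avoids forming that pointer: `if (slength < 12 || endptr - buf <= 12)`. png_handle_pCAL starts and ends outside the hunk.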
@@ -2166,7 +2166,7 @@ png_handle_zTXt(png_structp png_ptr, png
       /* Empty loop */ ;
 
    /* zTXt must have some text after the chunkdataword */
-   if (text >= png_ptr->chunkdata + slength - 2)
+   if (slength < 2 || text >= png_ptr->chunkdata + slength - 2)
    {
       png_warning(png_ptr, "Truncated zTXt chunk");
       png_free(png_ptr, png_ptr->chunkdata);
@@ -2292,7 +2292,7 @@ png_handle_iTXt(png_structp png_ptr, png
     * keyword
     */
 
-   if (lang >= png_ptr->chunkdata + slength - 3)
+   if (slength < 3 || lang >= png_ptr->chunkdata + slength - 3)
    {
       png_warning(png_ptr, "Truncated iTXt chunk");
       png_free(png_ptr, png_ptr->chunkdata);