Package: libpng / 1.2.50-2+deb8u3

CVE-2015-8472/0002-Use-unsigned-constants-in-buffer-length-com.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
From 4488a96126bbefda51d07835411d8e847a88b2b7 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Sat, 21 Nov 2015 14:35:23 -0600
Subject: [PATCH] [libpng12] Use unsigned constants in buffer length
 comparisons

---
 pngrutil.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/pngrutil.c
+++ b/pngrutil.c
@@ -1108,7 +1108,7 @@ png_handle_iCCP(png_structp png_ptr, png
    /* There should be at least one zero (the compression type byte)
     * following the separator, and we should be on it
     */
-   if (slength < 1 ||  profile >= png_ptr->chunkdata + slength - 1)
+   if (slength < 1U ||  profile >= png_ptr->chunkdata + slength - 1U)
    {
       png_free(png_ptr, png_ptr->chunkdata);
       png_ptr->chunkdata = NULL;
@@ -1236,7 +1236,8 @@ png_handle_sPLT(png_structp png_ptr, png
    ++entry_start;
 
    /* A sample depth should follow the separator, and we should be on it  */
-   if (slength < 2 || entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
+   if (slength < 2U ||
+       entry_start > (png_bytep)png_ptr->chunkdata + slength - 2U)
    {
       png_free(png_ptr, png_ptr->chunkdata);
       png_ptr->chunkdata = NULL;
@@ -1710,7 +1711,7 @@ png_handle_pCAL(png_structp png_ptr, png
 
    /* We need to have at least 12 bytes after the purpose string
       in order to get the parameter information. */
-   if (slength < 12 || endptr <= buf + 12)
+   if (slength < 12U || endptr - buf <= 12)
    {
       png_warning(png_ptr, "Invalid pCAL data");
       png_free(png_ptr, png_ptr->chunkdata);
@@ -2166,7 +2167,7 @@ png_handle_zTXt(png_structp png_ptr, png
       /* Empty loop */ ;
 
    /* zTXt must have some text after the chunkdataword */
-   if (slength < 2 || text >= png_ptr->chunkdata + slength - 2)
+   if (slength < 2U || text >= png_ptr->chunkdata + slength - 2U)
    {
       png_warning(png_ptr, "Truncated zTXt chunk");
       png_free(png_ptr, png_ptr->chunkdata);
@@ -2292,7 +2293,7 @@ png_handle_iTXt(png_structp png_ptr, png
     * keyword
     */
 
-   if (slength < 3 || lang >= png_ptr->chunkdata + slength - 3)
+   if (slength < 3U || lang >= png_ptr->chunkdata + slength - 3U)
    {
       png_warning(png_ptr, "Truncated iTXt chunk");
       png_free(png_ptr, png_ptr->chunkdata);