Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
optipng
optipng-CVE-2008-5101.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File optipng-CVE-2008-5101.patch of Package optipng
diff -ru optipng-0.6.1/lib/pngxtern/pngx.h optipng-0.6.1.1/lib/pngxtern/pngx.h --- optipng-0.6.1/lib/pngxtern/pngx.h 2008-04-21 09:25:00.000000000 -0400 +++ optipng-0.6.1.1/lib/pngxtern/pngx.h 2008-11-04 09:09:00.000000000 -0500 @@ -41,6 +41,14 @@ PNGARG((png_structp png_ptr, png_infop info_ptr, int interlace_method)); +#if PNG_LIBPNG_VER >= 10400 +typedef png_alloc_size_t pngx_alloc_size_t; +#else +/* Compatibility backport of png_alloc_size_t */ +typedef png_uint_32 pngx_alloc_size_t; +#endif + +#ifdef PNG_INFO_IMAGE_SUPPORTED /* Allocate memory for the row pointers. * Use filler to initialize the rows if it is non-negative. * On success return the newly-allocated row pointers. @@ -49,6 +57,10 @@ */ extern PNG_EXPORT(png_bytepp, pngx_malloc_rows) PNGARG((png_structp png_ptr, png_infop info_ptr, int filler)); +extern PNG_EXPORT(png_bytepp, pngx_malloc_rows_extended) + PNGARG((png_structp png_ptr, png_infop info_ptr, + pngx_alloc_size_t min_row_size, int filler)); +#endif #if PNG_LIBPNG_VER >= 10400 @@ -77,9 +89,9 @@ #else /* PNG_LIBPNG_VER < 10400 */ /* Compatibility backports of functions added to libpng 1.4 */ -extern PNG_EXPORT(png_uint_32,pngx_get_io_state) +extern PNG_EXPORT(png_uint_32, pngx_get_io_state) PNGARG((png_structp png_ptr)); -extern PNG_EXPORT(png_bytep,pngx_get_io_chunk_name) +extern PNG_EXPORT(png_bytep, pngx_get_io_chunk_name) PNGARG((png_structp png_ptr)); /* Note: although these backports have several limitations in comparison * to the actual libpng 1.4 functions, they work properly in OptiPNG, @@ -87,11 +99,11 @@ */ /* Compatibility wrappers for old libpng functions */ -extern PNG_EXPORT(void,pngx_set_read_fn) PNGARG((png_structp png_ptr, +extern PNG_EXPORT(void, pngx_set_read_fn) PNGARG((png_structp png_ptr, png_voidp io_ptr, png_rw_ptr read_data_fn)); -extern PNG_EXPORT(void,pngx_set_write_fn) PNGARG((png_structp png_ptr, +extern PNG_EXPORT(void, pngx_set_write_fn) PNGARG((png_structp png_ptr, png_voidp io_ptr, png_rw_ptr write_data_fn, png_flush_ptr output_flush_fn)); -extern PNG_EXPORT(void,pngx_write_sig) PNGARG((png_structp png_ptr)); +extern PNG_EXPORT(void, pngx_write_sig) PNGARG((png_structp png_ptr)); /* Flags returned by png_get_io_state() */ #define PNGX_IO_NONE 0x0000 /* no I/O at this moment */ diff -ru optipng-0.6.1/lib/pngxtern/pngxio.c optipng-0.6.1.1/lib/pngxtern/pngxio.c --- optipng-0.6.1/lib/pngxtern/pngxio.c 2008-06-17 19:42:00.000000000 -0400 +++ optipng-0.6.1.1/lib/pngxtern/pngxio.c 2008-10-16 20:03:00.000000000 -0400 @@ -5,12 +5,13 @@ * This software is distributed under the same licensing and warranty terms * as libpng. * - * CAUTION: - * Currently, these functions have a limited and thread-unsafe - * implementation that allows only one reading and one writing png_ptr. - * They are now part of libpng starting with libpng-1.4.0. - * Their libpng counterparts are much simpler, as well as thread-safe, - * due to the presence of io_state inside png_struct. + * NOTE: + * The functionality provided in this module has "graduated", and is now + * part of libpng-1.4. The original code is used here as a back-port, for + * compatibility with libpng-1.2 and earlier. However, it has limitations: + * is thread-unsafe and only supports one reading and one writing png_ptr. + * (The libpng-1.4 code is much simpler and does not have these limitations, + * due to the presence of io_state inside png_struct.) * * For more info, see pngx.h. */ @@ -156,8 +157,8 @@ } -/* In libpng-1.4, the proper implementation if this function - * simply retrieves png_ptr->io_state. +/* In libpng-1.4, the implementation of this function simply retrieves + * png_ptr->io_state. */ png_uint_32 PNGAPI pngx_get_io_state(png_structp png_ptr) @@ -173,8 +174,8 @@ return PNGX_IO_NONE; } -/* In libpng-1.4, the proper implementation if this function - * simply retrieves png_ptr->chunk_name. +/* In libpng-1.4, the implementation of this function simply retrieves + * png_ptr->chunk_name. */ png_bytep PNGAPI pngx_get_io_chunk_name(png_structp png_ptr) @@ -218,8 +219,11 @@ void PNGAPI pngx_write_sig(png_structp png_ptr) { -#if (PNG_LIBPNG_BUILD_TYPE & PNG_LIBPNG_BUILD_PRIVATE) +#if 0 /* png_write_sig is not exported from libpng-1.2. */ png_write_sig(png_ptr); + /* TODO: Add png_write_sig to the list of libpng-1.2 exports. + * This would complement well the group png_write_chunk{_start,_data,_end}. + */ #else static png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; pngx_priv_read_write(png_ptr, png_signature, 8); diff -ru optipng-0.6.1/lib/pngxtern/pngxmem.c optipng-0.6.1.1/lib/pngxtern/pngxmem.c --- optipng-0.6.1/lib/pngxtern/pngxmem.c 2008-04-21 09:14:00.000000000 -0400 +++ optipng-0.6.1.1/lib/pngxtern/pngxmem.c 2008-11-04 09:18:00.000000000 -0500 @@ -11,36 +11,43 @@ #include "pngx.h" -#if PNG_LIBPNG_VER < 10400 -typedef png_uint_32 png_alloc_size_t; -/* Since libpng-1.4.x, png_alloc_size_t is either png_size_t or png_uint_32, - * whichever is larger. - */ -#endif +#ifdef PNG_INFO_IMAGE_SUPPORTED png_bytepp PNGAPI pngx_malloc_rows(png_structp png_ptr, png_infop info_ptr, int filler) { + return pngx_malloc_rows_extended(png_ptr, info_ptr, 0, filler); +} + + +png_bytepp PNGAPI +pngx_malloc_rows_extended(png_structp png_ptr, png_infop info_ptr, + pngx_alloc_size_t min_row_size, int filler) +{ + pngx_alloc_size_t row_size; png_bytep row; png_bytepp rows; - png_alloc_size_t row_size; png_uint_32 height, i; + /* Calculate the row size. */ + row_size = png_get_rowbytes(png_ptr, info_ptr); + if (row_size == 0) + return NULL; + if (row_size < min_row_size) + row_size = min_row_size; + /* Deallocate the currently-existing rows. */ -#ifdef PNG_FREE_ME_SUPPORTED png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0); -#endif /* Allocate memory for the row index. */ height = png_get_image_height(png_ptr, info_ptr); rows = (png_bytepp)png_malloc(png_ptr, - (png_alloc_size_t)(height * sizeof(png_bytep))); + (pngx_alloc_size_t)(height * sizeof(png_bytep))); if (rows == NULL) return NULL; /* Allocate memory for each row. */ - row_size = png_get_rowbytes(png_ptr, info_ptr); for (i = 0; i < height; ++i) { row = (png_bytep)png_malloc(png_ptr, row_size); @@ -61,3 +68,15 @@ png_set_rows(png_ptr, info_ptr, rows); return rows; } + + +#if 0 /* not necessary */ +void PNGAPI +pngx_free_rows(png_structp png_ptr, png_infop info_ptr) +{ + png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0); +} +#endif + + +#endif /* PNG_INFO_IMAGE_SUPPORTED */ diff -ru optipng-0.6.1/lib/pngxtern/pngxrbmp.c optipng-0.6.1.1/lib/pngxtern/pngxrbmp.c --- optipng-0.6.1/lib/pngxtern/pngxrbmp.c 2008-05-10 18:21:00.000000000 -0400 +++ optipng-0.6.1.1/lib/pngxtern/pngxrbmp.c 2008-11-04 09:45:00.000000000 -0500 @@ -13,11 +13,9 @@ #include <string.h> -/** - * BMP file header macros - * Public domain by MIYASAKA Masaru - * Updated by Cosmin Truta - **/ +/*****************************************************************************/ +/* BMP file header macros */ +/*****************************************************************************/ /* BMP file signature */ #define BMP_SIGNATURE 0x4d42 /* "BM" */ @@ -482,7 +480,7 @@ png_bytep const bih = bfh + FILEHED_SIZE; png_byte rgbq[RGBQUAD_SIZE]; png_uint_32 offbits, bihsize, skip; - png_uint_32 width, height; + png_uint_32 width, height, rowsize; int topdown; unsigned int pixdepth; png_uint_32 compression; @@ -492,7 +490,6 @@ int bit_depth, color_type; png_color palette[256]; png_color_8 sig_bit; - png_size_t rowsize, rowbytes; png_bytepp row_pointers, begin_row, end_row; unsigned int i; png_size_t y; @@ -531,7 +528,7 @@ return 0; skip = offbits - bihsize - FILEHED_SIZE; /* new skip */ topdown = 0; - if (bihsize == COREHED_SIZE) /* OS/2 BMP */ + if (bihsize < INFOHED_SIZE) /* OS/2 BMP */ { width = bmp_get_word(bih + BCH_WWIDTH); height = bmp_get_word(bih + BCH_WHEIGHT); @@ -539,7 +536,7 @@ compression = BI_RGB; palsize = RGBTRIPLE_SIZE; } - else /* bihsize >= INFOHED_SIZE: Windows BMP */ + else /* Windows BMP */ { width = bmp_get_dword(bih + BIH_LWIDTH); height = bmp_get_dword(bih + BIH_LHEIGHT); @@ -551,19 +548,20 @@ height = PNG_UINT_32_MAX - height + 1; topdown = 1; } + if (bihsize == INFOHED_SIZE && compression == BI_BITFIELDS) + { + /* Read the RGB[A] mask. */ + i = (skip <= 16) ? (unsigned int)skip : 16; + if (fread(bih + B4H_DREDMASK, i, 1, stream) != 1) + return 0; + bihsize += i; + skip -= i; + } } png_memset(rgba_mask, 0, sizeof(rgba_mask)); if (pixdepth > 8) { - if (bihsize <= INFOHED_SIZE) - png_memset(bih + B4H_DREDMASK, 0, 16); - if (bihsize == INFOHED_SIZE && skip >= 12) - { - if (fread(bih + B4H_DREDMASK, 12, 1, stream) != 1) - bihsize = 0; - skip -= 12; - } if (compression == BI_RGB) { if (pixdepth == 16) @@ -582,11 +580,17 @@ } else if (compression == BI_BITFIELDS) { - rgba_mask[0] = bmp_get_dword(bih + B4H_DREDMASK); - rgba_mask[1] = bmp_get_dword(bih + B4H_DGREENMASK); - rgba_mask[2] = bmp_get_dword(bih + B4H_DBLUEMASK); + if (bihsize >= INFOHED_SIZE + 12) + { + rgba_mask[0] = bmp_get_dword(bih + B4H_DREDMASK); + rgba_mask[1] = bmp_get_dword(bih + B4H_DGREENMASK); + rgba_mask[2] = bmp_get_dword(bih + B4H_DBLUEMASK); + } + else + png_error(png_ptr, "Missing color mask in BMP file"); } - rgba_mask[3] = bmp_get_dword(bih + B4H_DALPHAMASK); + if (bihsize >= INFOHED_SIZE + 16) + rgba_mask[3] = bmp_get_dword(bih + B4H_DALPHAMASK); } switch (compression) @@ -637,7 +641,8 @@ if (palnum > 256) palnum = 256; skip -= palsize * palnum; - rowsize = rowbytes = (width + (32 / pixdepth) - 1) / (32 / pixdepth) * 4; + rowsize = (width + (32 / pixdepth) - 1) / (32 / pixdepth) * 4; + /* rowsize becomes 0 on overflow. */ bit_depth = pixdepth; color_type = (palnum > 0) ? PNG_COLOR_TYPE_PALETTE : PNG_COLOR_TYPE_GRAY; } @@ -645,28 +650,28 @@ { palnum = 0; bit_depth = 8; - if (width > (png_size_t)(-4) / (pixdepth / 8)) - png_error(png_ptr, "Can't handle exceedingly large BMP dimensions"); - /* Overflow in rowbytes is checked inside png_set_IHDR(). */ switch (pixdepth) { case 16: - rowsize = (png_size_t)((width * 2 + 3) & (~3)); - rowbytes = (width * 3 + 3) & (~3); + rowsize = (width * 2 + 3) & (~3); break; case 24: - rowbytes = rowsize = (png_size_t)((width * 3 + 3) & (~3)); + rowsize = (width * 3 + 3) & (~3); break; case 32: - rowbytes = rowsize = (png_size_t)(width * 4); + rowsize = width * 4; break; default: /* never get here */ bit_depth = 0; - rowbytes = rowsize = 0; + rowsize = 0; } + if (rowsize / width < pixdepth / 8) + rowsize = 0; /* overflow */ color_type = (rgba_mask[3] != 0) ? PNG_COLOR_TYPE_RGBA : PNG_COLOR_TYPE_RGB; } + if (rowsize == 0) + png_error(png_ptr, "Exceedingly large image dimensions in BMP file"); /* Set the PNG image type. */ png_set_IHDR(png_ptr, info_ptr, @@ -706,7 +711,7 @@ } /* Allocate memory and read the image data. */ - row_pointers = pngx_malloc_rows(png_ptr, info_ptr, -1); + row_pointers = pngx_malloc_rows_extended(png_ptr, info_ptr, rowsize, -1); if (topdown) { begin_row = row_pointers;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor