File libpng-1.2.51-CVE-2013-7353.patch of Package libpng12
http://sourceforge.net/p/libpng/code/ci/1a3d6e3cf3082a0da998dbf402d384a589488859
http://sourceforge.net/p/libpng/code/ci/77a817bfc298a221e3e623acf73c2a1e726c4ec6
http://sourceforge.net/p/libpng/code/ci/bec9ca9b8aa0cf16d2cde1757379afbe9adbe7d9
Index: pngset.c
===================================================================
--- pngset.c.orig 2014-04-22 16:08:23.458978035 +0200
+++ pngset.c 2014-04-22 16:09:15.921977136 +0200
@@ -986,9 +986,17 @@
if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0)
return;
- np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
- (png_uint_32)((info_ptr->unknown_chunks_num + num_unknowns) *
- png_sizeof(png_unknown_chunk)));
+ if (num_unknowns < 0 ||
+ num_unknowns > INT_MAX-info_ptr->unknown_chunks_num ||
+ (unsigned int)/*SAFE*/(num_unknowns +/*SAFE*/
+ info_ptr->unknown_chunks_num) >=
+ PNG_SIZE_MAX/png_sizeof(png_unknown_chunk))
+ np=NULL;
+
+ else
+ np = (png_unknown_chunkp)png_malloc_warn(png_ptr,
+ (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) *
+ png_sizeof(png_unknown_chunk));
if (np == NULL)
{
png_warning(png_ptr,
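Review bot: The three-clause guard added ahead of `png_malloc_warn()` is documented only by `/*SAFE*/` markers, so a reader has to work out that the first two clauses keep `num_unknowns + info_ptr->unknown_chunks_num` from overflowing an int and the third keeps the product with `png_sizeof(png_unknown_chunk)` below `PNG_SIZE_MAX`. I would put a comment above the `if` saying so, e.g. `/* Reject counts whose sum overflows int or whose byte size would overflow png_size_t */`. The guard also relies on `INT_MAX` and on the declared type of `unknown_chunks_num`, neither of which is visible in this hunk, so confirm that `<limits.h>` is in scope for pngset.c and that the subtraction is done in the type the check assumes. A rejected count sets `np=NULL` and then shares the existing `if (np == NULL)` warning with a real allocation failure, so a malformed chunk count presumably looks the same as out-of-memory in logs; a separate `png_warning` for the rejected case would help triage. The enclosing function starts and ends outside the hunk.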