File libpng-1.2.51-CVE-2013-7354.patch of Package libpng12
http://sourceforge.net/p/libpng/code/ci/798d3de5f66b6df6d6605f968da641c24725b15e
http://sourceforge.net/p/libpng/code/ci/77a0a2ea113e699c7021caf1a530d2e2dd90b497
Index: pngset.c
===================================================================
--- pngset.c.orig 2014-04-24 14:13:43.144134631 +0200
+++ pngset.c 2014-04-24 14:23:31.461124549 +0200
@@ -19,6 +19,7 @@
#define PNG_INTERNAL
#define PNG_NO_PEDANTIC_WARNINGS
#include "png.h"
+#include <limits.h>
#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
#ifdef PNG_bKGD_SUPPORTED
@@ -664,6 +664,17 @@
/* Make sure we have enough space in the "text" array in info_struct
* to hold all of the incoming text_ptr objects.
*/
+
+ if (num_text < 0 ||
+ num_text > INT_MAX - info_ptr->num_text - 8 ||
+ (unsigned int)/*SAFE*/(num_text +/*SAFE*/
+ info_ptr->num_text + 8) >=
+ PNG_SIZE_MAX/png_sizeof(png_text))
+ {
+ png_warning(png_ptr, "too many text chunks");
+ return(0);
+ }
+
if (info_ptr->num_text + num_text > info_ptr->max_text)
{
int old_max_text = info_ptr->max_text;
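Review bot: The rejection path added before the capacity check ends in `return(0);`, which callers cannot tell apart from a successful store if the function's other failure paths return non-zero (they are outside this hunk, so this needs confirming). Either return the failure value there, or add a comment such as `/* Deliberately non-fatal: drop the text and keep decoding */` so the choice is explicit. The first clauses also rely on `info_ptr->num_text` being non-negative, because `INT_MAX - info_ptr->num_text - 8` is itself signed arithmetic. A one-line comment stating that invariant next to the `/*SAFE*/` markers would make the reasoning checkable. The enclosing function starts and ends outside the hunk.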
@@ -921,9 +932,19 @@
if (png_ptr == NULL || info_ptr == NULL)
return;
- np = (png_sPLT_tp)png_malloc_warn(png_ptr,
- (info_ptr->splt_palettes_num + nentries) *
- (png_uint_32)png_sizeof(png_sPLT_t));
+ if (nentries < 0 ||
+ nentries > INT_MAX-info_ptr->splt_palettes_num ||
+ (unsigned int)/*SAFE*/(nentries +/*SAFE*/
+ info_ptr->splt_palettes_num) >=
+ PNG_SIZE_MAX/png_sizeof(png_sPLT_t))
+ np=NULL;
+
+ else
+
+ np = (png_sPLT_tp)png_malloc_warn(png_ptr,
+ (info_ptr->splt_palettes_num + nentries) *
+ (png_size_t)png_sizeof(png_sPLT_t));
+
if (np == NULL)
{
png_warning(png_ptr, "No memory for sPLT palettes.");
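Review bot: An out-of-range `nentries` is folded into the allocation-failure path via `np=NULL;`, so it is reported as "No memory for sPLT palettes." and a malformed count looks the same in logs as genuine memory pressure, whereas the text-chunk guard in the previous hunk has its own message. Giving the reject branch its own braced body, e.g. `png_warning(png_ptr, "too many sPLT chunks"); return;`, would fix that and remove the unbraced `else` that is separated from its statement by blank lines. That early return assumes the `np == NULL` block only warns and returns, which cannot be confirmed here because the block continues past the end of the hunk. The bound is taken against `PNG_SIZE_MAX`, which covers the multiplication only. Whether the product also fits the size parameter of `png_malloc_warn` (the removed line cast to `png_uint_32`) is not visible here and is worth confirming.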