[packages/libpng.git] / libpng-cve.patch

diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta01/png.h
--- libpng-1.2.26/png.h	2008-04-02 12:27:29.867681595 -0500
+++ libpng-1.2.27beta01/png.h	2008-04-05 21:41:14.644268554 -0500
@@ -180,8 +180,11 @@
  *    1.0.31                  10    10031  10.so.0.31[.0]
  *    1.2.25                  13    10225  12.so.0.25[.0]
  *    1.2.26beta01-06         13    10226  12.so.0.26[.0]
  *    1.2.26rc01              13    10226  12.so.0.26[.0]
+ *    1.2.26                  13    10226  12.so.0.26[.0]
+ *    1.0.32                  10    10032  10.so.0.32[.0]
+ *    1.2.27beta01            13    10227  12.so.0.27[.0]
  *
  *    Henceforth the source version will match the shared-library major
  *    and minor numbers; the shared-library major version number will be
  *    used for changes in backward compatibility, as it is intended.  The
diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta01/pngpread.c
--- libpng-1.2.26/pngpread.c	2008-04-05 21:37:29.944173338 -0500
+++ libpng-1.2.27beta01/pngpread.c	2008-04-05 21:41:14.898914350 -0500
@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1501,11 +1501,16 @@
                  (png_charp)png_ptr->chunk_name, 
                  png_sizeof(png_ptr->unknown_chunk.name));
       png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
 
-      png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
       png_ptr->unknown_chunk.size = (png_size_t)length;
-      png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+      if (length == 0)
+         png_ptr->unknown_chunk.data = NULL;
+      else
+      {
+         png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+         png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+      }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
       if(png_ptr->read_user_chunk_fn != NULL)
       {
          /* callback to user unknown chunk handler */
@@ -1526,10 +1531,13 @@
       }
       else
 #endif
         png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
-      png_free(png_ptr, png_ptr->unknown_chunk.data);
-      png_ptr->unknown_chunk.data = NULL;
+      if (png_ptr->unknown_chunk.data)
+      {
+        png_free(png_ptr, png_ptr->unknown_chunk.data);
+        png_ptr->unknown_chunk.data = NULL;
+      }
    }
    else
 #endif
       skip=length;
diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta01/pngrutil.c
--- libpng-1.2.26/pngrutil.c	2008-04-05 21:37:32.785260077 -0500
+++ libpng-1.2.27beta01/pngrutil.c	2008-04-05 21:41:15.202296784 -0500
@@ -1,8 +1,8 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.2.26 [April 2, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -2226,11 +2226,16 @@
        png_memcpy((png_charp)png_ptr->unknown_chunk.name,
                   (png_charp)png_ptr->chunk_name, 
                   png_sizeof(png_ptr->unknown_chunk.name));
        png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
-       png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
        png_ptr->unknown_chunk.size = (png_size_t)length;
-       png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+       if (length == 0)
+         png_ptr->unknown_chunk.data = NULL;
+       else
+       {
+         png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
+         png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
+       }
 #if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
        if(png_ptr->read_user_chunk_fn != NULL)
        {
           /* callback to user unknown chunk handler */
@@ -2251,10 +2256,13 @@
        }
        else
 #endif
          png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
-       png_free(png_ptr, png_ptr->unknown_chunk.data);
-       png_ptr->unknown_chunk.data = NULL;
+       if (png_ptr->unknown_chunk.data)
+       {
+         png_free(png_ptr, png_ptr->unknown_chunk.data);
+         png_ptr->unknown_chunk.data = NULL;
+       }
    }
    else
 #endif
       skip = length;
diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta01/pngset.c
--- libpng-1.2.26/pngset.c	2008-04-02 12:27:30.621225067 -0500
+++ libpng-1.2.27beta01/pngset.c	2008-04-05 21:41:15.248946598 -0500
@@ -1,8 +1,8 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.2.25 [February 18, 2008]
+ * Last changed in libpng 1.2.27 [April 6, 2008]
  * For conditions of distribution and use, see copyright notice in png.h
  * Copyright (c) 1998-2008 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -1039,30 +1039,33 @@
     info_ptr->unknown_chunks=NULL;
 
     for (i = 0; i < num_unknowns; i++)
     {
-        png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
-        png_unknown_chunkp from = unknowns + i;
+       png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
+       png_unknown_chunkp from = unknowns + i;
 
-        png_memcpy((png_charp)to->name, 
-                   (png_charp)from->name, 
-                   png_sizeof(from->name));
-        to->name[png_sizeof(to->name)-1] = '\0';
+       png_memcpy((png_charp)to->name, 
+                  (png_charp)from->name, 
+                  png_sizeof(from->name));
+       to->name[png_sizeof(to->name)-1] = '\0';
+       to->size = from->size;
+       /* note our location in the read or write sequence */
+       to->location = (png_byte)(png_ptr->mode & 0xff);
 
-        to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
-        if (to->data == NULL)
-        {
-           png_warning(png_ptr,
+       if (from->size == 0)
+          to->data=NULL;
+       else
+       {
+          to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+          if (to->data == NULL)
+          {
+             png_warning(png_ptr,
               "Out of memory while processing unknown chunk.");
-        }
-        else
-        {
-           png_memcpy(to->data, from->data, from->size);
-           to->size = from->size;
-
-           /* note our location in the read or write sequence */
-           to->location = (png_byte)(png_ptr->mode & 0xff);
-        }
+             to->size=0;
+          }
+          else
+             png_memcpy(to->data, from->data, from->size);
+       }
     }
 
     info_ptr->unknown_chunks = np;
     info_ptr->unknown_chunks_num += num_unknowns;
diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta01/pngwrite.c
--- libpng-1.2.26/pngwrite.c	2008-04-02 12:27:30.775542734 -0500
+++ libpng-1.2.27beta01/pngwrite.c	2008-04-05 21:41:15.402698604 -0500
@@ -111,8 +111,10 @@
             !(up->location & PNG_HAVE_IDAT) &&
             ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
             (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
          {
+            if (up->size == 0)
+               png_warning(png_ptr, "Writing zero-length unknown chunk");
             png_write_chunk(png_ptr, up->name, up->data, up->size);
          }
        }
    }
Commit	Line	Data
c0468822 MB	1	diff -ru4N libpng-1.2.26/png.h libpng-1.2.27beta01/png.h
	2	--- libpng-1.2.26/png.h 2008-04-02 12:27:29.867681595 -0500
	3	+++ libpng-1.2.27beta01/png.h 2008-04-05 21:41:14.644268554 -0500
	4	@@ -180,8 +180,11 @@
	5	* 1.0.31 10 10031 10.so.0.31[.0]
	6	* 1.2.25 13 10225 12.so.0.25[.0]
	7	* 1.2.26beta01-06 13 10226 12.so.0.26[.0]
	8	* 1.2.26rc01 13 10226 12.so.0.26[.0]
	9	+ * 1.2.26 13 10226 12.so.0.26[.0]
	10	+ * 1.0.32 10 10032 10.so.0.32[.0]
	11	+ * 1.2.27beta01 13 10227 12.so.0.27[.0]
	12	*
	13	* Henceforth the source version will match the shared-library major
	14	* and minor numbers; the shared-library major version number will be
	15	* used for changes in backward compatibility, as it is intended. The
	16	diff -ru4N libpng-1.2.26/pngpread.c libpng-1.2.27beta01/pngpread.c
	17	--- libpng-1.2.26/pngpread.c 2008-04-05 21:37:29.944173338 -0500
	18	+++ libpng-1.2.27beta01/pngpread.c 2008-04-05 21:41:14.898914350 -0500
	19	@@ -1,8 +1,8 @@
	20
	21	/* pngpread.c - read a png file in push mode
	22	*
	23	- * Last changed in libpng 1.2.26 [April 2, 2008]
	24	+ * Last changed in libpng 1.2.27 [April 6, 2008]
	25	* For conditions of distribution and use, see copyright notice in png.h
	26	* Copyright (c) 1998-2008 Glenn Randers-Pehrson
	27	* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
	28	* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
	29	@@ -1501,11 +1501,16 @@
	30	(png_charp)png_ptr->chunk_name,
	31	png_sizeof(png_ptr->unknown_chunk.name));
	32	png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1]='\0';
	33
	34	- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
	35	png_ptr->unknown_chunk.size = (png_size_t)length;
	36	- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
	37	+ if (length == 0)
	38	+ png_ptr->unknown_chunk.data = NULL;
	39	+ else
	40	+ {
	41	+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
	42	+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
	43	+ }
	44	#if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
	45	if(png_ptr->read_user_chunk_fn != NULL)
	46	{
	47	/* callback to user unknown chunk handler */
	48	@@ -1526,10 +1531,13 @@
	49	}
	50	else
	51	#endif
	52	png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
	53	- png_free(png_ptr, png_ptr->unknown_chunk.data);
	54	- png_ptr->unknown_chunk.data = NULL;
	55	+ if (png_ptr->unknown_chunk.data)
	56	+ {
	57	+ png_free(png_ptr, png_ptr->unknown_chunk.data);
	58	+ png_ptr->unknown_chunk.data = NULL;
	59	+ }
	60	}
	61	else
	62	#endif
	63	skip=length;
	64	diff -ru4N libpng-1.2.26/pngrutil.c libpng-1.2.27beta01/pngrutil.c
65	--- libpng-1.2.26/pngrutil.c 2008-04-05 21:37:32.785260077 -0500
66	+++ libpng-1.2.27beta01/pngrutil.c 2008-04-05 21:41:15.202296784 -0500
67	@@ -1,8 +1,8 @@
68
69	/* pngrutil.c - utilities to read a PNG file
70	*
71	- * Last changed in libpng 1.2.26 [April 2, 2008]
72	+ * Last changed in libpng 1.2.27 [April 6, 2008]
73	* For conditions of distribution and use, see copyright notice in png.h
74	* Copyright (c) 1998-2008 Glenn Randers-Pehrson
75	* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
76	* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
77	@@ -2226,11 +2226,16 @@
78	png_memcpy((png_charp)png_ptr->unknown_chunk.name,
79	(png_charp)png_ptr->chunk_name,
80	png_sizeof(png_ptr->unknown_chunk.name));
81	png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0';
82	- png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
83	png_ptr->unknown_chunk.size = (png_size_t)length;
84	- png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
85	+ if (length == 0)
86	+ png_ptr->unknown_chunk.data = NULL;
87	+ else
88	+ {
89	+ png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length);
90	+ png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length);
91	+ }
92	#if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
93	if(png_ptr->read_user_chunk_fn != NULL)
94	{
95	/* callback to user unknown chunk handler */
96	@@ -2251,10 +2256,13 @@
97	}
98	else
99	#endif
100	png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
101	- png_free(png_ptr, png_ptr->unknown_chunk.data);
102	- png_ptr->unknown_chunk.data = NULL;
103	+ if (png_ptr->unknown_chunk.data)
104	+ {
105	+ png_free(png_ptr, png_ptr->unknown_chunk.data);
106	+ png_ptr->unknown_chunk.data = NULL;
107	+ }
108	}
109	else
110	#endif
111	skip = length;
112	diff -ru4N libpng-1.2.26/pngset.c libpng-1.2.27beta01/pngset.c
113	--- libpng-1.2.26/pngset.c 2008-04-02 12:27:30.621225067 -0500
114	+++ libpng-1.2.27beta01/pngset.c 2008-04-05 21:41:15.248946598 -0500
115	@@ -1,8 +1,8 @@
116
117	/* pngset.c - storage of image information into info struct
118	*
119	- * Last changed in libpng 1.2.25 [February 18, 2008]
120	+ * Last changed in libpng 1.2.27 [April 6, 2008]
121	* For conditions of distribution and use, see copyright notice in png.h
122	* Copyright (c) 1998-2008 Glenn Randers-Pehrson
123	* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
124	* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
125	@@ -1039,30 +1039,33 @@
126	info_ptr->unknown_chunks=NULL;
127
128	for (i = 0; i < num_unknowns; i++)
129	{
130	- png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
131	- png_unknown_chunkp from = unknowns + i;
132	+ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
133	+ png_unknown_chunkp from = unknowns + i;
134
135	- png_memcpy((png_charp)to->name,
136	- (png_charp)from->name,
137	- png_sizeof(from->name));
138	- to->name[png_sizeof(to->name)-1] = '\0';
139	+ png_memcpy((png_charp)to->name,
140	+ (png_charp)from->name,
141	+ png_sizeof(from->name));
142	+ to->name[png_sizeof(to->name)-1] = '\0';
143	+ to->size = from->size;
144	+ /* note our location in the read or write sequence */
145	+ to->location = (png_byte)(png_ptr->mode & 0xff);
146
147	- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
148	- if (to->data == NULL)
149	- {
150	- png_warning(png_ptr,
151	+ if (from->size == 0)
152	+ to->data=NULL;
153	+ else
154	+ {
155	+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
156	+ if (to->data == NULL)
157	+ {
158	+ png_warning(png_ptr,
159	"Out of memory while processing unknown chunk.");
160	- }
161	- else
162	- {
163	- png_memcpy(to->data, from->data, from->size);
164	- to->size = from->size;
165	-
166	- /* note our location in the read or write sequence */
167	- to->location = (png_byte)(png_ptr->mode & 0xff);
168	- }
169	+ to->size=0;
170	+ }
171	+ else
172	+ png_memcpy(to->data, from->data, from->size);
173	+ }
174	}
175
176	info_ptr->unknown_chunks = np;
177	info_ptr->unknown_chunks_num += num_unknowns;
178	diff -ru4N libpng-1.2.26/pngwrite.c libpng-1.2.27beta01/pngwrite.c
179	--- libpng-1.2.26/pngwrite.c 2008-04-02 12:27:30.775542734 -0500
180	+++ libpng-1.2.27beta01/pngwrite.c 2008-04-05 21:41:15.402698604 -0500
181	@@ -111,8 +111,10 @@
182	!(up->location & PNG_HAVE_IDAT) &&
183	((up->name[3] & 0x20) \|\| keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
184	(png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
185	{
186	+ if (up->size == 0)
187	+ png_warning(png_ptr, "Writing zero-length unknown chunk");
188	png_write_chunk(png_ptr, up->name, up->data, up->size);
189	}
190	}
191	}