From 9eece9cd07682fabfd0349e763edbade5d0d7d3b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 06 2019 10:03:12 +0000
Subject: import advancecomp-1.15-21.el7


---

diff --git a/SOURCES/advancecomp-1.15-CVE-2019-8379.patch b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
new file mode 100644
index 0000000..5bb32a7
--- /dev/null
+++ b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
@@ -0,0 +1,85 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni <amadvance@gmail.com>
+Date:   Fri Jan 4 20:49:48 2019 +0100
+
+    Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 
+ 	switch (type) {
+ 		case ADV_MNG_CN_MHDR :
++			if (size < 28) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ 			cout << " simplicity:" << be_uint32_read(data+24);
+ 			cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << ")";
+ 		break;
+ 		case ADV_MNG_CN_DHDR :
++			if (size < 4) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			switch (data[2]) {
+ 				case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_MNG_CN_DEFI :
++			if (size < 2) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			if (size >= 3) {
+ 				switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 		break;
+ 		case ADV_MNG_CN_MOVE :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ 			switch (data[4]) {
+ 				case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ 			break;
+ 		case ADV_MNG_CN_PPLT :
++			if (size < 1) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			switch (data[0]) {
+ 				case 0 : cout << " type:replacement_rgb"; break;
+ 				case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 				default : cout << " type:?"; break;
+ 			}
+ 			i = 1;
+-			while (i<size) {
++			while (i + 1 < size) {
+ 				unsigned ssize;
+ 				cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1];
+ 				if (data[0] == 0 || data[1] == 1)
+@@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_PNG_CN_IHDR :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4);
+ 			cout << " depth:" << (unsigned)data[8];
+ 			cout << " color_type:" << (unsigned)data[9];
diff --git a/SOURCES/advancecomp-1.15-CVE-2019-8383.patch b/SOURCES/advancecomp-1.15-CVE-2019-8383.patch
new file mode 100644
index 0000000..b4edf8b
--- /dev/null
+++ b/SOURCES/advancecomp-1.15-CVE-2019-8383.patch
@@ -0,0 +1,55 @@
+commit 78a56b21340157775be2462a19276b4d31d2bd01
+Author: Andrea Mazzoleni <amadvance@gmail.com>
+Date:   Fri Jan 4 20:49:25 2019 +0100
+
+    Fix a buffer overflow caused by invalid images
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a..cbf140b 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ 	unsigned pixel;
+ 	unsigned width;
+ 	unsigned width_align;
++	unsigned scanline;
+ 	unsigned height;
+ 	unsigned depth;
+ 	int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ 		goto err_ptr;
+ 	}
+ 
+-	*dat_size = height * (width_align * pixel + 1);
++	/* check for overflow */
++	if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	scanline = width_align * pixel + 1;
++
++	/* check for overflow */
++	if (scanline == 0 || height >= UINT_MAX / scanline) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	*dat_size = height * scanline;
+ 	*dat_ptr = malloc(*dat_size);
+-	*pix_scanline = width_align * pixel + 1;
++	*pix_scanline = scanline;
+ 	*pix_ptr = *dat_ptr + 1;
+ 
+ 	z.zalloc = 0;
+diff -up advancecomp-1.15/portable.h.me advancecomp-1.15/portable.h
+--- advancecomp-1.15/portable.h.me	2019-05-17 15:15:08.109528451 +0200
++++ advancecomp-1.15/portable.h	2019-05-17 15:15:38.318620937 +0200
+@@ -39,6 +39,7 @@ extern "C" {
+ #include <assert.h>
+ #include <errno.h>
+ #include <signal.h>
++#include <limits.h>
+ 
+ #if HAVE_UNISTD_H
+ #include <unistd.h>
diff --git a/SPECS/advancecomp.spec b/SPECS/advancecomp.spec
index 8ddd938..dc86cb8 100644
--- a/SPECS/advancecomp.spec
+++ b/SPECS/advancecomp.spec
@@ -1,11 +1,13 @@
 Summary: Recompression utilities for .PNG, .MNG and .ZIP files
 Name: advancecomp
 Version: 1.15
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: Applications/Emulators
 URL: http://advancemame.sourceforge.net/
 Source: http://downloads.sf.net/advancemame/advancecomp-%{version}.tar.gz
+Patch0: advancecomp-1.15-CVE-2019-8379.patch
+Patch1: advancecomp-1.15-CVE-2019-8383.patch
 BuildRequires: zlib-devel
 
 %description
@@ -17,6 +19,8 @@ The main features are :
 
 %prep
 %setup -q
+%patch0 -p1 -b .CVE-2019-8379
+%patch1 -p1 -b .CVE-2019-8383
 
 
 %build
@@ -36,6 +40,10 @@ make install DESTDIR=%{buildroot}
 
 
 %changelog
+* Fri May 17 2019 Than Ngo <than@redhat.com> - 1.15-21
+- Resolves: #1711051, CVE-2019-8383 denial of service
+- Resolves: #1710910, CVE-2019-8379 null pointer dereference
+
 * Wed Jan 29 2014 Daniel Mach <dmach@redhat.com> - 1.15-20
 - Mass rebuild 2014-01-24