rpms / libpng

Clone
Source Code
GIT

Blame SOURCES/libpng-CVE-2018-13785.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c9 c9-beta
  1.   c8-beta
  2.   SOURCES
  3.   libpng-CVE-2018-13785.patch
Blob History Raw
3f692f 
From 9821583a771bfe2c75b7449d8ff83cb348291b3f Mon Sep 17 00:00:00 2001
3f692f 
From: Cosmin Truta <ctruta@gmail.com>
3f692f 
Date: Sun, 17 Jun 2018 22:56:29 -0400
3f692f 
Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
3f692f
3f692f 
(Bug report by Thuan Pham, SourceForge issue #278)
3f692f 
---
3f692f 
 pngrutil.c | 9 ++++++---
3f692f 
 1 file changed, 6 insertions(+), 3 deletions(-)
3f692f
3f692f 
diff --git a/pngrutil.c b/pngrutil.c
3f692f 
index 8692933..eab2973 100644
3f692f 
--- a/pngrutil.c
3f692f 
+++ b/pngrutil.c
3f692f 
@@ -3149,10 +3149,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
3f692f 
    {
3f692f 
       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
3f692f 
       size_t row_factor =
3f692f 
-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
3f692f 
-          + 1 + (png_ptr->interlaced? 6: 0));
3f692f 
+         (size_t)png_ptr->width
3f692f 
+         * (size_t)png_ptr->channels
3f692f 
+         * (png_ptr->bit_depth > 8? 2: 1)
3f692f 
+         + 1
3f692f 
+         + (png_ptr->interlaced? 6: 0);
3f692f 
       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
3f692f 
-         idat_limit=PNG_UINT_31_MAX;
3f692f 
+         idat_limit = PNG_UINT_31_MAX;
3f692f 
       else
3f692f 
          idat_limit = png_ptr->height * row_factor;
3f692f 
       row_factor = row_factor > 32566? 32566 : row_factor;
3f692f 
--
3f692f 
2.17.1
3f692f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation