wok-6.x view advancecomp/stuff/CVE-2019-9210.patch @ rev 24695
advancecomp: CVE-2019-8383 & CVE-2019-9210
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Sun Mar 13 15:13:28 2022 +0000 (2022-03-13) |
parents | |
children |
line source
1 commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
2 Author: Andrea Mazzoleni <amadvance@gmail.com>
3 Date: Fri Jan 4 20:49:48 2019 +0100
5 Fix a buffer overflow caused by invalid chunks
7 diff --git a/pngex.cc b/pngex.cc
8 index 55d16f5..3f5b49f 100644
9 --- a/pngex.cc
10 +++ b/pngex.cc
11 @@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
13 switch (type) {
14 case ADV_MNG_CN_MHDR :
15 + if (size < 28) {
16 + cout << " invalid chunk size";
17 + break;
18 + }
19 cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
20 cout << " simplicity:" << be_uint32_read(data+24);
21 cout << "(bit";
22 @@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
23 cout << ")";
24 break;
25 case ADV_MNG_CN_DHDR :
26 + if (size < 4) {
27 + cout << " invalid chunk size";
28 + break;
29 + }
30 cout << " id:" << be_uint16_read(data+0);
31 switch (data[2]) {
32 case 0 : cout << " img:unspecified"; break;
33 @@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
34 }
35 break;
36 case ADV_MNG_CN_DEFI :
37 + if (size < 2) {
38 + cout << " invalid chunk size";
39 + break;
40 + }
41 cout << " id:" << be_uint16_read(data+0);
42 if (size >= 3) {
43 switch (data[2]) {
44 @@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
45 }
46 break;
47 case ADV_MNG_CN_MOVE :
48 + if (size < 13) {
49 + cout << " invalid chunk size";
50 + break;
51 + }
52 cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
53 switch (data[4]) {
54 case 0 : cout << " type:replace"; break;
55 @@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
56 cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
57 break;
58 case ADV_MNG_CN_PPLT :
59 + if (size < 1) {
60 + cout << " invalid chunk size";
61 + break;
62 + }
63 switch (data[0]) {
64 case 0 : cout << " type:replacement_rgb"; break;
65 case 1 : cout << " type:delta_rgb"; break;
66 @@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
67 default : cout << " type:?"; break;
68 }
69 i = 1;
70 - while (i<size) {
71 + while (i + 1 < size) {
72 unsigned ssize;
73 cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1];
74 if (data[0] == 0 || data[1] == 1)
75 @@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
76 }
77 break;
78 case ADV_PNG_CN_IHDR :
79 + if (size < 13) {
80 + cout << " invalid chunk size";
81 + break;
82 + }
83 cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4);
84 cout << " depth:" << (unsigned)data[8];
85 cout << " color_type:" << (unsigned)data[9];
86 diff -up advancecomp-2.1/lib/png.c.me advancecomp-2.1/lib/png.c
87 --- advancecomp-2.1/lib/png.c.me 2019-03-06 21:38:19.099210846 +0100
88 +++ advancecomp-2.1/lib/png.c 2019-03-06 21:38:49.193040592 +0100
89 @@ -655,6 +655,11 @@ adv_error adv_png_read_ihdr(
90 }
91 *pix_pixel = pixel;
93 + if (width_align < width) {
94 + error_unsupported_set("Invalid image size");
95 + goto err;
96 + }
97 +
98 if (data[10] != 0) { /* compression */
99 error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]);
100 goto err;