wok diff advancecomp/stuff/CVE-2019-9210.patch @ rev 24721
updated libburn and libburn-dev (1.5.2 -> 1.5.4)
author | Hans-G?nter Theisgen |
---|---|
date | Tue Mar 15 09:33:23 2022 +0100 (2022-03-15) |
parents | |
children |
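--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/advancecomp/stuff/CVE-2019-9210.patch Tue Mar 15 09:33:23 2022 +0100
@@ -0,0 +1,100 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni <amadvance@gmail.com>
+Date: Fri Jan 4 20:49:48 2019 +0100
+
+ Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+
+ switch (type) {
+ case ADV_MNG_CN_MHDR :
++ if (size < 28) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ cout << " simplicity:" << be_uint32_read(data+24);
+ cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << ")";
+ break;
+ case ADV_MNG_CN_DHDR :
++ if (size < 4) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ switch (data[2]) {
+ case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_DEFI :
++ if (size < 2) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ if (size >= 3) {
+ switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_MOVE :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ switch (data[4]) {
+ case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ break;
+ case ADV_MNG_CN_PPLT :
++ if (size < 1) {
++ cout << " invalid chunk size";
++ break;
++ }
+ switch (data[0]) {
+ case 0 : cout << " type:replacement_rgb"; break;
+ case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ default : cout << " type:?"; break;
+ }
+ i = 1;
+- while (i<size) {
++ while (i + 1 < size) {
+ unsigned ssize;
+ cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1];
+ if (data[0] == 0 || data[1] == 1)
+@@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_PNG_CN_IHDR :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4);
+ cout << " depth:" << (unsigned)data[8];
+ cout << " color_type:" << (unsigned)data[9];
+diff -up advancecomp-2.1/lib/png.c.me advancecomp-2.1/lib/png.c
+--- advancecomp-2.1/lib/png.c.me 2019-03-06 21:38:19.099210846 +0100
++++ advancecomp-2.1/lib/png.c 2019-03-06 21:38:49.193040592 +0100
+@@ -655,6 +655,11 @@ adv_error adv_png_read_ihdr(
+ }
+ *pix_pixel = pixel;
+
++ if (width_align < width) {
++ error_unsupported_set("Invalid image size");
++ goto err;
++ }
++
+ if (data[10] != 0) { /* compression */
+ error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]);
+ goto err;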
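Review bot: In the lib/png.c hunk, the added `if (width_align < width)` guard in adv_png_read_ihdr only catches wraparound from rounding the width up; it does not bound the products later formed from `width_align`, `pixel` and the height, which lie outside the hunk. If the function sizes its buffers from those products, a guard such as `if (pixel != 0 && width_align > UINT_MAX / pixel) { error_unsupported_set("Invalid image size"); goto err; }` before the multiplication would be needed as well, and likewise for the height; this assumes the operands are `unsigned`, which the hunk does not show. That hunk also comes from a `diff -up` with no upstream commit id, unlike the pngex.cc part, so a short header comment in the patch file naming its origin would help later audits.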