wok diff advancecomp/stuff/CVE-2019-9210.patch @ rev 25037

Up glza (0.11.4)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat May 21 21:38:29 2022 +0000 (2022-05-21)
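--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/advancecomp/stuff/CVE-2019-9210.patch	Sat May 21 21:38:29 2022 +0000
@@ -0,0 +1,100 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni <amadvance@gmail.com>
+Date:   Fri Jan 4 20:49:48 2019 +0100
+
+    Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 
+ 	switch (type) {
+ 		case ADV_MNG_CN_MHDR :
++			if (size < 28) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ 			cout << " simplicity:" << be_uint32_read(data+24);
+ 			cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << ")";
+ 		break;
+ 		case ADV_MNG_CN_DHDR :
++			if (size < 4) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			switch (data[2]) {
+ 				case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_MNG_CN_DEFI :
++			if (size < 2) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			if (size >= 3) {
+ 				switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 		break;
+ 		case ADV_MNG_CN_MOVE :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ 			switch (data[4]) {
+ 				case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ 			break;
+ 		case ADV_MNG_CN_PPLT :
++			if (size < 1) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			switch (data[0]) {
+ 				case 0 : cout << " type:replacement_rgb"; break;
+ 				case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 				default : cout << " type:?"; break;
+ 			}
+ 			i = 1;
+-			while (i<size) {
++			while (i + 1 < size) {
+ 				unsigned ssize;
+ 				cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1];
+ 				if (data[0] == 0 || data[1] == 1)
+@@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_PNG_CN_IHDR :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4);
+ 			cout << " depth:" << (unsigned)data[8];
+ 			cout << " color_type:" << (unsigned)data[9];
+diff -up advancecomp-2.1/lib/png.c.me advancecomp-2.1/lib/png.c
+--- advancecomp-2.1/lib/png.c.me	2019-03-06 21:38:19.099210846 +0100
++++ advancecomp-2.1/lib/png.c	2019-03-06 21:38:49.193040592 +0100
+@@ -655,6 +655,11 @@ adv_error adv_png_read_ihdr(
+ 	}
+ 	*pix_pixel = pixel;
+ 
++	if (width_align < width) {
++		error_unsupported_set("Invalid image size");
++		goto err;
++	}
++
+ 	if (data[10] != 0) { /* compression */
+ 		error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]);
+ 		goto err;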
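Review bot: The lib/png.c part of this patch file, starting at the `diff -up advancecomp-2.1/lib/png.c.me` header, has no commit id, author or description, while the pngex.cc part above it quotes upstream commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040; the file is named for CVE-2019-9210 but does not say which of the two diffs addresses it. I would add a provenance line ahead of each part, for example `# lib/png.c: width_align check, source: <UPSTREAM_COMMIT_OR_URL>`, so a later audit can match each hunk to its upstream fix. The changeset description `Up glza (0.11.4)` does not mention advancecomp, which makes this security fix hard to find from the history. Whether the package receipt applies this file is not visible on this page and should be confirmed in the same changeset.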