head 1.18; access; symbols OPENPKG_E1_MP_HEAD:1.14 OPENPKG_E1_MP:1.14 OPENPKG_E1_MP_2_STABLE:1.14 OPENPKG_E1_FP:1.14 OPENPKG_2_STABLE_MP:1.14 OPENPKG_2_STABLE_20061018:1.14 OPENPKG_2_STABLE_20060622:1.14 OPENPKG_2_STABLE:1.14.0.2 OPENPKG_2_STABLE_BP:1.14 OPENPKG_2_5_RELEASE:1.13 OPENPKG_2_5_SOLID:1.13.0.2 OPENPKG_2_5_SOLID_BP:1.13 OPENPKG_2_4_RELEASE:1.11 OPENPKG_2_4_SOLID:1.11.0.2 OPENPKG_2_4_SOLID_BP:1.11 OPENPKG_CW_FP:1.10 OPENPKG_2_3_RELEASE:1.10 OPENPKG_2_3_SOLID:1.10.0.4 OPENPKG_2_3_SOLID_BP:1.10 OPENPKG_2_2_RELEASE:1.10 OPENPKG_2_2_SOLID:1.10.0.2 OPENPKG_2_2_SOLID_BP:1.10 OPENPKG_2_1_RELEASE:1.7 OPENPKG_2_1_SOLID:1.7.0.2 OPENPKG_2_1_SOLID_BP:1.7 OPENPKG_1_3_SOLID:1.6.0.2 OPENPKG_2_0_RELEASE:1.5 OPENPKG_2_0_SOLID:1.5.0.2 OPENPKG_2_0_SOLID_BP:1.5 OPENPKG_1_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.18 date 2009.02.07.18.52.22; author rse; state Exp; branches; next 1.17; commitid WxM7mVHsAFbSbxBt; 1.17 date 2007.11.22.07.14.58; author cs; state Exp; branches; next 1.16; commitid bHQiSqYs7j3tzxGs; 1.16 date 2007.08.28.07.53.57; author rse; state Exp; branches; next 1.15; commitid pqBj2pFKy7Teyuvs; 1.15 date 2007.08.03.10.57.25; author rse; state Exp; branches; next 1.14; commitid dhytMGiCppn0niss; 1.14 date 2006.06.14.19.47.59; author rse; state Exp; branches; next 1.13; commitid 17WKQYLB47u4E0Br; 1.13 date 2005.07.22.06.35.13; author rse; state Exp; branches; next 1.12; 1.12 date 2005.07.06.17.55.59; author rse; state Exp; branches; next 1.11; 1.11 date 2005.04.23.18.36.57; author rse; state Exp; branches 1.11.2.1; next 1.10; 1.10 date 2004.08.25.11.20.26; author rse; state Exp; branches 1.10.4.1; next 1.9; 1.9 date 2004.08.16.18.22.29; author rse; state Exp; branches; next 1.8; 1.8 date 2004.08.04.14.01.50; author thl; state Exp; branches; next 1.7; 1.7 date 2004.06.30.14.23.14; author tho; state Exp; branches 1.7.2.1; next 1.6; 1.6 date 2004.04.29.15.06.54; author thl; state Exp; branches 1.6.2.1; next 1.5; 1.5 date 2004.01.03.09.08.22; author rse; state 
Exp; branches 1.5.2.1; next 1.4; 1.4 date 2003.12.19.11.56.05; author ms; state Exp; branches; next 1.3; 1.3 date 2003.12.10.20.13.50; author rse; state Exp; branches; next 1.2; 1.2 date 2003.11.24.10.51.45; author thl; state Exp; branches; next 1.1; 1.1 date 2003.06.03.12.11.19; author thl; state dead; branches 1.1.2.1; next ; 1.11.2.1 date 2005.07.06.17.57.13; author rse; state Exp; branches; next 1.11.2.2; 1.11.2.2 date 2005.07.28.06.33.44; author rse; state Exp; branches; next ; 1.10.4.1 date 2005.07.06.18.04.00; author rse; state Exp; branches; next 1.10.4.2; 1.10.4.2 date 2005.07.28.06.35.13; author rse; state Exp; branches; next ; 1.7.2.1 date 2004.08.04.14.02.57; author thl; state Exp; branches; next 1.7.2.2; 1.7.2.2 date 2004.08.25.11.22.53; author rse; state Exp; branches; next ; 1.6.2.1 date 2004.04.29.19.56.25; author thl; state Exp; branches; next 1.6.2.2; 1.6.2.2 date 2004.07.06.13.41.38; author tho; state Exp; branches; next ; 1.5.2.1 date 2004.04.29.16.17.49; author thl; state Exp; branches; next 1.5.2.2; 1.5.2.2 date 2004.07.06.13.33.22; author tho; state Exp; branches; next 1.5.2.3; 1.5.2.3 date 2004.08.04.14.05.37; author thl; state Exp; branches; next 1.5.2.4; 1.5.2.4 date 2004.08.25.11.24.30; author rse; state Exp; branches; next ; 1.1.2.1 date 2003.06.03.12.11.19; author thl; state Exp; branches; next ; desc @@ 1.18 log @upgrading package: ghostscript 8.63 -> 8.64 @ text @Index: base/stdint_.h --- base/stdint_.h.orig 2008-02-24 02:12:18 +0100 +++ base/stdint_.h 2009-02-07 18:47:17 +0100 @@@@ -68,6 +68,13 @@@@ typedef unsigned long long uint64_t; # define STDINT_TYPES_DEFINED # endif +#ifdef __sun__ +# include +# define STDINT_TYPES_DEFINED +#endif +#ifdef __FreeBSD__ +# define STDINT_TYPES_DEFINED +#endif /* other archs may want to add defines here, or use the fallbacks in std.h */ #endif Index: base/unix-gcc.mak --- base/unix-gcc.mak.orig 2008-10-02 21:33:22 +0200 +++ base/unix-gcc.mak 2009-02-07 18:48:04 +0100 @@@@ -229,7 +229,7 @@@@ # gcc 
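Review bot: The added `# include` on the `__sun__` branch of the `base/stdint_.h` hunk shows no header operand in this rendering; if the operand was genuinely lost rather than stripped by the rendering, the directive does not compile on Solaris, so confirm the line names the system header that supplies the fixed-width types before `STDINT_TYPES_DEFINED` is set. The `__FreeBSD__` branch sets `STDINT_TYPES_DEFINED` without including anything, so it presumably relies on an include earlier in this header (outside the hunk) having already provided `uint64_t` and friends. A one-line comment recording that assumption, e.g. `/* FreeBSD: fixed-width types already come from the system headers included above */`, would keep the next maintainer from re-adding a typedef and colliding with them.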
to accept ANSI-style function prototypes and function definitions. XCFLAGS=-DGS_DEVS_SHARED -DGS_DEVS_SHARED_DIR=\"$(gssharedir)\" -CFLAGS=$(CFLAGS_STANDARD) $(GCFLAGS) $(XCFLAGS) +CFLAGS=$(CFLAGS_STANDARD) $(GCFLAGS) $(XCFLAGS) $(XINCLUDE) # Define platform flags for ld. # SunOS 4.n may need -Bstatic. @@@@ -240,7 +240,7 @@@@ # XLDFLAGS can be set from the command line. XLDFLAGS= -LDFLAGS=$(XLDFLAGS) +LDFLAGS=$(XLDFLAGS) $(XLIBDIRS) # Define any extra libraries to link into the executable. # ISC Unix 2.2 wants -linet. @@@@ -389,8 +389,8 @@@@ DEVICE_DEVS21=$(DD)spotcmyk.dev $(DD)devicen.dev $(DD)xcf.dev $(DD)bmpsep1.dev $(DD)bmpsep8.dev $(DD)bmp16m.dev $(DD)bmp32b.dev $(DD)psdcmyk.dev $(DD)psdrgb.dev $(DD)pamcmyk32.dev # Shared library target to build. -GS_SHARED_OBJS=$(GLOBJDIR)/X11.so $(GLOBJDIR)/lvga256.so $(GLOBJDIR)/vgalib.so -#GS_SHARED_OBJS=$(GLOBJDIR)/X11.so +#GS_SHARED_OBJS=$(GLOBJDIR)/X11.so $(GLOBJDIR)/lvga256.so $(GLOBJDIR)/vgalib.so +GS_SHARED_OBJS= # ---------------------------- End of options --------------------------- # @ 1.17 log @upgrading package: ghostscript 8.60 -> 8.61 @ text @d1 5 a5 5 Index: src/stdint_.h --- src/stdint_.h.orig 2004-06-17 23:42:53 +0200 +++ src/stdint_.h 2005-04-23 20:30:33 +0200 @@@@ -72,6 +72,13 @@@@ typedef u_int64_t uint64_t; d18 23 a40 5 Index: src/unix-gcc.mak --- src/unix-gcc.mak.orig 2007-08-03 10:14:48 +0200 +++ src/unix-gcc.mak 2007-08-03 12:32:08 +0200 @@@@ -418,8 +418,8 @@@@ DEVICE_DEVS21=$(DD)spotcmyk.dev $(DD)devicen.dev $(DD)xcf.dev $(DD)bmpsep1.dev $(DD)bmpsep8.dev $(DD)bmp16m.dev $(DD)bmp32b.dev $(DD)psdcmyk.dev $(DD)psdrgb.dev @ 1.16 log @disable not portable enough fdopen64 use @ text @a17 13 Index: src/gdevpdfe.c --- src/gdevpdfe.c.orig 2006-03-13 21:53:43.000000000 +0100 +++ src/gdevpdfe.c 2006-06-14 21:38:30.123121530 +0200 @@@@ -185,6 +185,9 @@@@ stream_puts(s, default_value); } +#undef uint64_t +#define uint64_t GX_COLOR_INDEX_TYPE + private uint64_t pdf_uuid_time(gx_device_pdf *pdev) { a31 12 Index: 
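Review bot: In the `src/gdevpdfe.c` hunk (revision 1.16), `#define uint64_t GX_COLOR_INDEX_TYPE` rewrites every later occurrence of the identifier in the translation unit, not just the return type of `pdf_uuid_time`, and the preceding `#undef uint64_t` does nothing when `uint64_t` is a typedef, as the `typedef unsigned long long uint64_t;` context in the `stdint_.h` hunk above shows it to be. Redirecting a standard type name this way also affects any header included after this point in the file. A dedicated alias keeps the change local, e.g. `typedef GX_COLOR_INDEX_TYPE pdf_uint64_t;` and `private pdf_uint64_t pdf_uuid_time(gx_device_pdf *pdev)`. The body of `pdf_uuid_time` continues outside the hunk.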
src/gpmisc.c --- src/gpmisc.c.orig 2007-06-06 00:23:38 +0200 +++ src/gpmisc.c 2007-08-28 09:48:55 +0200 @@@@ -93,7 +93,7 @@@@ * fdopen as (char *), rather than following the POSIX.1 standard, * which defines it as (const char *). Patch this here. */ -#if defined (O_LARGEFILE) +#if 0 /* defined (O_LARGEFILE) */ file = (b64 ? fdopen64 : fdopen)(fildes, (char *)mode); /* still really const */ #else file = fdopen(fildes, (char *)mode); /* still really const */ @ 1.15 log @upgrading package: ghostscript 8.57 -> 8.60 @ text @d45 12 @ 1.14 log @use the already determined 64bit integer type @ text @d31 14 @ 1.13 log @modifying package: ghostscript-8.51 20050706 -> 20050722 @ text @d18 13 @ 1.12 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a17 15 Fix Security Issue (OpenPKG-SA-2005.013, CAN-2005-2096) Index: zlib/inftrees.c --- zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ zlib/inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.11 log @upgrading package: ghostscript 8.14 -> 8.51 @ text @d18 15 @ 1.11.2.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a17 15 Fix Security Issue (OpenPKG-SA-2005.013, CAN-2005-2096) Index: zlib/inftrees.c --- zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ zlib/inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.11.2.2 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @d19 1 a19 1 
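Review bot: `#if 0 /* defined (O_LARGEFILE) */` in the `src/gpmisc.c` hunk disables the `fdopen64` branch on every platform, so where it previously worked the `b64` argument now has no effect and the descriptor is wrapped by plain `fdopen` (the enclosing function starts outside the hunk). If the problem is that `fdopen64` is missing on some systems, a feature test keeps large-file support where it exists, e.g. `#if defined (O_LARGEFILE) && defined (HAVE_FDOPEN64)` with the macro (placeholder name) supplied by configure. In either case a short comment stating why the branch is off is preferable to a bare `#if 0`.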
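Review bot: The replacement condition `(type == CODES || max != 1)` in the `zlib/inftrees.c` hunk encodes the single incomplete code set inflate tolerates, but the trailing comment still reads only `/* incomplete set */`, so a reader has to reconstruct why `max != 1` is the exception. Assuming `max`, computed earlier in the function outside the hunk, is the longest code length present, suggest `/* incomplete set: only a lone 1-bit code is allowed */`. The same hunk is repeated for the 1.11.2.1 branch on this line and for the 1.10.4.1 branch further down; apply the same wording there.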
Security Bugfix (OpenPKG-SA-2005.013-zlib; CAN-2005-2096) a32 23 Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) Index: zlib/inftrees.h --- zlib/inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ zlib/inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.10 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @d2 3 a4 3 --- src/stdint_.h.orig 2003-12-22 22:19:59.000000000 +0100 +++ src/stdint_.h 2004-01-03 09:45:26.000000000 +0100 @@@@ -75,6 +75,13 @@@@ d17 1 a17 71 #endif /* !HAVE_STDINT_H */ ----------------------------------------------------------------------------- Port to ZLIB 1.2.1 Index: src/zlib.mak --- src/zlib.mak.orig 2002-05-09 18:29:16.000000000 +0200 +++ src/zlib.mak 2004-01-03 09:39:03.000000000 +0100 @@@@ -84,7 +84,7 @@@@ $(ZGEN)zlibe_1.dev : $(TOP_MAKEFILES) $(ZLIB_MAK) $(ECHOGS_XE) $(SETMOD) $(ZGEN)zlibe_1 -lib $(ZLIB_NAME) -zlibe_=$(ZOBJ)adler32.$(OBJ) $(ZOBJ)deflate.$(OBJ) $(ZOBJ)trees.$(OBJ) +zlibe_=$(ZOBJ)adler32.$(OBJ) $(ZOBJ)deflate.$(OBJ) $(ZOBJ)compress.$(OBJ) $(ZOBJ)trees.$(OBJ) $(ZGEN)zlibe_0.dev : $(ZLIB_MAK) $(ECHOGS_XE) $(ZGEN)zlibc.dev $(zlibe_) $(SETMOD) $(ZGEN)zlibe_0 $(zlibe_) $(ADDMOD) $(ZGEN)zlibe_0 -include $(ZGEN)zlibc.dev @@@@ -95,6 +95,9 @@@@ $(ZOBJ)deflate.$(OBJ) : $(ZSRC)deflate.c $(ZDEP) $(ZCC) $(ZO_)deflate.$(OBJ) $(C_) $(ZSRC)deflate.c +$(ZOBJ)compress.$(OBJ) : $(ZSRC)compress.c $(ZDEP) + $(ZCC) $(ZO_)compress.$(OBJ) $(C_) 
$(ZSRC)compress.c + $(ZOBJ)trees.$(OBJ) : $(ZSRC)trees.c $(ZDEP) $(ZCC) $(ZO_)trees.$(OBJ) $(C_) $(ZSRC)trees.c @@@@ -123,8 +126,8 @@@@ $(ZGEN)zlibd_1.dev : $(TOP_MAKEFILES) $(ZLIB_MAK) $(ECHOGS_XE) $(SETMOD) $(ZGEN)zlibd_1 -lib $(ZLIB_NAME) -zlibd1_=$(ZOBJ)infblock.$(OBJ) $(ZOBJ)infcodes.$(OBJ) $(ZOBJ)inffast.$(OBJ) -zlibd2_=$(ZOBJ)inflate.$(OBJ) $(ZOBJ)inftrees.$(OBJ) $(ZOBJ)infutil.$(OBJ) +zlibd1_=$(ZOBJ)inffast.$(OBJ) +zlibd2_=$(ZOBJ)inflate.$(OBJ) $(ZOBJ)inftrees.$(OBJ) zlibd_ = $(zlibd1_) $(zlibd2_) $(ZGEN)zlibd_0.dev : $(ZLIB_MAK) $(ECHOGS_XE) $(ZGEN)zlibc.dev $(zlibd_) $(SETMOD) $(ZGEN)zlibd_0 $(zlibd1_) ----------------------------------------------------------------------------- Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): Index: zlib/infback.c --- zlib/infback.c.orig 2003-08-12 01:48:06 +0200 +++ zlib/infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: zlib/inflate.c --- zlib/inflate.c.orig 2003-10-26 07:15:36 +0100 +++ zlib/inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 1.10.4.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a87 17 ----------------------------------------------------------------------------- Security Bugfixes (CAN-2005-2096, OpenPKG-SA-2005.013) Index: zlib/inftrees.c --- zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ zlib/inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.10.4.2 log @Security 
Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @d90 1 a90 1 Security Bugfix (OpenPKG-SA-2005.013-zlib; CAN-2005-2096) a104 24 ----------------------------------------------------------------------------- Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) Index: zlib/inftrees.h --- zlib/inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ zlib/inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.9 log @modifying package: ghostscript-8.14 20040804 -> 20040816 @ text @d18 5 d57 31 @ 1.8 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a51 469 Index: libpng/pngconf.h --- libpng/pngconf.h.orig 2002-10-03 13:32:27 +0200 +++ libpng/pngconf.h 2004-06-30 15:40:45 +0200 @@@@ -251,10 +251,6 @@@@ # define PNG_SAVE_BSD_SOURCE # undef _BSD_SOURCE # endif -# ifdef _SETJMP_H - __png.h__ already includes setjmp.h; - __dont__ include it again.; -# endif # endif /* __linux__ */ /* include setjmp.h for error handling */ Steve G Libpng accesses memory that is out of bounds when creating an error message Index: libpng/pngerror.c --- libpng/pngerror.c.orig 2002-10-03 13:32:27 +0200 +++ libpng/pngerror.c 2004-06-30 15:11:51 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + 
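Review bot: The four lines removed from `libpng/pngconf.h` are a deliberate compile-time trap, not dead code: the non-C text `__png.h__ already includes setjmp.h; __dont__ include it again.;` exists precisely to fail the build when `_SETJMP_H` is already defined, and the surrounding `PNG_SAVE_BSD_SOURCE` / `_BSD_SOURCE` handling suggests the concern is a `jmp_buf` laid out under different feature macros than the one `png.h` expects. Deleting the trap makes such builds succeed silently. If the removal is needed to build this tree, the patch should record why the mismatch cannot occur here, e.g. `/* trap removed: this build includes setjmp.h with the same feature macros as png.h */`, rather than leaving no trace of the original intent.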
png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: libpng/pngrtran.c --- libpng/pngrtran.c.orig 2004-06-30 15:42:18 +0200 +++ libpng/pngrtran.c 2004-06-30 15:40:24 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1929,8 +1929,8 @@@@ /* This changes the data from RGB to RGBX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = lo_filler; @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems 
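Review bot: The `libpng/pngrtran.c` hunk at `-1929` applies the 16-bit multipliers to the 8-bit RGB branch: its own context comment says `RGB to RGBX` and the loop inserts a single `lo_filler` byte, so each input pixel is 3 bytes and each output pixel 4, which is exactly what the old `row_width * 3` / `+ row_width` computed. With `* 6` and `* 2`, `sp` starts 3*row_width bytes past the end of the pixel data and `dp` 4*row_width bytes beyond the expanded row, so the loop reads and writes outside the row for every 8-bit RGB image with a trailing filler. Only the `RRGGBB` hunks at `-1965` and `-1987` (2-byte samples) need the doubled offsets; the `-1929` hunk should be dropped so those two lines stay `png_bytep sp = row + (png_size_t)row_width * 3;` and `png_bytep dp = sp + (png_size_t)row_width;`. The enclosing function begins and ends outside the hunks.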
discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. 
diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ libpng/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. 
*/ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ libpng/pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. 
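Review bot: The new guard in the `libpng/pngpread.c` hunk at `-591` computes `PNG_SIZE_MAX - (png_ptr->current_buffer_size + 256)`, so the inner addition can itself wrap when `current_buffer_size` is within 256 of `PNG_SIZE_MAX`, in which case the subtraction yields a large value and the check passes. Ordering the test so that each step is bounded closes the gap: `if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 || png_ptr->save_buffer_size > PNG_SIZE_MAX - 256 - png_ptr->current_buffer_size)`. This is a theoretical range today, since `current_buffer_size` reflects a caller-supplied buffer, but the guard is cheap and overflow-safe arithmetic is the whole point of this hunk. The enclosing function starts outside the hunk.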
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. 
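Review bot: Both `return;` statements added in the sPLT hunk of `libpng/pngrutil.c` leave the handler through paths that did not exist before, after the chunk payload has already been consumed (the function's start and end are outside the hunk). If the function holds an allocated copy of that payload at this point, as the `data_length` / `entry_size` arithmetic suggests, each early return leaks it; free it before `return;` in both the `sPLT chunk too long` and the `sPLT chunk requires too much memory` branches, or route them to the function's existing cleanup. Handling a NULL result from `png_malloc_warn` is the right choice; the concern is only what the new exits skip.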
diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can 
cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.7 log @ added Security Fix (CAN-2004-0421) for png @ text @d146 375 @ 1.7.2.1 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a145 375 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in 
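Review bot: The `libpng/png.h` hunk at `-835` carries `#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)` as unchanged context, but the patch04 hunk for the same file earlier in this patch (at `-833`) replaces that line with `PNG_UINT_31_MAX` and a compatibility alias, so the two hunks describe different baselines and the later one applies only thanks to patch fuzz. Rebase it onto the patch04 result so the series applies without fuzz and the context reads `#define PNG_MAX_UINT PNG_UINT_31_MAX`. While there, the new `PNG_MAX_DIMENSION` constant would be better expressed as `((png_uint_32)0x00ffffffL)` with a comment tying it to the `width`/`height` checks in the IHDR hunk, so the `(2 ^ 24) - 1` comment and the literal cannot drift apart.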
png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ libpng/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. 
*/ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. 
*/ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ libpng/pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. 
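Review bot: The guard added in the @@ -591 hunk of pngpread.c evaluates `png_ptr->current_buffer_size + 256` before subtracting it from PNG_SIZE_MAX, so that inner sum can itself wrap when current_buffer_size is within 256 of PNG_SIZE_MAX, and the guard would then let the following `new_max = ...` line overflow. Checking the terms separately closes that gap: `if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 || png_ptr->save_buffer_size > PNG_SIZE_MAX - 256 - png_ptr->current_buffer_size)`. The enclosing function starts and ends outside the hunk, so whether an earlier check already bounds current_buffer_size cannot be seen here. The identical hunk recurs in the 1.5.2.3 revision text further down.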
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. 
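Review bot: The two early `return;` statements added in the sPLT hunk of pngrutil.c leave whatever png_handle_sPLT has already allocated for the chunk in place; the function begins and ends outside the hunk, but the `data_length` and `entry_size` context lines suggest the raw chunk has already been read into a heap buffer at this point, and if so both returns should release it first, otherwise a malformed oversized sPLT turns the former overflow into a per-chunk leak. A one-line comment on the new size test would also help the next reader: `/* nentries * sizeof(png_sPLT_entry) must not wrap before png_malloc_warn sees it */`. The identical hunk recurs in the 1.5.2.3 revision text further down.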
diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can 
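Review bot: The iCCP hunk removes the `= 0` initializers of profile_size and profile_length without touching any use of the two variables, and the rest of png_handle_iCCP lies outside the hunk, so it cannot be verified here that every path reaching the first read of either variable assigns it first. If the intent is that both are always set once the embedded profile header has been parsed, a comment on the declaration would record why the initializers went away, e.g. `/* assigned after the profile header is read; meaningless before that */`. The patch name speaks of a NULL profile, which this hunk alone does not show. The identical hunk recurs in the 1.5.2.3 revision text further down.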
cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.7.2.2 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @a17 3 ----------------------------------------------------------------------------- a51 2 ----------------------------------------------------------------------------- a520 31 
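Review bot: The png.h hunk that adds PNG_MAX_DIMENSION carries `#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)` as context, but the patch04 hunk earlier in this same file has already rewritten that line to `#define PNG_MAX_UINT PNG_UINT_31_MAX`, so when the whole file is applied in one pass this hunk matches only with fuzz, if at all, and its context should be refreshed against the patch04 result. The comment `/* Constraints on width, height, (2 ^ 24) - 1*/` would read better as `/* Upper bound on IHDR width and height: (2^24) - 1 */`. The identical hunk recurs in the 1.5.2.3 revision text further down.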
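Review bot: The @@ -2868 hunk of pngrutil.c tests `png_ptr->idat_size > PNG_MAX_UINT` right after `png_get_uint_32()`, which is the open-coded pattern that the patch06 hunks earlier in this file replace with the helper in pngread.c; using it here as well keeps the two readers consistent, `png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);`. In the hIST hunks the new `num > PNG_MAX_PALETTE_LENGTH` test is what bounds writes into `readbuf[PNG_MAX_PALETTE_LENGTH]` declared in the @@ -1400 hunk, and a short comment on that line naming the buffer it protects would keep the check from being simplified away later. The identical hunks recur in the 1.5.2.3 revision text further down.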
----------------------------------------------------------------------------- Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): Index: zlib/infback.c --- zlib/infback.c.orig 2003-08-12 01:48:06 +0200 +++ zlib/infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: zlib/inflate.c --- zlib/inflate.c.orig 2003-10-26 07:15:36 +0100 +++ zlib/inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 1.6 log @SA-2004.017-png @ text @d52 72 a123 2 --- ../libpng-1.2.5/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ ../libpng-1.2.5/pngrtran.c Wed Jan 15 11:30:23 2003 a145 23 Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- ../libpng-1.2.5/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ ../libpng-1.2.5/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.6.2.1 log @SA-2004.017-png @ text @d1 53 a53 2 --- libpng-1.2.5/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ libpng-1.2.5/pngrtran.c Wed Jan 15 11:30:23 2003 d81 2 a82 2 --- libpng-1.2.5/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ libpng-1.2.5/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @ 1.6.2.2 log @SA-2004.030; CAN-2002-1363 @ text @d1 2 a2 44 Index: libpng-1.2.5/pngerror.c --- libpng-1.2.5/pngerror.c.orig 2002-10-03 13:32:27 +0200 +++ libpng-1.2.5/pngerror.c 2004-07-05 16:21:07 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + 
png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: libpng-1.2.5/pngrtran.c --- libpng-1.2.5/pngrtran.c.orig 2002-10-03 13:32:29 +0200 +++ libpng-1.2.5/pngrtran.c 2004-07-05 16:21:07 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d25 23 @ 1.5 log @upgrading package: ghostscript 8.12 -> 8.13 @ text @d51 48 @ 1.5.2.1 log @SA-2004.017-png @ text @a50 48 --- ../libpng-1.2.5/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ ../libpng-1.2.5/pngrtran.c Wed Jan 15 11:30:23 2003 @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { 
*(--dp) = *(--sp); Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- ../libpng-1.2.5/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ ../libpng-1.2.5/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.5.2.2 log @SA-2004.030; CAN-2002-1363 @ text @d52 2 a53 44 Index: libpng/pngerror.c --- libpng/pngerror.c.orig 2002-10-03 13:32:27 +0200 +++ libpng/pngerror.c 2004-07-05 14:12:29 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: libpng/pngrtran.c --- libpng/pngrtran.c.orig 2002-10-03 13:32:29 +0200 +++ libpng/pngrtran.c 2004-07-05 14:12:29 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d76 23 @ 1.5.2.3 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a117 375 
http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. 
diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ libpng/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. 
*/ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ libpng/pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. 
diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can 
cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.5.2.4 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @a17 3 ----------------------------------------------------------------------------- a51 2 ----------------------------------------------------------------------------- a492 31 
----------------------------------------------------------------------------- Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): Index: zlib/infback.c --- zlib/infback.c.orig 2003-08-12 01:48:06 +0200 +++ zlib/infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: zlib/inflate.c --- zlib/inflate.c.orig 2003-10-26 07:15:36 +0100 +++ zlib/inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 1.4 log @include type correction for solaris as well as already patched FreeBSD correction @ text @d1 4 a4 4 Index: src/stdpre.h --- src/stdpre.h.orig 2003-12-01 19:19:24.000000000 +0100 +++ src/stdpre.h 2003-12-10 20:56:46.000000000 +0100 @@@@ -311,6 +311,13 @@@@ d17 1 a17 1 #endif /* STDINT_H */ d20 1 a20 1 +++ src/zlib.mak 2003-12-10 20:28:10.000000000 +0100 @ 1.3 log @upgrading package: ghostscript 8.11 -> 8.12 @ text @d4 1 a4 1 @@@@ -311,6 +311,9 @@@@ d8 4 @ 1.2 log @create/add patch to make build work with zlib 1.2.1 @ text @d1 13 d16 1 a16 1 +++ src/zlib.mak 2003-11-24 11:32:29.000000000 +0100 @ 1.1 log @file ghostscript.patch was initially added on branch OPENPKG_1_1_SOLID. @ text @d1 33 @ 1.1.2.1 log @SA-2003.030-ghostscript; CAN-2003-0354; execute arbitrary commands @ text @a0 104 --- gs7.04/src/zfile.c.orig Wed Jan 30 21:08:31 2002 +++ gs7.04/src/zfile.c Tue Jun 3 12:58:31 2003 @@@@ -53,7 +53,7 @@@@ extern const char iodev_dtype_stdio[]; /* Forward references: file name parsing. 
*/ -private int parse_file_name(P2(const ref * op, gs_parsed_file_name_t * pfn)); +private int parse_file_name(P3(const ref * op, gs_parsed_file_name_t * pfn, bool safemode)); private int parse_real_file_name(P4(const ref * op, gs_parsed_file_name_t * pfn, gs_memory_t *mem, client_name_t cname)); @@@@ -153,20 +153,6 @@@@ /* recognized as a file name separator as on DOS & Windows */ const char *filenamesep = gp_file_name_concat_string("\\", 1); - /* - * We can't know where we will get to if we reference the parent - * directory, so don't allow access if LockFilePermissions is true - * Also check here for the %pipe device which is illegal when - * LockFilePermissions is true. In the future we might want to allow - * the %pipe device to be included on the PermitFile... paths, but - * for now it is simply disallowed. - */ - if (i_ctx_p->LockFilePermissions && - (gp_file_name_references_parent(fname, len) || - string_match(fname, len, "%pipe*", 5, NULL)) - ) { - return e_invalidfileaccess; - } if (dict_find_string(&(i_ctx_p->userparams), permitgroup, &permitlist) <= 0) return 0; /* if Permissions not found, just allow access */ for (i=0; iLockFilePermissions); if (code < 0) return code; /* @@@@ -382,7 +368,7 @@@@ if (pname1.iodev != pname2.iodev || (check_file_permissions(i_ctx_p, pname1.fname, pname1.len, "PermitFileControl") < 0 && - !file_is_tempfile(i_ctx_p, op - 1) < 0) || + !file_is_tempfile(i_ctx_p, op - 1)) || check_file_permissions(i_ctx_p, pname2.fname, pname2.len, "PermitFileControl") < 0 || check_file_permissions(i_ctx_p, pname2.fname, pname2.len, @@@@ -422,7 +408,7 @@@@ { gs_parsed_file_name_t pname; struct stat fstat; - int code = parse_file_name(op, &pname); + int code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions); if (code < 0) return code; @@@@ -558,7 +544,7 @@@@ stream *s; check_ostack(2); - code = parse_file_name(op, &pname); + code = parse_file_name(op, &pname, i_ctx_p->LockFilePermissions); if (code < 0) return code; if (pname.iodev == 
NULL) @@@@ -609,7 +595,7 @@@@ } } if (code < 0) { - if (code == e_VMerror) + if (code == e_VMerror || code == e_invalidfileaccess) return code; push(1); make_false(op); @@@@ -712,11 +698,24 @@@@ /* Parse a file name into device and individual name. */ /* See gsfname.c for details. */ private int -parse_file_name(const ref * op, gs_parsed_file_name_t * pfn) +parse_file_name(const ref * op, gs_parsed_file_name_t * pfn, bool safemode) { + int code; + check_read_type(*op, t_string); - return gs_parse_file_name(pfn, (const char *)op->value.const_bytes, + code = gs_parse_file_name(pfn, (const char *)op->value.const_bytes, r_size(op)); + if (code < 0) + return code; + /* + * Check here for the %pipe device which is illegal when + * LockFilePermissions is true. In the future we might want to allow + * the %pipe device to be included on the PermitFile... paths, but + * for now it is simply disallowed. + */ + if (pfn->iodev && safemode && strcmp(pfn->iodev->dname, "%pipe%") == 0) + return e_invalidfileaccess; + return code; } /* Parse a real (non-device) file name and convert to a C string. */ @