authorNed Ludd <solar@gentoo.org>2004-05-09 06:32:23 +0000
committerNed Ludd <solar@gentoo.org>2004-05-09 06:32:23 +0000
commitb0b7de5b009dd759313b4234f16146218f14ab58 (patch)
tree9a0f42f81f2a33af53971d51ea12b3d6e27bd15e /media-libs/libpng
parent(no commit message) (diff)
The library provides two calls, png_chunk_error and png_chunk_warning, for default error and warning message handling. Inside the code a fixed-size buffer is used, and 64 bytes are used to store the caller-supplied message, but there is no bounds checking and this limitation is not documented. Programs linked against libpng may crash or even execute arbitrary code if the caller's message depends on external input. Bugzilla bug #49887
Diffstat (limited to 'media-libs/libpng')
-rw-r--r--media-libs/libpng/ChangeLog11
-rw-r--r--media-libs/libpng/Manifest18
-rw-r--r--media-libs/libpng/files/libpng-1.0.15-gentoo.diff16
-rw-r--r--media-libs/libpng/files/libpng-1.2.5-gentoo.diff16
4 files changed, 51 insertions, 10 deletions
diff --git a/media-libs/libpng/ChangeLog b/media-libs/libpng/ChangeLog
index 98f05ff7e732..00a22a198a13 100644
--- a/media-libs/libpng/ChangeLog
+++ b/media-libs/libpng/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for media-libs/libpng
# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.35 2004/04/02 16:11:00 randy Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.36 2004/05/09 06:32:23 solar Exp $
+
+ 09 May 2004; <solar@gentoo.org> files/libpng-1.0.15-gentoo.diff,
+ files/libpng-1.2.5-gentoo.diff:
+ The library provides 2 calls png_chunk_error and png_chunk_warning for default
+ error and warning messages handling. Inside the code a fixed size buffer is
+ used and 64 bytes are used to store the caller supplied message. But there are
+ no bounds checking and this limitation is not documented. Programs linked
+ against libpng may crash or even execute arbitrary code if the caller message
+ is dependent on external inputs. Bugzilla bug #49887
02 Apr 2004; <randy@gentoo.org> libpng-1.2.5-r4.ebuild:
adding s390 keywords
diff --git a/media-libs/libpng/Manifest b/media-libs/libpng/Manifest
index a83fe2e94ebc..e0f0c5c6aa6d 100644
--- a/media-libs/libpng/Manifest
+++ b/media-libs/libpng/Manifest
@@ -1,3 +1,10 @@
+MD5 369f6fe9ea3ee2de1f8f5f337cda4f85 ChangeLog 6741
+MD5 715d8c5f921a8315141902b4ae0e4f2d libpng-1.0.12-r2.ebuild 958
+MD5 a7e44158011831ead567a1478a9cdd09 libpng-1.0.15-r1.ebuild 1858
+MD5 dd70c9bd9d3707ce120546479724d61b libpng-1.0.15.ebuild 1797
+MD5 9d278512fe1660d14db5cbdea5e1f8d2 libpng-1.2.5-r2.ebuild 1340
+MD5 a9610e1bdfe6644ac07e41277b41ad76 libpng-1.2.5-r3.ebuild 1340
+MD5 08786c08e2bf51b01e5bd0b19061546a libpng-1.2.5-r4.ebuild 1313
MD5 43ce91760c00b690a06ebfa09ef68938 files/digest-libpng-1.0.12-r2 66
MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15 66
MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15-r1 66
@@ -5,14 +12,7 @@ MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r2 65
MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r3 65
MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r4 65
MD5 eee5672e220f4356c2649991b913d82d files/libpng-1.0.12-gentoo.diff 2732
-MD5 134f203cd0443e87ace23962abb74e8e files/libpng-1.0.15-gentoo.diff 1926
-MD5 cd28c9269522d40fc8fb8674ae6ca460 files/libpng-1.2.5-gentoo.diff 1657
+MD5 41148c3ecb7b1ff7b2e1e57f4663db1a files/libpng-1.0.15-gentoo.diff 2413
+MD5 b178287f568a5b244249546276d44d9a files/libpng-1.2.5-gentoo.diff 2145
MD5 f7540df1d3b40b59b17a3caf1216079f files/libpng-update-bins.sh 836
MD5 9be0a40434a7fed964059730ccd09027 files/libpng-update-libs.sh 857
-MD5 aea71e9b1a67a7694353a48e1d477d33 ChangeLog 6188
-MD5 715d8c5f921a8315141902b4ae0e4f2d libpng-1.0.12-r2.ebuild 958
-MD5 a7e44158011831ead567a1478a9cdd09 libpng-1.0.15-r1.ebuild 1858
-MD5 dd70c9bd9d3707ce120546479724d61b libpng-1.0.15.ebuild 1797
-MD5 9d278512fe1660d14db5cbdea5e1f8d2 libpng-1.2.5-r2.ebuild 1340
-MD5 a9610e1bdfe6644ac07e41277b41ad76 libpng-1.2.5-r3.ebuild 1340
-MD5 08786c08e2bf51b01e5bd0b19061546a libpng-1.2.5-r4.ebuild 1313
diff --git a/media-libs/libpng/files/libpng-1.0.15-gentoo.diff b/media-libs/libpng/files/libpng-1.0.15-gentoo.diff
index 60604a458a5e..5a375bfeabc3 100644
--- a/media-libs/libpng/files/libpng-1.0.15-gentoo.diff
+++ b/media-libs/libpng/files/libpng-1.0.15-gentoo.diff
@@ -42,3 +42,19 @@ diff -urN libpng-1.0.15-old/pngrtran.c libpng-1.0.15/pngrtran.c
for (i = 0; i < row_width; i++)
{
*(--dp) = *(--sp);
+--- libpng-1.0.15-old/pngerror.c 2002-10-03 05:32:27.000000000 -0600
++++ libpng-1.0.15/pngerror.c 2004-04-29 09:26:18.000000000 -0600
+@@ -135,10 +135,12 @@
+ buffer[iout] = 0;
+ else
+ {
++ png_size_t len = strnlen(error_message, 63);
++
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+- png_memcpy(buffer+iout, error_message, 64);
+- buffer[iout+63] = 0;
++ png_memcpy(buffer+iout, error_message, len);
++ buffer[iout+len] = 0;
+ }
+ }
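Review bot: `strnlen` in the added pngerror.c lines is not an ISO C function, and it is the only direct libc call in a block that otherwise goes through the `png_memcpy` wrapper. On a toolchain whose headers do not declare it, the patched file may compile against an implicit declaration or fail to link. A portable equivalent is `png_size_t len = 0; while (len < 63 && error_message[len] != '\0') len++;`. The new bound stops the copy from always reading 64 bytes out of a possibly shorter message, but whether the write at `buffer[iout+len]` stays in bounds still depends on the declared size of `buffer` and the largest value `iout` can reach before the `": "` is appended; both are outside this hunk, so confirm the buffer holds the maximum prefix plus 2 plus 64 bytes. The same lines are added to files/libpng-1.2.5-gentoo.diff and the same points apply there; the enclosing function starts and ends outside both hunks.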
diff --git a/media-libs/libpng/files/libpng-1.2.5-gentoo.diff b/media-libs/libpng/files/libpng-1.2.5-gentoo.diff
index 755cd8a79fa6..4fee583ccd04 100644
--- a/media-libs/libpng/files/libpng-1.2.5-gentoo.diff
+++ b/media-libs/libpng/files/libpng-1.2.5-gentoo.diff
@@ -40,3 +40,19 @@
for (i = 0; i < row_width; i++)
{
*(--dp) = *(--sp);
+--- libpng3-1.2.5.orig/pngerror.c 2002-10-03 05:32:27.000000000 -0600
++++ libpng3-1.2.5/pngerror.c 2004-04-29 09:26:18.000000000 -0600
+@@ -135,10 +135,12 @@
+ buffer[iout] = 0;
+ else
+ {
++ png_size_t len = strnlen(error_message, 63);
++
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+- png_memcpy(buffer+iout, error_message, 64);
+- buffer[iout+63] = 0;
++ png_memcpy(buffer+iout, error_message, len);
++ buffer[iout+len] = 0;
+ }
+ }