Security bump for bug #59424.

author: Tim Yamin <plasmaroo@gentoo.org> 2004-08-05 10:02:19 +0000
committer: Tim Yamin <plasmaroo@gentoo.org> 2004-08-05 10:02:19 +0000
commit: b854481c8fcbaab5f7a8d4c698ad673b3239da15 (patch)
tree: 2c5486e814ec96018b9c76dfd8d3e5308b311a2a /media-libs/libpng
parent: added local USE flag cross because bzip2 will to run itself after it has comp... (diff)
download: historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.tar.gz
historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.tar.bz2
historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.zip
5 files changed, 348 insertions, 5 deletions
diff --git a/media-libs/libpng/ChangeLog b/media-libs/libpng/ChangeLog
index 9c5612e013ed..4a3274426771 100644
--- a/media-libs/libpng/ChangeLog
+++ b/media-libs/libpng/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for media-libs/libpng
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.42 2004/07/07 14:37:03 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.43 2004/08/05 10:02:19 plasmaroo Exp $
+
+*libpng-1.2.5-r8 (05 Aug 2004)
+
+  05 Aug 2004; <plasmaroo@gentoo.org> +libpng-1.2.5-r8.ebuild,
+  +files/libpng-1.2.5-security.diff:
+  Security bump for bug #59424.
 
 *libpng-1.2.5-r7 (07 Jul 2004)
 
diff --git a/media-libs/libpng/Manifest b/media-libs/libpng/Manifest
index 46de76c331fe..9f27f90be940 100644
--- a/media-libs/libpng/Manifest
+++ b/media-libs/libpng/Manifest
@@ -1,8 +1,11 @@
-MD5 e66ae1d0c3cd402badd8e16ae2f1e5e0 ChangeLog 7912
-MD5 d1beee5aaa5daf6100554a7afee08ed9 libpng-1.2.5-r7.ebuild 1813
+MD5 07e5f3118c5c8fce92cbdb2d284f23c2 ChangeLog 8080
 MD5 c3f6e4decd490e5d6e65ab197228ec66 libpng-1.0.15-r2.ebuild 1845
+MD5 bbc69af4c7bb4f0924abf23a6c977b21 libpng-1.2.5-r8.ebuild 1792
+MD5 d1beee5aaa5daf6100554a7afee08ed9 libpng-1.2.5-r7.ebuild 1813
 MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r7 65
-MD5 7443cfcd027ad293e56ec7bed76ee21c files/macos.patch 589
+MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r8 65
+MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15-r2 66
 MD5 41148c3ecb7b1ff7b2e1e57f4663db1a files/libpng-1.0.15-gentoo.diff 2413
+MD5 d1cb64b64c0652863c89a3eb1f7c5f66 files/libpng-1.2.5-security.diff 10114
 MD5 b664d38f024a7b21f299727e4aa76d2e files/libpng-1.2.5-gentoo.diff 3470
-MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15-r2 66
+MD5 7443cfcd027ad293e56ec7bed76ee21c files/macos.patch 589
diff --git a/media-libs/libpng/files/digest-libpng-1.2.5-r8 b/media-libs/libpng/files/digest-libpng-1.2.5-r8
new file mode 100644
index 000000000000..794c1d47d26f
--- /dev/null
+++ b/media-libs/libpng/files/digest-libpng-1.2.5-r8
@@ -0,0 +1 @@
+MD5 3fc28af730f12ace49b14568de4ad934 libpng-1.2.5.tar.bz2 378030
diff --git a/media-libs/libpng/files/libpng-1.2.5-security.diff b/media-libs/libpng/files/libpng-1.2.5-security.diff
new file mode 100644
index 000000000000..3cc329bc8cfa
--- /dev/null
+++ b/media-libs/libpng/files/libpng-1.2.5-security.diff
@@ -0,0 +1,269 @@
+diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5p/png.h
+--- libpng-1.2.5/png.h	Thu Oct  3 06:32:26 2002
++++ libpng-1.2.5p/png.h	Tue Aug  3 21:45:21 2004
+@@ -833,7 +833,11 @@
+ typedef png_info FAR * FAR * png_infopp;
+ 
+ /* Maximum positive integer used in PNG is (2^31)-1 */
+-#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
++#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
++#define PNG_UINT_32_MAX (~((png_uint_32)0))
++#define PNG_SIZE_MAX (~((png_size_t)0))
++/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
++#define PNG_MAX_UINT PNG_UINT_31_MAX
+ 
+ /* These describe the color_type field in png_info. */
+ /* color type masks */
+@@ -2655,6 +2659,8 @@
+ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
+ PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
+ #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
++PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
++  png_bytep buf));
+ 
+ /* Initialize png_ptr struct for reading, and allocate any other memory.
+  * (old interface - DEPRECATED - use png_create_read_struct instead).
+diff -r -U 3 libpng-1.2.5/pngconf.h libpng-1.2.5p/pngconf.h
+--- libpng-1.2.5/pngconf.h	Thu Oct  3 06:32:27 2002
++++ libpng-1.2.5p/pngconf.h	Tue Aug  3 21:45:29 2004
+@@ -663,6 +663,13 @@
+ #endif
+ #endif /* PNG_1_0_X */
+ 
++#ifndef PNG_USER_WIDTH_MAX
++#  define PNG_USER_WIDTH_MAX 1000000L
++#endif
++#ifndef PNG_USER_HEIGHT_MAX
++#  define PNG_USER_HEIGHT_MAX 1000000L
++#endif
++
+ /* These are currently experimental features, define them if you want */
+ 
+ /* very little testing */
+@@ -1280,6 +1287,7 @@
+ #  define CVT_PTR(ptr) (png_far_to_near(png_ptr,ptr,CHECK))
+ #  define CVT_PTR_NOCHECK(ptr) (png_far_to_near(png_ptr,ptr,NOCHECK))
+ #  define png_strcpy _fstrcpy
++#  define png_strncpy _fstrncpy    /* Added to v 1.2.6 */
+ #  define png_strlen _fstrlen
+ #  define png_memcmp _fmemcmp      /* SJT: added */
+ #  define png_memcpy _fmemcpy
+@@ -1288,6 +1296,7 @@
+ #  define CVT_PTR(ptr)         (ptr)
+ #  define CVT_PTR_NOCHECK(ptr) (ptr)
+ #  define png_strcpy strcpy
++#  define png_strncpy strncpy   /* Added to v 1.2.6 */
+ #  define png_strlen strlen
+ #  define png_memcmp memcmp     /* SJT: added */
+ #  define png_memcpy memcpy
+diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5p/pngpread.c
+--- libpng-1.2.5/pngpread.c	Thu Oct  3 06:32:28 2002
++++ libpng-1.2.5p/pngpread.c	Tue Aug  3 21:45:22 2004
+@@ -208,7 +208,7 @@
+       }
+ 
+       png_push_fill_buffer(png_ptr, chunk_length, 4);
+-      png_ptr->push_length = png_get_uint_32(chunk_length);
++      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+       png_reset_crc(png_ptr);
+       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
+@@ -591,6 +591,11 @@
+       png_size_t new_max;
+       png_bytep old_buffer;
+ 
++      if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 
++         (png_ptr->current_buffer_size + 256))
++      {
++        png_error(png_ptr, "Potential overflow of save_buffer");
++      }
+       new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
+       old_buffer = png_ptr->save_buffer;
+       png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
+@@ -637,8 +642,7 @@
+       }
+ 
+       png_push_fill_buffer(png_ptr, chunk_length, 4);
+-      png_ptr->push_length = png_get_uint_32(chunk_length);
+-
++      png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+       png_reset_crc(png_ptr);
+       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
+diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5p/pngread.c
+--- libpng-1.2.5/pngread.c	Thu Oct  3 06:32:29 2002
++++ libpng-1.2.5p/pngread.c	Tue Aug  3 21:45:22 2004
+@@ -384,7 +384,7 @@
+       png_uint_32 length;
+ 
+       png_read_data(png_ptr, chunk_length, 4);
+-      length = png_get_uint_32(chunk_length);
++      length = png_get_uint_31(png_ptr,chunk_length);
+ 
+       png_reset_crc(png_ptr);
+       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+@@ -392,9 +392,6 @@
+       png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
+          length);
+ 
+-      if (length > PNG_MAX_UINT)
+-         png_error(png_ptr, "Invalid chunk length.");
+-
+       /* This should be a binary subdivision search or a hash for
+        * matching the chunk name rather than a linear search.
+        */
+@@ -673,10 +670,7 @@
+             png_crc_finish(png_ptr, 0);
+ 
+             png_read_data(png_ptr, chunk_length, 4);
+-            png_ptr->idat_size = png_get_uint_32(chunk_length);
+-
+-            if (png_ptr->idat_size > PNG_MAX_UINT)
+-              png_error(png_ptr, "Invalid chunk length.");
++            png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
+ 
+             png_reset_crc(png_ptr);
+             png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+@@ -946,16 +940,13 @@
+ #endif /* PNG_GLOBAL_ARRAYS */
+ 
+       png_read_data(png_ptr, chunk_length, 4);
+-      length = png_get_uint_32(chunk_length);
++      length = png_get_uint_31(png_ptr,chunk_length);
+ 
+       png_reset_crc(png_ptr);
+       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+ 
+       png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
+ 
+-      if (length > PNG_MAX_UINT)
+-         png_error(png_ptr, "Invalid chunk length.");
+-
+       if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
+          png_handle_IHDR(png_ptr, info_ptr, length);
+       else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4))
+@@ -1298,6 +1289,9 @@
+     * PNG file before the first IDAT (image data chunk).
+     */
+    png_read_info(png_ptr, info_ptr);
++
++   if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
++      png_error(png_ptr,"Image is too high to process with png_read_png()");
+ 
+    /* -------------- image transformations start here ------------------- */
+ 
+diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5p/pngrutil.c
+--- libpng-1.2.5/pngrutil.c	Thu Oct  3 06:32:30 2002
++++ libpng-1.2.5p/pngrutil.c	Tue Aug  3 21:45:22 2004
+@@ -38,6 +38,14 @@
+ #  endif
+ #endif
+ 
++png_uint_32 /* PRIVATE */
++png_get_uint_31(png_structp png_ptr, png_bytep buf)
++{
++   png_uint_32 i = png_get_uint_32(buf);
++   if (i > PNG_UINT_31_MAX)
++     png_error(png_ptr, "PNG unsigned integer out of range.\n");
++   return (i);
++}
+ #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
+ /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
+ png_uint_32 /* PRIVATE */
+@@ -579,7 +587,7 @@
+       /* Should be an error, but we can cope with it */
+       png_warning(png_ptr, "Out of place gAMA chunk");
+ 
+-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
++   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
+ #if defined(PNG_READ_sRGB_SUPPORTED)
+       && !(info_ptr->valid & PNG_INFO_sRGB)
+ #endif
+@@ -660,7 +668,7 @@
+       /* Should be an error, but we can cope with it */
+       png_warning(png_ptr, "Out of place sBIT chunk");
+    }
+-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
++   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
+    {
+       png_warning(png_ptr, "Duplicate sBIT chunk");
+       png_crc_finish(png_ptr, length);
+@@ -729,7 +737,7 @@
+       /* Should be an error, but we can cope with it */
+       png_warning(png_ptr, "Missing PLTE before cHRM");
+ 
+-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
++   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
+ #if defined(PNG_READ_sRGB_SUPPORTED)
+       && !(info_ptr->valid & PNG_INFO_sRGB)
+ #endif
+@@ -891,7 +899,7 @@
+       /* Should be an error, but we can cope with it */
+       png_warning(png_ptr, "Out of place sRGB chunk");
+ 
+-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
++   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
+    {
+       png_warning(png_ptr, "Duplicate sRGB chunk");
+       png_crc_finish(png_ptr, length);
+@@ -977,8 +985,7 @@
+    png_bytep pC;
+    png_charp profile;
+    png_uint_32 skip = 0;
+-   png_uint_32 profile_size = 0;
+-   png_uint_32 profile_length = 0;
++   png_uint_32 profile_size, profile_length;
+    png_size_t slength, prefix_length, data_length;
+ 
+    png_debug(1, "in png_handle_iCCP\n");
+@@ -995,7 +1002,7 @@
+       /* Should be an error, but we can cope with it */
+       png_warning(png_ptr, "Out of place iCCP chunk");
+ 
+-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
++   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+    {
+       png_warning(png_ptr, "Duplicate iCCP chunk");
+       png_crc_finish(png_ptr, length);
+@@ -1154,8 +1161,18 @@
+    }
+ 
+    new_palette.nentries = data_length / entry_size;
+-   new_palette.entries = (png_sPLT_entryp)png_malloc(
++   if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
++   {
++       png_warning(png_ptr, "sPLT chunk too long");
++       return;
++   }
++   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
+        png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
++   if (new_palette.entries == NULL)
++   {
++       png_warning(png_ptr, "sPLT chunk requires too much memory");
++       return;
++   }
+ 
+ #ifndef PNG_NO_POINTER_INDEXING
+    for (i = 0; i < new_palette.nentries; i++)
+@@ -1241,7 +1258,8 @@
+          /* Should be an error, but we can cope with it */
+          png_warning(png_ptr, "Missing PLTE before tRNS");
+       }
+-      else if (length > (png_uint_32)png_ptr->num_palette)
++      if (length > (png_uint_32)png_ptr->num_palette ||
++          length > PNG_MAX_PALETTE_LENGTH)
+       {
+          png_warning(png_ptr, "Incorrect tRNS chunk length");
+          png_crc_finish(png_ptr, length);
+diff -r -U 3 libpng-1.2.5/pngset.c libpng-1.2.5p/pngset.c
+--- libpng-1.2.5/pngset.c	Thu Oct  3 06:32:30 2002
++++ libpng-1.2.5p/pngset.c	Tue Aug  3 21:45:29 2004
+@@ -253,6 +253,8 @@
+       png_error(png_ptr, "Image width or height is zero in IHDR");
+    if (width > PNG_MAX_UINT || height > PNG_MAX_UINT)
+       png_error(png_ptr, "Invalid image size in IHDR");
++   if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
++      png_error(png_ptr, "image size exceeds user limits in IHDR");
+ 
+    /* check other values */
+    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
diff --git a/media-libs/libpng/libpng-1.2.5-r8.ebuild b/media-libs/libpng/libpng-1.2.5-r8.ebuild
new file mode 100644
index 000000000000..0b726de920c2
--- /dev/null
+++ b/media-libs/libpng/libpng-1.2.5-r8.ebuild
@@ -0,0 +1,64 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/libpng-1.2.5-r8.ebuild,v 1.1 2004/08/05 10:02:19 plasmaroo Exp $
+
+inherit flag-o-matic eutils gcc
+
+DESCRIPTION="Portable Network Graphics library"
+HOMEPAGE="http://www.libpng.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="as-is"
+SLOT="1.2"
+KEYWORDS="x86"
+IUSE=""
+
+DEPEND="sys-libs/zlib"
+
+src_unpack() {
+	unpack ${A}
+	cd ${S}
+
+	epatch ${FILESDIR}/${P}-gentoo.diff
+	epatch ${FILESDIR}/${P}-security.diff
+	use macos && epatch ${FILESDIR}/macos.patch # implements strnlen
+
+	[ "`gcc-version`" == "3.2" ] && replace-cpu-flags i586 k6 k6-2 k6-3
+	[ "`gcc-version`" == "3.3" ] && replace-cpu-flags i586 k6 k6-2 k6-3
+
+	sed \
+		-e "s:ZLIBLIB=.*:ZLIBLIB=/usr/lib:" \
+		-e "s:ZLIBINC=.*:ZLIBINC=/usr/include:" \
+		-e "s:-O3:${CFLAGS}:" \
+		-e "s:prefix=/usr/local:prefix=/usr:" \
+		-e "s:OBJSDLL = :OBJSDLL = -lz -lm :" \
+		scripts/makefile.linux > Makefile
+
+	if use macos; then
+		einfo "Patching the source for Mac OS X / Darwin compatibility"
+		sed \
+			-e "s:ZLIBLIB=.*:ZLIBLIB=/usr/lib:" \
+			-e "s:ZLIBINC=.*:ZLIBINC=/usr/include:" \
+			-e "s:-O3:${CFLAGS}:" \
+			-e "s:prefix=/usr/local:prefix=/usr:" \
+			scripts/makefile.darwin > Makefile
+	fi
+}
+
+src_compile() {
+	emake CC="$(gcc-getCC)" CXX="$(gcc-getCXX)" || die "Make failed"
+}
+
+src_install() {
+	dodir /usr/{include,lib}
+	dodir /usr/share/man
+	einstall MANPATH=${D}/usr/share/man || die "Failed to install"
+
+	doman libpng.3 libpngpf.3 png.5
+	dodoc ANNOUNCE CHANGES KNOWNBUG README TODO Y2KINFO
+}
+
+pkg_postinst() {
+	# the libpng authors really screwed around between 1.2.1 and 1.2.3
+	[ -f ${ROOT}/usr/lib/libpng.so.3.1.2.1 ] && rm ${ROOT}/usr/lib/libpng.so.3.1.2.1
+}
author	Tim Yamin <plasmaroo@gentoo.org>	2004-08-05 10:02:19 +0000
committer	Tim Yamin <plasmaroo@gentoo.org>	2004-08-05 10:02:19 +0000
commit	b854481c8fcbaab5f7a8d4c698ad673b3239da15 (patch)
tree	2c5486e814ec96018b9c76dfd8d3e5308b311a2a /media-libs/libpng
parent	added local USE flag cross because bzip2 will to run itself after it has comp... (diff)
download	historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.tar.gz historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.tar.bz2 historical-b854481c8fcbaab5f7a8d4c698ad673b3239da15.zip