head 1.15; access; symbols OPENPKG_E1_MP_HEAD:1.15 OPENPKG_E1_MP:1.15 OPENPKG_E1_MP_2_STABLE:1.15 OPENPKG_E1_FP:1.15 OPENPKG_2_STABLE_MP:1.15 OPENPKG_2_STABLE_20061018:1.15 OPENPKG_2_STABLE_20060622:1.15 OPENPKG_2_STABLE:1.15.0.2 OPENPKG_2_STABLE_BP:1.15 OPENPKG_2_5_RELEASE:1.14 OPENPKG_2_5_SOLID:1.14.0.2 OPENPKG_2_5_SOLID_BP:1.14 OPENPKG_2_4_RELEASE:1.11 OPENPKG_2_4_SOLID:1.11.0.2 OPENPKG_2_4_SOLID_BP:1.11 OPENPKG_CW_FP:1.10 OPENPKG_2_3_RELEASE:1.10 OPENPKG_2_3_SOLID:1.10.0.2 OPENPKG_2_3_SOLID_BP:1.10 OPENPKG_2_2_RELEASE:1.9 OPENPKG_2_2_SOLID:1.9.0.2 OPENPKG_2_2_SOLID_BP:1.9 OPENPKG_2_1_RELEASE:1.6 OPENPKG_2_1_SOLID:1.6.0.2 OPENPKG_2_1_SOLID_BP:1.6 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.2 OPENPKG_2_0_SOLID_BP:1.1; locks; strict; comment @# @; 1.15 date 2006.03.15.21.06.50; author rse; state Exp; branches; next 1.14; commitid KkLjLOV76Rqt0kpr; 1.14 date 2005.09.27.11.51.49; author thl; state Exp; branches; next 1.13; 1.13 date 2005.07.28.06.36.51; author rse; state Exp; branches; next 1.12; 1.12 date 2005.07.07.09.35.51; author rse; state Exp; branches; next 1.11; 1.11 date 2005.05.03.13.25.54; author ms; state Exp; branches 1.11.2.1; next 1.10; 1.10 date 2005.02.01.09.15.37; author ms; state Exp; branches 1.10.2.1; next 1.9; 1.9 date 2004.08.20.18.08.50; author ms; state Exp; branches; next 1.8; 1.8 date 2004.08.11.15.06.37; author ms; state Exp; branches; next 1.7; 1.7 date 2004.08.04.14.01.55; author thl; state Exp; branches; next 1.6; 1.6 date 2004.07.02.08.01.19; author tho; state Exp; branches 1.6.2.1; next 1.5; 1.5 date 2004.04.29.15.06.58; author thl; state Exp; branches; next 1.4; 1.4 date 2004.04.28.15.41.03; author ms; state Exp; branches; next 1.3; 1.3 date 2004.04.10.10.13.59; author rse; state Exp; branches; next 1.2; 1.2 date 2004.03.03.13.39.04; author ms; state Exp; branches; next 1.1; 1.1 date 2003.11.20.12.07.44; author ms; state Exp; branches 1.1.2.1; next ; 1.11.2.1 date 2005.07.07.09.37.18; author rse; state Exp; branches; next 
1.11.2.2; 1.11.2.2 date 2005.07.28.06.38.02; author rse; state Exp; branches; next ; 1.10.2.1 date 2005.07.07.09.39.06; author rse; state Exp; branches; next 1.10.2.2; 1.10.2.2 date 2005.07.28.06.40.23; author rse; state Exp; branches; next ; 1.6.2.1 date 2004.08.04.14.03.00; author thl; state Exp; branches; next ; 1.1.2.1 date 2004.04.29.16.17.52; author thl; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2004.07.06.13.33.25; author tho; state Exp; branches; next 1.1.2.3; 1.1.2.3 date 2004.08.04.14.05.40; author thl; state Exp; branches; next ; desc @@ 1.15 log @upgrading package: qt 3.3.5 -> 3.3.6 @ text @Index: config.tests/x11/xfreetype.test --- config.tests/x11/xfreetype.test.orig 2004-08-09 22:16:57 +0200 +++ config.tests/x11/xfreetype.test 2006-03-15 21:01:02 +0100 @@@@ -56,7 +56,7 @@@@ XFT=no [ "$VERBOSE" = "yes" ] && echo " Could not find Xft lib anywhere in $LIBDIRS" fi -LIBXFT="-l$F -lfreetype" +LIBXFT="-l$F -lfontconfig -lexpat -lfreetype" # check for X11/Xft/Xft.h XFT_H= @@@@ -90,7 +90,7 @@@@ [ "$VERBOSE" = "yes" ] && echo " Found Xft version $XFT_MAJOR.$XFT_MINOR.$XFT_REVISION" if [ "$XFT_MAJOR" = "2" ]; then XFT2=yes - LIBXFT="$LIBXFT -lfontconfig" + LIBXFT="$LIBXFT" fi fi Index: configure --- configure.orig 2006-03-08 13:11:24 +0100 +++ configure 2006-03-15 21:01:02 +0100 @@@@ -1788,21 +1788,6 @@@@ CFG_FREETYPE=yes fi fi - # add freetype2 include path - if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.inc ];then - QMAKE_VARS="$QMAKE_VARS \"INCLUDEPATH+=`cat $outpath/config.tests/x11/xft.inc`\"" - fi - rm -f $outpath/config.tests/x11/xft.inc - # add Xft specific libraries - if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.lib ]; then - QMAKE_VARS="$QMAKE_VARS \"QMAKE_LIBS_X11=`cat $outpath/config.tests/x11/xft.lib` \$\$QMAKE_LIBS_X11\"" - fi - rm -f $outpath/config.tests/x11/xft.lib - # add Xft specific config options - if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.cfg ]; then - 
QMAKE_CONFIG="$QMAKE_CONFIG `cat $outpath/config.tests/x11/xft.cfg`" - fi - rm -f $outpath/config.tests/x11/xft.cfg # auto-detect Session Management support if [ "$CFG_SM" = "auto" ]; then if $x11tests/sm.test $XQMAKESPEC $OPT_VERBOSE $L_FLAGS $I_FLAGS; then @@@@ -2981,6 +2966,21 @@@@ if [ "$CFG_XKB" = "yes" ]; then QMAKE_CONFIG="$QMAKE_CONFIG xkb" fi + # add freetype2 include path + if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.inc ];then + QMAKE_VARS="$QMAKE_VARS \"INCLUDEPATH+=`cat $outpath/config.tests/x11/xft.inc`\"" + fi + rm -f $outpath/config.tests/x11/xft.inc + # add Xft specific libraries + if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.lib ]; then + QMAKE_VARS="$QMAKE_VARS \"QMAKE_LIBS_X11=`cat $outpath/config.tests/x11/xft.lib` \$\$QMAKE_LIBS_X11\"" + fi + rm -f $outpath/config.tests/x11/xft.lib + # add Xft specific config options + if [ "$CFG_FREETYPE" = "yes" ] && [ -f $outpath/config.tests/x11/xft.cfg ]; then + QMAKE_CONFIG="$QMAKE_CONFIG `cat $outpath/config.tests/x11/xft.cfg`" + fi + rm -f $outpath/config.tests/x11/xft.cfg elif [ "$PLATFORM_MAC" = "yes" ]; then if [ "$CFG_TABLET" = "yes" ]; then QMAKE_CONFIG="$QMAKE_CONFIG tablet" Index: src/3rdparty/libpng/png.h --- src/3rdparty/libpng/png.h.orig 2004-09-03 20:17:23 +0200 +++ src/3rdparty/libpng/png.h 2006-03-15 21:01:02 +0100 @@@@ -839,6 +839,9 @@@@ /* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ #define PNG_MAX_UINT PNG_UINT_31_MAX +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 Index: src/3rdparty/libpng/pngconf.h --- src/3rdparty/libpng/pngconf.h.orig 2004-09-03 20:37:07 +0200 +++ src/3rdparty/libpng/pngconf.h 2006-03-15 21:01:02 +0100 @@@@ -251,10 +251,6 @@@@ # define PNG_SAVE_BSD_SOURCE # undef _BSD_SOURCE # endif -# ifdef _SETJMP_H - __png.h__ already includes setjmp.h; - __dont__ include it again.; -# endif # endif /* __linux__ */ /* include setjmp.h for error handling */ Index: src/3rdparty/libpng/pngerror.c --- src/3rdparty/libpng/pngerror.c.orig 2004-09-03 20:06:36 +0200 +++ src/3rdparty/libpng/pngerror.c 2006-03-15 21:01:02 +0100 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_strncpy(buffer+iout, error_message, 63); - buffer[iout+63] = 0; + png_strncpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-09-03 20:34:00 +0200 +++ src/3rdparty/libpng/pngrutil.c 2006-03-15 21:01:03 +0100 @@@@ -355,7 +355,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -680,7 +684,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1415,7 +1419,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1441,8 +1445,8 @@@@ return; } - num = (int)length / 2 ; - if (num != 
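Review bot: In the pngerror.c hunk the clamp folds the assignment into the condition, `if ((len = png_strlen(error_message)) > 63)`, and repeats the bare 63 that the original line already hard-coded, so the bound and its relation to buffer's size stay implicit. Split it into `png_size_t len = png_strlen(error_message); if (len > 63) len = 63;` and give 63 a name tied to the buffer's declaration, which is not visible in this hunk and should be checked to have room for iout + 64 bytes. The terminator store `buffer[iout+len] = 0` is what makes the png_strncpy safe, so a comment such as `/* png_strncpy does not terminate; len <= 63 keeps this store inside buffer */` belongs on that line. The enclosing function starts and ends outside the hunk.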
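Review bot: The `|| length > 4` backstop added to the sBIT check in the pngrutil.c @@ -680 hunk is unexplained; truelen is derived from png_ptr->channels on the context line just above, so the extra bound only does work when channels itself is out of range, and a reader will otherwise take it for a redundant test. Add `/* sBIT is at most one byte per channel; bound length without trusting channels */` above the condition. What the bound ultimately protects (presumably the per-channel reads after this check) lies outside the hunk, so confirm the comment against that code.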
png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2883,6 +2887,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.14 log @make sure fontconfig dependency libiconv is found @ text @d1 21 d23 3 a25 4 diff -Nau configure.orig configure --- configure.orig 2004-06-14 11:18:55 +0200 +++ configure 2004-08-11 16:13:39 +0200 @@@@ -1783,21 +1783,6 @@@@ d47 1 a47 1 @@@@ -2927,6 +2912,21 @@@@ d69 6 a74 21 Index: config.test/x11/xfreetype.test diff -Nau config.tests/x11/xfreetype.test.orig config.tests/x11/xfreetype.test --- config.tests/x11/xfreetype.test.orig 2003-12-08 10:04:06 +0100 +++ config.tests/x11/xfreetype.test 2004-08-11 16:14:43 +0200 @@@@ -56,7 +56,7 @@@@ XFT=no [ "$VERBOSE" = "yes" ] && echo " Could not find Xft lib anywhere in $LIBDIRS" fi -LIBXFT="-l$F -lfreetype" +LIBXFT="-l$F -lfontconfig -lexpat -lfreetype" # check for X11/Xft/Xft.h XFT_H= @@@@ -90,7 +90,7 @@@@ [ "$VERBOSE" = "yes" ] && echo " Found Xft version $XFT_MAJOR.$XFT_MINOR.$XFT_REVISION" if [ "$XFT_MAJOR" = "2" ]; then XFT2=yes - LIBXFT="$LIBXFT -lfontconfig" + LIBXFT="$LIBXFT" fi fi d76 6 d83 2 a84 3 diff -Nau src/3rdparty/libpng/pngconf.h.orig src/3rdparty/libpng/pngconf.h --- src/3rdparty/libpng/pngconf.h.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/pngconf.h 2004-08-11 16:18:06 +0200 d97 2 a98 3 diff -Nau src/3rdparty/libpng/pngerror.c.orig src/3rdparty/libpng/pngerror.c --- src/3rdparty/libpng/pngerror.c.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/pngerror.c 2004-08-11 16:19:27 +0200 a114 37 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > 
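Review bot: In the hIST @@ -1441 hunk `num = length / 2 ;` silently accepts an odd chunk length, treating 2n+1 bytes as n entries; the rewritten condition should reject that too, `if ((length & 1) || num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)`. The `num > PNG_MAX_PALETTE_LENGTH` term is what keeps later writes within `readbuf[PNG_MAX_PALETTE_LENGTH]` declared in the @@ -1415 hunk, and deserves a comment, `/* readbuf holds PNG_MAX_PALETTE_LENGTH entries; do not rely on num_palette alone */`. The type of png_ptr->num_palette is not visible here; with `num` now `unsigned int` (the @@ -1415 change), a signed num_palette would compare as a large unsigned value if negative, so confirm it is an unsigned type. png_handle_hIST continues past the end of the hunk.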
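Review bot: The new idat_size check in the pngrutil.c @@ -2883 hunk compares against PNG_MAX_UINT, which the png.h hunk of this same patch documents as deprecated ("PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead"); write the new line as `if (png_ptr->idat_size > PNG_UINT_31_MAX)`. If this libpng already provides png_get_uint_31 (earlier revisions of this patch in this file added it next to PNG_UINT_31_MAX, and the png.h context suggests those definitions are now upstream), the read and the check collapse to `png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length);`, as the older pngread.c hunks in this file's history do. The message `"Invalid chunk length."` also carries a trailing period unlike the other messages this patch adds (`"Width is too large"`), so drop it for consistency. The enclosing function continues beyond the hunk.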
[Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities Index: src/3rdparty/libpng/png.h diff -Nau src/3rdparty/libpng/png.h.orig src/3rdparty/libpng/png.h --- src/3rdparty/libpng/png.h.orig 2004-08-11 16:31:06 +0200 +++ src/3rdparty/libpng/png.h 2004-08-11 16:44:14 +0200 @@@@ -839,6 +839,9 @@@@ /* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ #define PNG_MAX_UINT PNG_UINT_31_MAX +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 d116 2 a117 3 diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-11 16:42:31 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:45:38 +0200 a168 151 Index: src/xml/qxml.cpp diff -Nau src/xml/qxml.cpp.orig src/xml/qxml.cpp --- src/xml/qxml.cpp.orig 2005-01-21 18:16:02.000000000 +0100 +++ src/xml/qxml.cpp 2005-05-03 14:48:42.080658900 +0200 @@@@ -5999,38 +5999,38 @@@@ */ bool QXmlSimpleReader::parseChoiceSeq() { - const signed char Init = 0; - const signed char Ws1 = 1; // eat whitespace - const signed char CS = 2; // choice or set - const signed char Ws2 = 3; // eat whitespace - const signed char More = 4; // more cp to read - const signed char Name = 5; // read name - const signed char Done = 6; // - - const signed char InpWs = 0; // S - const signed char InpOp = 1; // ( - const signed char InpCp = 2; // ) - const signed char InpQm = 3; // ? - const signed char InpAst = 4; // * - const signed char InpPlus = 5; // + - const signed char InpPipe = 6; // | - const signed char InpComm = 7; // , - const signed char InpUnknown = 8; + const signed char Qt_Init = 0; + const signed char Qt_Ws1 = 1; // eat whitespace + const signed char Qt_CS = 2; // choice or set + const signed char Qt_Ws2 = 3; // eat whitespace + const signed char Qt_More = 4; // more cp to read + const signed char Qt_Name = 5; // read name + const signed char Qt_Done = 6; // + + const signed char Qt_InpWs = 0; // S + const signed char Qt_InpOp = 1; // ( + const signed char Qt_InpCp = 2; // ) + const signed char Qt_InpQm = 3; // ? 
+ const signed char Qt_InpAst = 4; // * + const signed char Qt_InpPlus = 5; // + + const signed char Qt_InpPipe = 6; // | + const signed char Qt_InpComm = 7; // , + const signed char Qt_InpUnknown = 8; static const signed char table[6][9] = { /* InpWs InpOp InpCp InpQm InpAst InpPlus InpPipe InpComm InpUnknown */ - { -1, Ws1, -1, -1, -1, -1, -1, -1, Name }, // Init - { -1, CS, -1, -1, -1, -1, -1, -1, CS }, // Ws1 - { Ws2, -1, Done, Ws2, Ws2, Ws2, More, More, -1 }, // CS - { -1, -1, Done, -1, -1, -1, More, More, -1 }, // Ws2 - { -1, Ws1, -1, -1, -1, -1, -1, -1, Name }, // More (same as Init) - { Ws2, -1, Done, Ws2, Ws2, Ws2, More, More, -1 } // Name (same as CS) + { -1, Qt_Ws1, -1, -1, -1, -1, -1, -1, Qt_Name }, // Qt_Init + { -1, Qt_CS, -1, -1, -1, -1, -1, -1, Qt_CS }, // Qt_Ws1 + { Qt_Ws2, -1, Qt_Done, Qt_Ws2, Qt_Ws2, Qt_Ws2, Qt_More, Qt_More, -1 }, // Qt_CS + { -1, -1, Qt_Done, -1, -1, -1, Qt_More, Qt_More, -1 }, // Qt_Ws2 + { -1, Qt_Ws1, -1, -1, -1, -1, -1, -1, Qt_Name }, // More (same as Qt_Init) + { Qt_Ws2, -1, Qt_Done, Qt_Ws2, Qt_Ws2, Qt_Ws2, Qt_More, Qt_More, -1 } // Name (same as Qt_CS) }; signed char state; signed char input; if ( d->parseStack==0 || d->parseStack->isEmpty() ) { - state = Init; + state = Qt_Init; } else { state = d->parseStack->pop().state; #if defined(QT_QXML_DEBUG) @@@@ -6053,7 +6053,7 @@@@ for (;;) { switch ( state ) { - case Done: + case Qt_Done: return TRUE; case -1: // Error @@@@ -6066,59 +6066,59 @@@@ return FALSE; } if ( is_S(c) ) { - input = InpWs; + input = Qt_InpWs; } else if ( c.unicode() == '(' ) { - input = InpOp; + input = Qt_InpOp; } else if ( c.unicode() == ')' ) { - input = InpCp; + input = Qt_InpCp; } else if ( c.unicode() == '?' 
) { - input = InpQm; + input = Qt_InpQm; } else if ( c.unicode() == '*' ) { - input = InpAst; + input = Qt_InpAst; } else if ( c.unicode() == '+' ) { - input = InpPlus; + input = Qt_InpPlus; } else if ( c.unicode() == '|' ) { - input = InpPipe; + input = Qt_InpPipe; } else if ( c.unicode() == ',' ) { - input = InpComm; + input = Qt_InpComm; } else { - input = InpUnknown; + input = Qt_InpUnknown; } state = table[state][input]; switch ( state ) { - case Ws1: + case Qt_Ws1: if ( !next_eat_ws() ) { parseFailed( &QXmlSimpleReader::parseChoiceSeq, state ); return FALSE; } break; - case CS: + case Qt_CS: if ( !parseChoiceSeq() ) { parseFailed( &QXmlSimpleReader::parseChoiceSeq, state ); return FALSE; } break; - case Ws2: + case Qt_Ws2: if ( !next_eat_ws() ) { parseFailed( &QXmlSimpleReader::parseChoiceSeq, state ); return FALSE; } break; - case More: + case Qt_More: if ( !next_eat_ws() ) { parseFailed( &QXmlSimpleReader::parseChoiceSeq, state ); return FALSE; } break; - case Name: + case Qt_Name: d->parseName_useRef = FALSE; if ( !parseName() ) { parseFailed( &QXmlSimpleReader::parseChoiceSeq, state ); return FALSE; } break; - case Done: + case Qt_Done: next(); break; } @ 1.13 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @a348 32 Index: src/3rdparty/zlib/inftrees.c --- src/3rdparty/zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ src/3rdparty/zlib/inftrees.c 2005-07-07 11:33:34 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ Index: src/3rdparty/zlib/inftrees.h --- src/3rdparty/zlib/inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ src/3rdparty/zlib/inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. 
The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.12 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @d361 20 @ 1.11 log @rename conflicting identifiers in the global C++ namespace @ text @d349 12 @ 1.11.2.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a348 12 Index: src/3rdparty/zlib/inftrees.c --- src/3rdparty/zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ src/3rdparty/zlib/inftrees.c 2005-07-07 11:33:34 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.11.2.2 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @a360 20 Index: src/3rdparty/zlib/inftrees.h --- src/3rdparty/zlib/inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ src/3rdparty/zlib/inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. 
*/ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.10 log @upgrading package: qt 3.3.3 -> 3.3.4 @ text @d198 151 @ 1.10.2.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a197 12 Index: src/3rdparty/zlib/inftrees.c --- src/3rdparty/zlib/inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ src/3rdparty/zlib/inftrees.c 2005-07-07 11:33:34 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.10.2.2 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @a209 20 Index: src/3rdparty/zlib/inftrees.h --- src/3rdparty/zlib/inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ src/3rdparty/zlib/inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. 
*/ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.9 log @add more diff(1) context and correct LIBDIRS substitution pattern @ text @d5 1 a5 1 @@@@ -1782,21 +1782,6 @@@@ d27 1 a27 1 @@@@ -2926,6 +2911,21 @@@@ d99 1 a99 1 - png_memcpy(buffer+iout, error_message, 64); d101 1 a101 1 + png_memcpy(buffer+iout, error_message, len); a105 48 Index: src/3rdparty/libpng/pngrtran.c diff -Nau src/3rdparty/libpng/pngrtran.c.orig src/3rdparty/libpng/pngrtran.c --- src/3rdparty/libpng/pngrtran.c.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/pngrtran.c 2004-08-11 16:26:04 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < 
row_width; i++) { *(--dp) = *(--sp); a128 294 Index: src/3rdparty/libpng/pngrutil.c diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-11 16:29:37 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:30:11 +0200 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. Index: src/3rdparty/libpng/png.h diff -Nau src/3rdparty/libpng/png.h.orig src/3rdparty/libpng/png.h --- src/3rdparty/libpng/png.h.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/png.h 2004-08-11 16:31:06 +0200 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. 
* (old interface - DEPRECATED - use png_create_read_struct instead). Index: src/3rdparty/libpng/pngrutil.c diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-11 16:29:37 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:32:11 +0200 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* Index: src/3rdparty/libpng/pngpread.c diff -Nau src/3rdparty/libpng/pngpread.c.orig src/3rdparty/libpng/pngpread.c --- src/3rdparty/libpng/pngpread.c.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/pngpread.c 2004-08-11 16:34:45 +0200 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = 
png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. Requires libpng-patch04-* Index: src/3rdparty/libpng/pngpread.c diff -Nau src/3rdparty/libpng/pngread.c.orig src/3rdparty/libpng/pngread.c --- src/3rdparty/libpng/pngread.c.orig 2003-05-27 17:19:23 +0200 +++ src/3rdparty/libpng/pngread.c 2004-08-11 16:36:04 +0200 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. 
*/ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,16 +940,13 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4)) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* Index: src/3rdparty/libpng/pngread.c diff -Nau src/3rdparty/libpng/pngread.c.orig src/3rdparty/libpng/pngread.c --- src/3rdparty/libpng/pngread.c.orig 2004-08-11 16:36:04 +0200 +++ src/3rdparty/libpng/pngread.c 2004-08-11 16:37:39 +0200 @@@@ -1290,6 +1290,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) Index: src/3rdparty/libpng/pngrutil.c diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-05 15:27:41 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:38:53 +0200 @@@@ -1154,8 +1162,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. Index: src/3rdparty/libpng/pngrutil.c diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-05 15:27:41 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:40:46 +0200 @@@@ -977,8 +985,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. 
The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. Index: src/3rdparty/libpng/pngrutil.c diff -Nau src/3rdparty/libpng/pngrutil.c.orig src/3rdparty/libpng/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-08-11 16:40:46 +0200 +++ src/3rdparty/libpng/pngrutil.c 2004-08-11 16:42:31 +0200 @@@@ -587,7 +587,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -668,7 +668,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -737,7 +737,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -899,7 +899,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -1002,7 +1002,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate 
iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. @ 1.8 log @upgrading package: qt 3.3.2 -> 3.3.3 @ text @d2 1 d50 1 d72 1 d87 1 d107 1 d178 1 d198 1 d224 1 d248 1 d288 1 d346 1 d367 1 d396 1 d417 1 d472 1 d486 1 @ 1.7 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @d2 3 a4 3 --- configure 2004-02-11 11:21:42.000000000 +0100 +++ configure 2004-03-03 12:16:46.847102980 +0100 @@@@ -1754,21 +1754,6 @@@@ d26 1 a26 1 @@@@ -2878,6 +2863,21 @@@@ d48 3 a50 3 Index: config.tests/x11/xfreetype.test --- config.tests/x11/xfreetype.test 2004-03-03 10:41:51.522773000 +0100 +++ config.tests/x11/xfreetype.test 2004-03-03 10:43:42.588911196 +0100 d71 1 a71 1 +++ src/3rdparty/libpng/pngconf.h 2004-07-02 09:22:17 +0200 d85 1 a85 1 +++ src/3rdparty/libpng/pngerror.c 2004-07-02 09:22:17 +0200 d104 1 a104 1 +++ src/3rdparty/libpng/pngrtran.c 2004-07-02 09:22:17 +0200 d172 3 a174 3 diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:54:36 2004 d179 1 a179 1 - else if (length > (png_uint_32)png_ptr->num_palette) d191 3 a193 3 diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- src/3rdparty/libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ src/3rdparty/libpng/png.h Fri Jul 23 18:56:27 2004 d216 3 a218 3 diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:56:27 2004 d239 3 a241 3 diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- src/3rdparty/libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ src/3rdparty/libpng/pngpread.c Fri Jul 23 18:57:39 
2004 d278 3 a280 3 diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ src/3rdparty/libpng/pngread.c Fri Jul 23 18:59:57 2004 d312 1 a312 1 @@@@ -946,15 +940,12 @@@@ d323 1 a323 1 - d326 1 a326 1 d329 1 d334 5 a338 5 diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ src/3rdparty/libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ d355 4 a358 4 diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ d383 4 a386 4 diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ d403 4 a406 4 diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ d415 1 a415 1 @@@@ -660,7 +660,7 @@@@ d424 1 a424 1 @@@@ -729,7 +729,7 @@@@ d433 1 a433 1 @@@@ -891,7 +891,7 @@@@ d442 1 a442 1 @@@@ -995,7 +995,7 @@@@ d457 7 a463 7 diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- src/3rdparty/libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ src/3rdparty/libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) d470 4 a473 4 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ src/3rdparty/libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ d475 1 a475 1 d485 1 a485 1 @@@@ -675,7 +679,7 @@@@ d488 1 a488 1 
d494 1 a494 1 @@@@ -1400,7 +1405,7 @@@@ d501 1 a501 1 d503 1 a503 1 @@@@ -1426,8 +1431,8 @@@@ d506 1 a506 1 d514 1 a514 1 @@@@ -2868,6 +2873,9 @@@@ d517 1 a517 1 a523 1 @ 1.6 log @added Security Fix (CAN-2002-1363) for png @ text @d149 375 @ 1.6.2.1 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a148 375 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. 
diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- src/3rdparty/libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ src/3rdparty/libpng/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. */ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. 
*/ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- src/3rdparty/libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ src/3rdparty/libpng/pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. 
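Review bot: `png_get_uint_31` is declared with `PNG_EXTERN` in png.h, which makes it part of the exported symbol set, while its definition in the `-38,6 +38,14` hunk is tagged `/* PRIVATE */`; one of the two should change, or the comment should state that the symbol is exported only because pngpread.c and pngread.c call it. Its error text `"PNG unsigned integer out of range.\n"` is the only message in this patch set that ends in a newline; png_error hands the string to the application's error callback unchanged, so the trailing `\n` should go, matching `"Invalid chunk length."`. A one-line comment at the definition that png_error is documented not to return would also help, since every caller (`push_length`, `idat_size`, `length`) relies on that to avoid assigning an out-of-range value. The same hunk recurs in the 1.1.2.3 revision text.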
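Review bot: In the `-591,6 +591,11` hunk the guard `save_buffer_size > PNG_SIZE_MAX - (current_buffer_size + 256)` can itself wrap: when `current_buffer_size` is within 256 of PNG_SIZE_MAX the parenthesised sum wraps to a small value, the subtraction yields a huge bound, the check passes and `new_max` overflows exactly as before. Practical exposure is low because current_buffer_size is presumably the buffer length supplied by the application rather than file data, but the check is cheap to make complete: `if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 || png_ptr->save_buffer_size > PNG_SIZE_MAX - (png_ptr->current_buffer_size + 256))`. The enclosing function starts before and continues after the hunk; the same hunk recurs in the 1.1.2.3 revision text.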
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ src/3rdparty/libpng/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ src/3rdparty/libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. 
diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ 
-891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- src/3rdparty/libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ src/3rdparty/libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- src/3rdparty/libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ src/3rdparty/libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @ 1.5 log @SA-2004.017-png @ text @d69 58 a126 2 --- src/3rdparty/libpng/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ src/3rdparty/libpng/pngrtran.c Wed Jan 15 11:30:23 2003 a148 23 Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- 
src/3rdparty/libpng/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ src/3rdparty/libpng/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.4 log @realign patch hunk against new version 3.3.2 @ text @d69 47 @ 1.3 log @flush pending changes which cleanup this area a little bit more (the old README is still in the CVS Attic in case one needs it again, but most of it seems obsolete anyway because related to Qt 3.0) @ text @d26 1 a26 1 @@@@ -2875,6 +2860,21 @@@@ @ 1.2 log @upgrading package: qt 3.2.3 -> 3.3.1 @ text @d1 3 a3 3 diff -Naur qt-x11-free-3.3.1.orig/configure qt-x11-free-3.3.1/configure --- qt-x11-free-3.3.1.orig/configure 2004-02-11 11:21:42.000000000 +0100 +++ qt-x11-free-3.3.1/configure 2004-03-03 12:16:46.847102980 +0100 d48 3 a50 3 diff -Naur qt-x11-free-3.3.1.orig/config.tests/x11/xfreetype.test qt-x11-free-3.3.1/config.tests/x11/xfreetype.test --- qt-x11-free-3.3.1.orig/config.tests/x11/xfreetype.test 2004-03-03 10:41:51.522773000 +0100 +++ qt-x11-free-3.3.1/config.tests/x11/xfreetype.test 2004-03-03 10:43:42.588911196 +0100 @ 1.1 log @Resolve missing patch file problem by adding the forgotten patch file @ text @d1 4 a4 4 diff -Naur qt-x11-free-3.2.3.orig/configure qt-x11-free-3.2.3/configure --- qt-x11-free-3.2.3.orig/configure 2003-10-21 12:04:20.000000000 +0200 +++ qt-x11-free-3.2.3/configure 2003-11-19 11:40:38.000000000 +0100 @@@@ -1684,21 +1684,6 @@@@ d26 1 a26 1 @@@@ -2692,6 +2677,21 @@@@ d45 6 a50 6 fi [ '!' 
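Review bot: The 63-byte cap in the `-135,10 +135,13` hunk bounds the copy relative to `iout`, but it still assumes the caller's `buffer` has at least iout+64 bytes left, since `buffer[iout+len] = 0` writes at offset iout+63 in the worst case. If the prefix code above the hunk expands non-printable chunk-name bytes as `[xx]`, the prefix can reach 16 characters plus the `': '` written here, so the fixed arrays in png_chunk_error/png_chunk_warning (outside the hunk) need at least 18+64 bytes rather than 16+64; worth confirming before treating this as a complete fix. A comment above the cap, e.g. `/* prefix (<= 18 bytes) + message (<= 63) + NUL must fit the caller's buffer */`, would pin that assumption. The same hunk recurs in the 1.1.2.1 and 1.1.2.2 revision texts.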
-z "$D_FLAGS" ] && QMAKE_VARS="$QMAKE_VARS \"DEFINES+=$D_FLAGS\"" diff -Naur qt-x11-free-3.2.3.orig/config.tests/x11/xfreetype.test qt-x11-free-3.2.3/config.tests/x11/xfreetype.test --- qt-x11-free-3.2.3.orig/config.tests/x11/xfreetype.test Wed Nov 19 11:45:11 2003 +++ qt-x11-free-3.2.3/config.tests/x11/xfreetype.test Wed Nov 19 12:59:54 2003 d57 1 a57 1 d60 2 a61 2 @@@@ -89,7 +89,7 @@@@ [ "$VERBOSE" = "yes" ] && echo " Found Xft version $XFT_MAJOR.$XFT_MINOR" @ 1.1.2.1 log @SA-2004.017-png @ text @a68 47 --- DUMMY/src/3rdparty/libpng/pngrtran.c.orig Wed Oct 2 20:20:24 2002 +++ DUMMY/src/3rdparty/libpng/pngrtran.c Wed Jan 15 11:30:23 2003 @@@@ -1965,8 +1965,8 @@@@ /* This changes the data from RRGGBB to RRGGBBXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1987,8 +1987,8 @@@@ /* This changes the data from RRGGBB to XXRRGGBB */ else { - png_bytep sp = row + (png_size_t)row_width * 3; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 6; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); Steve G Libpng accesses memory that is out of bounds when creating an error message Index: pngerror.c --- DUMMY/src/3rdparty/libpng/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200 +++ DUMMY/src/3rdparty/libpng/pngerror.c 2004-04-28 13:24:22.000000000 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } @ 1.1.2.2 log @SA-2004.030; CAN-2002-1363 @ text @d69 2 a70 44 Index: 
src/3rdparty/libpng/pngerror.c --- DUMMY/src/3rdparty/libpng/pngerror.c.orig 2003-05-13 09:08:31 +0200 +++ DUMMY/src/3rdparty/libpng/pngerror.c 2004-07-05 15:27:19 +0200 @@@@ -135,10 +135,13 @@@@ buffer[iout] = 0; else { + png_size_t len; + if ((len = png_strlen(error_message)) > 63) + len = 63; buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer+iout, error_message, 64); - buffer[iout+63] = 0; + png_memcpy(buffer+iout, error_message, len); + buffer[iout+len] = 0; } } Index: src/3rdparty/libpng/pngrtran.c --- DUMMY/src/3rdparty/libpng/pngrtran.c.orig 2003-05-13 09:08:31 +0200 +++ DUMMY/src/3rdparty/libpng/pngrtran.c 2004-07-05 15:27:19 +0200 @@@@ -1889,8 +1889,8 @@@@ /* This changes the data from GG to GGXX */ if (flags & PNG_FLAG_FILLER_AFTER) { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { *(--dp) = hi_filler; @@@@ -1907,8 +1907,8 @@@@ /* This changes the data from GG to XXGG */ else { - png_bytep sp = row + (png_size_t)row_width; - png_bytep dp = sp + (png_size_t)row_width; + png_bytep sp = row + (png_size_t)row_width * 2; + png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 0; i < row_width; i++) { *(--dp) = *(--sp); d93 23 @ 1.1.2.3 log @SA-2004.035-png; CAN-2004-0597, CAN-2004-0598, CAN-2004-0599 @ text @a134 375 http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt > [Problems discovered and fixed by] Chris Evans > > 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c) > 2) Dangerous code in png_handle_sBIT (pngrutil.c) CAN-2004-0597 > 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c) > this flaw is duplicated in multiple other locations. 
CAN-2004-0598 > 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c) > 5) Integer overflow in png_read_png (pngread.c) > 6) Integer overflows during progressive reading. > 7) Other flaws. [integer overflows] CAN-2004-0599 http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt Use to patch libpng-1.0.9 through 1.2.5 This fixes the most dangerous of the newly reported vulnerabilities diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ DUMMY/src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:54:36 2004 @@@@ -1241,7 +1241,8 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before tRNS"); } - else if (length > (png_uint_32)png_ptr->num_palette) + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt Use to patch libpng-1.0.6 through 1.2.5 This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX, and png_get_uint_31(), which are needed by patches 05-08. diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h --- DUMMY/src/3rdparty/libpng/png.h.orig Thu Oct 3 06:32:26 2002 +++ DUMMY/src/3rdparty/libpng/png.h Fri Jul 23 18:56:27 2004 @@@@ -833,7 +833,11 @@@@ typedef png_info FAR * FAR * png_infopp; /* Maximum positive integer used in PNG is (2^31)-1 */ -#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL) +#define PNG_UINT_32_MAX (~((png_uint_32)0)) +#define PNG_SIZE_MAX (~((png_size_t)0)) +/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */ +#define PNG_MAX_UINT PNG_UINT_31_MAX /* These describe the color_type field in png_info. 
*/ /* color type masks */ @@@@ -2655,6 +2659,8 @@@@ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf)); PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf)); #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */ +PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr, + png_bytep buf)); /* Initialize png_ptr struct for reading, and allocate any other memory. * (old interface - DEPRECATED - use png_create_read_struct instead). diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ DUMMY/src/3rdparty/libpng/pngrutil.c Fri Jul 23 18:56:27 2004 @@@@ -38,6 +38,14 @@@@ # endif #endif +png_uint_32 /* PRIVATE */ +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range.\n"); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. 
*/ png_uint_32 /* PRIVATE */ http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt Use to patch libpng-1.0.0 through 1.2.5 Requires one of libpng-patch04* diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c --- DUMMY/src/3rdparty/libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002 +++ DUMMY/src/3rdparty/libpng/pngpread.c Fri Jul 23 18:57:39 2004 @@@@ -208,7 +208,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; @@@@ -591,6 +591,11 @@@@ png_size_t new_max; png_bytep old_buffer; + if (png_ptr->save_buffer_size > PNG_SIZE_MAX - + (png_ptr->current_buffer_size + 256)) + { + png_error(png_ptr, "Potential overflow of save_buffer"); + } new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, @@@@ -637,8 +642,7 @@@@ } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_32(chunk_length); - + png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5. 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c --- DUMMY/src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ DUMMY/src/3rdparty/libpng/pngread.c Fri Jul 23 18:59:57 2004 @@@@ -384,7 +384,7 @@@@ png_uint_32 length; png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -392,9 +392,6 @@@@ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name, length); - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); - /* This should be a binary subdivision search or a hash for * matching the chunk name rather than a linear search. */ @@@@ -673,10 +670,7 @@@@ png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - - if (png_ptr->idat_size > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); + png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); @@@@ -946,15 +940,12 @@@@ #endif /* PNG_GLOBAL_ARRAYS */ png_read_data(png_ptr, chunk_length, 4); - length = png_get_uint_32(chunk_length); + length = png_get_uint_31(png_ptr,chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name); - - if (length > PNG_MAX_UINT) - png_error(png_ptr, "Invalid chunk length."); if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) png_handle_IHDR(png_ptr, info_ptr, length); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). 
Requires libpng-patch04-* diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c --- DUMMY/src/3rdparty/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002 +++ DUMMY/src/3rdparty/libpng/pngread.c Fri Jul 23 19:01:39 2004 @@@@ -1299,6 +1299,9 @@@@ */ png_read_info(png_ptr, info_ptr); + if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep)) + png_error(png_ptr,"Image is too high to process with png_read_png()"); + /* -------------- image transformations start here ------------------- */ #if defined(PNG_READ_16_TO_8_SUPPORTED) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png(). Requires libpng-patch04-* The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer) diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ DUMMY/src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:02:48 2004 @@@@ -1154,8 +1154,18 @@@@ } new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( + if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry)) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8. Libpng-1.0.5 and earlier didn't implement iCCP chunk reading. 
diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ DUMMY/src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:04:28 2004 @@@@ -977,8 +977,7 @@@@ png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier. No security problem. The bugs are similar to the one fixed in patch 03, but the only effect is that libpng will fail to detect misplaced harmless duplicate chunks. diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002 +++ DUMMY/src/3rdparty/libpng/pngrutil.c Fri Jul 23 19:05:40 2004 @@@@ -579,7 +579,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@@@ -660,7 +660,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@@@ -729,7 +729,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & 
PNG_INFO_sRGB) #endif @@@@ -891,7 +891,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@@@ -995,7 +995,7 @@@@ /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); This patch from Chris Evans avoids a host of security problems related to buffer overflows that might occur when processing very large images. It causes the reader to reject any images claiming to have more rows or columns the png format supports. diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h --- DUMMY/src/3rdparty/libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100 +++ DUMMY/src/3rdparty/libpng/png.h 2004-07-13 23:18:10.000000000 +0100 @@@@ -835,6 +835,9 @@@@ /* Maximum positive integer used in PNG is (2^31)-1 */ #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL) +/* Constraints on width, height, (2 ^ 24) - 1*/ +#define PNG_MAX_DIMENSION 16777215 + /* These describe the color_type field in png_info. 
*/ /* color type masks */ #define PNG_COLOR_MASK_PALETTE 1 diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c --- DUMMY/src/3rdparty/libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100 +++ DUMMY/src/3rdparty/libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100 @@@@ -350,7 +350,11 @@@@ png_crc_finish(png_ptr, 0); width = png_get_uint_32(buf); + if (width > PNG_MAX_DIMENSION) + png_error(png_ptr, "Width is too large"); height = png_get_uint_32(buf + 4); + if (height > PNG_MAX_DIMENSION) + png_error(png_ptr, "Height is too large"); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; @@@@ -675,7 +679,7 @@@@ else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@@@ -1400,7 +1405,7 @@@@ void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; + unsigned int num, i; png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@@@ -1426,8 +1431,8 @@@@ return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@@@ -2868,6 +2873,9 @@@@ png_read_data(png_ptr, chunk_length, 4); png_ptr->idat_size = png_get_uint_32(chunk_length); + if (png_ptr->idat_size > PNG_MAX_UINT) + png_error(png_ptr, "Invalid chunk length."); + png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) @
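Review bot: `#define PNG_MAX_DIMENSION 16777215` departs from the style of the adjacent `PNG_MAX_UINT ((png_uint_32)0x7fffffffL)`: it is an untyped decimal literal, so the `width > PNG_MAX_DIMENSION` comparisons in pngrutil.c rely on the usual arithmetic conversions, and the comment `(2 ^ 24) - 1` reads like a C XOR. Suggest `#define PNG_MAX_DIMENSION ((png_uint_32)0xffffffL) /* 2**24 - 1 */` together with a comment saying what it bounds, e.g. `/* Largest width or height accepted from IHDR (see png_handle_IHDR) */`.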
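Review bot: In the sBIT hunk, `length != truelen || length > 4` adds a bound that can only fire when `truelen` itself exceeds 4, i.e. when `png_ptr->channels` is inconsistent, and the 4 is a bare literal whose origin (presumably the size of the local read buffer) is not visible here. A comment such as `/* truelen derives from channels; cap at the 4-byte read buffer regardless */`, or `sizeof buf` in place of `4` if the buffer is a local array, would make the defensive intent explicit. The same bare-literal concern does not apply to the hIST hunk, which already names PNG_MAX_PALETTE_LENGTH. png_handle_sBIT starts and ends outside the hunk.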
