diff options
Diffstat (limited to 'extra/libpng/CVE-2011-3026.patch')
| -rw-r--r-- | extra/libpng/CVE-2011-3026.patch | 26 |
1 files changed, 0 insertions, 26 deletions
diff --git a/extra/libpng/CVE-2011-3026.patch b/extra/libpng/CVE-2011-3026.patch deleted file mode 100644 index 209b0691e..000000000 --- a/extra/libpng/CVE-2011-3026.patch +++ /dev/null @@ -1,26 +0,0 @@ -http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660026 -http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492 - -Check for both truncation (64-bit platforms) and integer overflow. - ---- a/pngrutil.c 2012-02-01 16:00:34.000000000 +1100 -+++ b/pngrutil.c 2012-02-16 09:05:45.000000000 +1100 -@@ -457,8 +457,16 @@ png_decompress_chunk(png_structp png_ptr - { - /* Success (maybe) - really uncompress the chunk. */ - png_size_t new_size = 0; -- png_charp text = (png_charp)png_malloc_warn(png_ptr, -- prefix_size + expanded_size + 1); -+ png_charp text = NULL; -+ /* Need to check for both truncation (64-bit platforms) and integer -+ * overflow. -+ */ -+ if (prefix_size + expanded_size > prefix_size && -+ prefix_size + expanded_size < 0xffffffffU) -+ { -+ png_charp text = (png_charp)png_malloc_warn(png_ptr, -+ prefix_size + expanded_size + 1); -+ } - - if (text != NULL) - { |