ofz#372757014 png_fp_sub Integer-overflow
Change-Id: I0dfe44f8e8f20c137a12eafb4fa108d266f89370 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/174875 Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com> Tested-by: Jenkins
parent
59c5a7d5c7
commit
c43454149e
3 changed files with 136 additions and 0 deletions
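--- a/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
+++ b/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
@@ -0,0 +1,99 @@
+From 65470ac86c9d479e18c58c181170163925b5f9a1 Mon Sep 17 00:00:00 2001
+From: John Bowler <jbowler@acm.org>
+Date: Sat, 12 Oct 2024 14:55:03 -0700
+Subject: [PATCH] fix: Avoid integer overflows in function `png_xy_from_XYZ`
+
+This is a cherry-picked of commit f45531cc141dc20dc7a4046bbe92270b1e799a5d
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta <ctruta@gmail.com>
+Signed-off-by: John Bowler <jbowler@acm.org>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+---
+png.c | 40 ++++++++++++++++++++++++----------------
+1 file changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/png.c b/png.c
+index 8cd0179a8..d99e2643b 100644
+--- a/png.c
++++ b/png.c
+@@ -1272,7 +1272,7 @@ png_safe_add(png_int_32 *addend0_and_result, png_int_32 addend1,
+static int
+png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+{
+- png_int_32 d, dred, dgreen, dwhite, whiteX, whiteY;
++ png_int_32 d, dred, dgreen, dblue, dwhite, whiteX, whiteY;
+
+/* 'd' in each of the blocks below is just X+Y+Z for each component,
+* x, y and z are X,Y,Z/(X+Y+Z).
+@@ -1280,44 +1280,52 @@ png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+d = XYZ->red_X;
+if (png_safe_add(&d, XYZ->red_Y, XYZ->red_Z))
+return 1;
+- if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
++ dred = d;
++ if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, dred) == 0)
+return 1;
+- if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, dred) == 0)
+return 1;
+- dred = d;
+- whiteX = XYZ->red_X;
+- whiteY = XYZ->red_Y;
+
+d = XYZ->green_X;
+if (png_safe_add(&d, XYZ->green_Y, XYZ->green_Z))
+return 1;
+- if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
++ dgreen = d;
++ if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, dgreen) == 0)
+return 1;
+- if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, dgreen) == 0)
+return 1;
+- dgreen = d;
+- whiteX += XYZ->green_X;
+- whiteY += XYZ->green_Y;
+
+d = XYZ->blue_X;
+if (png_safe_add(&d, XYZ->blue_Y, XYZ->blue_Z))
+return 1;
+- if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
++ dblue = d;
++ if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, dblue) == 0)
+return 1;
+- if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
++ if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, dblue) == 0)
+return 1;
+- whiteX += XYZ->blue_X;
+- whiteY += XYZ->blue_Y;
+
+/* The reference white is simply the sum of the end-point (X,Y,Z) vectors so
+* the fillowing calculates (X+Y+Z) of the reference white (media white,
+* encoding white) itself:
+*/
++ d = dblue;
+if (png_safe_add(&d, dred, dgreen))
+return 1;
+-
+dwhite = d;
+
++ /* Find the white X,Y values from the sum of the red, green and blue X,Y
++ * values.
++ */
++ d = XYZ->red_X;
++ if (png_safe_add(&d, XYZ->green_X, XYZ->blue_X))
++ return 1;
++ whiteX = d;
++
++ d = XYZ->red_Y;
++ if (png_safe_add(&d, XYZ->green_Y, XYZ->blue_Y))
++ return 1;
++ whiteY = d;
++
+if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
+return 1;
+if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
+--
+2.46.1
+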
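--- a/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
+++ b/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
@@ -0,0 +1,35 @@
+From f14d5fcd1efec749d0137162efbee6013757494b Mon Sep 17 00:00:00 2001
+From: John Bowler <jbowler@acm.org>
+Date: Thu, 10 Oct 2024 08:40:41 -0700
+Subject: [PATCH] [libpng16] fix: Correct the function `png_fp_sub` in png.c
+
+The code erroneously evaluated `addend0+addend1` in the case where
+`addend1` is less than zero. The function is meant to subtract the
+second argument from the first.
+
+This is a cherry-pick of commit 79fd6d1edc8fe8c41ed58c6318bd57761d8f007e
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta <ctruta@gmail.com>
+Signed-off-by: John Bowler <jbowler@acm.org>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+---
+png.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/png.c b/png.c
+index 8a1e2a451..240db5ab9 100644
+--- a/png.c
++++ b/png.c
+@@ -1241,7 +1241,7 @@ png_fp_sub(png_int_32 addend0, png_int_32 addend1, int *error)
+else if (addend1 < 0)
+{
+if (0x7fffffff + addend1 >= addend0)
+- return addend0+addend1;
++ return addend0-addend1;
+}
+else
+return addend0;
+--
+2.46.1
+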
2
external/libpng/UnpackedTarball_libpng.mk
vendored
|
@ -17,6 +17,8 @@ $(eval $(call gb_UnpackedTarball_add_files,libpng,.,\
|
|||
|
||||
$(eval $(call gb_UnpackedTarball_add_patches,libpng,\
|
||||
external/libpng/0001-ACES-AP0-adjusted-fixes.patch.1 \
|
||||
external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1 \
|
||||
external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1 \
|
||||
))
|
||||
|
||||
# vim: set noet sw=4 ts=4:
|
||||
|
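Review bot: The two entries added to `gb_UnpackedTarball_add_patches` have no comment saying where they come from or when they can be removed, so a later libpng tarball bump has nothing in this file to check against. Both patch files describe themselves as cherry-picks from the upstream 'libpng18' branch (79fd6d1edc8fe8c41ed58c6318bd57761d8f007e for `png_fp_sub`, f45531cc141dc20dc7a4046bbe92270b1e799a5d for `png_xy_from_XYZ`), so a comment above the `$(eval $(call gb_UnpackedTarball_add_patches,libpng,\` line would do, for example `# upstream libpng fixes for ofz#372757014 (png_fp_sub, png_xy_from_XYZ); drop once the bundled tarball contains them`. It has to sit above the call rather than between the entries, because the list is joined with backslash continuations. Both patches touch png.c, so the order in which they are listed presumably matters and is worth keeping as it is.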