head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2; locks; strict; comment @# @; 1.2 date 2012.02.18.15.42.57; author wiz; state dead; branches; next 1.1; 1.1 date 2012.02.18.15.16.59; author drochner; state Exp; branches; next ; desc @@ 1.2 log @Update to 1.5.9rc01, which includes the official patch for CVE-2011-3026. Version 1.5.9beta01 [February 3, 2012] Rebuilt configure scripts in the tar distributions. Version 1.5.9beta02 [February 16, 2012] Removed two unused definitions from scripts/pnglibconf.h.prebuilt Removed some unused arrays (with #ifdef) from png_read_push_finish_row(). Removed tests for no-longer-used *_EMPTY_PLTE_SUPPORTED from pngstruct.h Version 1.5.9rc01 [February 17, 2012] Fixed CVE-2011-3026 buffer overrun bug. Deal more correctly with the test on iCCP chunk length. Also removed spurious casts that may hide problems on 16-bit systems. @ text @$NetBSD: patch-CVE-2011-3026,v 1.1 2012/02/18 15:16:59 drochner Exp $ from chromium rev.121492 --- pngrutil.c.orig 2012-02-01 05:00:34.000000000 +0000 +++ pngrutil.c @@@@ -457,8 +457,15 @@@@ png_decompress_chunk(png_structp png_ptr { /* Success (maybe) - really uncompress the chunk. */ png_size_t new_size = 0; - png_charp text = (png_charp)png_malloc_warn(png_ptr, - prefix_size + expanded_size + 1); + png_charp text = NULL; + /* Need to check for both truncation (64-bit platforms) and integer + * overflow. + */ + if (prefix_size + expanded_size > prefix_size && + prefix_size + expanded_size < 0xffffffffU) + { + text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1); + } if (text != NULL) { @ 1.1 log @fix possible buffer overflow due to integer overflow in malloc() size calculation (2011-3026), patch from Chromium via Redhat/Debian bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
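Review bot: the overflow guard in the png_decompress_chunk hunk rejects a legitimate zero-length result: with `expanded_size == 0` the condition `prefix_size + expanded_size > prefix_size` is false, so `text` stays NULL and the chunk takes the same path as an out-of-memory failure. Using `>=` instead of `>` keeps the wraparound detection (on an unsigned `png_size_t`, a wrapped sum is strictly smaller than `prefix_size`) while letting an empty decompressed chunk through; the upper bound `< 0xffffffffU` is still needed so that the trailing `+ 1` passed to png_malloc_warn cannot wrap on 32-bit builds. It would also help to emit a distinct warning in the rejected case rather than relying on the generic `text == NULL` handling, so that an oversized chunk is distinguishable from a real allocation failure in logs.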