

Viewing changes to debian/patches/CVE-2011-3048.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2012-04-05 08:27:19 UTC
  • Revision ID: package-import@ubuntu.com-20120405082719-s27s9db1oovye3w7
Tags: 1.2.46-3ubuntu1.3
* SECURITY UPDATE: denial of service and possible code execution via
  memory corruption issue.
  - debian/patches/CVE-2011-3048.patch: correctly restore to previous
    condition in pngset.c.
  - CVE-2011-3048




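--- a/debian/patches/CVE-2011-3048.patch
+++ b/debian/patches/CVE-2011-3048.patch
@@ -0,0 +1,51 @@
+Description: fix denial of service and possible code execution via
+ memory corruption issue.
+Origin: Debian's 1.2.44-1+squeeze4 update
+
+diff -Naur libpng-1.2.44/pngset.c libpng-1.2.44/pngset.c
+--- libpng-1.2.44/pngset.c      2012-03-08 14:46:43.000000000 +0100
++++ libpng-1.2.44/pngset.c      2012-03-29 06:46:53.000000000 +0200
+@@ -667,22 +667,26 @@
+     */
+   if (info_ptr->num_text + num_text > info_ptr->max_text)
+   {
++      int old_max_text = info_ptr->max_text;
++      int old_num_text = info_ptr->num_text;
++
+      if (info_ptr->text != NULL)
+      {
+         png_textp old_text;
+-         int old_max;
+ 
+-         old_max = info_ptr->max_text;
+         info_ptr->max_text = info_ptr->num_text + num_text + 8;
+         old_text = info_ptr->text;
++
+         info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
+            (png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
+         if (info_ptr->text == NULL)
+         {
+-            png_free(png_ptr, old_text);
++            /* Restore to previous condition */
++            info_ptr->max_text = old_max_text;
++            info_ptr->text = old_text;
+            return(1);
+         }
+-         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
++         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
+            png_sizeof(png_text)));
+         png_free(png_ptr, old_text);
+      }
+@@ -693,7 +697,12 @@
+         info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
+            (png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
+         if (info_ptr->text == NULL)
++         {
++            /* Restore to previous condition */
++            info_ptr->num_text = old_num_text;
++            info_ptr->max_text = old_max_text;
+            return(1);
++         }
+ #ifdef PNG_FREE_ME_SUPPORTED
+         info_ptr->free_me |= PNG_FREE_TEXT;
+ #endif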
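Review bot: In the first hunk of the embedded pngset.c patch, the restore path on allocation failure (`info_ptr->max_text = old_max_text; info_ptr->text = old_text;`) correctly hands the caller back its original buffer, but the success path still copies `old_max_text` entries in `png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text * png_sizeof(png_text)))` rather than the `info_ptr->num_text` entries that are actually populated. That stays in bounds as long as the previous buffer was sized to `max_text` entries, which the allocation line in the second hunk suggests, but copying `info_ptr->num_text * png_sizeof(png_text)` would avoid reading slots that were never written and make the copy length match the data it preserves. The second hunk's restore of `num_text` is only correct because the else branch resets it before the allocation; that assignment lies above the hunk and is not visible here, so a one-line comment such as `/* This branch changed num_text and max_text above; put both back. */` in place of the generic "Restore to previous condition" would make the restore verifiable on its own. The enclosing function starts and ends outside both hunks.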