Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
new file mode 100644
index 0000000000..818d369b26
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
@@ -0,0 +1,54 @@
+From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+Date: Mon, 26 Jan 2015 16:07:00 -0500
+Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values.
+ r=jmuizelaar, a=abillings
+
+---
+ image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
+index acaa835..8e6bc2d 100644
+--- a/image/decoders/nsPNGDecoder.cpp
++++ b/image/decoders/nsPNGDecoder.cpp
+@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
+     png_set_expand(png_ptr);
+ 
+   if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
+-    int sample_max = (1 << bit_depth);
+     png_color_16p trans_values;
+     png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
+     /* libpng doesn't reject a tRNS chunk with out-of-range samples
+        so we check it here to avoid setting up a useless opacity
+-       channel or producing unexpected transparent pixels when using
+-       libpng-1.2.19 through 1.2.26 (bug #428045) */
+-    if ((color_type == PNG_COLOR_TYPE_GRAY &&
+-       (int)trans_values->gray > sample_max) ||
+-       (color_type == PNG_COLOR_TYPE_RGB &&
+-       ((int)trans_values->red > sample_max ||
+-       (int)trans_values->green > sample_max ||
+-       (int)trans_values->blue > sample_max)))
++       channel or producing unexpected transparent pixels (bug #428045) */
++    if (bit_depth < 16) {
++      png_uint_16 sample_max = (1 << bit_depth) - 1;
++      if ((color_type == PNG_COLOR_TYPE_GRAY &&
++           trans_values->gray > sample_max) ||
++           (color_type == PNG_COLOR_TYPE_RGB &&
++           (trans_values->red > sample_max ||
++           trans_values->green > sample_max ||
++           trans_values->blue > sample_max)))
+       {
+         /* clear the tRNS valid flag and release tRNS memory */
+         png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
++        num_trans = 0;
+       }
+-    else
++    }
++    if (num_trans != 0)
+       png_set_expand(png_ptr);
+   }
+ 
+-- 
+2.2.1
+
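Review bot: The new `if (bit_depth < 16)` guard in the embedded nsPNGDecoder.cpp hunk has no comment saying why 16-bit images skip the range check, and the block comment above it still reads as if every tRNS chunk is checked. A one-line note such as `/* 16-bit samples span the whole png_uint_16 range, so only depths below 16 can carry an out-of-range tRNS value */` placed directly above the guard would make the skip visibly intentional. It would also help to state next to `num_trans = 0;` that the later `if (num_trans != 0)` test relies on this reset to keep `png_set_expand` from building an alpha channel for a discarded tRNS chunk. info_callback's body starts and ends outside the hunk.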