From 8830740643397d8d38e018c728ed62d0bcb4c310 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 26 Feb 2015 00:16:07 -0500 Subject: gnu: icecat: Apply fixes for CVE-2015-{0822,0827,0831,0836}. * gnu/packages/patches/icecat-CVE-2015-0822.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch, gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch, gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- .../patches/icecat-CVE-2015-0836-pt-07.patch | 54 ++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch (limited to 'gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch') diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch new file mode 100644 index 0000000000..818d369b26 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch @@ -0,0 +1,54 @@ +From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Mon, 26 Jan 2015 16:07:00 -0500 +Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values. + r=jmuizelaar, a=abillings + +--- + image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp +index acaa835..8e6bc2d 100644 +--- a/image/decoders/nsPNGDecoder.cpp ++++ b/image/decoders/nsPNGDecoder.cpp +@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr) + png_set_expand(png_ptr); + + if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) { +- int sample_max = (1 << bit_depth); + png_color_16p trans_values; + png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values); + /* libpng doesn't reject a tRNS chunk with out-of-range samples + so we check it here to avoid setting up a useless opacity +- channel or producing unexpected transparent pixels when using +- libpng-1.2.19 through 1.2.26 (bug #428045) */ +- if ((color_type == PNG_COLOR_TYPE_GRAY && +- (int)trans_values->gray > sample_max) || +- (color_type == PNG_COLOR_TYPE_RGB && +- ((int)trans_values->red > sample_max || +- (int)trans_values->green > sample_max || +- (int)trans_values->blue > sample_max))) ++ channel or producing unexpected transparent pixels (bug #428045) */ ++ if (bit_depth < 16) { ++ png_uint_16 sample_max = (1 << bit_depth) - 1; ++ if ((color_type == PNG_COLOR_TYPE_GRAY && ++ trans_values->gray > sample_max) || ++ (color_type == PNG_COLOR_TYPE_RGB && ++ (trans_values->red > sample_max || ++ trans_values->green > sample_max || ++ trans_values->blue > sample_max))) + { + /* clear the tRNS valid flag and release tRNS memory */ + png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); ++ num_trans = 0; + } +- else ++ } ++ if (num_trans != 0) + png_set_expand(png_ptr); + } + +-- +2.2.1 + -- cgit v1.2.3