Blame SOURCES/advancecomp-1.15-CVE-2019-8383.patch

9eece9
commit 78a56b21340157775be2462a19276b4d31d2bd01
9eece9
Author: Andrea Mazzoleni <amadvance@gmail.com>
9eece9
Date:   Fri Jan 4 20:49:25 2019 +0100
9eece9
9eece9
    Fix a buffer overflow caused by invalid images
9eece9
9eece9
diff --git a/lib/png.c b/lib/png.c
9eece9
index 0939a5a..cbf140b 100644
9eece9
--- a/lib/png.c
9eece9
+++ b/lib/png.c
9eece9
@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
9eece9
 	unsigned pixel;
9eece9
 	unsigned width;
9eece9
 	unsigned width_align;
9eece9
+	unsigned scanline;
9eece9
 	unsigned height;
9eece9
 	unsigned depth;
9eece9
 	int r;
9eece9
@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
9eece9
 		goto err_ptr;
9eece9
 	}
9eece9
 
9eece9
-	*dat_size = height * (width_align * pixel + 1);
9eece9
+	/* check for overflow */
9eece9
+	if (pixel == 0 || width_align >= UINT_MAX / pixel) {
9eece9
+		error_set("Invalid image size");
9eece9
+		goto err_ptr;
9eece9
+	}
9eece9
+
9eece9
+	scanline = width_align * pixel + 1;
9eece9
+
9eece9
+	/* check for overflow */
9eece9
+	if (scanline == 0 || height >= UINT_MAX / scanline) {
9eece9
+		error_set("Invalid image size");
9eece9
+		goto err_ptr;
9eece9
+	}
9eece9
+
9eece9
+	*dat_size = height * scanline;
9eece9
 	*dat_ptr = malloc(*dat_size);
9eece9
-	*pix_scanline = width_align * pixel + 1;
9eece9
+	*pix_scanline = scanline;
9eece9
 	*pix_ptr = *dat_ptr + 1;
9eece9
 
9eece9
 	z.zalloc = 0;
9eece9
diff -up advancecomp-1.15/portable.h.me advancecomp-1.15/portable.h
9eece9
--- advancecomp-1.15/portable.h.me	2019-05-17 15:15:08.109528451 +0200
9eece9
+++ advancecomp-1.15/portable.h	2019-05-17 15:15:38.318620937 +0200
9eece9
@@ -39,6 +39,7 @@ extern "C" {
9eece9
 #include <assert.h>
9eece9
 #include <errno.h>
9eece9
 #include <signal.h>
9eece9
+#include <limits.h>
9eece9
 
9eece9
 #if HAVE_UNISTD_H
9eece9
 #include <unistd.h>