diff --git a/SOURCES/advancecomp-1.15-CVE-2019-8379.patch b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
new file mode 100644
index 0000000..5bb32a7
--- /dev/null
+++ b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
@@ -0,0 +1,85 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni
+Date: Fri Jan 4 20:49:48 2019 +0100
+
+ Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+
+ switch (type) {
+ case ADV_MNG_CN_MHDR :
++ if (size < 28) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ cout << " simplicity:" << be_uint32_read(data+24);
+ cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << ")";
+ break;
+ case ADV_MNG_CN_DHDR :
++ if (size < 4) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ switch (data[2]) {
+ case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_DEFI :
++ if (size < 2) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ if (size >= 3) {
+ switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_MOVE :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ switch (data[4]) {
+ case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ break;
+ case ADV_MNG_CN_PPLT :
++ if (size < 1) {
++ cout << " invalid chunk size";
++ break;
++ }
+ switch (data[0]) {
+ case 0 : cout << " type:replacement_rgb"; 
break;
+ case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ default : cout << " type:?"; break;
+ }
+ i = 1;
+- while (i
+Date: Fri Jan 4 20:49:25 2019 +0100
+
+ Fix a buffer overflow caused by invalid images
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a..cbf140b 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ unsigned pixel;
+ unsigned width;
+ unsigned width_align;
++ unsigned scanline;
+ unsigned height;
+ unsigned depth;
+ int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ goto err_ptr;
+ }
+
+- *dat_size = height * (width_align * pixel + 1);
++ /* check for overflow */
++ if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ scanline = width_align * pixel + 1;
++
++ /* check for overflow */
++ if (scanline == 0 || height >= UINT_MAX / scanline) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ *dat_size = height * scanline;
+ *dat_ptr = malloc(*dat_size);
+- *pix_scanline = width_align * pixel + 1;
++ *pix_scanline = scanline;
+ *pix_ptr = *dat_ptr + 1;
+
+ z.zalloc = 0;
+diff -up advancecomp-1.15/portable.h.me advancecomp-1.15/portable.h
+--- advancecomp-1.15/portable.h.me 2019-05-17 15:15:08.109528451 +0200
++++ advancecomp-1.15/portable.h 2019-05-17 15:15:38.318620937 +0200
+@@ -39,6 +39,7 @@ extern "C" {
+ #include
+ #include
+ #include
++#include
+
+ #if HAVE_UNISTD_H
+ #include
diff --git a/SPECS/advancecomp.spec b/SPECS/advancecomp.spec
index 8ddd938..dc86cb8 100644
--- a/SPECS/advancecomp.spec
+++ b/SPECS/advancecomp.spec
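Review bot: The minimum sizes in the new guards of png_print_chunk (28, 4, 2, 13, 1) are bare literals with nothing tying them to the reads they protect, so a later edit to a case body can silently outrun its guard. From the visible lines each value does match the highest offset read (MHDR reads four bytes at `data+24`, MOVE four bytes at `data + 9`), and a one-line comment per case would record that, e.g. `/* simplicity is a 4-byte field at offset 24, so 28 bytes are required */`. The DHDR body continues outside its hunk, so any read past `data[3]` there needs its own size test and cannot be confirmed from here. The remaining `case` labels of the switch are not part of the patch and deserve the same audit for fixed-offset reads without a size test.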
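Review bot: The result of `malloc(*dat_size)` in adv_png_read_ihdr is used on the following lines (`*pix_ptr = *dat_ptr + 1;`) with no NULL check visible in the hunk, and the new overflow guards still accept sizes just under UINT_MAX that an allocator may refuse. The function body continues outside the hunk; if no check follows there, add one directly after the allocation, for example `if (!*dat_ptr) { error_set("Low memory"); goto err_ptr; }`, assuming err_ptr is also the correct unwind label at that point. The first guard already keeps `width_align * pixel + 1` below the wrap point, so the `scanline == 0` test is redundant but harmless.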
@@ -1,11 +1,13 @@ Summary: Recompression utilities for .PNG, .MNG and .ZIP files Name: advancecomp Version: 1.15 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: Applications/Emulators URL: http://advancemame.sourceforge.net/ Source: http://downloads.sf.net/advancemame/advancecomp-%{version}.tar.gz +Patch0: advancecomp-1.15-CVE-2019-8379.patch +Patch1: advancecomp-1.15-CVE-2019-8383.patch BuildRequires: zlib-devel %description @@ -17,6 +19,8 @@ The main features are : %prep %setup -q +%patch0 -p1 -b .CVE-2019-8379 +%patch1 -p1 -b .CVE-2019-8383 %build @@ -36,6 +40,10 @@ make install DESTDIR=%{buildroot} %changelog +* Fri May 17 2019 Than Ngo - 1.15-21 +- Resolves: #1711051, CVE-2019-8383 denial of service +- Resolves: #1710910, CVE-2019-8379 null pointer dereference + * Wed Jan 29 2014 Daniel Mach - 1.15-20 - Mass rebuild 2014-01-24