2 files changed, 40 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 0000000000..84b1af1fbf
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+(Bug report by Thuan Pham, SourceForge issue #278)
+Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
+++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
+         (size_t)png_ptr->width
+         * (size_t)png_ptr->channels
+         * (png_ptr->bit_depth > 8? 2: 1)
+         + 1
+         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
+         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+2.19.0
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d032289..3877d6cbf0 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
 LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+           file://CVE-2018-13785.patch \
+"
 SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
 SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch new file mode 100644 index 0000000000..84b1af1fbf --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
		1	From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
		2	From: Cosmin Truta <ctruta@gmail.com>
		3	Date: Sun, 17 Jun 2018 22:56:29 -0400
		4	Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
		5	png_check_chunk_length
		6
		7	(Bug report by Thuan Pham, SourceForge issue #278)
		8	Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
		9	Signed-off-by: Sinan Kaya <okaya@kernel.org>
		10	---
		11	pngrutil.c \| 9 ++++++---
		12	1 file changed, 6 insertions(+), 3 deletions(-)
		13
		14	diff --git a/pngrutil.c b/pngrutil.c
		15	index 95571b517..5ba995abf 100644
		16	--- a/pngrutil.c
		17	+++ b/pngrutil.c
		18	@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
		19	{
		20	png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
		21	size_t row_factor =
		22	- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
		23	- + 1 + (png_ptr->interlaced? 6: 0));
		24	+ (size_t)png_ptr->width
		25	+ * (size_t)png_ptr->channels
		26	+ * (png_ptr->bit_depth > 8? 2: 1)
		27	+ + 1
		28	+ + (png_ptr->interlaced? 6: 0);
		29	if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
		30	- idat_limit=PNG_UINT_31_MAX;
		31	+ idat_limit = PNG_UINT_31_MAX;
		32	else
		33	idat_limit = png_ptr->height * row_factor;
		34	row_factor = row_factor > 32566? 32566 : row_factor;
		35	--
		36	2.19.0
		37


diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb index e52d032289..3877d6cbf0 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
8		8
9	LIBV = "16"	9	LIBV = "16"
10		10
11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"	11	SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
		12	file://CVE-2018-13785.patch \
		13	"
12	SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"	14	SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
13	SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"	15	SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
14		16