main/libpng: security fix for CVE-2013-6954

fixes #2699

2 files changed, 48 insertions, 4 deletions

diff --git a/main/libpng/APKBUILD b/main/libpng/APKBUILD
index 965573d344..65d06ff680 100644
--- a/main/libpng/APKBUILD
+++ b/main/libpng/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libpng
 pkgver=1.5.15
-pkgrel=0
+pkgrel=1
 pkgdesc="Portable Network Graphics library"
 url="http://www.libpng.org/"
 arch="all"
@@ -13,12 +13,18 @@ makedepends="$depends_dev gawk"
 subpackages="$pkgname-doc $pkgname-dev"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
 	http://downloads.sourceforge.net/project/libpng-apng/libpng15/$pkgver/libpng-$pkgver-apng.patch.gz
+	libpng15-CVE-2013-6954.patch
 	"
 
 _builddir="$srcdir/$pkgname-$pkgver"
 
 prepare() {
 	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
 	gunzip -c "$srcdir"/libpng-$pkgver-apng.patch.gz | patch -p1 || return 1
 }
 
@@ -37,8 +43,11 @@ package() {
 }
 
 md5sums="ea24254980fd820964a710e4d2a947c7  libpng-1.5.15.tar.gz
-3ae9ea7e4bd201f0b25e25cd6049b094  libpng-1.5.15-apng.patch.gz"
+3ae9ea7e4bd201f0b25e25cd6049b094  libpng-1.5.15-apng.patch.gz
+8cdbf47318e9f4710a957a4704f1dd6e  libpng15-CVE-2013-6954.patch"
 sha256sums="726224b7a6b5ad0032078bf3fb5a84ffb5ad683a33a62d67f7be5eb5bc37d076  libpng-1.5.15.tar.gz
-e6c46fafd5fbea6250daa07c1b7be2b9571a7cc4c99e985c594666a33de52f6b  libpng-1.5.15-apng.patch.gz"
+e6c46fafd5fbea6250daa07c1b7be2b9571a7cc4c99e985c594666a33de52f6b  libpng-1.5.15-apng.patch.gz
+0c039a6cf4476b239ffc9c9f92ed48aabc9678e30b9c982ab6996dfddf6696f2  libpng15-CVE-2013-6954.patch"
 sha512sums="3d4f04bc33150177c9ca46543d92884dd3e6857494b99f7cc171fc90371b345495ae777b11bbed88978ec4a00daab632431b3efa78420b0abb659d5cf5690bc7  libpng-1.5.15.tar.gz
-631f4bb60b5e0a09e8fcb794bb240d39beae832a6aca9dab2d382ba2444bb2f7cb5a72dd02976cbe0972371e4a6238aa00b017ac4d8956c5afc0ec8671dcdbd6  libpng-1.5.15-apng.patch.gz"
+631f4bb60b5e0a09e8fcb794bb240d39beae832a6aca9dab2d382ba2444bb2f7cb5a72dd02976cbe0972371e4a6238aa00b017ac4d8956c5afc0ec8671dcdbd6  libpng-1.5.15-apng.patch.gz
+d4b390479cadd7637f71e494709a7628671d61bacf10a522547f53be58acc08088e23867ae05047d7a9f53985c7eca78616f28ecec82e785fd18cde84ed9dd86  libpng15-CVE-2013-6954.patch"
diff --git a/main/libpng/libpng15-CVE-2013-6954.patch b/main/libpng/libpng15-CVE-2013-6954.patch
new file mode 100644
index 0000000000..9619d8a931
--- /dev/null
+++ b/main/libpng/libpng15-CVE-2013-6954.patch
@@ -0,0 +1,35 @@
+diff --git a/pngrtran.c b/pngrtran.c
+index 5673193..04eecee 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1900,6 +1900,9 @@ png_read_transform_info(png_structp png_ptr, png_infop info_ptr)
+ 
+          info_ptr->bit_depth = 8;
+          info_ptr->num_trans = 0;
++
++         if (png_ptr->palette == NULL)
++            png_error (png_ptr, "Palette is NULL in indexed image");
+       }
+       else
+       {
+diff --git a/pngset.c b/pngset.c
+index 4177e62..3876103 100644
+--- a/pngset.c
++++ b/pngset.c
+@@ -524,6 +524,16 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr,
+          return;
+       }
+    }
++   if ((num_palette > 0 && palette == NULL) ||
++      (num_palette == 0
++ #       ifdef PNG_MNG_FEATURES_SUPPORTED
++            && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
++ #       endif
++      ))
++   {
++      png_error(png_ptr, "Invalid palette");
++      return;
++   }
+ 
+    /* It may not actually be necessary to set png_ptr->palette here;
+     * we do it for backward compatibility with the way the png_handle_tRNS