Hi ports@,

Here is a security diff for optipng, fixing:

- CVE-2017-16938 (Global buffer overflow)
  Details: https://sourceforge.net/p/optipng/bugs/69/

- CVE-2017-1000229 (Integer overflow)
  Details: https://sourceforge.net/p/optipng/bugs/65/

Comments? OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/graphics/optipng/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- Makefile    1 Jul 2016 07:44:19 -0000       1.3
+++ Makefile    8 Dec 2017 21:32:08 -0000
@@ -2,6 +2,7 @@
 
 COMMENT =              lossless PNG optimizer
 DISTNAME =             optipng-0.7.6
+REVISION =             0
 CATEGORIES =           graphics
 
 HOMEPAGE =             http://optipng.sourceforge.net/
Index: patches/patch-src_gifread_gifread_c
===================================================================
RCS file: patches/patch-src_gifread_gifread_c
diff -N patches/patch-src_gifread_gifread_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_gifread_gifread_c 8 Dec 2017 21:32:08 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fix for CVE-2017-16938 (Global buffer overflow)
+https://sourceforge.net/p/optipng/bugs/69/
+
+Index: src/gifread/gifread.c
+--- src/gifread/gifread.c.orig
++++ src/gifread/gifread.c
+@@ -499,6 +499,8 @@ static int LZWReadByte(int init_flag, int input_code_s
+             *sp++ = table[1][code];
+             if (code == table[0][code])
+                 GIFError("GIF/LZW error: circular table entry");
++            if ((size_t)(sp - stack) >= sizeof(stack) / sizeof(stack[0]))
++                GIFError("GIF/LZW error: circular table");
+             code = table[0][code];
+         }
+ 
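Review bot: The added depth check in LZWReadByte runs after the store `*sp++ = table[1][code]`, so it only keeps the write in bounds if `GIFError()` never returns to the loop. Neither the handler nor the declaration of `stack` is visible in this hunk, so both need confirming; `sizeof(stack) / sizeof(stack[0])` is the element count only while `stack` is a real array in scope. A comment above the check would record the dependency, for example `/* bound is tested after the store; relies on GIFError() not returning */`. The message "circular table" also reads almost the same as the preceding "circular table entry", so something like "GIF/LZW error: decode stack overflow" would be easier to tell apart in bug reports. The function body continues outside the hunk, so any further writes through `sp` after the loop cannot be checked from here.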
Index: patches/patch-src_minitiff_tiffread_c
===================================================================
RCS file: patches/patch-src_minitiff_tiffread_c
diff -N patches/patch-src_minitiff_tiffread_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_minitiff_tiffread_c       8 Dec 2017 21:32:08 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fix for CVE-2017-1000229 (Integer overflow)
+https://sourceforge.net/p/optipng/bugs/65/
+
+Index: src/minitiff/tiffread.c
+--- src/minitiff/tiffread.c.orig
++++ src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FIL
+         count = tiff_ptr->strip_offsets_count;
+         if (count == 0 || count > tiff_ptr->height)
+             goto err_invalid;
++        if (count > (size_t)-1 / sizeof(long))
++            goto err_memory;
+         tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+         if (tiff_ptr->strip_offsets == NULL)
+             goto err_memory;
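Review bot: The new guard in minitiff_read_info sends an oversized `count` to `err_memory`, although the condition describes a malformed file rather than a failed allocation. If the two labels produce different diagnostics (both are outside the hunk), `goto err_invalid;` would report the input more accurately. The declaration of `count` is also outside the hunk, so it is worth confirming that it is an unsigned type, so the comparison against `(size_t)-1 / sizeof(long)` behaves as intended. A short comment above the check, such as `/* reject counts whose byte size would wrap size_t */`, would keep the reason for the test visible once the CVE reference in the patch header is gone.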
