diff options
author | ache <ache@FreeBSD.org> | 2004-07-07 18:33:28 +0800 |
---|---|---|
committer | ache <ache@FreeBSD.org> | 2004-07-07 18:33:28 +0800 |
commit | 85c6d089d7d0cd6492e794c1a3b89df27c358ae4 (patch) | |
tree | ee8e790738a1cc230e32d28404ba7a2d16fb4bb1 | |
parent | c53e6f4ccd5881e9f3b872531ceacc108ccf5d85 (diff) | |
download | freebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.tar.gz freebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.tar.zst freebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.zip |
In 16-bit samples case the starting offsets for the loops are calculated
incorrectly which may cause a buffer overrun beyond the beginning of
the row buffer.
Submitted by: Robert Nagy <robert@openbsd.org>
-rw-r--r-- | graphics/png/Makefile | 4 | ||||
-rw-r--r-- | graphics/png/files/patch-pngrtran.c | 46 |
2 files changed, 48 insertions, 2 deletions
diff --git a/graphics/png/Makefile b/graphics/png/Makefile index eacb963373da..d9a1c89c6b32 100644 --- a/graphics/png/Makefile +++ b/graphics/png/Makefile @@ -6,8 +6,8 @@ # PORTNAME= png -PORTVERSION= 1.2.5 -PORTREVISION= 5 +PORTVERSION= 1.2.5 +PORTREVISION= 6 CATEGORIES= graphics MASTER_SITES= http://www.libpng.org/pub/png/src/ \ ftp://swrinde.nde.swri.edu/pub/png/src/ \ diff --git a/graphics/png/files/patch-pngrtran.c b/graphics/png/files/patch-pngrtran.c new file mode 100644 index 000000000000..1a3a40279cd4 --- /dev/null +++ b/graphics/png/files/patch-pngrtran.c @@ -0,0 +1,46 @@ +--- pngrtran.c.orig Tue Jul 6 17:44:30 2004 ++++ pngrtran.c Tue Jul 6 17:46:22 2004 +@@ -1889,8 +1889,8 @@ png_do_read_filler(png_row_infop row_inf + /* This changes the data from GG to GGXX */ + if (flags & PNG_FLAG_FILLER_AFTER) + { +- png_bytep sp = row + (png_size_t)row_width; +- png_bytep dp = sp + (png_size_t)row_width; ++ png_bytep sp = row + (png_size_t)row_width * 2; ++ png_bytep dp = sp + (png_size_t)row_width * 2; + for (i = 1; i < row_width; i++) + { + *(--dp) = hi_filler; +@@ -1907,8 +1907,8 @@ png_do_read_filler(png_row_infop row_inf + /* This changes the data from GG to XXGG */ + else + { +- png_bytep sp = row + (png_size_t)row_width; +- png_bytep dp = sp + (png_size_t)row_width; ++ png_bytep sp = row + (png_size_t)row_width * 2; ++ png_bytep dp = sp + (png_size_t)row_width * 2; + for (i = 0; i < row_width; i++) + { + *(--dp) = *(--sp); +@@ -1965,8 +1965,8 @@ png_do_read_filler(png_row_infop row_inf + /* This changes the data from RRGGBB to RRGGBBXX */ + if (flags & PNG_FLAG_FILLER_AFTER) + { +- png_bytep sp = row + (png_size_t)row_width * 3; +- png_bytep dp = sp + (png_size_t)row_width; ++ png_bytep sp = row + (png_size_t)row_width * 6; ++ png_bytep dp = sp + (png_size_t)row_width * 2; + for (i = 1; i < row_width; i++) + { + *(--dp) = hi_filler; +@@ -1987,8 +1987,8 @@ png_do_read_filler(png_row_infop row_inf + /* This changes the data from RRGGBB to XXRRGGBB */ + else + { +- png_bytep sp = row + (png_size_t)row_width * 3; +- png_bytep dp = sp + (png_size_t)row_width; ++ png_bytep sp = row + (png_size_t)row_width * 6; ++ png_bytep dp = sp + (png_size_t)row_width * 2; + for (i = 0; i < row_width; i++) + { + *(--dp) = *(--sp);
\ No newline at end of file |