aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorache <ache@FreeBSD.org>2004-07-07 18:33:28 +0800
committerache <ache@FreeBSD.org>2004-07-07 18:33:28 +0800
commit85c6d089d7d0cd6492e794c1a3b89df27c358ae4 (patch)
treeee8e790738a1cc230e32d28404ba7a2d16fb4bb1
parentc53e6f4ccd5881e9f3b872531ceacc108ccf5d85 (diff)
downloadfreebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.tar.gz
freebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.tar.zst
freebsd-ports-gnome-85c6d089d7d0cd6492e794c1a3b89df27c358ae4.zip
In 16-bit samples case the starting offsets for the loops are calculated
incorrectly which may cause a buffer overrun beyond the beginning of the row buffer. Submitted by: Robert Nagy <robert@openbsd.org>
-rw-r--r--graphics/png/Makefile4
-rw-r--r--graphics/png/files/patch-pngrtran.c46
2 files changed, 48 insertions, 2 deletions
diff --git a/graphics/png/Makefile b/graphics/png/Makefile
index eacb963373da..d9a1c89c6b32 100644
--- a/graphics/png/Makefile
+++ b/graphics/png/Makefile
@@ -6,8 +6,8 @@
#
PORTNAME= png
-PORTVERSION= 1.2.5
-PORTREVISION= 5
+PORTVERSION= 1.2.5
+PORTREVISION= 6
CATEGORIES= graphics
MASTER_SITES= http://www.libpng.org/pub/png/src/ \
ftp://swrinde.nde.swri.edu/pub/png/src/ \
diff --git a/graphics/png/files/patch-pngrtran.c b/graphics/png/files/patch-pngrtran.c
new file mode 100644
index 000000000000..1a3a40279cd4
--- /dev/null
+++ b/graphics/png/files/patch-pngrtran.c
@@ -0,0 +1,46 @@
+--- pngrtran.c.orig Tue Jul 6 17:44:30 2004
++++ pngrtran.c Tue Jul 6 17:46:22 2004
+@@ -1889,8 +1889,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from GG to GGXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1907,8 +1907,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from GG to XXGG */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp);
+@@ -1965,8 +1965,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from RRGGBB to RRGGBBXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1987,8 +1987,8 @@ png_do_read_filler(png_row_infop row_inf
+ /* This changes the data from RRGGBB to XXRRGGBB */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp); \ No newline at end of file