[Pkg-phototools-devel] Bug#863469: Wheezy update of pngquant?

Emilio Pozuelo Monfort pochu at debian.org
Wed May 31 20:44:53 UTC 2017


Control: tags -1 patch

Hi Andreas,

On 31/05/17 22:13, Andreas Tille wrote:
> Hi Emilio,
> 
> On Wed, May 31, 2017 at 09:42:37AM +0200, Emilio Pozuelo Monfort wrote:
>>
>> No worries. I already updated pngquant in wheezy.
> 
> Cool.  Thanks a lot.
> 
>> I also found another possible
>> buffer overflow and reported it upstream, but it's not confirmed yet (and I
>> don't have a test case to confirm it).
>>
>> BTW if you can fix this in sid that'd be nice. Or if you're too busy I can fix
>> it for you there. The fix is pretty simple:
>>
>> https://github.com/pornel/pngquant/commit/b7c217680cda02dddced245d237ebe8c383be285
> 
> Hmmm, are you sure that this patch applies to version 2.5.0 from sid?
> The code looks pretty different.  I do not mind at all if you do an NMU -
> if you provide a patch that applies cleanly I can promise quick upload.

That's because in 2.5.0 the (wrong) overflow check hadn't been added. That
upstream patch removes the wrong check and adds the correct one. Since 2.5.0
doesn't have the wrong one, we just need to add it. See the attached patch,
which builds and works fine in a quick test (didn't test against a crafted image).

Cheers,
Emilio
-------------- next part --------------
--- rwpng.c.old	2017-05-31 22:36:13.329067904 +0200
+++ rwpng.c	2017-05-31 22:37:37.697664350 +0200
@@ -278,6 +278,12 @@ pngquant_error rwpng_read_image24_libpng
 
     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+    // For overflow safety reject images that won't fit in 32-bit
+    if (rowbytes > INT_MAX/mainprog_ptr->height) {
+        png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+        return PNG_OUT_OF_MEMORY_ERROR;  /* not quite true, but whatever */
+    }
+
     if ((mainprog_ptr->rgba_data = malloc(rowbytes*mainprog_ptr->height)) == NULL) {
         fprintf(stderr, "pngquant readpng:  unable to allocate image data\n");
         png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
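
Review bot: the new guard divides by mainprog_ptr->height in "if (rowbytes > INT_MAX/mainprog_ptr->height)", so a zero height would be a division by zero before the malloc is ever reached. Nothing in this hunk shows height being validated as non-zero, so either confirm that happens earlier in rwpng_read_image24_libpng or write the condition as "mainprog_ptr->height == 0 || rowbytes > INT_MAX/mainprog_ptr->height". The hunk also uses INT_MAX without touching the includes, so check that <limits.h> is already included in rwpng.c. Finally, the new early return is silent while the malloc failure path just below prints to stderr; a one-line message here would let a user tell an image rejected for its dimensions from a real allocation failure.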