From b60c4058b32b1762764c7af0c849b13f85d8d53a Mon Sep 17 00:00:00 2001
From: Chris Efant
Date: Sat, 14 Aug 2004 11:52:50 +0000
Subject: [PATCH] Chris Efant: added security patches to libpng. Fixes CAN-2002-1363, CAN-2004-0421, and CAN-2002-1363b. [2004080506181204737] (https://www.rocklinux.net/submaster) git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@3854 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
---
package/rene/libpng/2-CAN-2002-1363.patch | 24 +++++++++++++
package/rene/libpng/3b-CAN-2004-0421.patch | 41 ++++++++++++++++++++++
package/rene/libpng/4-CAN-2002-1363b.patch | 24 +++++++++++++
3 files changed, 89 insertions(+)
create mode 100644 package/rene/libpng/2-CAN-2002-1363.patch
create mode 100644 package/rene/libpng/3b-CAN-2004-0421.patch
create mode 100644 package/rene/libpng/4-CAN-2002-1363b.patch
diff --git a/package/rene/libpng/2-CAN-2002-1363.patch b/package/rene/libpng/2-CAN-2002-1363.patch
new file mode 100644
index 000000000..670965e04
--- /dev/null
+++ b/package/rene/libpng/2-CAN-2002-1363.patch
@@ -0,0 +1,24 @@
+--- ./pngrtran.c 9 Jan 2004 18:22:43 -0000 1.1
++++ ./pngrtran.c 3 May 2004 08:19:51 -0000 1.2
+@@ -1965,8 +1965,8 @@
+ /* This changes the data from RRGGBB to RRGGBBXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1987,8 +1987,8 @@
+ /* This changes the data from RRGGBB to XXRRGGBB */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width * 3;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 6;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp);
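Review bot: The added patch file carries no header saying which libpng release it applies to or where it was taken from, and the same holds for `3b-CAN-2004-0421.patch` and `4-CAN-2002-1363b.patch`. The embedded file headers point at different bases (a CVS revision `1.1` to `1.2` dated 2004 here, `_125` originals dated 2002-10-03 in 3b, plain 2002 timestamps in 4), which suggests the three were collected from separate sources; that is inferred from the headers alone. A short description above the first `---` line, for example `# CAN-2002-1363: 16-bit RGB filler offsets in pngrtran.c` followed by `# Applies to libpng <VERSION>; taken from <UPSTREAM-SOURCE>`, would let a later maintainer compare the patch with upstream and drop it when the package is upgraded.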
diff --git a/package/rene/libpng/3b-CAN-2004-0421.patch b/package/rene/libpng/3b-CAN-2004-0421.patch
new file mode 100644
index 000000000..d57ad59be
--- /dev/null
+++ b/package/rene/libpng/3b-CAN-2004-0421.patch
@@ -0,0 +1,41 @@
+*** ./pngconf.h_125 2002-10-03 07:32:27.000000000 -0400
+--- ./pngconf.h 2004-05-06 09:41:33.000000000 -0400
+***************
+*** 1280,1285 ****
+--- 1285,1291 ----
+ # define CVT_PTR(ptr) (png_far_to_near(png_ptr,ptr,CHECK))
+ # define CVT_PTR_NOCHECK(ptr) (png_far_to_near(png_ptr,ptr,NOCHECK))
+ # define png_strcpy _fstrcpy
++ # define png_strncpy _fstrncpy /* Added to v 1.2.6 */
+ # define png_strlen _fstrlen
+ # define png_memcmp _fmemcmp /* SJT: added */
+ # define png_memcpy _fmemcpy
+***************
+*** 1288,1293 ****
+--- 1294,1300 ----
+ # define CVT_PTR(ptr) (ptr)
+ # define CVT_PTR_NOCHECK(ptr) (ptr)
+ # define png_strcpy strcpy
++ # define png_strncpy strncpy /* Added to v 1.2.6 */
+ # define png_strlen strlen
+ # define png_memcmp memcmp /* SJT: added */
+ # define png_memcpy memcpy
+*** ./pngerror.c_125 2002-10-03 07:32:27.000000000 -0400
+--- ./pngerror.c 2004-05-06 09:41:28.000000000 -0400
+***************
+*** 137,143 ****
+ {
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+! png_memcpy(buffer+iout, error_message, 64);
+ buffer[iout+63] = 0;
+ }
+ }
+--- 137,143 ----
+ {
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+! png_strncpy(buffer+iout, error_message, 63);
+ buffer[iout+63] = 0;
+ }
+ }
diff --git a/package/rene/libpng/4-CAN-2002-1363b.patch b/package/rene/libpng/4-CAN-2002-1363b.patch
new file mode 100644
index 000000000..12243606d
--- /dev/null
+++ b/package/rene/libpng/4-CAN-2002-1363b.patch
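Review bot: The destination bound is still unchecked in the pngerror.c part of `3b-CAN-2004-0421.patch`: `png_strncpy(buffer+iout, error_message, 63)` stops the read past the end of a short `error_message`, but the code still writes through `buffer[iout+63]`, and the size of `buffer` is not visible in the hunk. `iout` has already been advanced by at least the two separator bytes shown and presumably by earlier code, so whether `iout+63` stays inside the caller's array depends on declarations outside this patch and should be confirmed for the libpng version the package builds. If the callers do guarantee it, a comment at the copy such as `/* buffer must hold at least iout + 64 bytes */` would record the requirement. The enclosing function starts and ends outside the hunk.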
@@ -0,0 +1,24 @@
+--- ./pngrtran.c Thu Oct 3 06:32:29 2002
++++ ./pngrtran.c Fri Jul 23 18:51:26 2004
+@@ -1889,8 +1889,8 @@
+ /* This changes the data from GG to GGXX */
+ if (flags & PNG_FLAG_FILLER_AFTER)
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 1; i < row_width; i++)
+ {
+ *(--dp) = hi_filler;
+@@ -1907,8 +1907,8 @@
+ /* This changes the data from GG to XXGG */
+ else
+ {
+- png_bytep sp = row + (png_size_t)row_width;
+- png_bytep dp = sp + (png_size_t)row_width;
++ png_bytep sp = row + (png_size_t)row_width * 2;
++ png_bytep dp = sp + (png_size_t)row_width * 2;
+ for (i = 0; i < row_width; i++)
+ {
+ *(--dp) = *(--sp);
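Review bot: With the corrected offsets the backward copy starts at `row + row_width * 4` in both branches here, and at `row + row_width * 8` in the RGB case changed by `2-CAN-2002-1363.patch`, so the fix is only safe if the row buffer was allocated for the post-filler pixel size; that allocation is not part of either patch. It is worth confirming, in the libpng version this package builds, that the row buffer size accounts for the filler at 16-bit depth, and recording the dependency in the patch description, for example `# relies on the row buffer being sized for 16-bit gray plus filler (4 bytes/pixel)`. Both branches continue outside the hunks shown.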