File _service:obs_scm:CVE-2017-12652.patch of Package libpng12

From 4d4f4721088414b72233aaf1ab19941666cdc76d Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Mon, 7 Aug 2017 05:51:12 -0500
Subject: [PATCH] [libpng12] Added png_check_chunk_length() function.

---
 png.h      | 17 ++++++++++-------
 pngpread.c |  1 +
 pngrutil.c | 38 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 55 insertions(+), 11 deletions(-)

diff --git a/png.h b/png.h
index b2461323a..09a4ad7e1 100644
--- a/png.h
+++ b/png.h
@@ -3409,6 +3409,9 @@ PNG_EXTERN void png_handle_unknown PNGARG((png_structp png_ptr,
 PNG_EXTERN void png_check_chunk_name PNGARG((png_structp png_ptr,
    png_bytep chunk_name)) PNG_PRIVATE;
 
+PNG_EXTERN void png_check_chunk_length PNGARG((png_structp png_ptr,
+   png_uint_32 chunk_length)) PNG_PRIVATE;
+
 /* Handle the transformations for reading and writing */
 PNG_EXTERN void png_do_read_transformations
    PNGARG((png_structp png_ptr)) PNG_PRIVATE;
diff --git a/pngpread.c b/pngpread.c
index ec2aa7d4b..319a3140d 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -205,6 +205,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
       png_reset_crc(png_ptr);
       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
       png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+      png_check_chunk_length(png_ptr, png_ptr->push_length);
       png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
    }
 
diff --git a/pngrutil.c b/pngrutil.c
index 36ba4efb7..9011f7063 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -131,6 +131,9 @@ png_read_chunk_header(png_structp png_ptr)
    /* Check to see if chunk name is valid */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   png_check_chunk_length(png_ptr, length);
+
    return length;
 }
 
@@ -2506,6 +2509,41 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name)
    }
 }
 
+void /* PRIVATE */
+png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+{
+   png_uint_32 limit = PNG_UINT_31_MAX;
+
+   /* if (png_ptr->chunk_name != "IDAT") */
+   if (png_ptr->chunk_name[0] != 73 || png_ptr->chunk_name[1] !=68 ||
+       png_ptr->chunk_name[2] != 65 || png_ptr->chunk_name[3] !=84)
+   {
+# if PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+# endif
+   }
+   else
+   {
+      size_t row_factor =
+         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+          + 1 + (png_ptr->interlaced? 6: 0));
+      if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+         limit=PNG_UINT_31_MAX;
+      else
+         limit = png_ptr->height * row_factor;
+      limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
+      limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
+   }
+   if (length > limit)
+   {
+      png_debug2(0," length = %lu, limit = %lu",
+         (unsigned long)length,(unsigned long)limit);
+      png_chunk_error(png_ptr, "chunk data is too large");
+   }
+}
+
+
 /* Combines the row recently read in with the existing pixels in the
    row.  This routine takes care of alpha and transparency if requested.
    This routine also handles the two methods of progressive display