This is the fix for the null pointer dereference (CVE-2013-6954)
for OPENBSD_5_4, backported from png 1.6.8.
I don't have a 5.4-stable system at hand to actually test this
there.
OK?
OPENBSD_5_3 has 1.5.10, which is not affected according to the libpng
homepage.
Index: Makefile
===================================================================
RCS file: /cvs/ports/graphics/png/Makefile,v
retrieving revision 1.94
diff -u -p -r1.94 Makefile
--- Makefile 9 Jun 2013 15:13:03 -0000 1.94
+++ Makefile 3 Jan 2014 15:53:18 -0000
@@ -5,7 +5,7 @@ COMMENT= library for manipulating PNG im
VERSION= 1.6.2
DISTNAME= libpng-${VERSION}
PKGNAME= png-${VERSION}
-REVISION= 0
+REVISION= 1
SHARED_LIBS= png16 17.0 \
png 17.0
CATEGORIES= graphics
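Review bot: SHARED_LIBS stays at 17.0 next to the REVISION bump, which is right only if the two added patches leave the exported interface alone. The visible changes (a NULL check inside png_read_transform_info and a swapped error call inside png_set_PLTE) touch function bodies only, so going from REVISION 0 to 1 is sufficient. Since the message says this was not built on 5.4-stable, a test build there before commit would confirm that both patches apply to 1.6.2 at the stated offsets.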
Index: patches/patch-pngrtran_c
===================================================================
RCS file: patches/patch-pngrtran_c
diff -N patches/patch-pngrtran_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pngrtran_c 3 Jan 2014 15:53:18 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+CVE-2013-6954
+
+--- pngrtran.c.orig Thu Apr 25 14:24:44 2013
++++ pngrtran.c Fri Jan 3 14:21:08 2014
+@@ -1933,6 +1933,9 @@ png_read_transform_info(png_structrp png_ptr, png_info
+
+ info_ptr->bit_depth = 8;
+ info_ptr->num_trans = 0;
++
++ if (png_ptr->palette == NULL)
++ png_error (png_ptr, "Palette is NULL in indexed image");
+ }
+ else
+ {
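Review bot: The header of patches/patch-pngrtran_c says only "CVE-2013-6954"; add a line noting that it is backported from 1.6.8, as the mail states, so the patch is easy to recognise and drop at the next update. In the added check, "png_error (png_ptr, ..." has a space before the parenthesis while the pngset.c patch writes "png_error(png_ptr, ..."; keep it only if that is how upstream has it, to make comparing against 1.6.8 easier. The check sits after info_ptr->bit_depth and info_ptr->num_trans have already been written, which is harmless because png_error does not return.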
Index: patches/patch-pngset_c
===================================================================
RCS file: patches/patch-pngset_c
diff -N patches/patch-pngset_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-pngset_c 3 Jan 2014 15:53:18 -0000
@@ -0,0 +1,15 @@
+$OpenBSD$
+
+CVE-2013-6954
+
+--- pngset.c.orig Thu Apr 25 14:24:44 2013
++++ pngset.c Fri Jan 3 14:21:08 2014
+@@ -536,7 +536,7 @@ png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr
+ # endif
+ ))
+ {
+- png_chunk_report(png_ptr, "Invalid palette", PNG_CHUNK_ERROR);
++ png_error(png_ptr, "Invalid palette");
+ return;
+ }
+
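Review bot: Replacing png_chunk_report(..., PNG_CHUNK_ERROR) with png_error() at the "Invalid palette" branch of png_set_PLTE is a behaviour change that deserves a sentence in the commit message. The "return;" kept after the call shows the old path could hand control back to the caller, whereas png_error never returns, so an invalid palette now always ends the read through the application's error handler. The "return;" is unreachable after this change; leaving it is fine if that matches 1.6.8. As with the other patch file, the header would benefit from a note that this is backported from 1.6.8.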
--
Christian "naddy" Weisgerber [email protected]