external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
 |   99 ++++++++++
 
external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
  |   35 +++
 external/libpng/UnpackedTarball_libpng.mk                                      
   |    2 
 3 files changed, 136 insertions(+)

New commits:
commit c43454149eceb21e8b935d24c864b6e2ad577615
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sun Oct 13 19:44:11 2024 +0100
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Mon Oct 14 09:26:57 2024 +0200

    ofz#372757014 png_fp_sub Integer-overflow
    
    Change-Id: I0dfe44f8e8f20c137a12eafb4fa108d266f89370
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/174875
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    Tested-by: Jenkins

diff --git 
a/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
 
b/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
new file mode 100644
index 000000000000..90b4d385fadd
--- /dev/null
+++ 
b/external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
@@ -0,0 +1,99 @@
+From 65470ac86c9d479e18c58c181170163925b5f9a1 Mon Sep 17 00:00:00 2001
+From: John Bowler <jbow...@acm.org>
+Date: Sat, 12 Oct 2024 14:55:03 -0700
+Subject: [PATCH] fix: Avoid integer overflows in function `png_xy_from_XYZ`
+
+This is a cherry-picked of commit f45531cc141dc20dc7a4046bbe92270b1e799a5d
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta <ctr...@gmail.com>
+Signed-off-by: John Bowler <jbow...@acm.org>
+Signed-off-by: Cosmin Truta <ctr...@gmail.com>
+---
+ png.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/png.c b/png.c
+index 8cd0179a8..d99e2643b 100644
+--- a/png.c
++++ b/png.c
+@@ -1272,7 +1272,7 @@ png_safe_add(png_int_32 *addend0_and_result, png_int_32 
addend1,
+ static int
+ png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+ {
+-   png_int_32 d, dred, dgreen, dwhite, whiteX, whiteY;
++   png_int_32 d, dred, dgreen, dblue, dwhite, whiteX, whiteY;
+ 
+    /* 'd' in each of the blocks below is just X+Y+Z for each component,
+     * x, y and z are X,Y,Z/(X+Y+Z).
+@@ -1280,44 +1280,52 @@ png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
+    d = XYZ->red_X;
+    if (png_safe_add(&d, XYZ->red_Y, XYZ->red_Z))
+       return 1;
+-   if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
++   dred = d;
++   if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, dred) == 0)
+       return 1;
+-   if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
++   if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, dred) == 0)
+       return 1;
+-   dred = d;
+-   whiteX = XYZ->red_X;
+-   whiteY = XYZ->red_Y;
+ 
+    d = XYZ->green_X;
+    if (png_safe_add(&d, XYZ->green_Y, XYZ->green_Z))
+       return 1;
+-   if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
++   dgreen = d;
++   if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, dgreen) == 0)
+       return 1;
+-   if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
++   if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, dgreen) == 0)
+       return 1;
+-   dgreen = d;
+-   whiteX += XYZ->green_X;
+-   whiteY += XYZ->green_Y;
+ 
+    d = XYZ->blue_X;
+    if (png_safe_add(&d, XYZ->blue_Y, XYZ->blue_Z))
+       return 1;
+-   if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
++   dblue = d;
++   if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, dblue) == 0)
+       return 1;
+-   if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
++   if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, dblue) == 0)
+       return 1;
+-   whiteX += XYZ->blue_X;
+-   whiteY += XYZ->blue_Y;
+ 
+    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors 
so
+     * the fillowing calculates (X+Y+Z) of the reference white (media white,
+     * encoding white) itself:
+     */
++   d = dblue;
+    if (png_safe_add(&d, dred, dgreen))
+       return 1;
+-
+    dwhite = d;
+ 
++   /* Find the white X,Y values from the sum of the red, green and blue X,Y
++    * values.
++    */
++   d = XYZ->red_X;
++   if (png_safe_add(&d, XYZ->green_X, XYZ->blue_X))
++      return 1;
++   whiteX = d;
++
++   d = XYZ->red_Y;
++   if (png_safe_add(&d, XYZ->green_Y, XYZ->blue_Y))
++      return 1;
++   whiteY = d;
++
+    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
+       return 1;
+    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
+-- 
+2.46.1
+
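Review bot: In the added white-point block at the end of the second png.c hunk, each sum is built in the scratch variable `d` and then copied into `whiteX` / `whiteY`, so a reader has to track one reused name through five unrelated sums to confirm that every addition is checked. Accumulating directly into the named variable makes the guard obvious: `whiteX = XYZ->red_X; if (png_safe_add(&whiteX, XYZ->green_X, XYZ->blue_X)) return 1;`, and the same for `whiteY`. A one-line comment such as `/* png_safe_add returns non-zero when the 32-bit sum overflows */` would also help, assuming that is its contract, because every `return 1` in this function depends on it. The body of png_xy_from_XYZ continues past the last line of the hunk.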
diff --git 
a/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
 
b/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
new file mode 100644
index 000000000000..59a8ccc32c6d
--- /dev/null
+++ 
b/external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
@@ -0,0 +1,35 @@
+From f14d5fcd1efec749d0137162efbee6013757494b Mon Sep 17 00:00:00 2001
+From: John Bowler <jbow...@acm.org>
+Date: Thu, 10 Oct 2024 08:40:41 -0700
+Subject: [PATCH] [libpng16] fix: Correct the function `png_fp_sub` in png.c
+
+The code erroneously evaluated `addend0+addend1` in the case where
+`addend1` is less than zero.  The function is meant to subtract the
+second argument from the first.
+
+This is a cherry-pick of commit 79fd6d1edc8fe8c41ed58c6318bd57761d8f007e
+from branch 'libpng18'.
+
+Reviewed-by: Cosmin Truta <ctr...@gmail.com>
+Signed-off-by: John Bowler <jbow...@acm.org>
+Signed-off-by: Cosmin Truta <ctr...@gmail.com>
+---
+ png.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/png.c b/png.c
+index 8a1e2a451..240db5ab9 100644
+--- a/png.c
++++ b/png.c
+@@ -1241,7 +1241,7 @@ png_fp_sub(png_int_32 addend0, png_int_32 addend1, int 
*error)
+    else if (addend1 < 0)
+    {
+       if (0x7fffffff + addend1 >= addend0)
+-         return addend0+addend1;
++         return addend0-addend1;
+    }
+    else
+       return addend0;
+-- 
+2.46.1
+
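Review bot: The corrected line in png_fp_sub still sits in a subtract routine whose parameters are named `addend0` and `addend1`, which invites the sign mistake this patch fixes. A comment on the `addend1 < 0` branch would make the guard self-explanatory, for example `/* subtracting a negative value: only the upper bound can be exceeded */`. The function starts before the hunk, so the branch for positive `addend1` is not visible here. It is worth confirming that it checks the lower bound symmetrically, since the ofz report in the commit title suggests the arguments are reachable from file data.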
diff --git a/external/libpng/UnpackedTarball_libpng.mk 
b/external/libpng/UnpackedTarball_libpng.mk
index af17418daa6f..461b40931708 100644
--- a/external/libpng/UnpackedTarball_libpng.mk
+++ b/external/libpng/UnpackedTarball_libpng.mk
@@ -17,6 +17,8 @@ $(eval $(call gb_UnpackedTarball_add_files,libpng,.,\
 
 $(eval $(call gb_UnpackedTarball_add_patches,libpng,\
        external/libpng/0001-ACES-AP0-adjusted-fixes.patch.1 \
+       
external/libpng/0001-libpng16-fix-Correct-the-function-png_fp_sub-in-png.patch.1
 \
+       
external/libpng/0001-fix-Avoid-integer-overflows-in-function-png_xy_from_.patch.1
 \
 ))
 
 # vim: set noet sw=4 ts=4:
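Review bot: Nothing next to the two added entries records that they are upstream cherry-picks or when they can be removed, so they may outlive the libpng release that contains the fixes. A comment above the `gb_UnpackedTarball_add_patches` call would cover it, for example `# png_fp_sub / png_xy_from_XYZ patches: upstream libpng16 cherry-picks, drop on next libpng tarball update`. The two patch files also record different base blobs for png.c (`8a1e2a451..240db5ab9` and `8cd0179a8..d99e2643b`), which suggests upstream png.c changed between them. It is worth confirming that both apply without fuzz on top of the existing ACES patch in the listed order.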
