From b56b8f789680e790f9ecb71134781270162ce407 Mon Sep 17 00:00:00 2001
From: jow
Date: Sat, 18 Feb 2012 19:14:44 +0000
Subject: [PATCH] [packages_10.03.2] merge r30633
git-svn-id: svn://svn.openwrt.org/openwrt/branches/packages_10.03.2@30634 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 libs/libpng/Makefile | 4 +--
 libs/libpng/patches/200-CVE-2011-3026.patch | 40 +++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 libs/libpng/patches/200-CVE-2011-3026.patch
diff --git a/libs/libpng/Makefile b/libs/libpng/Makefile
index fb7dc80..43a1e6a 100644
--- a/libs/libpng/Makefile
+++ b/libs/libpng/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2011 OpenWrt.org
+# Copyright (C) 2006-2012 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=libpng
 PKG_VERSION:=1.2.46
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/libpng
diff --git a/libs/libpng/patches/200-CVE-2011-3026.patch b/libs/libpng/patches/200-CVE-2011-3026.patch
new file mode 100644
index 0000000..beb0d60
--- /dev/null
+++ b/libs/libpng/patches/200-CVE-2011-3026.patch
@@ -0,0 +1,40 @@
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -339,15 +339,18 @@ png_decompress_chunk(png_structp png_ptr
+ /* Now check the limits on this chunk - if the limit fails the
+ * compressed data will be removed, the prefix will remain.
+ */
++ if (prefix_size >= (~(png_size_t)0) - 1 ||
++ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
+ #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
+- if (png_ptr->user_chunk_malloc_max &&
++ || (png_ptr->user_chunk_malloc_max &&
+ (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
+ #else
+ # ifdef PNG_USER_CHUNK_MALLOC_MAX
+- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
++ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+ prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
+ # endif
+ #endif
++ )
+ png_warning(png_ptr, "Exceeded size limit while expanding chunk");
+
+ /* If the size is zero either there was an error and a message
+@@ -355,14 +358,11 @@ png_decompress_chunk(png_structp png_ptr
+ * and we have nothing to do - the code will exit through the
+ * error case below.
+ */
+-#if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
+- defined(PNG_USER_CHUNK_MALLOC_MAX)
+- else
+-#endif
+- if (expanded_size > 0)
++ else if (expanded_size > 0)
+ {
+ /* Success (maybe) - really uncompress the chunk. */
+ png_size_t new_size = 0;
++
+ png_charp text = png_malloc_warn(png_ptr,
+ prefix_size + expanded_size + 1);
+
--
2.11.0
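Review bot: The two new guards at the head of the `if` in png_decompress_chunk are what keep every later `prefix_size + expanded_size` from wrapping (both limit branches and the `png_malloc_warn` size argument), yet nothing in the patched code records that their position and the short-circuit `||` are load-bearing. I would add above the condition: `/* Overflow guards first: the limit tests and the allocation below add prefix_size + expanded_size (+ 1) and rely on these having already rejected sums that would wrap png_size_t. */`. The `(~(png_size_t)0)` idiom also assumes png_size_t is unsigned; if this libpng version's headers provide a maximum-size constant, using it would state the intent more directly, which is worth confirming before changing. The patch file opens straight at `--- a/pngrutil.c`, so a short header naming what it fixes and where it was taken from (`<upstream reference>`) would help whoever next bumps PKG_VERSION decide whether it can be dropped. The function body starts and ends outside both inner hunks.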