1 files changed, 34 insertions, 0 deletions

diff --git a/libpng15-CVE-2018-13785.patch b/libpng15-CVE-2018-13785.patch
new file mode 100644
index 0000000..32d8df7
--- /dev/null
+++ b/libpng15-CVE-2018-13785.patch
@@ -0,0 +1,34 @@
+From 1748e52e41b7bd8bde8cc917053c39bd6849c17d Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] Fix the calculation of row_factor in png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index d5a344d..1e90863 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -2839,10 +2839,13 @@ png_check_chunk_length(png_structp png_ptr, png_uint_32 length)
+    {
+       png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+       size_t row_factor =
+-         (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+-          + 1 + (png_ptr->interlaced? 6: 0));
++         (size_t)png_ptr->width
++         * (size_t)png_ptr->channels
++         * (png_ptr->bit_depth > 8? 2: 1)
++         + 1
++         + (png_ptr->interlaced? 6: 0);
+       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+-         idat_limit=PNG_UINT_31_MAX;
++         idat_limit = PNG_UINT_31_MAX;
+       else
+          idat_limit = png_ptr->height * row_factor;
+       row_factor = row_factor > 32566? 32566 : row_factor;
+-- 
+2.17.1
+