path: root/libpng15-CVE-2013-6954.patch
blob: 43a1d46504bcb99b2a88c404c15ba7b2d2597373 (plain)
diff --git a/pngset.c b/pngset.c
index 4177e62..3876103 100644
--- a/pngset.c
+++ b/pngset.c
@@ -524,6 +524,16 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr,
          return;
       }
    }
+   if ((num_palette > 0 && palette == NULL) ||
+      (num_palette == 0
+ #       ifdef PNG_MNG_FEATURES_SUPPORTED
+            && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
+ #       endif
+      ))
+   {
+      png_error(png_ptr, "Invalid palette");
+      return;
+   }
 
    /* It may not actually be necessary to set png_ptr->palette here;
     * we do it for backward compatibility with the way the png_handle_tRNS
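Review bot: The added guard still lets `num_palette == 0` with `palette == NULL` through when PNG_MNG_FEATURES_SUPPORTED is defined and `PNG_FLAG_MNG_EMPTY_PLTE` is set in `mng_features_permitted`, so whatever follows this hunk must tolerate a NULL source pointer with a zero count. That code is not visible here; if it copies from `palette`, it should be confirmed safe or wrapped in `if (num_palette > 0)`. The check also has no comment, and the `#ifdef` inside the condition is hard to read without one; `/* Reject a NULL palette, and an empty one unless the MNG empty-PLTE feature is permitted */` above the `if` would state the intent. The single "Invalid palette" message covers both the NULL-pointer and the zero-length case, which makes a rejected file harder to diagnose. png_set_PLTE starts before and continues after the hunk.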