From 36220a694fe178bdbf0fe70153a54d7cee050984 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Mar 01 2019 16:20:36 +0000
Subject: fixed CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc
---
diff --git a/advancecomp-CVE-2019-9210.patch b/advancecomp-CVE-2019-9210.patch
new file mode 100644
index 0000000..5bb32a7
--- /dev/null
+++ b/advancecomp-CVE-2019-9210.patch
@@ -0,0 +1,85 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni
+Date: Fri Jan 4 20:49:48 2019 +0100
+
+ Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+
+ switch (type) {
+ case ADV_MNG_CN_MHDR :
++ if (size < 28) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ cout << " simplicity:" << be_uint32_read(data+24);
+ cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << ")";
+ break;
+ case ADV_MNG_CN_DHDR :
++ if (size < 4) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ switch (data[2]) {
+ case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_DEFI :
++ if (size < 2) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ if (size >= 3) {
+ switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_MOVE :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ switch (data[4]) {
+ case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ break;
+ case ADV_MNG_CN_PPLT :
++ if (size < 1) {
++ cout << " invalid chunk size";
++ break;
++ }
+ switch (data[0]) {
+ case 0 : cout << " type:replacement_rgb";
break;
+ case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ default : cout << " type:?"; break;
+ }
+ i = 1;
+- while (i - 2.1-9 +- fixed CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc + * Thu Jan 31 2019 Fedora Release Engineering - 2.1-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
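Review bot: The subject and changelog entry name an integer overflow in `png_compress`, but every visible hunk of the embedded upstream patch only adds `size` guards inside `png_print_chunk` (for example `if (size < 28)` before the `be_uint32_read(data+24)` read), and its own message reads "Fix a buffer overflow caused by invalid chunks". The tail of the 85-line patch is lost in this rendering, so a `png_compress` change may sit out of view, but as shown the CVE-named code path looks untouched and the package could be marked fixed while still exposed to malformed input. Please confirm against the upstream history that commit 7894a6e6 is the fix for CVE-2019-9210, and add the `png_compress` fix if it is a separate commit. Recording the backported upstream commit in the changelog entry, e.g. `- fixed CVE-2019-9210 (backport of upstream 7894a6e6)`, would make the CVE-to-patch mapping auditable.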