From f1cf3952da9fd9853754e2db9d44a1aee29c62e0 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: May 10 2019 09:43:43 +0000
Subject: Backport for #1708563, CVE-2019-8383 - denial of service in function adv_png_unfilter_8
---
diff --git a/advancecomp-CVE-2019-8383.patch b/advancecomp-CVE-2019-8383.patch
new file mode 100644
index 0000000..3a9b35e
--- /dev/null
+++ b/advancecomp-CVE-2019-8383.patch
@@ -0,0 +1,44 @@
+commit 78a56b21340157775be2462a19276b4d31d2bd01
+Author: Andrea Mazzoleni
+Date: Fri Jan 4 20:49:25 2019 +0100
+
+ Fix a buffer overflow caused by invalid images
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a..cbf140b 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ unsigned pixel;
+ unsigned width;
+ unsigned width_align;
++ unsigned scanline;
+ unsigned height;
+ unsigned depth;
+ int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ goto err_ptr;
+ }
+
+- *dat_size = height * (width_align * pixel + 1);
++ /* check for overflow */
++ if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ scanline = width_align * pixel + 1;
++
++ /* check for overflow */
++ if (scanline == 0 || height >= UINT_MAX / scanline) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ *dat_size = height * scanline;
+ *dat_ptr = malloc(*dat_size);
+- *pix_scanline = width_align * pixel + 1;
++ *pix_scanline = scanline;
+ *pix_ptr = *dat_ptr + 1;
+
+ z.zalloc = 0;
diff --git a/advancecomp.spec b/advancecomp.spec
index 14b0f99..c71e25b 100644
--- a/advancecomp.spec
+++ b/advancecomp.spec
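Review bot: The result of `malloc(*dat_size)` is used in `*pix_ptr = *dat_ptr + 1;` with no NULL check visible in the second lib/png.c hunk of the added patch, so an image whose dimensions pass both new overflow checks but still request a very large buffer can leave `*dat_ptr` NULL before it is passed on. The new checks bound the multiplication, not the allocation itself; a guard directly after the malloc would close that path, for example `if (*dat_ptr == NULL) { error_set("Low memory"); goto err_ptr; }` (message text is a placeholder). The body of adv_png_read_ihdr continues past `z.zalloc = 0;`, so such a check may already exist outside the hunk and should be confirmed against the full file. The added code also relies on `UINT_MAX` while the patch adds no `#include <limits.h>`; whether lib/png.c already includes it is not visible here.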
@@ -1,13 +1,15 @@ Name: advancecomp Version: 2.1 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Recompression utilities for png, mng, zip and gz files License: GPLv3 URL: http://www.advancemame.it/ Source0: https://github.com/amadvance/advancecomp/releases/download/v%{version}/advancecomp-%{version}.tar.gz +# CVE-2019-8383 advancecomp: denial of service in function adv_png_unfilter_8 +Patch0: advancecomp-CVE-2019-8383.patch # CVE-2019-9210 advancecomp: integer overflow in png_compress in pngex.cc -Patch0: advancecomp-CVE-2019-9210.patch +Patch1: advancecomp-CVE-2019-9210.patch BuildRequires: gcc gcc-c++ BuildRequires: tofrodos @@ -28,7 +30,8 @@ This package contains: %prep %setup -q -%patch0 -p1 -b .CVE-2019-9210 +%patch0 -p1 -b .CVE-2019-8383 +%patch1 -p1 -b .CVE-2019-9210 dos2unix -k doc/*.txt @@ -47,6 +50,9 @@ make install DESTDIR=%{buildroot} %{_mandir}/man1/* %changelog +* Fri May 10 2019 Than Ngo - 2.1-11 +- Backport for #1708563, CVE-2019-8383 - denial of service in function adv_png_unfilter_8 + * Wed Mar 06 2019 Than Ngo - 2.1-10 - Backport, fix a buffer overflow with image of invalid size