[xulrunner/f15] Added fix for mozbz#727401

[Martin Stransky]

commit b01ac6acd67d5133e6e9d57917c1995cf12058f0
Author: Martin Stransky <stransky at redhat.com>
Date:   Thu Feb 16 12:43:58 2012 +0100

    Added fix for mozbz#727401

 mozilla-727401.patch |   38 ++++++++++++++++++++++++++++++++++++++
 xulrunner.spec       |    8 ++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
---
diff --git a/mozilla-727401.patch b/mozilla-727401.patch
new file mode 100644
index 0000000..df7ff6d
--- /dev/null
+++ b/mozilla-727401.patch
@@ -0,0 +1,38 @@
+# HG changeset patch
+# User Benjamin Smedberg <benjamin at smedbergs.us>
+# Date 1329314881 18000
+# Node ID 355163c56ea5ad5037ac6da754252aaea67d2217
+# Parent  81f6b9cbb2a92ac08d1ccc0c1b44d6a5c28f6e2a
+Bug 727401 - import libpng overflow patch from http://codereview.chromium.org/9363013
+
+diff --git a/media/libpng/pngrutil.c b/media/libpng/pngrutil.c
+--- a/media/libpng/pngrutil.c
++++ b/media/libpng/pngrutil.c
+@@ -396,18 +396,25 @@ png_decompress_chunk(png_structp png_ptr
+ #if defined(PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED) || \
+     defined(PNG_USER_CHUNK_MALLOC_MAX)
+       else
+ #endif
+       if (expanded_size > 0)
+       {
+          /* Success (maybe) - really uncompress the chunk. */
+          png_size_t new_size = 0;
+-         png_charp text = png_malloc_warn(png_ptr,
+-                        prefix_size + expanded_size + 1);
++         png_charp text = NULL;
++         /* Need to check for both truncation (64-bit platforms) and integer
++          * overflow.
++          */
++         if (prefix_size + expanded_size > prefix_size &&
++             prefix_size + expanded_size < 0xffffffffU)
++         {
++            text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
++         }
+ 
+          if (text != NULL)
+          {
+             png_memcpy(text, png_ptr->chunkdata, prefix_size);
+             new_size = png_inflate(png_ptr,
+                 (png_bytep)(png_ptr->chunkdata + prefix_size),
+                 chunklength - prefix_size,
+                 (png_bytep)(text + prefix_size), expanded_size);
diff --git a/xulrunner.spec b/xulrunner.spec
index 49da3f8..cea743f 100644
--- a/xulrunner.spec
+++ b/xulrunner.spec
@@ -61,7 +61,7 @@
 Summary:        XUL Runtime for Gecko Applications
 Name:           xulrunner
 Version:        10.0.1
-Release:        2%{?pre_tag}%{?dist}
+Release:        3%{?pre_tag}%{?dist}
 URL:            http://developer.mozilla.org/En/XULRunner
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 Group:          Applications/Internet
@@ -99,7 +99,7 @@ Patch43:        mozilla-file.patch
 # Needed to detect/use libvpx-1.0.0
 # https://bugzilla.mozilla.org/show_bug.cgi?id=722127
 Patch44:	mozilla-722127.patch
-
+Patch45:	mozilla-727401.patch
 
 # ---------------------------------------------------
 
@@ -232,6 +232,7 @@ sed -e 's/__RPM_VERSION_INTERNAL__/%{gecko_dir_ver}/' %{P:%%PATCH0} \
 %patch42 -p1 -b .706724
 %patch43 -p1 -b .file
 %patch44 -p2 -b .vpx1.0.0
+%patch45 -p1 -b .727401
 
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -458,6 +459,9 @@ fi
 #---------------------------------------------------------------------
 
 %changelog
+* Tue Feb 16 2012 Martin Stransky <stransky at redhat.com> - 10.0.1-3
+- Added fix for mozbz#727401
+
 * Tue Feb 14 2012 Martin Stransky <stransky at redhat.com> - 10.0.1-2
 - Allow network manager to handle the offline status