SOURCES: cups-CVE-2008-1722.patch (NEW) - fix CVE-2008-1722 (integer overfl...

charles charles at pld-linux.org
Wed May 14 15:59:23 CEST 2008 

Author: charles                      Date: Wed May 14 13:59:23 2008 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix CVE-2008-1722 (integer overflow in image filter - STR #2790)

---- Files affected:
SOURCES:
   cups-CVE-2008-1722.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/cups-CVE-2008-1722.patch
diff -u /dev/null SOURCES/cups-CVE-2008-1722.patch:1.1
--- /dev/null	Wed May 14 15:59:23 2008
+++ SOURCES/cups-CVE-2008-1722.patch	Wed May 14 15:59:18 2008
@@ -0,0 +1,71 @@
+diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
+--- cups-1.3.7/filter/image-png.c.CVE-2008-1722	2007-07-11 22:46:42.000000000 +0100
++++ cups-1.3.7/filter/image-png.c	2008-05-09 11:27:45.000000000 +0100
+@@ -3,7 +3,7 @@
+  *
+  *   PNG image routines for the Common UNIX Printing System (CUPS).
+  *
+- *   Copyright 2007 by Apple Inc.
++ *   Copyright 2007-2008 by Apple Inc.
+  *   Copyright 1993-2007 by Easy Software Products.
+  *
+  *   These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@ _cupsImageReadPNG(
+     * Interlaced images must be loaded all at once...
+     */
+ 
++    size_t bufsize;			/* Size of buffer */
++
++
+     if (color_type == PNG_COLOR_TYPE_GRAY ||
+ 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+-      in = malloc(img->xsize * img->ysize);
++    {
++      bufsize = img->xsize * img->ysize;
++
++      if ((bufsize / img->ysize) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)img->xsize, (unsigned)img->ysize);
++	fclose(fp);
++	return (1);
++      }
++    }
+     else
+-      in = malloc(img->xsize * img->ysize * 3);
++    {
++      bufsize = img->xsize * img->ysize * 3;
++
++      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)img->xsize, (unsigned)img->ysize);
++	fclose(fp);
++	return (1);
++      }
++    }
++
++    in = malloc(bufsize);
+   }
+ 
+   bpp = cupsImageGetDepth(img);
+   out = malloc(img->xsize * bpp);
+ 
++  if (!in || !out)
++  {
++    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++    if (in)
++      free(in);
++
++    if (out)
++      free(out);
++
++    fclose(fp);
++
++    return (1);
++  }
++
+  /*
+   * Read the image, interlacing as needed...
+   */
================================================================

More information about the pld-cvs-commit mailing list