SOURCES: cups-CVE-2008-1722.patch (NEW) - fix CVE-2008-1722 (integer overfl...
charles
charles at pld-linux.org
Wed May 14 15:59:23 CEST 2008
Author: charles Date: Wed May 14 13:59:23 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- fix CVE-2008-1722 (integer overflow in image filter - STR #2790)
---- Files affected:
SOURCES:
cups-CVE-2008-1722.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/cups-CVE-2008-1722.patch
diff -u /dev/null SOURCES/cups-CVE-2008-1722.patch:1.1
--- /dev/null Wed May 14 15:59:23 2008
+++ SOURCES/cups-CVE-2008-1722.patch Wed May 14 15:59:18 2008
@@ -0,0 +1,71 @@
+diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
+--- cups-1.3.7/filter/image-png.c.CVE-2008-1722 2007-07-11 22:46:42.000000000 +0100
++++ cups-1.3.7/filter/image-png.c 2008-05-09 11:27:45.000000000 +0100
+@@ -3,7 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@ _cupsImageReadPNG(
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)img->xsize, (unsigned)img->ysize);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)img->xsize, (unsigned)img->ysize);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */
================================================================
More information about the pld-cvs-commit
mailing list