Annotation of /trunk/cups/patches/cups-1.3.7-CVE-2008-1722.patch
Parent Directory | Revision Log
Revision 570 -
(hide annotations)
(download)
Sun Apr 20 13:18:44 2008 UTC (16 years, 5 months ago) by niro
File size: 1752 byte(s)
Sun Apr 20 13:18:44 2008 UTC (16 years, 5 months ago) by niro
File size: 1752 byte(s)
-security fix
1 | niro | 570 | diff -Naur cups-1.3.7/filter/image-png.c cups-1.3.7.new/filter/image-png.c |
2 | --- cups-1.3.7/filter/image-png.c 2007-07-11 23:46:42.000000000 +0200 | ||
3 | +++ cups-1.3.7.new/filter/image-png.c 2008-04-14 15:48:56.641188980 +0200 | ||
4 | @@ -3,7 +3,7 @@ | ||
5 | * | ||
6 | * PNG image routines for the Common UNIX Printing System (CUPS). | ||
7 | * | ||
8 | - * Copyright 2007 by Apple Inc. | ||
9 | + * Copyright 2007-2008 by Apple Inc. | ||
10 | * Copyright 1993-2007 by Easy Software Products. | ||
11 | * | ||
12 | * These coded instructions, statements, and computer programs are the | ||
13 | @@ -170,16 +170,56 @@ | ||
14 | * Interlaced images must be loaded all at once... | ||
15 | */ | ||
16 | |||
17 | + size_t bufsize; /* Size of buffer */ | ||
18 | + | ||
19 | + | ||
20 | if (color_type == PNG_COLOR_TYPE_GRAY || | ||
21 | color_type == PNG_COLOR_TYPE_GRAY_ALPHA) | ||
22 | - in = malloc(img->xsize * img->ysize); | ||
23 | + { | ||
24 | + bufsize = img->xsize * img->ysize; | ||
25 | + | ||
26 | + if ((bufsize / img->ysize) != img->xsize) | ||
27 | + { | ||
28 | + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", | ||
29 | + (unsigned)width, (unsigned)height); | ||
30 | + fclose(fp); | ||
31 | + return (1); | ||
32 | + } | ||
33 | + } | ||
34 | else | ||
35 | - in = malloc(img->xsize * img->ysize * 3); | ||
36 | + { | ||
37 | + bufsize = img->xsize * img->ysize * 3; | ||
38 | + | ||
39 | + if ((bufsize / (img->ysize * 3)) != img->xsize) | ||
40 | + { | ||
41 | + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", | ||
42 | + (unsigned)width, (unsigned)height); | ||
43 | + fclose(fp); | ||
44 | + return (1); | ||
45 | + } | ||
46 | + } | ||
47 | + | ||
48 | + in = malloc(bufsize); | ||
49 | } | ||
50 | |||
51 | bpp = cupsImageGetDepth(img); | ||
52 | out = malloc(img->xsize * bpp); | ||
53 | |||
54 | + if (!in || !out) | ||
55 | + { | ||
56 | + fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr); | ||
57 | + | ||
58 | + if (in) | ||
59 | + free(in); | ||
60 | + | ||
61 | + if (out) | ||
62 | + free(out); | ||
63 | + | ||
64 | + fclose(fp); | ||
65 | + | ||
66 | + return (1); | ||
67 | + } | ||
68 | + | ||
69 | /* | ||
70 | * Read the image, interlacing as needed... | ||
71 | */ |