
Annotation of /trunk/cups/patches/cups-1.3.7-CVE-2008-1722.patch



Revision 570 - (hide annotations) (download)
Sun Apr 20 13:18:44 2008 UTC (16 years, 2 months ago) by niro
File size: 1752 byte(s)
-security fix

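--- a/filter/image-png.c
+++ b/filter/image-png.c
@@ -3,7 +3,7 @@
 *
 * PNG image routines for the Common UNIX Printing System (CUPS).
 *
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
 * Copyright 1993-2007 by Easy Software Products.
 *
 * These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@
 * Interlaced images must be loaded all at once...
 */
 
+ size_t bufsize; /* Size of buffer */
+
+
 if (color_type == PNG_COLOR_TYPE_GRAY ||
 color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
- in = malloc(img->xsize * img->ysize);
+ {
+ bufsize = img->xsize * img->ysize;
+
+ if ((bufsize / img->ysize) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
 else
- in = malloc(img->xsize * img->ysize * 3);
+ {
+ bufsize = img->xsize * img->ysize * 3;
+
+ if ((bufsize / (img->ysize * 3)) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
+
+ in = malloc(bufsize);
 }
 
 bpp = cupsImageGetDepth(img);
 out = malloc(img->xsize * bpp);
 
+ if (!in || !out)
+ {
+ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+ if (in)
+ free(in);
+
+ if (out)
+ free(out);
+
+ fclose(fp);
+
+ return (1);
+ }
+
 /*
 * Read the image, interlacing as needed...
 */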
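Review bot: The overflow test in the `else` branch divides by `img->ysize * 3`, and that divisor is computed in the same integer type as the product, so it can wrap as well; when it does, `bufsize / (img->ysize * 3)` can still equal `img->xsize` and an undersized buffer reaches `malloc(bufsize)`. Both branches also divide by `img->ysize` with no zero check visible in the hunk, and `out = malloc(img->xsize * bpp)` is still an unchecked multiplication. Bounding the operands before multiplying covers the first two, e.g. `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` taking the existing "too large" exit, followed by `bufsize = (size_t)img->xsize * img->ysize * 3;`. The field types, any earlier width/height validation, and the start and end of the enclosing function are outside the hunk, so confirm whether a prior dimension limit already rules these cases out.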