Contents of /trunk/cups/patches/cups-1.3.7-CVE-2008-1722.patch
Revision 570 -
Sun Apr 20 13:18:44 2008 UTC (16 years, 5 months ago) by niro
File size: 1752 byte(s)
-security fix
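--- a/filter/image-png.c
+++ b/filter/image-png.c
@@ -3,7 +3,7 @@
  *
  * PNG image routines for the Common UNIX Printing System (CUPS).
  *
- * Copyright 2007 by Apple Inc.
+ * Copyright 2007-2008 by Apple Inc.
  * Copyright 1993-2007 by Easy Software Products.
  *
  * These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@
  * Interlaced images must be loaded all at once...
  */
 
+ size_t bufsize; /* Size of buffer */
+
+
  if (color_type == PNG_COLOR_TYPE_GRAY ||
  color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
- in = malloc(img->xsize * img->ysize);
+ {
+ bufsize = img->xsize * img->ysize;
+
+ if ((bufsize / img->ysize) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
  else
- in = malloc(img->xsize * img->ysize * 3);
+ {
+ bufsize = img->xsize * img->ysize * 3;
+
+ if ((bufsize / (img->ysize * 3)) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
+
+ in = malloc(bufsize);
  }
 
  bpp = cupsImageGetDepth(img);
  out = malloc(img->xsize * bpp);
 
+ if (!in || !out)
+ {
+ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+ if (in)
+ free(in);
+
+ if (out)
+ free(out);
+
+ fclose(fp);
+
+ return (1);
+ }
+
  /*
  * Read the image, interlacing as needed...
  */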
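Review bot: The RGB-branch guard `(bufsize / (img->ysize * 3)) != img->xsize` divides by `img->ysize * 3`, which is itself an unchecked multiplication, so the check is only sound if an earlier bound (not visible in this hunk) keeps `img->ysize * 3` from wrapping and `img->ysize` from being zero. Both products are also evaluated in the operands' own type before being stored in `bufsize`; if the dimension fields are narrower than `size_t` (their declarations are outside the hunk), the wider variable adds no headroom. A pre-multiplication test such as `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` followed by `bufsize = (size_t)img->xsize * img->ysize * 3;` avoids reasoning from an already-wrapped value, and the grayscale branch can use the same form without the `/ 3`. The unchanged `malloc(img->xsize * bpp)` for `out` has the same unchecked shape, although its result is now NULL-checked. The enclosing function begins and ends outside the hunk, so whether the new early `return (1)` paths release decoder state allocated earlier cannot be confirmed from here.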