projects / openwrt / svn-archive / archive.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[packages] cups: add a bunch of security fixes in 8.09
[openwrt/svn-archive/archive.git] / net / cups / patches / 901-cve-2008-1722.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722
2
3 --- a/filter/image-png.c
4 +++ b/filter/image-png.c
5 @@ -3,7 +3,7 @@
6 *
7 * PNG image routines for the Common UNIX Printing System (CUPS).
8 *
9 - * Copyright 2007 by Apple Inc.
10 + * Copyright 2007-2008 by Apple Inc.
11 * Copyright 1993-2007 by Easy Software Products.
12 *
13 * These coded instructions, statements, and computer programs are the
14 @@ -170,16 +170,56 @@ _cupsImageReadPNG(
15 * Interlaced images must be loaded all at once...
16 */
17
18 + size_t bufsize; /* Size of buffer */
19 +
20 +
21 if (color_type == PNG_COLOR_TYPE_GRAY ||
22 color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
23 - in = malloc(img->xsize * img->ysize);
24 + {
25 + bufsize = img->xsize * img->ysize;
26 +
27 + if ((bufsize / img->ysize) != img->xsize)
28 + {
29 + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
30 + (unsigned)width, (unsigned)height);
31 + fclose(fp);
32 + return (1);
33 + }
34 + }
35 else
36 - in = malloc(img->xsize * img->ysize * 3);
37 + {
38 + bufsize = img->xsize * img->ysize * 3;
39 +
40 + if ((bufsize / (img->ysize * 3)) != img->xsize)
41 + {
42 + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
43 + (unsigned)width, (unsigned)height);
44 + fclose(fp);
45 + return (1);
46 + }
47 + }
48 +
49 + in = malloc(bufsize);
50 }
51
52 bpp = cupsImageGetDepth(img);
53 out = malloc(img->xsize * bpp);
54
55 + if (!in || !out)
56 + {
57 + fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
58 +
59 + if (in)
60 + free(in);
61 +
62 + if (out)
63 + free(out);
64 +
65 + fclose(fp);
66 +
67 + return (1);
68 + }
69 +
70 /*
71 * Read the image, interlacing as needed...
72 */
OpenWrt SVN history