+++ /dev/null
-diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
---- cups-1.3.7/filter/image-png.c.CVE-2008-1722 2007-07-11 22:46:42.000000000 +0100
-+++ cups-1.3.7/filter/image-png.c 2008-05-09 11:27:45.000000000 +0100
-@@ -3,7 +3,7 @@
- *
- * PNG image routines for the Common UNIX Printing System (CUPS).
- *
-- * Copyright 2007 by Apple Inc.
-+ * Copyright 2007-2008 by Apple Inc.
- * Copyright 1993-2007 by Easy Software Products.
- *
- * These coded instructions, statements, and computer programs are the
-@@ -170,16 +170,56 @@ _cupsImageReadPNG(
- * Interlaced images must be loaded all at once...
- */
-
-+ size_t bufsize; /* Size of buffer */
-+
-+
- if (color_type == PNG_COLOR_TYPE_GRAY ||
- color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-- in = malloc(img->xsize * img->ysize);
-+ {
-+ bufsize = img->xsize * img->ysize;
-+
-+ if ((bufsize / img->ysize) != img->xsize)
-+ {
-+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
-+ (unsigned)img->xsize, (unsigned)img->ysize);
-+ fclose(fp);
-+ return (1);
-+ }
-+ }
- else
-- in = malloc(img->xsize * img->ysize * 3);
-+ {
-+ bufsize = img->xsize * img->ysize * 3;
-+
-+ if ((bufsize / (img->ysize * 3)) != img->xsize)
-+ {
-+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
-+ (unsigned)img->xsize, (unsigned)img->ysize);
-+ fclose(fp);
-+ return (1);
-+ }
-+ }
-+
-+ in = malloc(bufsize);
- }
-
- bpp = cupsImageGetDepth(img);
- out = malloc(img->xsize * bpp);
-
-+ if (!in || !out)
-+ {
-+ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
-+
-+ if (in)
-+ free(in);
-+
-+ if (out)
-+ free(out);
-+
-+ fclose(fp);
-+
-+ return (1);
-+ }
-+
- /*
- * Read the image, interlacing as needed...
- */