2 ===================================================================
3 RCS file: /development/cvs/cups/cgi-bin/var.c,v
4 retrieving revision 1.21
5 retrieving revision 1.22
7 --- cgi-bin/var.c 2002/01/02 17:58:37 1.21
8 +++ cgi-bin/var.c 2002/12/12 20:56:29 1.22
10 var_t *var; /* Returned variable */
13 - if (name == NULL || value == NULL || element < 0)
14 + if (name == NULL || value == NULL || element < 0 || element > 100000)
17 if ((var = cgi_find_variable(name)) == NULL)
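Review bot: The bound `100000` is written as a bare literal in all three added checks in this file (the two `element > 100000` tests and the `size > 100000` test), with no comment saying what it protects. A single named limit, for example `#define CGI_MAX_ELEMENTS 100000 /* Largest array index accepted from form data */` (the name is only a suggestion), would keep the three checks in step and record the reason for the value. The functions these conditions belong to start and end outside the hunks, so whether a rejected call is reported or silently ignored cannot be seen here.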
19 var_t *var; /* Returned variable */
22 - if (name == NULL || size < 0)
23 + if (name == NULL || size < 0 || size > 100000)
26 if ((var = cgi_find_variable(name)) == NULL)
28 var_t *var; /* New variable */
31 - if (name == NULL || value == NULL)
32 + if (name == NULL || value == NULL || element < 0 || element > 100000)
36 Index: conf/cupsd.conf.in
37 ===================================================================
38 RCS file: /development/cvs/cups/conf/cupsd.conf.in,v
39 retrieving revision 1.7
40 retrieving revision 1.8
42 --- conf/cupsd.conf.in.orig 2001-09-14 18:52:05.000000000 +0200
43 +++ conf/cupsd.conf.in 2002-12-17 13:36:34.000000000 +0100
48 +# MaxClientsPerHost: controls the maximum number of simultaneous clients that
49 +# will be handled from a specific host. Defaults to 10 or 1/10th of the
50 +# MaxClients setting, whichever is larger. A value of 0 specifies the
51 +# automatic (10 or 1/10th) setting.
57 # MaxRequestSize: controls the maximum size of HTTP requests and print files.
58 # Set to 0 to disable this feature (defaults to 0.)
61 ===================================================================
62 RCS file: /development/cvs/cups/cups/http.c,v
63 retrieving revision 1.105
64 retrieving revision 1.107
65 diff -u -r1.105 -r1.107
66 --- cups/http.c 2002/10/30 20:04:56 1.105
67 +++ cups/http.c 2002/12/12 21:44:42 1.107
71 http->data_remaining = strtol(len, NULL, 16);
72 + if (http->data_remaining < 0)
74 + DEBUG_puts("httpRead: Negative chunk length!");
79 DEBUG_printf(("httpRead: data_remaining = %d\n", http->data_remaining));
81 - if (http->data_remaining == 0)
82 + if (http->data_remaining <= 0)
85 * A zero-length chunk ends a transfer; unless we are reading POST
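Review bot: The chunk length above the new check is still parsed with `strtol(len, NULL, 16)`, so a chunk-size line with no hex digits yields 0 and is handled as the terminating chunk, and an out-of-range value goes undetected. `data_remaining` is printed with `%d`, which suggests it is an `int`; if so, on platforms where `long` is wider a large length is narrowed on assignment, and only the results that happen to come out negative are caught by `< 0`. Parsing into a local first would close both gaps: `long v = strtol(len, &end, 16);` followed by `if (end == len || v < 0 || v > INT_MAX)` before the assignment. httpRead's body continues outside the hunk.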
86 Index: filter/image-bmp.c
87 ===================================================================
88 RCS file: /development/cvs/cups/filter/image-bmp.c,v
89 retrieving revision 1.8
90 retrieving revision 1.9
92 --- filter/image-bmp.c 2002/04/19 16:17:26 1.8
93 +++ filter/image-bmp.c 2002/12/13 15:52:20 1.9
96 offset = read_dword(fp);
98 - fprintf(stderr, "offset = %d\n", offset);
99 + fprintf(stderr, "DEBUG: offset = %d\n", offset);
103 + fprintf(stderr, "ERROR: Bad BMP offset %d\n", offset);
109 * Then the bitmap information...
111 @@ -123,15 +130,34 @@
112 colors_used = read_dword(fp);
113 colors_important = read_dword(fp);
115 + if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
116 + img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
117 + (depth != 1 && depth != 4 && depth != 8 && depth != 24))
119 + fprintf(stderr, "ERROR: Bad BMP dimensions %ux%ux%d\n",
120 + img->xsize, img->ysize, depth);
125 + if (colors_used < 0 || colors_used > 256)
127 + fprintf(stderr, "ERROR: Bad BMP colormap size %d\n", colors_used);
132 + if (img->xppi == 0 || img->yppi == 0)
134 + fprintf(stderr, "ERROR: Bad BMP resolution %dx%d PPI.\n",
135 + img->xppi, img->yppi);
136 + img->xppi = img->yppi = 128;
140 * Make sure the resolution info is valid...
143 - if (img->xppi == 0)
145 - if (img->yppi == 0)
148 fprintf(stderr, "info_size = %d, xsize = %d, ysize = %d, planes = %d, depth = %d\n",
149 info_size, img->xsize, img->ysize, planes, depth);
150 fprintf(stderr, "compression = %d, image_size = %d, xppi = %d, yppi = %d\n",
152 if (colors_used == 0 && depth <= 8)
153 colors_used = 1 << depth;
155 - fread(colormap, colors_used, 4, fp);
156 + if (colors_used > 0)
157 + fread(colormap, colors_used, 4, fp);
160 * Setup image and buffers...
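Review bot: The guarded `fread(colormap, colors_used, 4, fp)` still ignores its return value, so a file that ends inside the palette leaves part of `colormap` unfilled and decoding carries on with whatever the array held. The call passes `colors_used` as the element size and 4 as the count, so a complete read returns 4. `if (colors_used > 0 && fread(colormap, colors_used, 4, fp) < 4)`, followed by the same bail-out the other new checks use (not fully visible here), would reject the truncated file. The two context `fprintf` lines that print `info_size = ...` and `compression = ...` also still lack the `DEBUG:` prefix that this patch adds to the `offset` message. The enclosing function starts and ends outside the hunk.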
164 Index: filter/image-gif.c
165 ===================================================================
166 RCS file: /development/cvs/cups/filter/image-gif.c,v
167 retrieving revision 1.13
168 retrieving revision 1.15
169 diff -u -r1.13 -r1.15
170 --- filter/image-gif.c 2002/11/27 04:43:53 1.13
171 +++ filter/image-gif.c 2002/12/13 15:52:20 1.15
173 img->xsize = (buf[5] << 8) | buf[4];
174 img->ysize = (buf[7] << 8) | buf[6];
177 + * Check the dimensions of the image; since the dimensions are
178 + * a 16-bit integer we just need to check for 0...
181 + if (img->xsize == 0 || img->ysize == 0)
183 + fprintf(stderr, "ERROR: Bad GIF image dimensions: %dx%d\n",
184 + img->xsize, img->ysize);
189 i = gif_read_image(fp, img, cmap, buf[8] & GIF_INTERLACE);
192 Index: filter/image-jpeg.c
193 ===================================================================
194 RCS file: /development/cvs/cups/filter/image-jpeg.c,v
195 retrieving revision 1.15
196 retrieving revision 1.16
197 diff -u -r1.15 -r1.16
198 --- filter/image-jpeg.c 2002/04/19 16:17:26 1.15
199 +++ filter/image-jpeg.c 2002/12/13 15:52:20 1.16
202 jpeg_calc_output_dimensions(&cinfo);
204 + if (cinfo.output_width <= 0 || cinfo.output_width > IMAGE_MAX_WIDTH ||
205 + cinfo.output_height <= 0 || cinfo.output_height > IMAGE_MAX_HEIGHT)
207 + fprintf(stderr, "ERROR: Bad JPEG dimensions %dx%d!\n",
208 + cinfo.output_width, cinfo.output_height);
210 + jpeg_destroy_decompress(&cinfo);
216 img->xsize = cinfo.output_width;
217 img->ysize = cinfo.output_height;
220 img->xppi = (int)((float)cinfo.X_density * 2.54);
221 img->yppi = (int)((float)cinfo.Y_density * 2.54);
224 + if (img->xppi == 0 || img->yppi == 0)
226 + fprintf(stderr, "ERROR: Bad JPEG image resolution %dx%d PPI.\n",
227 + img->xppi, img->yppi);
228 + img->xppi = img->yppi = 128;
232 fprintf(stderr, "DEBUG: JPEG image %dx%dx%d, %dx%d PPI\n",
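Review bot: The new dimension test uses `cinfo.output_width <= 0` and `cinfo.output_height <= 0`, but libjpeg declares both fields as the unsigned `JDIMENSION`, so `<= 0` can only ever mean `== 0`. The `%dx%d` in the error message will also print very large values as negative numbers. Writing `== 0` and using `%ux%u` with `(unsigned)` casts, as the PNG check in this patch does, states the intent and keeps the log line readable. The enclosing function starts and ends outside the hunk.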
233 Index: filter/image-pix.c
234 ===================================================================
235 RCS file: /development/cvs/cups/filter/image-pix.c,v
236 retrieving revision 1.6
237 retrieving revision 1.7
239 --- filter/image-pix.c 2002/04/19 16:17:27 1.6
240 +++ filter/image-pix.c 2002/12/13 15:52:20 1.7
243 depth = read_short(fp);
246 + * Check the dimensions of the image. Since the short values used for the
247 + * width and height cannot exceed IMAGE_MAX_WIDTH or IMAGE_MAX_HEIGHT, we
248 + * just need to verify they are positive integers.
251 + if (width <= 0 || height <= 0 ||
252 + (depth != 8 && depth != 24))
254 + fprintf(stderr, "ERROR: Bad PIX image dimensions %dx%dx%d\n",
255 + width, height, depth);
261 img->colorspace = secondary;
263 Index: filter/image-png.c
264 ===================================================================
265 RCS file: /development/cvs/cups/filter/image-png.c,v
266 retrieving revision 1.14
267 retrieving revision 1.15
268 diff -u -r1.14 -r1.15
269 --- filter/image-png.c 2002/04/19 16:17:27 1.14
270 +++ filter/image-png.c 2002/12/13 15:52:20 1.15
273 img->colorspace = (primary == IMAGE_RGB_CMYK) ? IMAGE_RGB : primary;
275 + if (info->width == 0 || info->width > IMAGE_MAX_WIDTH ||
276 + info->height == 0 || info->height > IMAGE_MAX_HEIGHT)
278 + fprintf(stderr, "ERROR: PNG image has invalid dimensions %ux%u!\n",
279 + (unsigned)info->width, (unsigned)info->height);
284 img->xsize = info->width;
285 img->ysize = info->height;
289 img->xppi = (int)((float)info->x_pixels_per_unit * 0.0254);
290 img->yppi = (int)((float)info->y_pixels_per_unit * 0.0254);
292 + if (img->xppi == 0 || img->yppi == 0)
294 + fprintf(stderr, "ERROR: PNG image has invalid resolution %dx%d PPI\n",
295 + img->xppi, img->yppi);
297 + img->xppi = img->yppi = 128;
301 ImageSetMaxTiles(img, 0);
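Review bot: The resolution fallback logs with the `ERROR:` prefix and then carries on with `img->xppi = img->yppi = 128`, so a recovered condition is reported at the same level as the dimension check that rejects the file. The same pattern appears in the BMP, JPEG and TIFF hunks of this patch. A file that carries no resolution metadata would presumably reach this branch, so a lower level fits better, e.g. the format string `"WARNING: PNG image has invalid resolution %dx%d PPI\n"`. A short comment such as `/* No usable resolution in the file; fall back to 128 PPI */` would also explain the number, which is repeated in four loaders.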
302 Index: filter/image-pnm.c
303 ===================================================================
304 RCS file: /development/cvs/cups/filter/image-pnm.c,v
305 retrieving revision 1.10
306 retrieving revision 1.11
307 diff -u -r1.10 -r1.11
308 --- filter/image-pnm.c 2002/04/19 16:17:27 1.10
309 +++ filter/image-pnm.c 2002/12/13 15:52:20 1.11
314 + if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
315 + img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT)
317 + fprintf(stderr, "ERROR: Bad PNM dimensions %dx%d!\n",
318 + img->xsize, img->ysize);
325 + fprintf(stderr, "ERROR: Bad PNM max value %d!\n", maxval);
330 if (format == 1 || format == 2 || format == 4 || format == 5)
331 img->colorspace = secondary;
333 Index: filter/image-sgi.c
334 ===================================================================
335 RCS file: /development/cvs/cups/filter/image-sgi.c,v
336 retrieving revision 1.11
337 retrieving revision 1.12
338 diff -u -r1.11 -r1.12
339 --- filter/image-sgi.c 2002/04/19 16:17:27 1.11
340 +++ filter/image-sgi.c 2002/12/13 15:52:20 1.12
342 * Get the image dimensions and load the output image...
346 + * Check the image dimensions; since xsize and ysize are unsigned shorts,
347 + * just check if they are 0 since they can't exceed IMAGE_MAX_WIDTH or
348 + * IMAGE_MAX_HEIGHT...
351 + if (sgip->xsize == 0 || sgip->ysize == 0 ||
352 + sgip->zsize == 0 || sgip->zsize > 4)
354 + fprintf(stderr, "ERROR: Bad SGI image dimensions %ux%ux%u!\n",
355 + sgip->xsize, sgip->ysize, sgip->zsize);
362 img->colorspace = secondary;
364 Index: filter/image-sun.c
365 ===================================================================
366 RCS file: /development/cvs/cups/filter/image-sun.c,v
367 retrieving revision 1.12
368 retrieving revision 1.14
369 diff -u -r1.12 -r1.14
370 --- filter/image-sun.c 2002/10/22 18:43:45 1.12
371 +++ filter/image-sun.c 2002/12/13 15:52:20 1.14
373 fprintf(stderr, "DEBUG: ras_width=%d, ras_height=%d, ras_depth=%d, ras_type=%d, ras_maplength=%d\n",
374 img->xsize, img->ysize, ras_depth, ras_type, ras_maplength);
376 + if (ras_maplength > 768 ||
377 + img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
378 + img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
379 + ras_depth == 0 || ras_depth > 32)
381 + fputs("ERROR: Raster image cannot be loaded!\n", stderr);
385 if (ras_maplength > 0)
387 memset(cmap[0], 255, sizeof(cmap[0]));
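Review bot: The new test accepts every `ras_depth` from 1 to 32, whereas the BMP and TIFF checks added in the same patch list the exact depths they decode. If the loader only handles a few depths, naming them in the condition would stop values such as 7 or 17 from reaching the row-size arithmetic; the decode code is outside this hunk, so the supported set has to be confirmed there. The literal `768` would read better as a value derived from the colormap buffer it protects, for example `sizeof(cmap)` if that is the buffer being filled. The error message could also print the offending values, as the other loaders do.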
388 Index: filter/image-tiff.c
389 ===================================================================
390 RCS file: /development/cvs/cups/filter/image-tiff.c,v
391 retrieving revision 1.23
392 retrieving revision 1.24
393 diff -u -r1.23 -r1.24
394 --- filter/image-tiff.c 2002/04/19 16:17:27 1.23
395 +++ filter/image-tiff.c 2002/12/13 15:52:21 1.24
400 + if (img->xppi == 0 || img->yppi == 0)
402 + fputs("ERROR: Bad TIFF resolution.\n", stderr);
403 + img->xppi = img->yppi = 128;
406 fprintf(stderr, "DEBUG: TIFF resolution = %fx%f, units=%d\n",
407 xres, yres, resunit);
408 fprintf(stderr, "DEBUG: Stored resolution = %dx%d PPI\n",
413 + * Check the size of the image...
416 + if (width == 0 || width > IMAGE_MAX_WIDTH ||
417 + height == 0 || height > IMAGE_MAX_HEIGHT ||
418 + (bits != 1 && bits != 2 && bits != 4 && bits != 8) ||
419 + samples < 1 || samples > 4)
421 + fprintf(stderr, "ERROR: Bad TIFF dimensions %ux%ux%ux%u!\n",
422 + (unsigned)width, (unsigned)height, (unsigned)bits,
423 + (unsigned)samples);
430 * Setup the image size and colorspace...
433 Index: filter/image-zoom.c
434 ===================================================================
435 RCS file: /development/cvs/cups/filter/image-zoom.c,v
436 retrieving revision 1.10
437 retrieving revision 1.11
438 diff -u -r1.10 -r1.11
439 --- filter/image-zoom.c 2002/08/27 16:19:38 1.10
440 +++ filter/image-zoom.c 2002/12/13 15:52:21 1.11
442 int flip; /* Flip on X axis? */
445 + if (xsize > IMAGE_MAX_WIDTH ||
446 + ysize > IMAGE_MAX_HEIGHT ||
447 + (x1 - x0) > IMAGE_MAX_WIDTH ||
448 + (y1 - y0) > IMAGE_MAX_HEIGHT)
449 + return (NULL); /* Protect against integer overflow */
451 if ((z = (izoom_t *)calloc(1, sizeof(izoom_t))) == NULL)
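Review bot: The added guard only checks upper bounds, so a zero or negative `xsize` or `ysize` and a negative `x1 - x0` or `y1 - y0` still pass. If the coordinates are signed, the subtractions themselves can overflow before they are compared. Adding `xsize <= 0 || ysize <= 0 ||` to the condition covers the sizes; for the coordinate pairs, comparing `x0` and `x1` against the limits individually before subtracting avoids relying on the difference. The parameter declarations and the rest of the function are outside the hunk, so the types and any legitimate reversed ranges need to be confirmed there.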
454 Index: filter/image.h
455 ===================================================================
456 RCS file: /development/cvs/cups/filter/image.h,v
457 retrieving revision 1.15
458 retrieving revision 1.16
459 diff -u -r1.15 -r1.16
460 --- filter/image.h 2002/04/29 15:56:58 1.15
461 +++ filter/image.h 2002/12/13 15:52:21 1.16
466 + * Maximum image dimensions that we can handle...
469 +# define IMAGE_MAX_WIDTH 0x07ffffff /* 2^27-1 to allow for 15-channel data */
470 +# define IMAGE_MAX_HEIGHT 0x7fffffff /* 2^31-1 */
477 # define IMAGE_RGB 3 /* Red, green, and blue */
478 # define IMAGE_RGB_CMYK 4 /* Use RGB or CMYK */
482 * Tile definitions...
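Review bot: `IMAGE_MAX_HEIGHT` is set to `0x7fffffff`, the largest value a signed 32-bit integer can hold, so the `> IMAGE_MAX_HEIGHT` tests added to the loaders reject nothing wherever the height is stored in an `int`. The width limit is sized so that width times 15 channels fits in 31 bits, but nothing here bounds width times height. Any buffer size computed from both dimensions can therefore still wrap. A smaller height limit would make the protection explicit, as would a comment next to the defines such as `/* Callers must still check xsize * ysize * depth before allocating */`. The allocation sites are not part of this hunk.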
484 Index: scheduler/client.c
485 ===================================================================
486 RCS file: /development/cvs/cups/scheduler/client.c,v
487 retrieving revision 1.128
488 retrieving revision 1.130
489 diff -u -r1.128 -r1.130
490 --- scheduler/client.c 2002/11/21 14:58:18 1.128
491 +++ scheduler/client.c 2002/12/13 16:24:05 1.130
493 LogMessage(L_DEBUG2, "ReadClient() %d, used=%d", con->http.fd,
496 + if (con->http.error)
502 switch (con->http.state)
509 + else if (atoi(con->http.fields[HTTP_FIELD_CONTENT_LENGTH]) < 0)
512 + * Negative content lengths are invalid!
515 + if (!SendError(con, HTTP_BAD_REQUEST))
525 * See what kind of POST request this is; for IPP requests the
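Review bot: The new negative-length test reads the header with `atoi(con->http.fields[HTTP_FIELD_CONTENT_LENGTH])`, which reports no errors: text that is not a number is read as 0, and a value outside the range of `int` has undefined behaviour, so it may come back positive or negative. A client-supplied Content-Length is therefore only partly validated by this branch. `strtol` gives a definite answer: `long cl = strtol(field, &end, 10);` then `if (end == field || errno == ERANGE || cl < 0)` before the `SendError(con, HTTP_BAD_REQUEST)` call. The preceding branch of this `else if` and the rest of the `switch` in ReadClient are outside the hunk, so an empty field may already be handled there.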
526 Index: scheduler/dirsvc.c
527 ===================================================================
528 RCS file: /development/cvs/cups/scheduler/dirsvc.c,v
529 retrieving revision 1.100
530 retrieving revision 1.101
531 diff -u -r1.100 -r1.101
532 --- scheduler/dirsvc.c 2002/09/26 15:19:31 1.100
533 +++ scheduler/dirsvc.c 2002/12/12 20:56:32 1.101
535 httpSeparate(uri, method, username, host, &port, resource);
538 + * Determine if the URI contains any illegal characters in it...
541 + if (strncmp(uri, "ipp://", 6) != 0 ||
543 + (strncmp(resource, "/printers/", 10) != 0 &&
544 + strncmp(resource, "/classes/", 9) != 0))
546 + LogMessage(L_ERROR, "ProcessBrowseData: Bad printer URI in browse data: %s",
551 + if (strchr(resource, '?') != NULL ||
552 + (strncmp(resource, "/printers/", 10) == 0 &&
553 + strchr(resource + 10, '/') != NULL) ||
554 + (strncmp(resource, "/classes/", 9) == 0 &&
555 + strchr(resource + 9, '/') != NULL))
557 + LogMessage(L_ERROR, "ProcessBrowseData: Bad resource in browse data: %s",
563 * OK, this isn't a local printer; see if we already have it listed in
564 * the Printers list, and add it if not...