[packages/cups.git] / cups-CVE-2008-1722.patch

diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
--- cups-1.3.7/filter/image-png.c.CVE-2008-1722	2007-07-11 22:46:42.000000000 +0100
+++ cups-1.3.7/filter/image-png.c	2008-05-09 11:27:45.000000000 +0100
@@ -3,7 +3,7 @@
  *
  *   PNG image routines for the Common UNIX Printing System (CUPS).
  *
- *   Copyright 2007 by Apple Inc.
+ *   Copyright 2007-2008 by Apple Inc.
  *   Copyright 1993-2007 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@ _cupsImageReadPNG(
     * Interlaced images must be loaded all at once...
     */
 
+    size_t bufsize;			/* Size of buffer */
+
+
     if (color_type == PNG_COLOR_TYPE_GRAY ||
 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-      in = malloc(img->xsize * img->ysize);
+    {
+      bufsize = img->xsize * img->ysize;
+
+      if ((bufsize / img->ysize) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)img->xsize, (unsigned)img->ysize);
+	fclose(fp);
+	return (1);
+      }
+    }
     else
-      in = malloc(img->xsize * img->ysize * 3);
+    {
+      bufsize = img->xsize * img->ysize * 3;
+
+      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)img->xsize, (unsigned)img->ysize);
+	fclose(fp);
+	return (1);
+      }
+    }
+
+    in = malloc(bufsize);
   }
 
   bpp = cupsImageGetDepth(img);
   out = malloc(img->xsize * bpp);
 
+  if (!in || !out)
+  {
+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+    if (in)
+      free(in);
+
+    if (out)
+      free(out);
+
+    fclose(fp);
+
+    return (1);
+  }
+
  /*
   * Read the image, interlacing as needed...
   */
Commit	Line	Data
50b01e38 KK	1	diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c
	2	--- cups-1.3.7/filter/image-png.c.CVE-2008-1722 2007-07-11 22:46:42.000000000 +0100
	3	+++ cups-1.3.7/filter/image-png.c 2008-05-09 11:27:45.000000000 +0100
	4	@@ -3,7 +3,7 @@
	5	*
	6	* PNG image routines for the Common UNIX Printing System (CUPS).
	7	*
	8	- * Copyright 2007 by Apple Inc.
	9	+ * Copyright 2007-2008 by Apple Inc.
	10	* Copyright 1993-2007 by Easy Software Products.
	11	*
	12	* These coded instructions, statements, and computer programs are the
	13	@@ -170,16 +170,56 @@ _cupsImageReadPNG(
	14	* Interlaced images must be loaded all at once...
	15	*/
	16
	17	+ size_t bufsize; /* Size of buffer */
	18	+
	19	+
	20	if (color_type == PNG_COLOR_TYPE_GRAY \|\|
	21	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
	22	- in = malloc(img->xsize * img->ysize);
	23	+ {
	24	+ bufsize = img->xsize * img->ysize;
	25	+
	26	+ if ((bufsize / img->ysize) != img->xsize)
	27	+ {
	28	+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
	29	+ (unsigned)img->xsize, (unsigned)img->ysize);
	30	+ fclose(fp);
	31	+ return (1);
	32	+ }
	33	+ }
	34	else
	35	- in = malloc(img->xsize * img->ysize * 3);
	36	+ {
	37	+ bufsize = img->xsize * img->ysize * 3;
	38	+
	39	+ if ((bufsize / (img->ysize * 3)) != img->xsize)
	40	+ {
	41	+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
	42	+ (unsigned)img->xsize, (unsigned)img->ysize);
	43	+ fclose(fp);
	44	+ return (1);
	45	+ }
	46	+ }
	47	+
	48	+ in = malloc(bufsize);
	49	}
	50
	51	bpp = cupsImageGetDepth(img);
	52	out = malloc(img->xsize * bpp);
	53
	54	+ if (!in \|\| !out)
	55	+ {
	56	+ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
	57	+
	58	+ if (in)
	59	+ free(in);
	60	+
	61	+ if (out)
	62	+ free(out);
	63	+
	64	+ fclose(fp);
65	+
66	+ return (1);
67	+ }
68	+
69	/*
70	* Read the image, interlacing as needed...
71	*/