[packages/cups.git] / cups-idefense-v2.patch

Index: cgi-bin/var.c
===================================================================
RCS file: /development/cvs/cups/cgi-bin/var.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- cgi-bin/var.c	2002/01/02 17:58:37	1.21
+++ cgi-bin/var.c	2002/12/12 20:56:29	1.22
@@ -242,7 +242,7 @@
   var_t	*var;	/* Returned variable */
 
 
-  if (name == NULL || value == NULL || element < 0)
+  if (name == NULL || value == NULL || element < 0 || element > 100000)
     return;
 
   if ((var = cgi_find_variable(name)) == NULL)
@@ -286,7 +286,7 @@
   var_t	*var;	/* Returned variable */
 
 
-  if (name == NULL || size < 0)
+  if (name == NULL || size < 0 || size > 100000)
     return;
 
   if ((var = cgi_find_variable(name)) == NULL)
@@ -361,7 +361,7 @@
   var_t	*var;				/* New variable */
 
 
-  if (name == NULL || value == NULL)
+  if (name == NULL || value == NULL || element < 0 || element > 100000)
     return;
 
 #ifdef DEBUG
Index: conf/cupsd.conf.in
===================================================================
RCS file: /development/cvs/cups/conf/cupsd.conf.in,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- conf/cupsd.conf.in.orig	2001-09-14 18:52:05.000000000 +0200
+++ conf/cupsd.conf.in	2002-12-17 13:36:34.000000000 +0100
@@ -358,6 +358,15 @@
 #MaxClients 100
 
 #
+# MaxClientsPerHost: controls the maximum number of simultaneous clients that
+# will be handled from a specific host.  Defaults to 10 or 1/10th of the
+# MaxClients setting, whichever is larger.  A value of 0 specifies the
+# automatic (10 or 1/10th) setting.
+#
+
+#MaxClientsPerHost 0
+
+#
 # MaxRequestSize: controls the maximum size of HTTP requests and print files.
 # Set to 0 to disable this feature (defaults to 0.)
 #
Index: cups/http.c
===================================================================
RCS file: /development/cvs/cups/cups/http.c,v
retrieving revision 1.105
retrieving revision 1.107
diff -u -r1.105 -r1.107
--- cups/http.c	2002/10/30 20:04:56	1.105
+++ cups/http.c	2002/12/12 21:44:42	1.107
@@ -896,11 +896,16 @@
     }
 
     http->data_remaining = strtol(len, NULL, 16);
+    if (http->data_remaining < 0)
+    {
+      DEBUG_puts("httpRead: Negative chunk length!");
+      return (0);
+    }
   }
 
   DEBUG_printf(("httpRead: data_remaining = %d\n", http->data_remaining));
 
-  if (http->data_remaining == 0)
+  if (http->data_remaining <= 0)
   {
    /*
     * A zero-length chunk ends a transfer; unless we are reading POST
Index: filter/image-bmp.c
===================================================================
RCS file: /development/cvs/cups/filter/image-bmp.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- filter/image-bmp.c	2002/04/19 16:17:26	1.8
+++ filter/image-bmp.c	2002/12/13 15:52:20	1.9
@@ -105,8 +105,15 @@
   read_word(fp);
   offset = read_dword(fp);
 
-  fprintf(stderr, "offset = %d\n", offset);
+  fprintf(stderr, "DEBUG: offset = %d\n", offset);
 
+  if (offset < 0)
+  {
+    fprintf(stderr, "ERROR: Bad BMP offset %d\n", offset);
+    fclose(fp);
+    return (1);
+  }
+
  /*
   * Then the bitmap information...
   */
@@ -123,15 +130,34 @@
   colors_used      = read_dword(fp);
   colors_important = read_dword(fp);
 
+  if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
+      img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
+      (depth != 1 && depth != 4 && depth != 8 && depth != 24))
+  {
+    fprintf(stderr, "ERROR: Bad BMP dimensions %ux%ux%d\n",
+            img->xsize, img->ysize, depth);
+    fclose(fp);
+    return (1);
+  }
+
+  if (colors_used < 0 || colors_used > 256)
+  {
+    fprintf(stderr, "ERROR: Bad BMP colormap size %d\n", colors_used);
+    fclose(fp);
+    return (1);
+  }
+
+  if (img->xppi == 0 || img->yppi == 0)
+  {
+    fprintf(stderr, "ERROR: Bad BMP resolution %dx%d PPI.\n",
+            img->xppi, img->yppi);
+    img->xppi = img->yppi = 128;
+  }
+
  /*
   * Make sure the resolution info is valid...
   */
 
-  if (img->xppi == 0)
-    img->xppi = 128;
-  if (img->yppi == 0)
-    img->yppi = 128;
-
   fprintf(stderr, "info_size = %d, xsize = %d, ysize = %d, planes = %d, depth = %d\n",
           info_size, img->xsize, img->ysize, planes, depth);
   fprintf(stderr, "compression = %d, image_size = %d, xppi = %d, yppi = %d\n",
@@ -150,7 +176,8 @@
   if (colors_used == 0 && depth <= 8)
     colors_used = 1 << depth;
 
-  fread(colormap, colors_used, 4, fp);
+  if (colors_used > 0)
+    fread(colormap, colors_used, 4, fp);
 
  /*
   * Setup image and buffers...


Index: filter/image-gif.c
===================================================================
RCS file: /development/cvs/cups/filter/image-gif.c,v
retrieving revision 1.13
retrieving revision 1.15
diff -u -r1.13 -r1.15
--- filter/image-gif.c	2002/11/27 04:43:53	1.13
+++ filter/image-gif.c	2002/12/13 15:52:20	1.15
@@ -233,6 +233,19 @@
           img->xsize = (buf[5] << 8) | buf[4];
           img->ysize = (buf[7] << 8) | buf[6];
 
+         /*
+	  * Check the dimensions of the image; since the dimensions are
+	  * a 16-bit integer we just need to check for 0...
+	  */
+
+          if (img->xsize == 0 || img->ysize == 0)
+	  {
+	    fprintf(stderr, "ERROR: Bad GIF image dimensions: %dx%d\n",
+	            img->xsize, img->ysize);
+	    fclose(fp);
+	    return (1);
+	  }
+
 	  i = gif_read_image(fp, img, cmap, buf[8] & GIF_INTERLACE);
           fclose(fp);
           return (i);
Index: filter/image-jpeg.c
===================================================================
RCS file: /development/cvs/cups/filter/image-jpeg.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- filter/image-jpeg.c	2002/04/19 16:17:26	1.15
+++ filter/image-jpeg.c	2002/12/13 15:52:20	1.16
@@ -126,6 +126,18 @@
 
   jpeg_calc_output_dimensions(&cinfo);
 
+  if (cinfo.output_width <= 0 || cinfo.output_width > IMAGE_MAX_WIDTH ||
+      cinfo.output_height <= 0 || cinfo.output_height > IMAGE_MAX_HEIGHT)
+  {
+    fprintf(stderr, "ERROR: Bad JPEG dimensions %dx%d!\n",
+            cinfo.output_width, cinfo.output_height);
+
+    jpeg_destroy_decompress(&cinfo);
+
+    fclose(fp);
+    return (1);
+  }
+
   img->xsize      = cinfo.output_width;
   img->ysize      = cinfo.output_height;
 
@@ -141,6 +153,13 @@
       img->xppi = (int)((float)cinfo.X_density * 2.54);
       img->yppi = (int)((float)cinfo.Y_density * 2.54);
     }
+
+    if (img->xppi == 0 || img->yppi == 0)
+    {
+      fprintf(stderr, "ERROR: Bad JPEG image resolution %dx%d PPI.\n",
+              img->xppi, img->yppi);
+      img->xppi = img->yppi = 128;
+    }
   }
 
   fprintf(stderr, "DEBUG: JPEG image %dx%dx%d, %dx%d PPI\n",
Index: filter/image-pix.c
===================================================================
RCS file: /development/cvs/cups/filter/image-pix.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- filter/image-pix.c	2002/04/19 16:17:27	1.6
+++ filter/image-pix.c	2002/12/13 15:52:20	1.7
@@ -78,6 +78,21 @@
   read_short(fp);
   depth  = read_short(fp);
 
+ /*
+  * Check the dimensions of the image.  Since the short values used for the
+  * width and height cannot exceed IMAGE_MAX_WIDTH or IMAGE_MAX_HEIGHT, we
+  * just need to verify they are positive integers.
+  */
+
+  if (width <= 0 || height <= 0 ||
+      (depth != 8 && depth != 24))
+  {
+    fprintf(stderr, "ERROR: Bad PIX image dimensions %dx%dx%d\n",
+            width, height, depth);
+    fclose(fp);
+    return (1);
+  }
+
   if (depth == 8)
     img->colorspace = secondary;
   else
Index: filter/image-png.c
===================================================================
RCS file: /development/cvs/cups/filter/image-png.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- filter/image-png.c	2002/04/19 16:17:27	1.14
+++ filter/image-png.c	2002/12/13 15:52:20	1.15
@@ -90,6 +90,15 @@
   else
     img->colorspace = (primary == IMAGE_RGB_CMYK) ? IMAGE_RGB : primary;
 
+  if (info->width == 0 || info->width > IMAGE_MAX_WIDTH ||
+      info->height == 0 || info->height > IMAGE_MAX_HEIGHT)
+  {
+    fprintf(stderr, "ERROR: PNG image has invalid dimensions %ux%u!\n",
+            (unsigned)info->width, (unsigned)info->height);
+    fclose(fp);
+    return (1);
+  }
+
   img->xsize = info->width;
   img->ysize = info->height;
 
@@ -98,6 +107,14 @@
   {
     img->xppi = (int)((float)info->x_pixels_per_unit * 0.0254);
     img->yppi = (int)((float)info->y_pixels_per_unit * 0.0254);
+
+    if (img->xppi == 0 || img->yppi == 0)
+    {
+      fprintf(stderr, "ERROR: PNG image has invalid resolution %dx%d PPI\n",
+              img->xppi, img->yppi);
+
+      img->xppi = img->yppi = 128;
+    }
   }
 
   ImageSetMaxTiles(img, 0);
Index: filter/image-pnm.c
===================================================================
RCS file: /development/cvs/cups/filter/image-pnm.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- filter/image-pnm.c	2002/04/19 16:17:27	1.10
+++ filter/image-pnm.c	2002/12/13 15:52:20	1.11
@@ -132,6 +132,22 @@
   else
     maxval = 1;
 
+  if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
+      img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT)
+  {
+    fprintf(stderr, "ERROR: Bad PNM dimensions %dx%d!\n",
+            img->xsize, img->ysize);
+    fclose(fp);
+    return (1);
+  }
+
+  if (maxval == 0)
+  {
+    fprintf(stderr, "ERROR: Bad PNM max value %d!\n", maxval);
+    fclose(fp);
+    return (1);
+  }
+
   if (format == 1 || format == 2 || format == 4 || format == 5)
     img->colorspace = secondary;
   else
Index: filter/image-sgi.c
===================================================================
RCS file: /development/cvs/cups/filter/image-sgi.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- filter/image-sgi.c	2002/04/19 16:17:27	1.11
+++ filter/image-sgi.c	2002/12/13 15:52:20	1.12
@@ -73,6 +73,22 @@
   * Get the image dimensions and load the output image...
   */
 
+ /*
+  * Check the image dimensions; since xsize and ysize are unsigned shorts,
+  * just check if they are 0 since they can't exceed IMAGE_MAX_WIDTH or
+  * IMAGE_MAX_HEIGHT...
+  */
+
+  if (sgip->xsize == 0 || sgip->ysize == 0 ||
+      sgip->zsize == 0 || sgip->zsize > 4)
+  {
+    fprintf(stderr, "ERROR: Bad SGI image dimensions %ux%ux%u!\n",
+            sgip->xsize, sgip->ysize, sgip->zsize);
+    sgiClose(sgip);
+    fclose(fp);
+    return (1);
+  }
+
   if (sgip->zsize < 3)
     img->colorspace = secondary;
   else
Index: filter/image-sun.c
===================================================================
RCS file: /development/cvs/cups/filter/image-sun.c,v
retrieving revision 1.12
retrieving revision 1.14
diff -u -r1.12 -r1.14
--- filter/image-sun.c	2002/10/22 18:43:45	1.12
+++ filter/image-sun.c	2002/12/13 15:52:20	1.14
@@ -121,6 +121,15 @@
   fprintf(stderr, "DEBUG: ras_width=%d, ras_height=%d, ras_depth=%d, ras_type=%d, ras_maplength=%d\n",
           img->xsize, img->ysize, ras_depth, ras_type, ras_maplength);
 
+  if (ras_maplength > 768 ||
+      img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
+      img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
+      ras_depth == 0 || ras_depth > 32)
+  {
+    fputs("ERROR: Raster image cannot be loaded!\n", stderr);
+    return (1);
+  }
+
   if (ras_maplength > 0)
   {
     memset(cmap[0], 255, sizeof(cmap[0]));
Index: filter/image-tiff.c
===================================================================
RCS file: /development/cvs/cups/filter/image-tiff.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- filter/image-tiff.c	2002/04/19 16:17:27	1.23
+++ filter/image-tiff.c	2002/12/13 15:52:21	1.24
@@ -173,6 +173,12 @@
       img->yppi = 128;
     }
 
+    if (img->xppi == 0 || img->yppi == 0)
+    {
+      fputs("ERROR: Bad TIFF resolution.\n", stderr);
+      img->xppi = img->yppi = 128;
+    }
+
     fprintf(stderr, "DEBUG: TIFF resolution = %fx%f, units=%d\n",
             xres, yres, resunit);
     fprintf(stderr, "DEBUG: Stored resolution = %dx%d PPI\n",
@@ -189,6 +195,23 @@
     alpha = 0;
 
  /*
+  * Check the size of the image...
+  */
+
+  if (width == 0 || width > IMAGE_MAX_WIDTH ||
+      height == 0 || height > IMAGE_MAX_HEIGHT ||
+      (bits != 1 && bits != 2 && bits != 4 && bits != 8) ||
+      samples < 1 || samples > 4)
+  {
+    fprintf(stderr, "ERROR: Bad TIFF dimensions %ux%ux%ux%u!\n",
+            (unsigned)width, (unsigned)height, (unsigned)bits,
+	    (unsigned)samples);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
+ /*
   * Setup the image size and colorspace...
   */
 
Index: filter/image-zoom.c
===================================================================
RCS file: /development/cvs/cups/filter/image-zoom.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- filter/image-zoom.c	2002/08/27 16:19:38	1.10
+++ filter/image-zoom.c	2002/12/13 15:52:21	1.11
@@ -58,6 +58,12 @@
   int		flip;		/* Flip on X axis? */
 
 
+  if (xsize > IMAGE_MAX_WIDTH ||
+      ysize > IMAGE_MAX_HEIGHT ||
+      (x1 - x0) > IMAGE_MAX_WIDTH ||
+      (y1 - y0) > IMAGE_MAX_HEIGHT)
+    return (NULL);		/* Protect against integer overflow */
+
   if ((z = (izoom_t *)calloc(1, sizeof(izoom_t))) == NULL)
     return (NULL);
 
Index: filter/image.h
===================================================================
RCS file: /development/cvs/cups/filter/image.h,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- filter/image.h	2002/04/29 15:56:58	1.15
+++ filter/image.h	2002/12/13 15:52:21	1.16
@@ -40,6 +40,13 @@
 
 
 /*
+ * Maximum image dimensions that we can handle...
+ */
+
+#  define IMAGE_MAX_WIDTH	0x07ffffff	/* 2^27-1 to allow for 15-channel data */
+#  define IMAGE_MAX_HEIGHT	0x7fffffff	/* 2^31-1 */
+
+/*
  * Colorspaces...
  */
 
@@ -50,7 +57,6 @@
 #  define IMAGE_RGB	3		/* Red, green, and blue */
 #  define IMAGE_RGB_CMYK 4		/* Use RGB or CMYK */
 
-
 /*
  * Tile definitions...
  */
Index: scheduler/client.c
===================================================================
RCS file: /development/cvs/cups/scheduler/client.c,v
retrieving revision 1.128
retrieving revision 1.130
diff -u -r1.128 -r1.130
--- scheduler/client.c	2002/11/21 14:58:18	1.128
+++ scheduler/client.c	2002/12/13 16:24:05	1.130
@@ -492,6 +520,12 @@
   LogMessage(L_DEBUG2, "ReadClient() %d, used=%d", con->http.fd,
              con->http.used);
 
+  if (con->http.error)
+  {
+    CloseClient(con);
+    return (0);
+  }
+
   switch (con->http.state)
   {
     case HTTP_WAITING :
@@ -944,6 +978,20 @@
 
 	      break;
             }
+	    else if (atoi(con->http.fields[HTTP_FIELD_CONTENT_LENGTH]) < 0)
+	    {
+	     /*
+	      * Negative content lengths are invalid!
+	      */
+
+              if (!SendError(con, HTTP_BAD_REQUEST))
+	      {
+		CloseClient(con);
+		return (0);
+	      }
+
+	      break;
+	    }
 
            /*
 	    * See what kind of POST request this is; for IPP requests the
Index: scheduler/dirsvc.c
===================================================================
RCS file: /development/cvs/cups/scheduler/dirsvc.c,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- scheduler/dirsvc.c	2002/09/26 15:19:31	1.100
+++ scheduler/dirsvc.c	2002/12/12 20:56:32	1.101
@@ -88,6 +88,31 @@
   httpSeparate(uri, method, username, host, &port, resource);
 
  /*
+  * Determine if the URI contains any illegal characters in it...
+  */
+
+  if (strncmp(uri, "ipp://", 6) != 0 ||
+      !host[0] ||
+      (strncmp(resource, "/printers/", 10) != 0 &&
+       strncmp(resource, "/classes/", 9) != 0))
+  {
+    LogMessage(L_ERROR, "ProcessBrowseData: Bad printer URI in browse data: %s",
+               uri);
+    return;
+  }
+
+  if (strchr(resource, '?') != NULL ||
+      (strncmp(resource, "/printers/", 10) == 0 &&
+       strchr(resource + 10, '/') != NULL) ||
+      (strncmp(resource, "/classes/", 9) == 0 &&
+       strchr(resource + 9, '/') != NULL))
+  {
+    LogMessage(L_ERROR, "ProcessBrowseData: Bad resource in browse data: %s",
+               resource);
+    return;
+  }
+    
+ /*
   * OK, this isn't a local printer; see if we already have it listed in
   * the Printers list, and add it if not...
   */
Commit	Line	Data
10cbef6c JB	1	Index: cgi-bin/var.c
	2	===================================================================
	3	RCS file: /development/cvs/cups/cgi-bin/var.c,v
	4	retrieving revision 1.21
	5	retrieving revision 1.22
	6	diff -u -r1.21 -r1.22
	7	--- cgi-bin/var.c 2002/01/02 17:58:37 1.21
	8	+++ cgi-bin/var.c 2002/12/12 20:56:29 1.22
	9	@@ -242,7 +242,7 @@
	10	var_t var; / Returned variable */
	11
	12
	13	- if (name == NULL \|\| value == NULL \|\| element < 0)
	14	+ if (name == NULL \|\| value == NULL \|\| element < 0 \|\| element > 100000)
	15	return;
	16
	17	if ((var = cgi_find_variable(name)) == NULL)
	18	@@ -286,7 +286,7 @@
	19	var_t var; / Returned variable */
	20
	21
	22	- if (name == NULL \|\| size < 0)
	23	+ if (name == NULL \|\| size < 0 \|\| size > 100000)
	24	return;
	25
	26	if ((var = cgi_find_variable(name)) == NULL)
	27	@@ -361,7 +361,7 @@
	28	var_t var; / New variable */
	29
	30
	31	- if (name == NULL \|\| value == NULL)
	32	+ if (name == NULL \|\| value == NULL \|\| element < 0 \|\| element > 100000)
	33	return;
	34
	35	#ifdef DEBUG
	36	Index: conf/cupsd.conf.in
	37	===================================================================
	38	RCS file: /development/cvs/cups/conf/cupsd.conf.in,v
	39	retrieving revision 1.7
	40	retrieving revision 1.8
	41	diff -u -r1.7 -r1.8
	42	--- conf/cupsd.conf.in.orig 2001-09-14 18:52:05.000000000 +0200
	43	+++ conf/cupsd.conf.in 2002-12-17 13:36:34.000000000 +0100
	44	@@ -358,6 +358,15 @@
	45	#MaxClients 100
	46
	47	#
	48	+# MaxClientsPerHost: controls the maximum number of simultaneous clients that
	49	+# will be handled from a specific host. Defaults to 10 or 1/10th of the
	50	+# MaxClients setting, whichever is larger. A value of 0 specifies the
	51	+# automatic (10 or 1/10th) setting.
	52	+#
	53	+
	54	+#MaxClientsPerHost 0
	55	+
	56	+#
	57	# MaxRequestSize: controls the maximum size of HTTP requests and print files.
	58	# Set to 0 to disable this feature (defaults to 0.)
	59	#
	60	Index: cups/http.c
	61	===================================================================
	62	RCS file: /development/cvs/cups/cups/http.c,v
	63	retrieving revision 1.105
	64	retrieving revision 1.107
65	diff -u -r1.105 -r1.107
66	--- cups/http.c 2002/10/30 20:04:56 1.105
67	+++ cups/http.c 2002/12/12 21:44:42 1.107
68	@@ -896,11 +896,16 @@
69	}
70
71	http->data_remaining = strtol(len, NULL, 16);
72	+ if (http->data_remaining < 0)
73	+ {
74	+ DEBUG_puts("httpRead: Negative chunk length!");
75	+ return (0);
76	+ }
77	}
78
79	DEBUG_printf(("httpRead: data_remaining = %d\n", http->data_remaining));
80
81	- if (http->data_remaining == 0)
82	+ if (http->data_remaining <= 0)
83	{
84	/*
85	* A zero-length chunk ends a transfer; unless we are reading POST
86	Index: filter/image-bmp.c
87	===================================================================
88	RCS file: /development/cvs/cups/filter/image-bmp.c,v
89	retrieving revision 1.8
90	retrieving revision 1.9
91	diff -u -r1.8 -r1.9
92	--- filter/image-bmp.c 2002/04/19 16:17:26 1.8
93	+++ filter/image-bmp.c 2002/12/13 15:52:20 1.9
94	@@ -105,8 +105,15 @@
95	read_word(fp);
96	offset = read_dword(fp);
97
98	- fprintf(stderr, "offset = %d\n", offset);
99	+ fprintf(stderr, "DEBUG: offset = %d\n", offset);
100
101	+ if (offset < 0)
102	+ {
103	+ fprintf(stderr, "ERROR: Bad BMP offset %d\n", offset);
104	+ fclose(fp);
105	+ return (1);
106	+ }
107	+
108	/*
109	* Then the bitmap information...
110	*/
111	@@ -123,15 +130,34 @@
112	colors_used = read_dword(fp);
113	colors_important = read_dword(fp);
114
115	+ if (img->xsize == 0 \|\| img->xsize > IMAGE_MAX_WIDTH \|\|
116	+ img->ysize == 0 \|\| img->ysize > IMAGE_MAX_HEIGHT \|\|
117	+ (depth != 1 && depth != 4 && depth != 8 && depth != 24))
118	+ {
119	+ fprintf(stderr, "ERROR: Bad BMP dimensions %ux%ux%d\n",
120	+ img->xsize, img->ysize, depth);
121	+ fclose(fp);
122	+ return (1);
123	+ }
124	+
125	+ if (colors_used < 0 \|\| colors_used > 256)
126	+ {
127	+ fprintf(stderr, "ERROR: Bad BMP colormap size %d\n", colors_used);
128	+ fclose(fp);
129	+ return (1);
130	+ }
131	+
132	+ if (img->xppi == 0 \|\| img->yppi == 0)
133	+ {
134	+ fprintf(stderr, "ERROR: Bad BMP resolution %dx%d PPI.\n",
135	+ img->xppi, img->yppi);
136	+ img->xppi = img->yppi = 128;
137	+ }
138	+
139	/*
140	* Make sure the resolution info is valid...
141	*/
142
143	- if (img->xppi == 0)
144	- img->xppi = 128;
145	- if (img->yppi == 0)
146	- img->yppi = 128;
147	-
148	fprintf(stderr, "info_size = %d, xsize = %d, ysize = %d, planes = %d, depth = %d\n",
149	info_size, img->xsize, img->ysize, planes, depth);
150	fprintf(stderr, "compression = %d, image_size = %d, xppi = %d, yppi = %d\n",
151	@@ -150,7 +176,8 @@
152	if (colors_used == 0 && depth <= 8)
153	colors_used = 1 << depth;
154
155	- fread(colormap, colors_used, 4, fp);
156	+ if (colors_used > 0)
157	+ fread(colormap, colors_used, 4, fp);
158
159	/*
160	* Setup image and buffers...
161
162
163
164	Index: filter/image-gif.c
165	===================================================================
166	RCS file: /development/cvs/cups/filter/image-gif.c,v
167	retrieving revision 1.13
168	retrieving revision 1.15
169	diff -u -r1.13 -r1.15
170	--- filter/image-gif.c 2002/11/27 04:43:53 1.13
171	+++ filter/image-gif.c 2002/12/13 15:52:20 1.15
172	@@ -233,6 +233,19 @@
173	img->xsize = (buf[5] << 8) \| buf[4];
174	img->ysize = (buf[7] << 8) \| buf[6];
175
176	+ /*
177	+ * Check the dimensions of the image; since the dimensions are
178	+ * a 16-bit integer we just need to check for 0...
179	+ */
180	+
181	+ if (img->xsize == 0 \|\| img->ysize == 0)
182	+ {
183	+ fprintf(stderr, "ERROR: Bad GIF image dimensions: %dx%d\n",
184	+ img->xsize, img->ysize);
185	+ fclose(fp);
186	+ return (1);
187	+ }
188	+
189	i = gif_read_image(fp, img, cmap, buf[8] & GIF_INTERLACE);
190	fclose(fp);
191	return (i);
192	Index: filter/image-jpeg.c
193	===================================================================
194	RCS file: /development/cvs/cups/filter/image-jpeg.c,v
195	retrieving revision 1.15
196	retrieving revision 1.16
197	diff -u -r1.15 -r1.16
198	--- filter/image-jpeg.c 2002/04/19 16:17:26 1.15
199	+++ filter/image-jpeg.c 2002/12/13 15:52:20 1.16
200	@@ -126,6 +126,18 @@
201
202	jpeg_calc_output_dimensions(&cinfo);
203
204	+ if (cinfo.output_width <= 0 \|\| cinfo.output_width > IMAGE_MAX_WIDTH \|\|
205	+ cinfo.output_height <= 0 \|\| cinfo.output_height > IMAGE_MAX_HEIGHT)
206	+ {
207	+ fprintf(stderr, "ERROR: Bad JPEG dimensions %dx%d!\n",
208	+ cinfo.output_width, cinfo.output_height);
209	+
210	+ jpeg_destroy_decompress(&cinfo);
211	+
212	+ fclose(fp);
213	+ return (1);
214	+ }
215	+
216	img->xsize = cinfo.output_width;
217	img->ysize = cinfo.output_height;
218
219	@@ -141,6 +153,13 @@
220	img->xppi = (int)((float)cinfo.X_density * 2.54);
221	img->yppi = (int)((float)cinfo.Y_density * 2.54);
222	}
223	+
224	+ if (img->xppi == 0 \|\| img->yppi == 0)
225	+ {
226	+ fprintf(stderr, "ERROR: Bad JPEG image resolution %dx%d PPI.\n",
227	+ img->xppi, img->yppi);
228	+ img->xppi = img->yppi = 128;
229	+ }
230	}
231
232	fprintf(stderr, "DEBUG: JPEG image %dx%dx%d, %dx%d PPI\n",
233	Index: filter/image-pix.c
234	===================================================================
235	RCS file: /development/cvs/cups/filter/image-pix.c,v
236	retrieving revision 1.6
237	retrieving revision 1.7
238	diff -u -r1.6 -r1.7
239	--- filter/image-pix.c 2002/04/19 16:17:27 1.6
240	+++ filter/image-pix.c 2002/12/13 15:52:20 1.7
241	@@ -78,6 +78,21 @@
242	read_short(fp);
243	depth = read_short(fp);
244
245	+ /*
246	+ * Check the dimensions of the image. Since the short values used for the
247	+ * width and height cannot exceed IMAGE_MAX_WIDTH or IMAGE_MAX_HEIGHT, we
248	+ * just need to verify they are positive integers.
249	+ */
250	+
251	+ if (width <= 0 \|\| height <= 0 \|\|
252	+ (depth != 8 && depth != 24))
253	+ {
254	+ fprintf(stderr, "ERROR: Bad PIX image dimensions %dx%dx%d\n",
255	+ width, height, depth);
256	+ fclose(fp);
257	+ return (1);
258	+ }
259	+
260	if (depth == 8)
261	img->colorspace = secondary;
262	else
263	Index: filter/image-png.c
264	===================================================================
265	RCS file: /development/cvs/cups/filter/image-png.c,v
266	retrieving revision 1.14
267	retrieving revision 1.15
268	diff -u -r1.14 -r1.15
269	--- filter/image-png.c 2002/04/19 16:17:27 1.14
270	+++ filter/image-png.c 2002/12/13 15:52:20 1.15
271	@@ -90,6 +90,15 @@
272	else
273	img->colorspace = (primary == IMAGE_RGB_CMYK) ? IMAGE_RGB : primary;
274
275	+ if (info->width == 0 \|\| info->width > IMAGE_MAX_WIDTH \|\|
276	+ info->height == 0 \|\| info->height > IMAGE_MAX_HEIGHT)
277	+ {
278	+ fprintf(stderr, "ERROR: PNG image has invalid dimensions %ux%u!\n",
279	+ (unsigned)info->width, (unsigned)info->height);
280	+ fclose(fp);
281	+ return (1);
282	+ }
283	+
284	img->xsize = info->width;
285	img->ysize = info->height;
286
287	@@ -98,6 +107,14 @@
288	{
289	img->xppi = (int)((float)info->x_pixels_per_unit * 0.0254);
290	img->yppi = (int)((float)info->y_pixels_per_unit * 0.0254);
291	+
292	+ if (img->xppi == 0 \|\| img->yppi == 0)
293	+ {
294	+ fprintf(stderr, "ERROR: PNG image has invalid resolution %dx%d PPI\n",
295	+ img->xppi, img->yppi);
296	+
297	+ img->xppi = img->yppi = 128;
298	+ }
299	}
300
301	ImageSetMaxTiles(img, 0);
302	Index: filter/image-pnm.c
303	===================================================================
304	RCS file: /development/cvs/cups/filter/image-pnm.c,v
305	retrieving revision 1.10
306	retrieving revision 1.11
307	diff -u -r1.10 -r1.11
308	--- filter/image-pnm.c 2002/04/19 16:17:27 1.10
309	+++ filter/image-pnm.c 2002/12/13 15:52:20 1.11
310	@@ -132,6 +132,22 @@
311	else
312	maxval = 1;
313
314	+ if (img->xsize == 0 \|\| img->xsize > IMAGE_MAX_WIDTH \|\|
315	+ img->ysize == 0 \|\| img->ysize > IMAGE_MAX_HEIGHT)
316	+ {
317	+ fprintf(stderr, "ERROR: Bad PNM dimensions %dx%d!\n",
318	+ img->xsize, img->ysize);
319	+ fclose(fp);
320	+ return (1);
321	+ }
322	+
323	+ if (maxval == 0)
324	+ {
325	+ fprintf(stderr, "ERROR: Bad PNM max value %d!\n", maxval);
326	+ fclose(fp);
327	+ return (1);
328	+ }
329	+
330	if (format == 1 \|\| format == 2 \|\| format == 4 \|\| format == 5)
331	img->colorspace = secondary;
332	else
333	Index: filter/image-sgi.c
334	===================================================================
335	RCS file: /development/cvs/cups/filter/image-sgi.c,v
336	retrieving revision 1.11
337	retrieving revision 1.12
338	diff -u -r1.11 -r1.12
339	--- filter/image-sgi.c 2002/04/19 16:17:27 1.11
340	+++ filter/image-sgi.c 2002/12/13 15:52:20 1.12
341	@@ -73,6 +73,22 @@
342	* Get the image dimensions and load the output image...
343	*/
344
345	+ /*
346	+ * Check the image dimensions; since xsize and ysize are unsigned shorts,
347	+ * just check if they are 0 since they can't exceed IMAGE_MAX_WIDTH or
348	+ * IMAGE_MAX_HEIGHT...
349	+ */
350	+
351	+ if (sgip->xsize == 0 \|\| sgip->ysize == 0 \|\|
352	+ sgip->zsize == 0 \|\| sgip->zsize > 4)
353	+ {
354	+ fprintf(stderr, "ERROR: Bad SGI image dimensions %ux%ux%u!\n",
355	+ sgip->xsize, sgip->ysize, sgip->zsize);
356	+ sgiClose(sgip);
357	+ fclose(fp);
358	+ return (1);
359	+ }
360	+
361	if (sgip->zsize < 3)
362	img->colorspace = secondary;
363	else
364	Index: filter/image-sun.c
365	===================================================================
366	RCS file: /development/cvs/cups/filter/image-sun.c,v
367	retrieving revision 1.12
368	retrieving revision 1.14
369	diff -u -r1.12 -r1.14
370	--- filter/image-sun.c 2002/10/22 18:43:45 1.12
371	+++ filter/image-sun.c 2002/12/13 15:52:20 1.14
372	@@ -121,6 +121,15 @@
373	fprintf(stderr, "DEBUG: ras_width=%d, ras_height=%d, ras_depth=%d, ras_type=%d, ras_maplength=%d\n",
374	img->xsize, img->ysize, ras_depth, ras_type, ras_maplength);
375
376	+ if (ras_maplength > 768 \|\|
377	+ img->xsize == 0 \|\| img->xsize > IMAGE_MAX_WIDTH \|\|
378	+ img->ysize == 0 \|\| img->ysize > IMAGE_MAX_HEIGHT \|\|
379	+ ras_depth == 0 \|\| ras_depth > 32)
380	+ {
381	+ fputs("ERROR: Raster image cannot be loaded!\n", stderr);
382	+ return (1);
383	+ }
384	+
385	if (ras_maplength > 0)
386	{
387	memset(cmap[0], 255, sizeof(cmap[0]));
388	Index: filter/image-tiff.c
389	===================================================================
390	RCS file: /development/cvs/cups/filter/image-tiff.c,v
391	retrieving revision 1.23
392	retrieving revision 1.24
393	diff -u -r1.23 -r1.24
394	--- filter/image-tiff.c 2002/04/19 16:17:27 1.23
395	+++ filter/image-tiff.c 2002/12/13 15:52:21 1.24
396	@@ -173,6 +173,12 @@
397	img->yppi = 128;
398	}
399
400	+ if (img->xppi == 0 \|\| img->yppi == 0)
401	+ {
402	+ fputs("ERROR: Bad TIFF resolution.\n", stderr);
403	+ img->xppi = img->yppi = 128;
404	+ }
405	+
406	fprintf(stderr, "DEBUG: TIFF resolution = %fx%f, units=%d\n",
407	xres, yres, resunit);
408	fprintf(stderr, "DEBUG: Stored resolution = %dx%d PPI\n",
409	@@ -189,6 +195,23 @@
410	alpha = 0;
411
412	/*
413	+ * Check the size of the image...
414	+ */
415	+
416	+ if (width == 0 \|\| width > IMAGE_MAX_WIDTH \|\|
417	+ height == 0 \|\| height > IMAGE_MAX_HEIGHT \|\|
418	+ (bits != 1 && bits != 2 && bits != 4 && bits != 8) \|\|
419	+ samples < 1 \|\| samples > 4)
420	+ {
421	+ fprintf(stderr, "ERROR: Bad TIFF dimensions %ux%ux%ux%u!\n",
422	+ (unsigned)width, (unsigned)height, (unsigned)bits,
423	+ (unsigned)samples);
424	+ TIFFClose(tif);
425	+ fclose(fp);
426	+ return (1);
427	+ }
428	+
429	+ /*
430	* Setup the image size and colorspace...
431	*/
432
433	Index: filter/image-zoom.c
434	===================================================================
435	RCS file: /development/cvs/cups/filter/image-zoom.c,v
436	retrieving revision 1.10
437	retrieving revision 1.11
438	diff -u -r1.10 -r1.11
439	--- filter/image-zoom.c 2002/08/27 16:19:38 1.10
440	+++ filter/image-zoom.c 2002/12/13 15:52:21 1.11
441	@@ -58,6 +58,12 @@
442	int flip; /* Flip on X axis? */
443
444
445	+ if (xsize > IMAGE_MAX_WIDTH \|\|
446	+ ysize > IMAGE_MAX_HEIGHT \|\|
447	+ (x1 - x0) > IMAGE_MAX_WIDTH \|\|
448	+ (y1 - y0) > IMAGE_MAX_HEIGHT)
449	+ return (NULL); /* Protect against integer overflow */
450	+
451	if ((z = (izoom_t *)calloc(1, sizeof(izoom_t))) == NULL)
452	return (NULL);
453
454	Index: filter/image.h
455	===================================================================
456	RCS file: /development/cvs/cups/filter/image.h,v
457	retrieving revision 1.15
458	retrieving revision 1.16
459	diff -u -r1.15 -r1.16
460	--- filter/image.h 2002/04/29 15:56:58 1.15
461	+++ filter/image.h 2002/12/13 15:52:21 1.16
462	@@ -40,6 +40,13 @@
463
464
465	/*
466	+ * Maximum image dimensions that we can handle...
467	+ */
468	+
469	+# define IMAGE_MAX_WIDTH 0x07ffffff /* 2^27-1 to allow for 15-channel data */
470	+# define IMAGE_MAX_HEIGHT 0x7fffffff /* 2^31-1 */
471	+
472	+/*
473	* Colorspaces...
474	*/
475
476	@@ -50,7 +57,6 @@
477	# define IMAGE_RGB 3 /* Red, green, and blue */
478	# define IMAGE_RGB_CMYK 4 /* Use RGB or CMYK */
479
480	-
481	/*
482	* Tile definitions...
483	*/
484	Index: scheduler/client.c
485	===================================================================
486	RCS file: /development/cvs/cups/scheduler/client.c,v
487	retrieving revision 1.128
488	retrieving revision 1.130
489	diff -u -r1.128 -r1.130
490	--- scheduler/client.c 2002/11/21 14:58:18 1.128
491	+++ scheduler/client.c 2002/12/13 16:24:05 1.130
492	@@ -492,6 +520,12 @@
493	LogMessage(L_DEBUG2, "ReadClient() %d, used=%d", con->http.fd,
494	con->http.used);
495
496	+ if (con->http.error)
497	+ {
498	+ CloseClient(con);
499	+ return (0);
500	+ }
501	+
502	switch (con->http.state)
503	{
504	case HTTP_WAITING :
505	@@ -944,6 +978,20 @@
506
507	break;
508	}
509	+ else if (atoi(con->http.fields[HTTP_FIELD_CONTENT_LENGTH]) < 0)
510	+ {
511	+ /*
512	+ * Negative content lengths are invalid!
513	+ */
514	+
515	+ if (!SendError(con, HTTP_BAD_REQUEST))
516	+ {
517	+ CloseClient(con);
518	+ return (0);
519	+ }
520	+
521	+ break;
522	+ }
523
524	/*
525	* See what kind of POST request this is; for IPP requests the
526	Index: scheduler/dirsvc.c
527	===================================================================
528	RCS file: /development/cvs/cups/scheduler/dirsvc.c,v
529	retrieving revision 1.100
530	retrieving revision 1.101
531	diff -u -r1.100 -r1.101
532	--- scheduler/dirsvc.c 2002/09/26 15:19:31 1.100
533	+++ scheduler/dirsvc.c 2002/12/12 20:56:32 1.101
534	@@ -88,6 +88,31 @@
535	httpSeparate(uri, method, username, host, &port, resource);
536
537	/*
538	+ * Determine if the URI contains any illegal characters in it...
539	+ */
540	+
541	+ if (strncmp(uri, "ipp://", 6) != 0 \|\|
542	+ !host[0] \|\|
543	+ (strncmp(resource, "/printers/", 10) != 0 &&
544	+ strncmp(resource, "/classes/", 9) != 0))
545	+ {
546	+ LogMessage(L_ERROR, "ProcessBrowseData: Bad printer URI in browse data: %s",
547	+ uri);
548	+ return;
549	+ }
550	+
551	+ if (strchr(resource, '?') != NULL \|\|
552	+ (strncmp(resource, "/printers/", 10) == 0 &&
553	+ strchr(resource + 10, '/') != NULL) \|\|
554	+ (strncmp(resource, "/classes/", 9) == 0 &&
555	+ strchr(resource + 9, '/') != NULL))
556	+ {
557	+ LogMessage(L_ERROR, "ProcessBrowseData: Bad resource in browse data: %s",
558	+ resource);
559	+ return;
560	+ }
561	+
562	+ /*
563	* OK, this isn't a local printer; see if we already have it listed in
564	* the Printers list, and add it if not...
565	*/