--- cups-1.2.10/filter/image-png.c.cve-2008-1722 2006-05-11 07:41:36.000000000 -0400
+++ cups-1.2.10/filter/image-png.c 2008-08-13 15:11:00.000000000 -0400
@@ -3,6 +3,7 @@
 *
 * PNG image routines for the Common UNIX Printing System (CUPS).
 *
+ * Copyright 2007 by Apple Inc.
 * Copyright 1993-2006 by Easy Software Products.
 *
 * These coded instructions, statements, and computer programs are the
@@ -179,16 +180,56 @@ _cupsImageReadPNG(
 * Interlaced images must be loaded all at once...
 */
+ size_t bufsize; /* Size of buffer */
+
+
 if (color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
- in = malloc(img->xsize * img->ysize);
+ {
+ bufsize = img->xsize * img->ysize;
+
+ if ((bufsize / img->ysize) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
 else
- in = malloc(img->xsize * img->ysize * 3);
+ {
+ bufsize = img->xsize * img->ysize * 3;
+
+ if ((bufsize / (img->ysize * 3)) != img->xsize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+ fclose(fp);
+ return (1);
+ }
+ }
+
+ in = malloc(bufsize);
 }
 bpp = cupsImageGetDepth(img);
 out = malloc(img->xsize * bpp);
+ if (!in || !out)
+ {
+ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+ if (in)
+ free(in);
+
+ if (out)
+ free(out);
+
+ fclose(fp);
+
+ return (1);
+ }
+
 /*
 * Read the image, interlacing as needed...
 */
--- cups-1.2.10/filter/image-zoom.c.cve-2008-1722 2006-02-26 21:47:56.000000000 -0500
+++ cups-1.2.10/filter/image-zoom.c 2008-08-13 15:16:49.000000000 -0400
@@ -103,7 +103,7 @@ _cupsImageZoomNew(
 {
 cups_izoom_t *z; /* New zoom record */
 int flip; /* Flip on X axis? */
-
+ size_t bufsize; /* Size of buffer for allocation */
 if (xsize > CUPS_IMAGE_MAX_WIDTH || ysize > CUPS_IMAGE_MAX_HEIGHT ||
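Review bot: The RGB-path check `(bufsize / (img->ysize * 3)) != img->xsize` divides by `img->ysize * 3`, which can itself wrap for a very tall image, and a wrapped divisor can make the test pass with `bufsize` far smaller than the pixel data that is later written — unless a width/height cap outside this hunk already excludes such heights. Both products are also evaluated in the type of img->xsize/ysize (not visible here) before the store into size_t, so the guard relies on that type wrapping; if it is signed, the overflow is undefined behaviour and the test can be optimised away. The rewrite below multiplies in size_t, derives a per-pixel size once, checks against `SIZE_MAX / pixelsize` before the final multiply, and guards `img->ysize == 0` in case a zero height is not rejected earlier (SIZE_MAX needs <stdint.h> if the file does not already include it). Separately, the `if (in)` / `if (out)` guards in the allocation-failure block are redundant, since free(NULL) is a no-op. _cupsImageReadPNG starts before and ends after this hunk.

```c
    size_t bufsize;			/* Size of buffer */
    size_t pixelsize;			/* Bytes per pixel in "in" */

    pixelsize = (color_type == PNG_COLOR_TYPE_GRAY ||
                 color_type == PNG_COLOR_TYPE_GRAY_ALPHA) ? 1 : 3;
    bufsize   = (size_t)img->xsize * img->ysize;	/* multiply in size_t */

    if (img->ysize == 0 || bufsize / img->ysize != img->xsize ||
        bufsize > SIZE_MAX / pixelsize)
    {
      fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
              (unsigned)width, (unsigned)height);
      fclose(fp);
      return (1);
    }

    bufsize *= pixelsize;

    in = malloc(bufsize);
    /* … unchanged: bpp/out allocation and the !in || !out check … */
```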
@@ -191,20 +191,24 @@ _cupsImageZoomNew(
 z->inincr = -z->inincr;
 }
- if ((z->rows[0] = (cups_ib_t *)malloc(z->xsize * z->depth)) == NULL)
+ bufsize = z->xsize * z->depth;
+ if ((bufsize / z->depth) != z->xsize ||
+ (z->rows[0] = (cups_ib_t *)malloc(bufsize)) == NULL)
 {
 free(z);
 return (NULL);
 }
- if ((z->rows[1] = (cups_ib_t *)malloc(z->xsize * z->depth)) == NULL)
+ if ((z->rows[1] = (cups_ib_t *)malloc(bufsize)) == NULL)
 {
 free(z->rows[0]);
 free(z);
 return (NULL);
 }
- if ((z->in = (cups_ib_t *)malloc(z->width * z->depth)) == NULL)
+ bufsize = z->width * z->depth;
+ if ((bufsize / z->depth) != z->width ||
+ (z->in = (cups_ib_t *)malloc(bufsize)) == NULL)
 {
 free(z->rows[0]);
 free(z->rows[1]);
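Review bot: `bufsize = z->xsize * z->depth;` performs the multiplication in the operands' own type and only then widens to size_t, so if xsize and depth are plain ints (their declarations are outside this hunk) the overflow that `(bufsize / z->depth) != z->xsize` is meant to catch is signed overflow — undefined behaviour the compiler may assume away together with the check; `bufsize = (size_t)z->xsize * z->depth;` makes the test sound. The same applies to `bufsize = z->width * z->depth;` further down in this hunk. Both tests divide by z->depth and so presume it is non-zero; if the caller guarantees that, a comment such as `/* z->depth is non-zero here, so the division is safe */` at the first check would make the precondition visible. The xsize/ysize bound test in the earlier hunk appears to limit these sizes already, so this check is defensive rather than load-bearing. _cupsImageZoomNew starts before and ends after this hunk.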