cups-1.2.10-2.8mdv2007.1.src.rpm

--- cups-1.2.10/filter/image-png.c.cve-2008-1722	2006-05-11 07:41:36.000000000 -0400
+++ cups-1.2.10/filter/image-png.c	2008-08-13 15:11:00.000000000 -0400
@@ -3,6 +3,7 @@
  *
  *   PNG image routines for the Common UNIX Printing System (CUPS).
  *
+ *   Copyright 2007 by Apple Inc.
  *   Copyright 1993-2006 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -179,16 +180,56 @@ _cupsImageReadPNG(
     * Interlaced images must be loaded all at once...
     */
 
+    size_t bufsize;			/* Size of buffer */
+
+
     if (color_type == PNG_COLOR_TYPE_GRAY ||
 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-      in = malloc(img->xsize * img->ysize);
+    {
+      bufsize = img->xsize * img->ysize;
+
+      if ((bufsize / img->ysize) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)width, (unsigned)height);
+	fclose(fp);
+	return (1);
+      }
+    }
     else
-      in = malloc(img->xsize * img->ysize * 3);
+    {
+      bufsize = img->xsize * img->ysize * 3;
+
+      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      {
+	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+		(unsigned)width, (unsigned)height);
+	fclose(fp);
+	return (1);
+      }
+    }
+
+    in = malloc(bufsize);
   }
 
   bpp = cupsImageGetDepth(img);
   out = malloc(img->xsize * bpp);
 
+  if (!in || !out)
+  {
+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+    if (in)
+      free(in);
+
+    if (out)
+      free(out);
+
+    fclose(fp);
+
+    return (1);
+  }
+
  /*
   * Read the image, interlacing as needed...
   */
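Review bot: The RGB-branch test `bufsize / (img->ysize * 3)` divides by a product that can itself wrap, so a sufficiently large `img->ysize` could let a truncated `bufsize` pass the check; whether an earlier bound on the dimensions rules this out is not visible in the hunk. Both branches also divide by a value derived from `img->ysize` without testing it for zero. Checking before multiplying avoids both problems: `if (img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize)` followed by `bufsize = (size_t)img->xsize * img->ysize * 3;`. The context line `out = malloc(img->xsize * bpp)` gains a NULL check here but no matching overflow check on its multiplication. _cupsImageReadPNG starts and ends outside the hunk.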
--- cups-1.2.10/filter/image-zoom.c.cve-2008-1722	2006-02-26 21:47:56.000000000 -0500
+++ cups-1.2.10/filter/image-zoom.c	2008-08-13 15:16:49.000000000 -0400
@@ -103,7 +103,7 @@ _cupsImageZoomNew(
 {
   cups_izoom_t	*z;			/* New zoom record */
   int		flip;			/* Flip on X axis? */
-
+  size_t	bufsize;		/* Size of buffer for allocation */
 
   if (xsize > CUPS_IMAGE_MAX_WIDTH ||
       ysize > CUPS_IMAGE_MAX_HEIGHT ||
@@ -191,20 +191,24 @@ _cupsImageZoomNew(
     z->inincr = -z->inincr;
   }
 
-  if ((z->rows[0] = (cups_ib_t *)malloc(z->xsize * z->depth)) == NULL)
+  bufsize = z->xsize * z->depth;
+  if ((bufsize / z->depth) != z->xsize ||
+      (z->rows[0] = (cups_ib_t *)malloc(bufsize)) == NULL)
   {
     free(z);
     return (NULL);
   }
 
-  if ((z->rows[1] = (cups_ib_t *)malloc(z->xsize * z->depth)) == NULL)
+  if ((z->rows[1] = (cups_ib_t *)malloc(bufsize)) == NULL)
   {
     free(z->rows[0]);
     free(z);
     return (NULL);
   }
 
-  if ((z->in = (cups_ib_t *)malloc(z->width * z->depth)) == NULL)
+  bufsize = z->width * z->depth;
+  if ((bufsize / z->depth) != z->width ||
+      (z->in = (cups_ib_t *)malloc(bufsize)) == NULL)
   {
     free(z->rows[0]);
     free(z->rows[1]);
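Review bot: The test on `bufsize = z->xsize * z->depth` (and again on `z->width * z->depth`) runs after the product has already been computed in the operands' own type; if those fields are plain `int` (their declarations are outside the hunk), a signed overflow is undefined behaviour and the compiler may assume the division check always passes. A zero `z->depth` would also turn `bufsize / z->depth` into a division by zero. Guarding before the multiply is more robust, e.g. `if (z->depth <= 0 || (size_t)z->xsize > SIZE_MAX / (size_t)z->depth)`, then `bufsize = (size_t)z->xsize * (size_t)z->depth;`. The rejection path returns NULL with no diagnostic, so a one-line DEBUG message like the one in image-png.c would help when triaging a refused job. _cupsImageZoomNew starts and ends outside the hunk.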