pkgsrc-Bugs archive


pkg/38534: Fix for cups-1.3.7 security problem



>Number:         38534
>Category:       pkg
>Synopsis:       Fix for cups-1.3.7 security problem
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 28 12:55:00 +0000 2008
>Originator:     Michael C. Vergallen
>Release:        pkgsrc-2008Q1
>Organization:
Michael C. Vergallen
>Environment:
All versions, all machines
>Description:
The fix to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1722 is out.
Why does nobody bother to commit the fix instead of warning people about this?
The fix was published the 21st of this month, just after the author received
the report of the problem.


>How-To-Repeat:

>Fix:
Index: image-png.c
===================================================================
--- image-png.c (revision 7434)
+++ image-png.c (working copy)
@@ -3,7 +3,7 @@
  *
  *   PNG image routines for the Common UNIX Printing System (CUPS).
  *
- *   Copyright 2007 by Apple Inc.
+ *   Copyright 2007-2008 by Apple Inc.
  *   Copyright 1993-2007 by Easy Software Products.
  *
  *   These coded instructions, statements, and computer programs are the
@@ -170,16 +170,56 @@
     * Interlaced images must be loaded all at once...
     */
 
+    size_t bufsize;                    /* Size of buffer */
+
+
     if (color_type == PNG_COLOR_TYPE_GRAY ||
        color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-      in = malloc(img->xsize * img->ysize);
+    {
+      bufsize = img->xsize * img->ysize;
+
+      if ((bufsize / img->ysize) != img->xsize)
+      {
+       fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+               (unsigned)width, (unsigned)height);
+       fclose(fp);
+       return (1);
+      }
+    }
     else
-      in = malloc(img->xsize * img->ysize * 3);
+    {
+      bufsize = img->xsize * img->ysize * 3;
+
+      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      {
+       fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+               (unsigned)width, (unsigned)height);
+       fclose(fp);
+       return (1);
+      }
+    }
+
+    in = malloc(bufsize);
   }
 
   bpp = cupsImageGetDepth(img);
   out = malloc(img->xsize * bpp);
 
+  if (!in || !out)
+  {
+    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
+
+    if (in)
+      free(in);
+
+    if (out)
+      free(out);
+
+    fclose(fp);
+
+    return (1);
+  }
+
  /*
   * Read the image, interlacing as needed...
   */
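
Review bot: In the else branch the overflow test `(bufsize / (img->ysize * 3)) != img->xsize` divides by a product that can itself wrap, so it does not reliably detect a wrapped `img->xsize * img->ysize * 3`. Both tests also divide by `img->ysize` with no check in this hunk that it is non-zero. I would validate before multiplying instead: reject the image when `img->ysize` is 0 or when `img->xsize` exceeds `SIZE_MAX / img->ysize / 3` (or `SIZE_MAX / img->ysize` in the grayscale branch), and cast one operand to `size_t` so the product is not evaluated in a narrower type before it is stored in `bufsize`. The unchanged `out = malloc(img->xsize * bpp)` gets a NULL check here but no wrap check, so it deserves the same treatment. Minor: the DEBUG message prints `width` and `height` while the test is on `img->xsize` and `img->ysize`; printing the values actually tested would make the log easier to correlate.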


