author | drochner <drochner@pkgsrc.org> | 2008-04-15 17:26:23 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2008-04-15 17:26:23 +0000 |
commit | 695ac6c5d082b5d6a0260814b94e262525bf7d84 (patch) | |
tree | f616f0ebd73a3afd8df507d484d5c5ca09e77c5f /print/cups/patches | |
parent | 22f59d01592271a701546e89457d62e906753f16 (diff) | |
fix a possible integer overflow in buffer size calculation, from upstream,
bump PKGREVISION
Diffstat (limited to 'print/cups/patches')
-rw-r--r-- | print/cups/patches/patch-au | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au
new file mode 100644
index 00000000000..d12daeddb35
--- /dev/null
+++ b/print/cups/patches/patch-au
@@ -0,0 +1,72 @@
+$NetBSD: patch-au,v 1.11 2008/04/15 17:26:23 drochner Exp $
+
+--- ./filter/image-png.c.orig 2007-07-11 23:46:42.000000000 +0200
++++ ./filter/image-png.c
+@@ -3,7 +3,7 @@
+ *
+ * PNG image routines for the Common UNIX Printing System (CUPS).
+ *
+- * Copyright 2007 by Apple Inc.
++ * Copyright 2007-2008 by Apple Inc.
+ * Copyright 1993-2007 by Easy Software Products.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@ _cupsImageReadPNG(
+ * Interlaced images must be loaded all at once...
+ */
+
++ size_t bufsize; /* Size of buffer */
++
++
+ if (color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+- in = malloc(img->xsize * img->ysize);
++ {
++ bufsize = img->xsize * img->ysize;
++
++ if ((bufsize / img->ysize) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
+ else
+- in = malloc(img->xsize * img->ysize * 3);
++ {
++ bufsize = img->xsize * img->ysize * 3;
++
++ if ((bufsize / (img->ysize * 3)) != img->xsize)
++ {
++ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++ (unsigned)width, (unsigned)height);
++ fclose(fp);
++ return (1);
++ }
++ }
++
++ in = malloc(bufsize);
+ }
+
+ bpp = cupsImageGetDepth(img);
+ out = malloc(img->xsize * bpp);
+
++ if (!in || !out)
++ {
++ fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++ if (in)
++ free(in);
++
++ if (out)
++ free(out);
++
++ fclose(fp);
++
++ return (1);
++ }
++
+ /*
+ * Read the image, interlacing as needed...
+ */ |
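Review bot: The overflow test in the colour branch, `(bufsize / (img->ysize * 3)) != img->xsize`, divides by an expression computed in the same arithmetic as the product, so if `xsize`/`ysize` are narrower than `size_t` (their declarations are outside this hunk) the divisor can wrap together with `bufsize` and the comparison can still hold for an oversized image. Both branches would be more robust if the bound were checked before multiplying and the product formed in `size_t`: reject when `img->ysize == 0 || img->xsize > SIZE_MAX / 3 / img->ysize`, then `bufsize = (size_t)img->xsize * img->ysize * 3;` (drop the `/ 3` and `* 3` in the grey branch). The same concern applies to `out = malloc(img->xsize * bpp)`, which is now NULL-checked but whose size is still computed without a bound. The new `return (1)` paths close only `fp`; whether decoder state set up earlier in `_cupsImageReadPNG` also needs releasing cannot be judged here, since the function begins and ends outside the hunk.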