fix a possible integer overflow in buffer size calculation, from upstream,

bump PKGREVISION

3 files changed, 76 insertions, 2 deletions

diff --git a/print/cups/Makefile b/print/cups/Makefile
index 5424b897176..722942b49b3 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.133 2008/04/03 04:06:27 markd Exp $
+# $NetBSD: Makefile,v 1.134 2008/04/15 17:26:23 drochner Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution.  The correct place to send patches or bug-fixes is:
@@ -6,6 +6,7 @@
 
 DISTNAME=	cups-${DIST_VERS}-source
 PKGNAME=	cups-${VERS}
+PKGREVISION=	1
 BASE_VERS=	1.3.7
 DIST_VERS=	${BASE_VERS}
 VERS=		${DIST_VERS:S/-/./g}
diff --git a/print/cups/distinfo b/print/cups/distinfo
index 755f6a00e7c..f467efa9199 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.55 2008/04/03 04:06:27 markd Exp $
+$NetBSD: distinfo,v 1.56 2008/04/15 17:26:23 drochner Exp $
 
 SHA1 (cups-1.3.7-source.tar.bz2) = 4267822cdad2fdad44ff0885587132250bcf8dff
 RMD160 (cups-1.3.7-source.tar.bz2) = 7d3bd9dbe91e787f7032b770e576ab31cfcf6588
@@ -10,3 +10,4 @@ SHA1 (patch-ad) = 6695c344453495cd960460733a80d50654786c60
 SHA1 (patch-an) = 5c12e6de5d83659011c6050786049756e4aa4b49
 SHA1 (patch-ao) = 4fc204e312bf8752f3f3b4fd73ec1e4f166ae2d3
 SHA1 (patch-at) = eea32b989402c353f5f1644348c1042a3d4ddfa1
+SHA1 (patch-au) = 0c32755a4979e5a44b1773c9fd1fb75bcf919cef
diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au
new file mode 100644
index 00000000000..d12daeddb35
--- /dev/null
+++ b/print/cups/patches/patch-au
@@ -0,0 +1,72 @@
+$NetBSD: patch-au,v 1.11 2008/04/15 17:26:23 drochner Exp $
+
+--- ./filter/image-png.c.orig	2007-07-11 23:46:42.000000000 +0200
++++ ./filter/image-png.c
+@@ -3,7 +3,7 @@
+  *
+  *   PNG image routines for the Common UNIX Printing System (CUPS).
+  *
+- *   Copyright 2007 by Apple Inc.
++ *   Copyright 2007-2008 by Apple Inc.
+  *   Copyright 1993-2007 by Easy Software Products.
+  *
+  *   These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@ _cupsImageReadPNG(
+     * Interlaced images must be loaded all at once...
+     */
+ 
++    size_t bufsize;			/* Size of buffer */
++
++
+     if (color_type == PNG_COLOR_TYPE_GRAY ||
+ 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+-      in = malloc(img->xsize * img->ysize);
++    {
++      bufsize = img->xsize * img->ysize;
++
++      if ((bufsize / img->ysize) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
+     else
+-      in = malloc(img->xsize * img->ysize * 3);
++    {
++      bufsize = img->xsize * img->ysize * 3;
++
++      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
++
++    in = malloc(bufsize);
+   }
+ 
+   bpp = cupsImageGetDepth(img);
+   out = malloc(img->xsize * bpp);
+ 
++  if (!in || !out)
++  {
++    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++    if (in)
++      free(in);
++
++    if (out)
++      free(out);
++
++    fclose(fp);
++
++    return (1);
++  }
++
+  /*
+   * Read the image, interlacing as needed...
+   */