Blame cups-CVE-2008-1373.patch
|
Tim Waugh |
a5bf04 |
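diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c
--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373 2008-01-14 22:12:58.000000000 +0000
+++ cups-1.3.6/filter/image-gif.c 2008-04-01 16:43:22.000000000 +0100
@@ -38,6 +38,8 @@
 #define GIF_INTERLACE 0x40
 #define GIF_COLORMAP 0x80
 
+#define MAX_LWZ_BITS 12
+
 typedef cups_ib_t gif_cmap_t[256][4];
 typedef short gif_table_t[4096];
 
@@ -465,6 +467,9 @@ gif_read_image(FILE *fp, /* I -
 if (!pixels)
 return (-1);
 
+ if (code_size > MAX_LWZ_BITS)
+ return (-1);
+
 if (gif_read_lzw(fp, 1, code_size) < 0)
 {
 free(pixels);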
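Review bot: The new early return in the second hunk leaks `pixels`. The check sits after `if (!pixels) return (-1);`, so the buffer has evidently been allocated by then, and the `gif_read_lzw` failure path directly below does call `free(pixels)`. A file rejected for an oversized code size should release it the same way: `if (code_size > MAX_LWZ_BITS) { free(pixels); return (-1); }`. Only the upper bound is tested; if `code_size` is a signed value read straight from the file (its declaration and assignment are outside the hunk, as are the start and end of `gif_read_image`), a negative result from a truncated read would still reach `gif_read_lzw`, so a lower-bound test is worth considering. The new define would also benefit from a comment tying it to the table size, e.g. `/* largest LZW code size: 1 << 12 == 4096 entries in gif_table_t */`.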