diff -up cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 cups-1.2.12/filter/hpgl-input.c
--- cups-1.2.12/filter/hpgl-input.c.CVE-2008-0053 2007-07-06 23:39:54.000000000 +0100
+++ cups-1.2.12/filter/hpgl-input.c 2008-04-01 16:56:26.000000000 +0100
@@ -3,6 +3,7 @@
*
* HP-GL/2 input processing for the Common UNIX Printing System (CUPS).
*
+ * Copyright 2007-2008 by Apple Inc.
* Copyright 1993-2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
@@ -56,6 +57,7 @@ ParseCommand(FILE *fp, /* I - File to
i; /* Looping var */
char buf[262144], /* String buffer */
*bufptr; /* Pointer into buffer */
+ float temp; /* Temporary parameter value */
static param_t p[MAX_PARAMS]; /* Parameter buffer */
@@ -220,10 +222,10 @@ ParseCommand(FILE *fp, /* I - File to
case '-' :
case '+' :
ungetc(ch, fp);
- fscanf(fp, "%f", &(p[num_params].value.number));
- if (num_params < MAX_PARAMS)
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
{
- p[num_params].type = PARAM_RELATIVE;
+ p[num_params].type = PARAM_RELATIVE;
+ p[num_params].value.number = temp;
num_params ++;
}
break;
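Review bot: In this sign case (and identically in the digit case of the next hunk), a token that fails to parse, or that arrives once `num_params` has reached `MAX_PARAMS`, is dropped silently, so the command later runs with missing or shifted parameters and nothing is logged. An `else` branch that reports the discard on stderr would make malformed or hostile HP-GL input visible in the filter log. Separately, `%f` on a C99 library accepts tokens such as `+inf`, and the C standard leaves the conversion undefined when the value does not fit in a `float`. If the code that consumes `p[]` assumes finite coordinates (not visible here), the guard could be `if (fscanf(fp, "%f", &temp) == 1 && isfinite(temp) && num_params < MAX_PARAMS)`, which needs `<math.h>` if it is not already included. ParseCommand begins and ends outside this hunk.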
@@ -239,10 +241,10 @@ ParseCommand(FILE *fp, /* I - File to
case '9' :
case '.' :
ungetc(ch, fp);
- fscanf(fp, "%f", &(p[num_params].value.number));
- if (num_params < MAX_PARAMS)
+ if (fscanf(fp, "%f", &temp) == 1 && num_params < MAX_PARAMS)
{
- p[num_params].type = PARAM_ABSOLUTE;
+ p[num_params].type = PARAM_ABSOLUTE;
+ p[num_params].value.number = temp;
num_params ++;
}
break;
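Review bot: The digit case repeats the guard-and-store sequence of the sign case line for line, differing only in `PARAM_ABSOLUTE` versus `PARAM_RELATIVE`, so the bounds fix had to be applied twice. A small static helper that takes the stream and the parameter type would keep the `num_params < MAX_PARAMS` check in one place, so a parameter kind added later cannot bypass it. The rest of the switch lies outside the hunk, so whether other cases also write into `p[]` cannot be judged from here.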