From 46dabf03fd01a6515591a24bfd32f3013268c480 Mon Sep 17 00:00:00 2001
From: Tim Waugh <twaugh@fedoraproject.org>
Date: Aug 09 2007 15:47:37 +0000
Subject: - Applied patch to fix CVE-2007-3387 (bug #251518).


---

diff --git a/cups-CVE-2007-3387.patch b/cups-CVE-2007-3387.patch
new file mode 100644
index 0000000..ae7c468
--- /dev/null
+++ b/cups-CVE-2007-3387.patch
@@ -0,0 +1,23 @@
+--- cups-1.2.12/pdftops/Stream.cxx.CVE-2007-3387	2006-02-13 03:08:11.000000000 +0000
++++ cups-1.2.12/pdftops/Stream.cxx	2007-08-09 16:29:28.000000000 +0100
+@@ -411,15 +411,13 @@
+   ok = gFalse;
+ 
+   nVals = width * nComps;
+-  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX / nBits ||
+-      width >= INT_MAX / nComps / nBits ||
+-      nVals * nBits + 7 < 0) {
+-    return;
+-  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+-  if (rowBytes <= 0) {
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps > gfxColorMaxComps ||
++      nBits > 16 ||
++      width >= INT_MAX / nComps ||      // check for overflow in nVals
++      nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+     return;
+   }
+   predLine = (Guchar *)gmalloc(rowBytes);
diff --git a/cups.spec b/cups.spec
index 2e3b41a..6820fc3 100644
--- a/cups.spec
+++ b/cups.spec
@@ -6,7 +6,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.2.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Daemons
 Source: ftp://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@@ -46,6 +46,7 @@ Patch21: cups-driverd-timeout.patch
 Patch22: cups-af_unix-auth.patch
 Patch24: cups-str2109.patch
 Patch25: cups-usb-paperout.patch
+Patch26: cups-CVE-2007-3387.patch
 Patch100: cups-lspp.patch
 Epoch: 1
 Url: http://www.cups.org/
@@ -154,6 +155,7 @@ lpd emulation.
 %patch22 -p1 -b .af_unix-auth
 %patch24 -p1 -b .str2109
 %patch25 -p1 -b .usb-paperout
+%patch26 -p1 -b .CVE-2007-3387
 
 %if %lspp
 %patch100 -p1 -b .lspp
@@ -441,6 +443,9 @@ rm -rf $RPM_BUILD_ROOT
 %{cups_serverbin}/daemon/cups-lpd
 
 %changelog
+* Thu Aug  9 2007 Tim Waugh <twaugh@redhat.com> 1:1.2.12-4
+- Applied patch to fix CVE-2007-3387 (bug #251518).
+
 * Tue Jul 31 2007 Tim Waugh <twaugh@redhat.com> 1:1.2.12-3
 - Better buildroot tag.
 - Moved LSPP access check and security attributes check in add_job() to