ALT Linux repositórios
S: | 2.4.7-alt1 |
5.0: | 1.3.10-alt1 |
4.1: | 1.3.10-alt0.M41.4 |
+updates: | 1.3.9-alt1.M41.1 |
4.0: | 1.2.12-alt6.M40.9 |
+updates: | 1.2.12-alt6.M40.8 |
3.0: | 1.1.20-alt14.1 |
Group :: Sistema/Servidores
RPM: cups
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: cups-CVE-2011-2896.patch
Download
Download
diff -up cups-1.3.7/filter/image-gif.c.CVE-2011-2896 cups-1.3.7/filter/image-gif.c
--- cups-1.3.7/filter/image-gif.c.CVE-2011-2896 2011-11-08 17:41:31.000000000 +0100
+++ cups-1.3.7/filter/image-gif.c 2011-11-08 17:54:34.000000000 +0100
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to
* Read in another buffer...
*/
- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
+ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
{
/*
* Whoops, no more data!
@@ -583,19 +583,13 @@ gif_read_lzw(FILE *fp, /* I - File to
gif_get_code(fp, 0, 1);
/*
- * Wipe the decompressor table...
+ * Wipe the decompressor table (already mostly 0 due to the calloc above...)
*/
fresh = 1;
- for (i = 0; i < clear_code; i ++)
- {
- table[0][i] = 0;
+ for (i = 1; i < clear_code; i ++)
table[1][i] = i;
- }
-
- for (; i < 4096; i ++)
- table[0][i] = table[1][0] = 0;
sp = stack;
@@ -605,29 +605,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
fresh = 0;
do
+ {
firstcode = oldcode = gif_get_code(fp, code_size, 0);
+ }
while (firstcode == clear_code);
- return (firstcode);
+ return (firstcode & 255);
}
else if (!table)
return (0);
if (sp > stack)
- return (*--sp);
+ return ((*--sp) & 255);
- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
+ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
{
if (code == clear_code)
{
- for (i = 0; i < clear_code; i ++)
- {
- table[0][i] = 0;
- table[1][i] = i;
- }
+ /*
+ * Clear/reset the compression table...
+ */
- for (; i < 4096; i ++)
- table[0][i] = table[1][i] = 0;
+ memset(table, 0, 2 * sizeof(gif_table_t));
+ for (i = 1; i < clear_code; i ++)
+ table[1][i] = i;
code_size = set_code_size + 1;
max_code_size = 2 * clear_code;
@@ -636,12 +631,11 @@ gif_read_lzw(FILE *fp, /* I - File to
firstcode = oldcode = gif_get_code(fp, code_size, 0);
- return (firstcode);
+ return (firstcode & 255);
}
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
{
- unsigned char buf[260];
-
+ unsigned char buf[260]; /* Block buffer */
if (!gif_eof)
while (gif_get_block(fp, buf) > 0);
@@ -651,13 +645,15 @@ gif_read_lzw(FILE *fp, /* I - File to
incode = code;
- if (code >= max_code)
+ if (code == max_code)
{
- *sp++ = firstcode;
- code = oldcode;
+ if (sp < (stack + 8192))
+ *sp++ = firstcode;
+
+ code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < (stack + 8192))
{
*sp++ = table[1][code];
if (code == table[0][code])
@@ -666,8 +662,10 @@ gif_read_lzw(FILE *fp, /* I - File to
code = table[0][code];
}
- *sp++ = firstcode = table[1][code];
- code = max_code;
+ if (sp < (stack + 8192))
+ *sp++ = firstcode = table[1][code];
+
+ code = max_code;
if (code < 4096)
{
@@ -685,10 +683,10 @@ gif_read_lzw(FILE *fp, /* I - File to
oldcode = incode;
if (sp > stack)
- return (*--sp);
+ return ((*--sp) & 255);
}
- return (code);
+ return (code & 255);
}