Sisyphus repositório
Última atualização: 1 outubro 2023 | SRPMs: 18631 | Visitas: 37748415
en ru br
ALT Linux repositórios
S:2.4.7-alt1
5.0: 1.3.10-alt1
4.1: 1.3.10-alt0.M41.4
+updates:1.3.9-alt1.M41.1
4.0: 1.2.12-alt6.M40.9
+updates:1.2.12-alt6.M40.8
3.0: 1.1.20-alt14.1

Group :: Sistema/Servidores
RPM: cups

 Main   Changelog   Spec   Patches   Sources   Download   Gear   Bugs e FR  Repocop 

Patch: cups-CVE-2011-2896.patch
Download

diff -up cups-1.3.7/filter/image-gif.c.CVE-2011-2896 cups-1.3.7/filter/image-gif.c
--- cups-1.3.7/filter/image-gif.c.CVE-2011-2896	2011-11-08 17:41:31.000000000 +0100
+++ cups-1.3.7/filter/image-gif.c	2011-11-08 17:54:34.000000000 +0100
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp,			/* I - File to 
     * Read in another buffer...
     */
 
-    if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
+    if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
     {
      /*
       * Whoops, no more data!
@@ -583,19 +583,13 @@ gif_read_lzw(FILE *fp,			/* I - File to 
     gif_get_code(fp, 0, 1);
 
    /*
-    * Wipe the decompressor table...
+    * Wipe the decompressor table (already mostly 0 due to the calloc above...)
     */
 
     fresh = 1;
 
-    for (i = 0; i < clear_code; i ++)
-    {
-      table[0][i] = 0;
+    for (i = 1; i < clear_code; i ++)
       table[1][i] = i;
-    }
-
-    for (; i < 4096; i ++)
-      table[0][i] = table[1][0] = 0;
 
     sp = stack;
 
@@ -605,29 +605,30 @@ gif_read_lzw(FILE *fp,			/* I - File to read from */
     fresh = 0;
 
     do
+    {
       firstcode = oldcode = gif_get_code(fp, code_size, 0);
+    }
     while (firstcode == clear_code);
 
-    return (firstcode);
+    return (firstcode & 255);
   }
   else if (!table)
     return (0);
 
   if (sp > stack)
-    return (*--sp);
+    return ((*--sp) & 255);
 
-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
+  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
   {
     if (code == clear_code)
     {
-      for (i = 0; i < clear_code; i ++)
-      {
-	table[0][i] = 0;
-	table[1][i] = i;
-      }
+     /*
+      * Clear/reset the compression table...
+      */
 
-      for (; i < 4096; i ++)
-	table[0][i] = table[1][i] = 0;
+      memset(table, 0, 2 * sizeof(gif_table_t));
+      for (i = 1; i < clear_code; i ++)
+        table[1][i] = i;
 
       code_size     = set_code_size + 1;
       max_code_size = 2 * clear_code;
@@ -636,12 +631,11 @@ gif_read_lzw(FILE *fp,			/* I - File to 
 
       firstcode = oldcode = gif_get_code(fp, code_size, 0);
 
-      return (firstcode);
+      return (firstcode & 255);
     }
-    else if (code == end_code)
+    else if (code == end_code || code > max_code)
     {
-      unsigned char	buf[260];
-
+      unsigned char	buf[260];	/* Block buffer */
 
       if (!gif_eof)
         while (gif_get_block(fp, buf) > 0);
@@ -651,13 +645,15 @@ gif_read_lzw(FILE *fp,			/* I - File to 
 
     incode = code;
 
-    if (code >= max_code)
+    if (code == max_code)
     {
-      *sp++ = firstcode;
-      code  = oldcode;
+      if (sp < (stack + 8192))
+	*sp++ = firstcode;
+
+      code = oldcode;
     }
 
-    while (code >= clear_code)
+    while (code >= clear_code && sp < (stack + 8192))
     {
       *sp++ = table[1][code];
       if (code == table[0][code])
@@ -666,8 +662,10 @@ gif_read_lzw(FILE *fp,			/* I - File to 
       code = table[0][code];
     }
 
-    *sp++ = firstcode = table[1][code];
-    code  = max_code;
+    if (sp < (stack + 8192))
+      *sp++ = firstcode = table[1][code];
+
+    code = max_code;
 
     if (code < 4096)
     {
@@ -685,10 +683,10 @@ gif_read_lzw(FILE *fp,			/* I - File to 
     oldcode = incode;
 
     if (sp > stack)
-      return (*--sp);
+      return ((*--sp) & 255);
   }
 
-  return (code);
+  return (code & 255);
 }
 
projeto & código: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009