diff -up cups-1.3.7/filter/image-gif.c.CVE-2011-2896 cups-1.3.7/filter/image-gif.c
--- cups-1.3.7/filter/image-gif.c.CVE-2011-2896	2011-11-08 17:41:31.000000000 +0100
+++ cups-1.3.7/filter/image-gif.c	2011-11-08 17:54:34.000000000 +0100
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to
       * Read in another buffer...
       */
-      if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
+      if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
       {
        /*
         * Whoops, no more data!
@@ -583,19 +583,13 @@ gif_read_lzw(FILE *fp, /* I - File to
     gif_get_code(fp, 0, 1);
    /*
-    * Wipe the decompressor table...
+    * Wipe the decompressor table (already mostly 0 due to the calloc above...)
     */
     fresh = 1;
-    for (i = 0; i < clear_code; i ++)
-    {
-      table[0][i] = 0;
+    for (i = 1; i < clear_code; i ++)
       table[1][i] = i;
-    }
-
-    for (; i < 4096; i ++)
-      table[0][i] = table[1][0] = 0;
     sp = stack;
@@ -605,29 +605,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
     fresh = 0;
     do
+    {
       firstcode = oldcode = gif_get_code(fp, code_size, 0);
+    }
     while (firstcode == clear_code);
-    return (firstcode);
+    return (firstcode & 255);
   }
   else if (!table)
     return (0);
   if (sp > stack)
-    return (*--sp);
+    return ((*--sp) & 255);
-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
+  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
   {
     if (code == clear_code)
     {
-      for (i = 0; i < clear_code; i ++)
-      {
-        table[0][i] = 0;
-        table[1][i] = i;
-      }
+     /*
+      * Clear/reset the compression table...
+      */
-      for (; i < 4096; i ++)
-        table[0][i] = table[1][i] = 0;
+      memset(table, 0, 2 * sizeof(gif_table_t));
+      for (i = 1; i < clear_code; i ++)
+        table[1][i] = i;
       code_size     = set_code_size + 1;
       max_code_size = 2 * clear_code;
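Review bot: The first_time path now relies on calloc for the zero state of table[0] and of table[1] above clear_code, while the clear_code path in the following hunk zeroes with memset; if `table` is allocated once and kept across images (its allocation is outside the hunk, so I cannot confirm that), a later decode in the same process would start from the previous image's table[0] entries. Zeroing explicitly here as well, `memset(table, 0, 2 * sizeof(gif_table_t));` before the `for (i = 1; i < clear_code; i ++)` loop, keeps the two reset paths identical and makes the "already mostly 0" comment unnecessary. gif_read_lzw starts and ends outside the hunk.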
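Review bot: The do/while in the fresh path never checks for a negative return from gif_get_code, and the new `return (firstcode & 255)` turns such a value into the data byte 255, so a truncated stream (the "no more data" case visible in the first hunk) is no longer distinguishable from image data by the caller; the same masking applies to `return (code & 255)` at the end of the last hunk, which is reached when the while condition saw a negative code. I would keep the mask for in-range codes but propagate errors first, `if (firstcode < 0) return (firstcode);` before the masked return here, and the equivalent guard before the final return. Separately, `2 * sizeof(gif_table_t)` in the memset would read better as `2 * sizeof *table`, tying the size to the pointer's type. gif_read_lzw starts and ends outside the hunk.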
@@ -636,12 +631,11 @@ gif_read_lzw(FILE *fp, /* I - File to
       firstcode = oldcode = gif_get_code(fp, code_size, 0);
-      return (firstcode);
+      return (firstcode & 255);
     }
-    else if (code == end_code)
+    else if (code == end_code || code > max_code)
     {
-      unsigned char buf[260];
-
+      unsigned char buf[260];	/* Block buffer */
       if (!gif_eof)
         while (gif_get_block(fp, buf) > 0);
@@ -651,13 +645,15 @@ gif_read_lzw(FILE *fp, /* I - File to
     incode = code;
-    if (code >= max_code)
+    if (code == max_code)
     {
-      *sp++ = firstcode;
-      code = oldcode;
+      if (sp < (stack + 8192))
+        *sp++ = firstcode;
+
+      code = oldcode;
     }
-    while (code >= clear_code)
+    while (code >= clear_code && sp < (stack + 8192))
     {
       *sp++ = table[1][code];
       if (code == table[0][code])
@@ -666,8 +662,10 @@ gif_read_lzw(FILE *fp, /* I - File to
       code = table[0][code];
     }
-    *sp++ = firstcode = table[1][code];
-    code = max_code;
+    if (sp < (stack + 8192))
+      *sp++ = firstcode = table[1][code];
+
+    code = max_code;
     if (code < 4096)
     {
@@ -685,10 +683,10 @@ gif_read_lzw(FILE *fp, /* I - File to
     oldcode = incode;
     if (sp > stack)
-      return (*--sp);
+      return ((*--sp) & 255);
   }
-  return (code);
+  return (code & 255);
 }
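Review bot: The new `code > max_code` condition is the check that keeps the later `table[0][code]` and `table[1][code]` indexing inside the populated part of the table, but it reads as part of the end-of-image test and nothing says so; a comment on that line, `/* A code past max_code cannot occur in a valid stream; treat it as end of data */`, would keep a later cleanup from "simplifying" it away. It is also worth stating there that `code == max_code` is intentionally excluded because the next hunk handles it as the KwKwK case. gif_read_lzw starts and ends outside the hunk.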
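Review bot: When `sp` reaches `stack + 8192` the while loop now stops with `code` still at or above clear_code and decoding carries on as if the string had been fully expanded, so a table cycle longer than one entry (the `code == table[0][code]` test only catches a self-loop) yields silently truncated output rather than a rejected stream. A check after the loop, `if (sp >= stack + 8192)` returning the same error the end_code branch uses, would make stack exhaustion a hard failure, which is what it indicates since a valid LZW string never exceeds the 4096-entry table. The bound `stack + 8192` is repeated here and twice more in the next hunk; a named constant for the stack size would keep the three checks from drifting apart. gif_read_lzw starts and ends outside the hunk.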
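Review bot: Making the push conditional also makes the `firstcode = table[1][code]` assignment conditional, because both live in the one statement under `if (sp < (stack + 8192))`; when the stack is full, firstcode keeps its previous value, and if the table update a few lines later still records firstcode as in the original code (that line is outside the hunk), the new entry gets the wrong first character. Splitting it keeps the assignment unconditional: `firstcode = table[1][code];` followed by `if (sp < (stack + 8192)) *sp++ = firstcode;`. gif_read_lzw ends outside the hunk.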