7079992 Problem with print/cups
7080146 GIF decoder LZW decompressor buffer overflow in CUPS
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cups/patches/str3867.patch Wed Aug 17 18:42:48 2011 -0700
@@ -0,0 +1,119 @@
+See: http://cups.org/str.php?L3867 for details.
+
+Index: filter/image-gif.c
+===================================================================
+--- filter/image-gif.c (revision 9839)
++++ filter/image-gif.c (working copy)
[email protected]@ -353,7 +353,7 @@
+ * Read in another buffer...
+ */
+
+- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+ {
+ /*
+ * Whoops, no more data!
[email protected]@ -582,20 +582,14 @@
+ gif_get_code(fp, 0, 1);
+
+ /*
+- * Wipe the decompressor table...
++ * Wipe the decompressor table (already mostly 0 due to the calloc above...)
+ */
+
+ fresh = 1;
+
+- for (i = 0; i < clear_code; i ++)
+- {
+- table[0][i] = 0;
++ for (i = 1; i < clear_code; i ++)
+ table[1][i] = i;
+- }
+
+- for (; i < 4096; i ++)
+- table[0][i] = table[1][0] = 0;
+-
+ sp = stack;
+
+ return (0);
[email protected]@ -605,30 +599,31 @@
+ fresh = 0;
+
+ do
++ {
+ firstcode = oldcode = gif_get_code(fp, code_size, 0);
++ }
+ while (firstcode == clear_code);
+
+- return (firstcode);
++ return (firstcode & 255);
+ }
+ else if (!table)
+ return (0);
+
+ if (sp > stack)
+- return (*--sp);
++ return ((*--sp) & 255);
+
+- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+ {
+ if (code == clear_code)
+ {
+- for (i = 0; i < clear_code; i ++)
+- {
+- table[0][i] = 0;
++ /*
++ * Clear/reset the compression table...
++ */
++
++ memset(table, 0, 2 * sizeof(gif_table_t));
++ for (i = 1; i < clear_code; i ++)
+ table[1][i] = i;
+- }
+
+- for (; i < 4096; i ++)
+- table[0][i] = table[1][i] = 0;
+-
+ code_size = set_code_size + 1;
+ max_code_size = 2 * clear_code;
+ max_code = clear_code + 2;
[email protected]@ -637,13 +632,12 @@
+
+ firstcode = oldcode = gif_get_code(fp, code_size, 0);
+
+- return (firstcode);
++ return (firstcode & 255);
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+- unsigned char buf[260];
++ unsigned char buf[260]; /* Block buffer */
+
+-
+ if (!gif_eof)
+ while (gif_get_block(fp, buf) > 0);
+
[email protected]@ -652,7 +646,7 @@
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+ *sp++ = firstcode;
+ code = oldcode;
[email protected]@ -686,10 +680,10 @@
+ oldcode = incode;
+
+ if (sp > stack)
+- return (*--sp);
++ return ((*--sp) & 255);
+ }
+
+- return (code);
++ return (code & 255);
+ }
+
+
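Review bot: str3867.patch on its own still leaves the decode-stack writes unbounded: in its inner `-652,7` hunk, `*sp++ = firstcode;` is kept with no check against the end of `stack`. Rejecting `code > max_code` narrows the overflow but does not bound `sp`; that check only arrives with str3914.patch, whose inner offsets (648, 661) appear to assume this patch is already applied. A header line in this file would make the dependency explicit, for example `Apply together with and before str3914.patch, which adds the stack bounds checks.` The new `else if (code == end_code || code > max_code)` line also deserves a comment such as `/* A code beyond max_code is not in the table yet: corrupt stream, stop decoding */`. Separately, `memset(table, 0, 2 * sizeof(gif_table_t))` is only correct if `table` was allocated as exactly two `gif_table_t` entries; the allocation is outside the hunk, so confirm it there.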
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cups/patches/str3914.patch Wed Aug 17 18:42:48 2011 -0700
@@ -0,0 +1,37 @@
+See: http://www.cups.org/str.php?L3914 for details.
+
+Index: filter/image-gif.c
+===================================================================
+--- filter/image-gif.c (revision 9862)
++++ filter/image-gif.c (working copy)
[email protected]@ -648,11 +648,13 @@
+
+ if (code == max_code)
+ {
+- *sp++ = firstcode;
+- code = oldcode;
++ if (sp < (stack + 8192))
++ *sp++ = firstcode;
++
++ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < (stack + 8192))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
[email protected]@ -661,9 +663,11 @@
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
+- code = max_code;
++ if (sp < (stack + 8192))
++ *sp++ = firstcode = table[1][code];
+
++ code = max_code;
++
+ if (code < 4096)
+ {
+ table[0][code] = oldcode;
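Review bot: The stack limit is written as the literal `8192` in all three new checks (`sp < (stack + 8192)`), while the declaration of `stack` is outside the hunk, so nothing ties the bound to the real array size if it ever changes. If `stack` is a true array, `stack + sizeof(stack) / sizeof(stack[0])` or a shared named constant (for example a `GIF_STACK_SIZE` define, name suggested here) keeps them in step. The checks also skip the push silently when the stack is full, so a malformed file decodes to truncated pixel data with no error reported. It may be better to stop and return the negative value the caller already treats as a decode failure; that convention is not visible in these hunks and needs confirming. A comment on the first check, such as `/* Malformed streams can chain more codes than the stack holds; never write past its end */`, would record why the guard exists.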