7079992 Problem with print/cups
authorJiri Sasek <Jiri.Sasek@Sun.COM>
Wed, 17 Aug 2011 18:42:48 -0700
changeset 478 143405c872eb
parent 477 068d10529156
child 479 c9b8e016b757
7079992 Problem with print/cups 7080146 GIF decoder LZW decompressor buffer overflow in CUPS
components/cups/patches/str3867.patch
components/cups/patches/str3914.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cups/patches/str3867.patch	Wed Aug 17 18:42:48 2011 -0700
@@ -0,0 +1,119 @@
+See: http://cups.org/str.php?L3867 for details.
+
+Index: filter/image-gif.c
+===================================================================
+--- filter/image-gif.c	(revision 9839)
++++ filter/image-gif.c	(working copy)
[email protected]@ -353,7 +353,7 @@
+     * Read in another buffer...
+     */
+ 
+-    if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++    if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+     {
+      /*
+       * Whoops, no more data!
[email protected]@ -582,20 +582,14 @@
+     gif_get_code(fp, 0, 1);
+ 
+    /*
+-    * Wipe the decompressor table...
++    * Wipe the decompressor table (already mostly 0 due to the calloc above...)
+     */
+ 
+     fresh = 1;
+ 
+-    for (i = 0; i < clear_code; i ++)
+-    {
+-      table[0][i] = 0;
++    for (i = 1; i < clear_code; i ++)
+       table[1][i] = i;
+-    }
+ 
+-    for (; i < 4096; i ++)
+-      table[0][i] = table[1][0] = 0;
+-
+     sp = stack;
+ 
+     return (0);
[email protected]@ -605,30 +599,31 @@
+     fresh = 0;
+ 
+     do
++    {
+       firstcode = oldcode = gif_get_code(fp, code_size, 0);
++    }
+     while (firstcode == clear_code);
+ 
+-    return (firstcode);
++    return (firstcode & 255);
+   }
+   else if (!table)
+     return (0);
+ 
+   if (sp > stack)
+-    return (*--sp);
++    return ((*--sp) & 255);
+ 
+-  while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++  while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+   {
+     if (code == clear_code)
+     {
+-      for (i = 0; i < clear_code; i ++)
+-      {
+-	table[0][i] = 0;
++     /*
++      * Clear/reset the compression table...
++      */
++
++      memset(table, 0, 2 * sizeof(gif_table_t));
++      for (i = 1; i < clear_code; i ++)
+ 	table[1][i] = i;
+-      }
+ 
+-      for (; i < 4096; i ++)
+-	table[0][i] = table[1][i] = 0;
+-
+       code_size     = set_code_size + 1;
+       max_code_size = 2 * clear_code;
+       max_code      = clear_code + 2;
[email protected]@ -637,13 +632,12 @@
+ 
+       firstcode = oldcode = gif_get_code(fp, code_size, 0);
+ 
+-      return (firstcode);
++      return (firstcode & 255);
+     }
+-    else if (code == end_code)
++    else if (code == end_code || code > max_code)
+     {
+-      unsigned char	buf[260];
++      unsigned char	buf[260];	/* Block buffer */
+ 
+-
+       if (!gif_eof)
+         while (gif_get_block(fp, buf) > 0);
+ 
[email protected]@ -652,7 +646,7 @@
+ 
+     incode = code;
+ 
+-    if (code >= max_code)
++    if (code == max_code)
+     {
+       *sp++ = firstcode;
+       code  = oldcode;
[email protected]@ -686,10 +680,10 @@
+     oldcode = incode;
+ 
+     if (sp > stack)
+-      return (*--sp);
++      return ((*--sp) & 255);
+   }
+ 
+-  return (code);
++  return (code & 255);
+ }
+ 
+ 
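Review bot: The new `& 255` masks in the embedded image-gif.c patch are also applied to values that can be negative. The loop condition `(code = gif_get_code(fp, code_size, 0)) >= 0` shows that a negative code signals a read failure, yet the final `return (code & 255)` and the two `return (firstcode & 255)` sites turn it into pixel value 255. A truncated or corrupt stream would then look like valid data instead of ending the decode; the function's start and its caller are outside these hunks, so confirm how errors are detected there. Consider masking only non-negative values, e.g. `return (code < 0 ? code : (code & 255));`, and the same for `firstcode`. Separately, the first-time wipe now relies on "the calloc above", which is not visible here; if the table can be reused for a second image without reallocation, stale entries would survive the reset.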
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/cups/patches/str3914.patch	Wed Aug 17 18:42:48 2011 -0700
@@ -0,0 +1,37 @@
+See: http://www.cups.org/str.php?L3914 for details.
+
+Index: filter/image-gif.c
+===================================================================
+--- filter/image-gif.c	(revision 9862)
++++ filter/image-gif.c	(working copy)
[email protected]@ -648,11 +648,13 @@
+ 
+     if (code == max_code)
+     {
+-      *sp++ = firstcode;
+-      code  = oldcode;
++      if (sp < (stack + 8192))
++	*sp++ = firstcode;
++
++      code = oldcode;
+     }
+ 
+-    while (code >= clear_code)
++    while (code >= clear_code && sp < (stack + 8192))
+     {
+       *sp++ = table[1][code];
+       if (code == table[0][code])
[email protected]@ -661,9 +663,11 @@
+       code = table[0][code];
+     }
+ 
+-    *sp++ = firstcode = table[1][code];
+-    code  = max_code;
++    if (sp < (stack + 8192))
++      *sp++ = firstcode = table[1][code];
+ 
++    code = max_code;
++
+     if (code < 4096)
+     {
+       table[0][code] = oldcode;
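Review bot: The three added `sp < (stack + 8192)` guards repeat the stack capacity as a literal, while the allocation they must agree with is outside this hunk. A single named constant used for both the allocation and the guards (for example `#define GIF_STACK_SIZE 8192`, a name suggested here) would keep them from drifting apart. When the limit is reached, the `while` loop just stops and the `firstcode = table[1][code]` assignment is skipped, so decoding carries on with a stale `firstcode` and a partially expanded code rather than rejecting the stream. Treating a full stack as a decode error at that point would make malformed input fail visibly; the function's error convention is not shown here, so the return value needs checking against the caller.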