Fix image size check in PNG reading code (STR #2974)
authormike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 17 Oct 2008 16:59:01 +0000 (16:59 +0000)
committermike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 17 Oct 2008 16:59:01 +0000 (16:59 +0000)
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@8064 7a7537e8-13f0-0310-91df-b6672ffda945

CHANGES-1.3.txt
filter/image-png.c

index 173fbfe2a4e0ca0cf6d57fc64a7912b26439d789..c9786957306915b50ff3d13bc3716795b392988d 100644 (file)
@@ -1,6 +1,13 @@
 CHANGES-1.3.txt
 ---------------
 
+CHANGES IN CUPS V1.3.10
+
+       - SECURITY: The PNG image reading code did not validate the
+         image size properly, leading to a potential buffer overflow
+         (STR #2974)
+
+
 CHANGES IN CUPS V1.3.9
 
        - SECURITY: The HP-GL/2 filter did not range check pen numbers
index 81cc803f207e1b380b1cbd7559d23c1855ea9ed6..7efa3882ecadc126d472fd23add81c68e8ca14d6 100644 (file)
@@ -178,7 +178,7 @@ _cupsImageReadPNG(
     {
       bufsize = img->xsize * img->ysize;
 
-      if ((bufsize / img->ysize) != img->xsize)
+      if ((bufsize / img->xsize) != img->ysize)
       {
        fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
                (unsigned)width, (unsigned)height);
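Review bot: The overflow test on `bufsize / img->xsize` still runs after `img->xsize * img->ysize` has been computed and stored, so it depends on the wraparound being detectable afterwards and on `img->xsize` being non-zero, neither of which this hunk establishes. Testing before the multiplication is more robust, for example `if (img->xsize == 0 || img->ysize > BUFSIZE_LIMIT / img->xsize)`, where `BUFSIZE_LIMIT` is a placeholder for the largest value that bufsize's type and the later allocation can hold. The declaration of bufsize and any earlier width/height validation lie outside the hunk, so the types need confirming; if bufsize is signed, a product that survives the round-trip division could still end up as a negative size. The RGB branch in the next hunk follows the same multiply-then-divide pattern.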
@@ -190,7 +190,7 @@ _cupsImageReadPNG(
     {
       bufsize = img->xsize * img->ysize * 3;
 
-      if ((bufsize / (img->ysize * 3)) != img->xsize)
+      if ((bufsize / (img->xsize * 3)) != img->ysize)
       {
        fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
                (unsigned)width, (unsigned)height);
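Review bot: The divisor `img->xsize * 3` in the new check can itself wrap for a large enough xsize, and once it does the quotient no longer proves that `img->xsize * img->ysize * 3` fitted in bufsize. Unless the width is bounded earlier in _cupsImageReadPNG (not visible in this hunk), it is safer to divide in steps before multiplying, for example `if (img->xsize == 0 || img->ysize > BUFSIZE_LIMIT / 3 / img->xsize)`, with `BUFSIZE_LIMIT` a placeholder for the maximum that bufsize may hold. The function body extends beyond the hunk on both sides, so the type of bufsize should be checked against that limit.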