From: msweet Date: Fri, 23 Oct 2015 17:44:03 +0000 (+0000) Subject: Protect against integer overflow in raster data () X-Git-Tag: v2.2b1~179 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c0659cd0fb6a9ccfa1e432dea9cf5511c1e1464;p=thirdparty%2Fcups.git Protect against integer overflow in raster data () git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12908 a1ca3aef-8c08-0410-bb20-df032aa958be
---
diff --git a/CHANGES-2.1.txt b/CHANGES-2.1.txt
index 7ba00211e9..7c196cc836 100644
--- a/CHANGES-2.1.txt
+++ b/CHANGES-2.1.txt
@@ -3,6 +3,7 @@ CHANGES-2.1.txt
 CHANGES IN CUPS V2.1.1
+ - Security hardening fixes ()
 - The cupsGetPPD* functions did not work with IPP printers (STR #4725) - Some older HP LaserJet printers need a delayed close when printing using the libusb-based USB backend (STR #4549)
diff --git a/filter/raster.c b/filter/raster.c
index ec3033899c..a921433803 100644
--- a/filter/raster.c
+++ b/filter/raster.c
@@ -64,7 +64,7 @@ static ssize_t cups_raster_io(cups_raster_t *r, unsigned char *buf, size_t bytes
 static unsigned cups_raster_read_header(cups_raster_t *r); static ssize_t cups_raster_read(cups_raster_t *r, unsigned char *buf, size_t bytes);
-static void cups_raster_update(cups_raster_t *r);
+static int cups_raster_update(cups_raster_t *r);
 static ssize_t cups_raster_write(cups_raster_t *r, const unsigned char *pixels); static ssize_t cups_read_fd(void *ctx, unsigned char *buf, size_t bytes);
@@ -566,7 +566,8 @@ cupsRasterWriteHeader(
 memset(&(r->header), 0, sizeof(r->header)); memcpy(&(r->header), h, sizeof(cups_page_header_t));
- cups_raster_update(r);
+ if (!cups_raster_update(r))
+ return (0);
 /* * Write the raster header...
@@ -682,7 +683,8 @@ cupsRasterWriteHeader2(
 memcpy(&(r->header), h, sizeof(cups_page_header2_t));
- cups_raster_update(r);
+ if (!cups_raster_update(r))
+ return (0);
 /* * Write the raster header...
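Review bot: In the `@@ -566` hunk of cupsRasterWriteHeader (and identically in the `@@ -682` hunk of cupsRasterWriteHeader2), the memcpy into `r->header` happens before `cups_raster_update(r)` validates it, so on the new failure return the stream still holds the rejected header. A caller that ignores the 0 return and carries on with the stream would presumably work from those values. Clearing the header on failure, `if (!cups_raster_update(r)) { memset(&(r->header), 0, sizeof(r->header)); return (0); }`, or validating before the copy, would avoid leaving that state behind. Both function bodies start and end outside their hunks, so whether later code already guards against this is not visible here.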
@@ -1015,11 +1017,12 @@ cups_raster_read_header(
 * Update the header and row count... */
- cups_raster_update(r);
+ if (!cups_raster_update(r))
+ return (0);
 DEBUG_printf(("4cups_raster_read_header: cupsBitsPerPixel=%u, cupsBitsPerColor=%u, cupsBytesPerLine=%u, cupsWidth=%u, cupsHeight=%u, r->bpp=%d", r->header.cupsBitsPerPixel, r->header.cupsBitsPerColor, r->header.cupsBytesPerLine, r->header.cupsWidth, r->header.cupsHeight, r->bpp));
- return (r->header.cupsBitsPerPixel != 0 && r->header.cupsBitsPerColor != 0 && r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0 && (r->header.cupsBytesPerLine % r->bpp) == 0);
+ return (r->header.cupsBitsPerPixel > 0 && r->header.cupsBitsPerPixel <= 240 && r->header.cupsBitsPerColor > 0 && r->header.cupsBitsPerColor <= 16 && r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0 && (r->header.cupsBytesPerLine % r->bpp) == 0);
 }
@@ -1219,7 +1222,7 @@ cups_raster_read(cups_raster_t *r, /* I - Raster stream */
 * current page. */
-static void
+static int /* O - 1 on success, 0 on failure */
 cups_raster_update(cups_raster_t *r) /* I - Raster stream */ { if (r->sync == CUPS_RASTER_SYNCv1 || r->sync == CUPS_RASTER_REVSYNCv1 ||
@@ -1300,6 +1303,10 @@ cups_raster_update(cups_raster_t *r) /* I - Raster stream */
 r->header.cupsNumColors = r->header.cupsColorSpace - CUPS_CSPACE_DEVICE1 + 1; break;
+
+ default :
+ /* Unknown color space */
+ return (0);
 } }
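Review bot: In the `@@ -1015` hunk of cups_raster_read_header, the new return expression bounds cupsBitsPerPixel and cupsBitsPerColor but still accepts any non-zero cupsBytesPerLine and cupsHeight, and it never relates cupsBytesPerLine to cupsWidth. If code outside this hunk sizes row buffers from one of these fields and indexes by another, or multiplies them, a header read from an untrusted stream could still produce an overflow or an out-of-bounds access. A consistency check here that accounts for the color order would close that gap. The literals 240 and 16 would also read better as named constants with a comment on where they come from, e.g. `/* presumably 15 colors x 16 bits per color - confirm */`.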
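Review bot: In the `@@ -1300` hunk, the new `default :` arm rejects an unknown color space only inside this switch, and the `if (r->sync == CUPS_RASTER_SYNCv1 || ...` context in the `@@ -1219` hunk suggests the switch runs only for some sync words. If that reading is right, headers taking the other branch keep whatever cupsColorSpace and cupsNumColors they carry, so it is worth confirming those are range-checked elsewhere. Since cups_raster_update now returns int and its callers test `!cups_raster_update(r)`, the success path must end in `return (1);`. No such line is visible in these hunks, and the function body continues outside them.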