From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 10 May 2023 19:33:23 +0000 (-0400)
Subject: Fix an integer overflow issue in the PWG media size name code (Issue #668)
X-Git-Tag: v2.4.3~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae98f1237cd6a0d7c08094feec46885aa80388f9;p=thirdparty%2Fcups.git

Fix an integer overflow issue in the PWG media size name code (Issue #668)
---

diff --git a/CHANGES.md b/CHANGES.md
index 2fcd20b49c..af3754ac8f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -170,6 +170,8 @@ Changes in CUPS v2.4b1 (2021-10-27)
 - Fixed support for "job-hold-until" with the Restart-Job operation (Issue #250)
 - Fixed the default color/grayscale presets for IPP Everywhere PPDs (Issue #262)
 - Fixed support for the 'offline-report' state for all USB backends (Issue #264)
+- Fixed an integer overflow in the PWG media size name formatting code
+  (Issue #668)
 - Documentation fixes (Issue #92, Issue #163, Issue #177, Issue #184)
 - Localization updates (Issue #123, Issue #129, Issue #134, Issue #146,
   Issue #164)
diff --git a/cups/pwg-media.c b/cups/pwg-media.c
index d6ee5951b8..14a5ad3c2d 100644
--- a/cups/pwg-media.c
+++ b/cups/pwg-media.c
@@ -1108,9 +1108,13 @@ pwg_format_inches(char   *buf,		/* I - Buffer */
   * the nearest thousandth.
   */
 
-  thousandths = (val * 1000 + 1270) / 2540;
-  integer     = thousandths / 1000;
-  fraction    = thousandths % 1000;
+  integer  = val / 2540;
+  fraction = ((val % 2540) * 1000 + 1270) / 2540;
+  if (fraction >= 1000)
+  {
+    integer ++;
+    fraction -= 1000;
+  }
 
  /*
   * Format as a pair of integers (avoids locale stuff), avoiding trailing