Validate cupsBitsPerColor, cupsBitsPerPixel, and cupsBytesPerLine to avoid

potential buffer overflow with compressed raster data (STR #4551)

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12452 a1ca3aef-8c08-0410-bb20-df032aa958be

diff --git a/CHANGES-2.0.txt b/CHANGES-2.0.txt
index a92d32e594b4ad36fb04183c1a75ba280aa16187..a38b05c0f0ecbeb6a70139c8d2a9beda5ce6fdc5 100644 (file)
--- a/CHANGES-2.0.txt
+++ b/CHANGES-2.0.txt
@@ -3,6 +3,8 @@ CHANGES-2.0.txt
 
 CHANGES IN CUPS V2.0.2
 
+       - Security: cupsRasterReadPixels buffer overflow with invalid page
+         header and compressed raster data (STR #4551)
        - Command-line programs were not localized on Mac OS X
          (<rdar://problem/14546232>)
        - The scheduler incorrectly cleared the MakeModel string in the

diff --git a/filter/raster.c b/filter/raster.c
index a7a4a7a48f99e5c1bb8664434a4832eadcf5c2e9..c3247da812a1575f7141c940393f9eb6d624835b 100644 (file)
--- a/filter/raster.c
+++ b/filter/raster.c
@@ -3,7 +3,7 @@
  *
  * Raster file routines for CUPS.
  *
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2015 by Apple Inc.
  * Copyright 1997-2006 by Easy Software Products.
  *
  * This file is part of the CUPS Imaging library.
@@ -256,7 +256,10 @@ cupsRasterReadHeader(
   */
 
   if (!cups_raster_read_header(r))
+  {
+    memset(h, 0, sizeof(cups_page_header_t));
     return (0);
+  }
 
  /*
   * Copy the header to the user-supplied buffer...
@@ -285,7 +288,10 @@ cupsRasterReadHeader2(
   */
 
   if (!cups_raster_read_header(r))
+  {
+    memset(h, 0, sizeof(cups_page_header2_t));
     return (0);
+  }
 
  /*
   * Copy the header to the user-supplied buffer...
@@ -964,7 +970,7 @@ cups_raster_read_header(
 
   cups_raster_update(r);
 
-  return (r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0);
+  return (r->header.cupsBytesPerLine != 0 && r->header.cupsHeight != 0 && (r->header.cupsBytesPerLine % r->bpp) == 0);
 }