summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-print/cups/files/cups-1.4.8-CVE-2011-2896.patch')
-rw-r--r--net-print/cups/files/cups-1.4.8-CVE-2011-2896.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/net-print/cups/files/cups-1.4.8-CVE-2011-2896.patch b/net-print/cups/files/cups-1.4.8-CVE-2011-2896.patch
new file mode 100644
index 0000000..843456f
--- /dev/null
+++ b/net-print/cups/files/cups-1.4.8-CVE-2011-2896.patch
@@ -0,0 +1,37 @@
+Source: Upstream http://cups.org/str.php?L3914
+Reason: Avoid GIF reader loop (CVE-2011-2896)
+Upstream: Fixed in trunk
+
+diff -up cups-1.4.8/filter/image-gif.c.CVE-2011-2896 cups-1.4.8/filter/image-gif.c
+--- cups-1.4.8/filter/image-gif.c.CVE-2011-2896 2011-06-20 21:37:51.000000000 +0100
++++ cups-1.4.8/filter/image-gif.c 2011-08-19 11:33:37.547911212 +0100
+@@ -648,11 +648,13 @@ gif_read_lzw(FILE *fp, /* I - File to
+
+ if (code == max_code)
+ {
+- *sp++ = firstcode;
+- code = oldcode;
++ if (sp < (stack + 8192))
++ *sp++ = firstcode;
++
++ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < (stack + 8192))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -661,8 +663,10 @@ gif_read_lzw(FILE *fp, /* I - File to
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
+- code = max_code;
++ if (sp < (stack + 8192))
++ *sp++ = firstcode = table[1][code];
++
++ code = max_code;
+
+ if (code < 4096)
+ {