cups/cups-CVE-2008-1373.patch

diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c
--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373	2008-01-14 22:12:58.000000000 +0000
+++ cups-1.3.6/filter/image-gif.c	2008-04-01 16:43:22.000000000 +0100
@@ -38,6 +38,8 @@
 #define GIF_INTERLACE	0x40
 #define GIF_COLORMAP	0x80
 
+#define MAX_LWZ_BITS	12
+
 typedef cups_ib_t	gif_cmap_t[256][4];
 typedef short		gif_table_t[4096];
 
@@ -465,6 +467,9 @@ gif_read_image(FILE         *fp,	/* I - 
   if (!pixels)
     return (-1);
 
+  if (code_size > MAX_LWZ_BITS)
+    return (-1);
+
   if (gif_read_lzw(fp, 1, code_size) < 0)
   {
     free(pixels);
- Applied patch to fix CVE-2008-1373 (GIF overflow, bug #438303). - Applied patch to prevent heap-based buffer overflow in CUPS helper program (bug #436153, CVE-2008-0047, STR #2729). 2008-04-01 15:48:12 +00:00			`diff -up cups-1.3.6/filter/image-gif.c.CVE-2008-1373 cups-1.3.6/filter/image-gif.c`
			`--- cups-1.3.6/filter/image-gif.c.CVE-2008-1373 2008-01-14 22:12:58.000000000 +0000`
			`+++ cups-1.3.6/filter/image-gif.c 2008-04-01 16:43:22.000000000 +0100`
			`@@ -38,6 +38,8 @@`
			`#define GIF_INTERLACE 0x40`
			`#define GIF_COLORMAP 0x80`

			`+#define MAX_LWZ_BITS 12`
			`+`
			`typedef cups_ib_t gif_cmap_t[256][4];`
			`typedef short gif_table_t[4096];`

			`@@ -465,6 +467,9 @@ gif_read_image(FILE fp, / I -`
			`if (!pixels)`
			`return (-1);`

			`+ if (code_size > MAX_LWZ_BITS)`
			`+ return (-1);`
			`+`
			`if (gif_read_lzw(fp, 1, code_size) < 0)`
			`{`
			`free(pixels);`