diff -up cups-1.3.7/filter/image-png.c.CVE-2008-1722 cups-1.3.7/filter/image-png.c --- cups-1.3.7/filter/image-png.c.CVE-2008-1722 2007-07-11 22:46:42.000000000 +0100 +++ cups-1.3.7/filter/image-png.c 2008-05-09 11:27:45.000000000 +0100 @@ -3,7 +3,7 @@ * * PNG image routines for the Common UNIX Printing System (CUPS). * - * Copyright 2007 by Apple Inc. + * Copyright 2007-2008 by Apple Inc. * Copyright 1993-2007 by Easy Software Products. * * These coded instructions, statements, and computer programs are the @@ -170,16 +170,56 @@ _cupsImageReadPNG( * Interlaced images must be loaded all at once... */ + size_t bufsize; /* Size of buffer */ + + if (color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA) - in = malloc(img->xsize * img->ysize); + { + bufsize = img->xsize * img->ysize; + + if ((bufsize / img->ysize) != img->xsize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); + fclose(fp); + return (1); + } + } else - in = malloc(img->xsize * img->ysize * 3); + { + bufsize = img->xsize * img->ysize * 3; + + if ((bufsize / (img->ysize * 3)) != img->xsize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); + fclose(fp); + return (1); + } + } + + in = malloc(bufsize); } bpp = cupsImageGetDepth(img); out = malloc(img->xsize * bpp); + if (!in || !out) + { + fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr); + + if (in) + free(in); + + if (out) + free(out); + + fclose(fp); + + return (1); + } + /* * Read the image, interlacing as needed... */