141 lines
3.7 KiB
Diff
141 lines
3.7 KiB
Diff
cups - CVE-2011-2896
|
|
|
|
the patch come from:
|
|
http://cups.org/strfiles/3867/str3867.patch
|
|
|
|
The LZW decompressor in the LWZReadByte function in giftoppm.c
|
|
in the David Koblas GIF decoder in PBMPLUS, as used in the
|
|
gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7,
|
|
the LZWReadByte function in plug-ins/common/file-gif-load.c
|
|
in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
|
|
in XPCE in SWI-Prolog 5.10.4 and earlier, and other products,
|
|
does not properly handle code words that are absent from the
|
|
decompression table when encountered, which allows remote attackers to
|
|
trigger an infinite loop or a heap-based buffer overflow, and possibly
|
|
execute arbitrary code, via a crafted compressed stream, a related
|
|
issue to CVE-2006-1168 and CVE-2011-2895.
|
|
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896
|
|
|
|
Integrated-by: Li Wang <li.wang@windriver.com>
|
|
---
|
|
filter/image-gif.c | 46 ++++++++++++++++++++--------------------------
|
|
1 files changed, 20 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/filter/image-gif.c b/filter/image-gif.c
|
|
index 3857c21..fa9691e 100644
|
|
--- a/filter/image-gif.c
|
|
+++ b/filter/image-gif.c
|
|
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to read from */
|
|
* Read in another buffer...
|
|
*/
|
|
|
|
- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
|
|
+ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
|
|
{
|
|
/*
|
|
* Whoops, no more data!
|
|
@@ -582,19 +582,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
|
gif_get_code(fp, 0, 1);
|
|
|
|
/*
|
|
- * Wipe the decompressor table...
|
|
+ * Wipe the decompressor table (already mostly 0 due to the calloc above...)
|
|
*/
|
|
|
|
fresh = 1;
|
|
|
|
- for (i = 0; i < clear_code; i ++)
|
|
- {
|
|
- table[0][i] = 0;
|
|
+ for (i = 1; i < clear_code; i ++)
|
|
table[1][i] = i;
|
|
- }
|
|
-
|
|
- for (; i < 4096; i ++)
|
|
- table[0][i] = table[1][0] = 0;
|
|
|
|
sp = stack;
|
|
|
|
@@ -605,29 +599,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
|
fresh = 0;
|
|
|
|
do
|
|
+ {
|
|
firstcode = oldcode = gif_get_code(fp, code_size, 0);
|
|
+ }
|
|
while (firstcode == clear_code);
|
|
|
|
- return (firstcode);
|
|
+ return (firstcode & 255);
|
|
}
|
|
else if (!table)
|
|
return (0);
|
|
|
|
if (sp > stack)
|
|
- return (*--sp);
|
|
+ return ((*--sp) & 255);
|
|
|
|
- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
|
|
+ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
|
|
{
|
|
if (code == clear_code)
|
|
{
|
|
- for (i = 0; i < clear_code; i ++)
|
|
- {
|
|
- table[0][i] = 0;
|
|
- table[1][i] = i;
|
|
- }
|
|
+ /*
|
|
+ * Clear/reset the compression table...
|
|
+ */
|
|
|
|
- for (; i < 4096; i ++)
|
|
- table[0][i] = table[1][i] = 0;
|
|
+ memset(table, 0, 2 * sizeof(gif_table_t));
|
|
+ for (i = 1; i < clear_code; i ++)
|
|
+ table[1][i] = i;
|
|
|
|
code_size = set_code_size + 1;
|
|
max_code_size = 2 * clear_code;
|
|
@@ -637,12 +632,11 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
|
|
|
firstcode = oldcode = gif_get_code(fp, code_size, 0);
|
|
|
|
- return (firstcode);
|
|
+ return (firstcode & 255);
|
|
}
|
|
- else if (code == end_code)
|
|
+ else if (code == end_code || code > max_code)
|
|
{
|
|
- unsigned char buf[260];
|
|
-
|
|
+ unsigned char buf[260]; /* Block buffer */
|
|
|
|
if (!gif_eof)
|
|
while (gif_get_block(fp, buf) > 0);
|
|
@@ -652,7 +646,7 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
|
|
|
incode = code;
|
|
|
|
- if (code >= max_code)
|
|
+ if (code == max_code)
|
|
{
|
|
if (sp < (stack + 8192))
|
|
*sp++ = firstcode;
|
|
@@ -690,10 +684,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
|
oldcode = incode;
|
|
|
|
if (sp > stack)
|
|
- return (*--sp);
|
|
+ return ((*--sp) & 255);
|
|
}
|
|
|
|
- return (code);
|
|
+ return (code & 255);
|
|
}
|
|
|
|
|
|
--
|
|
1.7.0.5
|
|
|