Gentoo's Bugzilla – Attachment 166715 Details for
Bug 238976
net-print/cups <1.3.8-r2 Multiple buffer overflows (CVE-2008-{3639,3640,3641})
[patch]
cups-1.3.8-CVE-2008-3641.patch
cups-1.3.8-CVE-2008-3641.patch (text/plain), 3.97 KB, created by
Robert Buchholz (RETIRED)
on 2008-09-28 21:12:07 UTC
Description:
cups-1.3.8-CVE-2008-3641.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-09-28 21:12:07 UTC
Size:
3.97 KB
>Index: cups-1.3.8/filter/hpgl-attr.c
>===================================================================
>--- cups-1.3.8.orig/filter/hpgl-attr.c
>+++ cups-1.3.8/filter/hpgl-attr.c
>@@ -197,8 +197,18 @@ NP_number_pens(int num_params, /* I
>
> if (num_params == 0)
> PenCount = 8;
>- else if (num_params == 1 && params[0].value.number <= 1024)
>- PenCount = (int)params[0].value.number;
>+ else if (num_params == 1)
>+ {
>+ if (params[0].value.number < 1 || params[0].value.number > MAX_PENS)
>+ {
>+ fprintf(stderr,
>+ "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
>+ "pens (%d)!\n", (int)params[0].value.number);
>+ PenCount = 8;
>+ }
>+ else
>+ PenCount = (int)params[0].value.number;
>+ }
> else
> fprintf(stderr,
> "DEBUG: HP-GL/2 \'NP\' command with invalid number of "
>@@ -235,7 +245,7 @@ PC_pen_color(int num_params, /* I -
>
> if (num_params == 0)
> {
>- for (i = 0; i <= PenCount; i ++)
>+ for (i = 0; i < PenCount; i ++)
> if (i < 8)
> {
> Pens[i].rgb[0] = standard_colors[i][0];
>@@ -256,7 +266,14 @@ PC_pen_color(int num_params, /* I -
> }
> else if (num_params == 1 || num_params == 4)
> {
>- i = (int)params[0].value.number;
>+ i = (int)params[0].value.number - 1;
>+
>+ if (i < 0 || i >= PenCount)
>+ {
>+ fprintf(stderr,
>+ "DEBUG: HP-GL/2 \'PC\' command with invalid pen (%d)!\n", i + 1);
>+ return;
>+ }
>
> if (num_params == 1)
> {
>@@ -330,7 +347,15 @@ PW_pen_width(int num_params, /* I -
>
> if (num_params == 2)
> {
>- pen = (int)params[1].value.number;
>+ pen = (int)params[1].value.number - 1;
>+
>+ if (pen < 0 || pen >= PenCount)
>+ {
>+ fprintf(stderr,
>+ "DEBUG: HP-GL/2 \'PW\' command with invalid pen (%d)!\n",
>+ pen + 1);
>+ return;
>+ }
>
> Pens[pen].width = w;
>
>@@ -345,7 +370,7 @@ PW_pen_width(int num_params, /* I -
> * Set width for all pens...
> */
>
>- for (pen = 0; pen <= PenCount; pen ++)
>+ for (pen = 0; pen < PenCount; pen ++)
> Pens[pen].width = w;
>
> if (PageDirty)
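Review bot: In NP_number_pens (hunk at -197), lowering PenCount does not re-validate the currently selected pen: after the new branch assigns a smaller PenCount, PenNumber can still hold an index at or above the new count, and nothing in the visible lines resets it. Pens[PenNumber] stays inside the MAX_PENS-sized array, so this is a state-consistency gap rather than an out-of-bounds access, but it breaks the `PenNumber < PenCount` invariant that the SP handler in this patch enforces. Consider adding `if (PenNumber >= PenCount) PenNumber = 0;` after PenCount is assigned. The function continues past the end of the hunk, so confirm it is not already handled there.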
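Review bot: In PC_pen_color (hunk at -256) and PW_pen_width (hunk at -330) the range check runs after the cast, so `(int)params[0].value.number - 1` is evaluated on the unvalidated job-supplied value. value.number looks like a floating-point field (it is cast to int here), and converting a value outside int's range, or a NaN, is undefined behaviour in C before `i < 0 || i >= PenCount` can reject it. Compare the raw value first, as the NP hunk does: `if (!(params[0].value.number >= 1 && params[0].value.number <= PenCount)) { ...; return; }` and only then `i = (int)params[0].value.number - 1;` (same for `pen` with params[1]). Writing the test as a negated accept-range also rejects NaN, which a `< 1 || > PenCount` form lets through. Both functions extend beyond their hunks.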
>@@ -399,14 +424,16 @@ SP_select_pen(int num_params, /* I -
> param_t *params) /* I - Parameters */
> {
> if (num_params == 0)
>- PenNumber = 1;
>- else if (params[0].value.number <= PenCount)
>- PenNumber = (int)params[0].value.number;
>- else
>+ PenNumber = 0;
>+ else if (num_params > 1)
> fprintf(stderr,
>- "DEBUG: HP-GL/2 \'SP\' command with invalid number or value "
>- "of parameters (%d, %d)!\n", num_params,
>+ "DEBUG: HP-GL/2 \'SP\' command with invalid number of parameters "
>+ "(%d)!\n", num_params);
>+ else if (params[0].value.number <= 0 || params[0].value.number >= PenCount)
>+ fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n",
> (int)params[0].value.number);
>+ else
>+ PenNumber = (int)params[0].value.number - 1;
>
> if (PageDirty)
> printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0],
>Index: cups-1.3.8/filter/hpgltops.h
>===================================================================
>--- cups-1.3.8.orig/filter/hpgltops.h
>+++ cups-1.3.8/filter/hpgltops.h
>@@ -26,6 +26,14 @@
> # define M_PI 3.14159265358979323846
> #endif /* M_PI */
>
>+
>+/*
>+ * Maximum number of pens we emulate...
>+ */
>+
>+#define MAX_PENS 1024
>+
>+
> /*
> * Parameter value structure...
> */
>@@ -108,10 +116,10 @@ VAR float PenPosition[2] VALUE2(0.0f, 0.
> /* Current pen position */
> PenScaling VALUE(1.0f), /* Pen width scaling factor */
> PenWidth VALUE(1.0f); /* Default pen width */
>-VAR pen_t Pens[1024]; /* State of each pen */
>+VAR pen_t Pens[MAX_PENS]; /* State of each pen */
> VAR int PenMotion VALUE(0), /* 0 = absolute, 1 = relative */
> PenValid VALUE(0), /* 1 = valid position, 0 = undefined */
>- PenNumber VALUE(1), /* Current pen number */
>+ PenNumber VALUE(0), /* Current pen number */
> PenCount VALUE(8), /* Number of pens */
> PenDown VALUE(0), /* 0 = pen up, 1 = pen down */
> PolygonMode VALUE(0), /* Drawing polygons? */
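Review bot: SP_select_pen (hunk at -399) rejects the highest valid pen: `params[0].value.number >= PenCount` refuses pen number PenCount, while the PC and PW handlers in this patch accept 1..PenCount (they subtract one and reject only an index `>= PenCount`). With the default PenCount of 8, selecting pen 8 is logged as invalid even though index 7 is in range. The bound should read `params[0].value.number > PenCount` so all three handlers agree. The rejected paths leave PenNumber unchanged, so the Pens[PenNumber] read that follows stays in bounds either way; the function body continues past the hunk.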
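Review bot: The comment on PenNumber in hpgltops.h (hunk at -108) is stale after this change: the default moves from 1 to 0 and the SP handler now stores the parameter minus one, so the variable holds a zero-based index into Pens[], not the HP-GL/2 pen number. Suggest `/* Current pen index (0-based) */`, plus a short note beside Pens/PenCount that valid indices are 0..PenCount-1 and that PenCount never exceeds MAX_PENS. Any reader of PenNumber outside this patch that still assumes one-based numbering would now be off by one, so those uses are worth checking before this ships.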