cups: remove old patch files
(From OE-Core rev: c3c51a5961f77d51e7f8eb1f0746d16576663bba) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
23c2bd0022
commit
e43dfc9ed1
|
@ -1,140 +0,0 @@
|
|||
cups - CVE-2011-2896
|
||||
|
||||
the patch come from:
|
||||
http://cups.org/strfiles/3867/str3867.patch
|
||||
|
||||
The LZW decompressor in the LWZReadByte function in giftoppm.c
|
||||
in the David Koblas GIF decoder in PBMPLUS, as used in the
|
||||
gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7,
|
||||
the LZWReadByte function in plug-ins/common/file-gif-load.c
|
||||
in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
|
||||
in XPCE in SWI-Prolog 5.10.4 and earlier, and other products,
|
||||
does not properly handle code words that are absent from the
|
||||
decompression table when encountered, which allows remote attackers to
|
||||
trigger an infinite loop or a heap-based buffer overflow, and possibly
|
||||
execute arbitrary code, via a crafted compressed stream, a related
|
||||
issue to CVE-2006-1168 and CVE-2011-2895.
|
||||
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896
|
||||
|
||||
Integrated-by: Li Wang <li.wang@windriver.com>
|
||||
---
|
||||
filter/image-gif.c | 46 ++++++++++++++++++++--------------------------
|
||||
1 files changed, 20 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/filter/image-gif.c b/filter/image-gif.c
|
||||
index 3857c21..fa9691e 100644
|
||||
--- a/filter/image-gif.c
|
||||
+++ b/filter/image-gif.c
|
||||
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to read from */
|
||||
* Read in another buffer...
|
||||
*/
|
||||
|
||||
- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
|
||||
+ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
|
||||
{
|
||||
/*
|
||||
* Whoops, no more data!
|
||||
@@ -582,19 +582,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
gif_get_code(fp, 0, 1);
|
||||
|
||||
/*
|
||||
- * Wipe the decompressor table...
|
||||
+ * Wipe the decompressor table (already mostly 0 due to the calloc above...)
|
||||
*/
|
||||
|
||||
fresh = 1;
|
||||
|
||||
- for (i = 0; i < clear_code; i ++)
|
||||
- {
|
||||
- table[0][i] = 0;
|
||||
+ for (i = 1; i < clear_code; i ++)
|
||||
table[1][i] = i;
|
||||
- }
|
||||
-
|
||||
- for (; i < 4096; i ++)
|
||||
- table[0][i] = table[1][0] = 0;
|
||||
|
||||
sp = stack;
|
||||
|
||||
@@ -605,29 +599,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
fresh = 0;
|
||||
|
||||
do
|
||||
+ {
|
||||
firstcode = oldcode = gif_get_code(fp, code_size, 0);
|
||||
+ }
|
||||
while (firstcode == clear_code);
|
||||
|
||||
- return (firstcode);
|
||||
+ return (firstcode & 255);
|
||||
}
|
||||
else if (!table)
|
||||
return (0);
|
||||
|
||||
if (sp > stack)
|
||||
- return (*--sp);
|
||||
+ return ((*--sp) & 255);
|
||||
|
||||
- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
|
||||
+ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
|
||||
{
|
||||
if (code == clear_code)
|
||||
{
|
||||
- for (i = 0; i < clear_code; i ++)
|
||||
- {
|
||||
- table[0][i] = 0;
|
||||
- table[1][i] = i;
|
||||
- }
|
||||
+ /*
|
||||
+ * Clear/reset the compression table...
|
||||
+ */
|
||||
|
||||
- for (; i < 4096; i ++)
|
||||
- table[0][i] = table[1][i] = 0;
|
||||
+ memset(table, 0, 2 * sizeof(gif_table_t));
|
||||
+ for (i = 1; i < clear_code; i ++)
|
||||
+ table[1][i] = i;
|
||||
|
||||
code_size = set_code_size + 1;
|
||||
max_code_size = 2 * clear_code;
|
||||
@@ -637,12 +632,11 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
|
||||
firstcode = oldcode = gif_get_code(fp, code_size, 0);
|
||||
|
||||
- return (firstcode);
|
||||
+ return (firstcode & 255);
|
||||
}
|
||||
- else if (code == end_code)
|
||||
+ else if (code == end_code || code > max_code)
|
||||
{
|
||||
- unsigned char buf[260];
|
||||
-
|
||||
+ unsigned char buf[260]; /* Block buffer */
|
||||
|
||||
if (!gif_eof)
|
||||
while (gif_get_block(fp, buf) > 0);
|
||||
@@ -652,7 +646,7 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
|
||||
incode = code;
|
||||
|
||||
- if (code >= max_code)
|
||||
+ if (code == max_code)
|
||||
{
|
||||
if (sp < (stack + 8192))
|
||||
*sp++ = firstcode;
|
||||
@@ -690,10 +684,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
oldcode = incode;
|
||||
|
||||
if (sp > stack)
|
||||
- return (*--sp);
|
||||
+ return ((*--sp) & 255);
|
||||
}
|
||||
|
||||
- return (code);
|
||||
+ return (code & 255);
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
1.7.0.5
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
cups CVE-2011-3170
|
||||
|
||||
the patch come from:
|
||||
http://cups.org/strfiles/3914/str3914.patch
|
||||
|
||||
The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
|
||||
earlier does not properly handle the first code word in an LZW stream,
|
||||
which allows remote attackers to trigger a heap-based buffer overflow,
|
||||
and possibly execute arbitrary code, via a crafted stream, a different
|
||||
vulnerability than CVE-2011-2896.
|
||||
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170
|
||||
|
||||
Integrated-by: Li Wang <li.wang@windriver.com>
|
||||
---
|
||||
filter/image-gif.c | 14 +++++++++-----
|
||||
1 files changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/filter/image-gif.c b/filter/image-gif.c
|
||||
index 9542704..3857c21 100644
|
||||
--- a/filter/image-gif.c
|
||||
+++ b/filter/image-gif.c
|
||||
@@ -654,11 +654,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
|
||||
if (code >= max_code)
|
||||
{
|
||||
- *sp++ = firstcode;
|
||||
- code = oldcode;
|
||||
+ if (sp < (stack + 8192))
|
||||
+ *sp++ = firstcode;
|
||||
+
|
||||
+ code = oldcode;
|
||||
}
|
||||
|
||||
- while (code >= clear_code)
|
||||
+ while (code >= clear_code && sp < (stack + 8192))
|
||||
{
|
||||
*sp++ = table[1][code];
|
||||
if (code == table[0][code])
|
||||
@@ -667,8 +669,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
|
||||
code = table[0][code];
|
||||
}
|
||||
|
||||
- *sp++ = firstcode = table[1][code];
|
||||
- code = max_code;
|
||||
+ if (sp < (stack + 8192))
|
||||
+ *sp++ = firstcode = table[1][code];
|
||||
+
|
||||
+ code = max_code;
|
||||
|
||||
if (code < 4096)
|
||||
{
|
||||
--
|
||||
1.7.0.5
|
||||
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue