diff options
Diffstat (limited to 'meta/recipes-extended/cups/cups/cups-CVE-2011-2896.patch')
-rw-r--r-- | meta/recipes-extended/cups/cups/cups-CVE-2011-2896.patch | 140 |
1 files changed, 0 insertions, 140 deletions
diff --git a/meta/recipes-extended/cups/cups/cups-CVE-2011-2896.patch b/meta/recipes-extended/cups/cups/cups-CVE-2011-2896.patch deleted file mode 100644 index 7c6f75bd6c..0000000000 --- a/meta/recipes-extended/cups/cups/cups-CVE-2011-2896.patch +++ /dev/null @@ -1,140 +0,0 @@ -cups - CVE-2011-2896 - -the patch come from: -http://cups.org/strfiles/3867/str3867.patch - -The LZW decompressor in the LWZReadByte function in giftoppm.c -in the David Koblas GIF decoder in PBMPLUS, as used in the -gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, -the LZWReadByte function in plug-ins/common/file-gif-load.c -in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c -in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, -does not properly handle code words that are absent from the -decompression table when encountered, which allows remote attackers to -trigger an infinite loop or a heap-based buffer overflow, and possibly -execute arbitrary code, via a crafted compressed stream, a related -issue to CVE-2006-1168 and CVE-2011-2895. -http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896 - -Integrated-by: Li Wang <li.wang@windriver.com> ---- - filter/image-gif.c | 46 ++++++++++++++++++++-------------------------- - 1 files changed, 20 insertions(+), 26 deletions(-) - -diff --git a/filter/image-gif.c b/filter/image-gif.c -index 3857c21..fa9691e 100644 ---- a/filter/image-gif.c -+++ b/filter/image-gif.c -@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to read from */ - * Read in another buffer... - */ - -- if ((count = gif_get_block (fp, buf + last_byte)) <= 0) -+ if ((count = gif_get_block(fp, buf + last_byte)) <= 0) - { - /* - * Whoops, no more data! -@@ -582,19 +582,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ - gif_get_code(fp, 0, 1); - - /* -- * Wipe the decompressor table... -+ * Wipe the decompressor table (already mostly 0 due to the calloc above...) - */ - - fresh = 1; - -- for (i = 0; i < clear_code; i ++) -- { -- table[0][i] = 0; -+ for (i = 1; i < clear_code; i ++) - table[1][i] = i; -- } -- -- for (; i < 4096; i ++) -- table[0][i] = table[1][0] = 0; - - sp = stack; - -@@ -605,29 +599,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ - fresh = 0; - - do -+ { - firstcode = oldcode = gif_get_code(fp, code_size, 0); -+ } - while (firstcode == clear_code); - -- return (firstcode); -+ return (firstcode & 255); - } - else if (!table) - return (0); - - if (sp > stack) -- return (*--sp); -+ return ((*--sp) & 255); - -- while ((code = gif_get_code (fp, code_size, 0)) >= 0) -+ while ((code = gif_get_code(fp, code_size, 0)) >= 0) - { - if (code == clear_code) - { -- for (i = 0; i < clear_code; i ++) -- { -- table[0][i] = 0; -- table[1][i] = i; -- } -+ /* -+ * Clear/reset the compression table... -+ */ - -- for (; i < 4096; i ++) -- table[0][i] = table[1][i] = 0; -+ memset(table, 0, 2 * sizeof(gif_table_t)); -+ for (i = 1; i < clear_code; i ++) -+ table[1][i] = i; - - code_size = set_code_size + 1; - max_code_size = 2 * clear_code; -@@ -637,12 +632,11 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ - - firstcode = oldcode = gif_get_code(fp, code_size, 0); - -- return (firstcode); -+ return (firstcode & 255); - } -- else if (code == end_code) -+ else if (code == end_code || code > max_code) - { -- unsigned char buf[260]; -- -+ unsigned char buf[260]; /* Block buffer */ - - if (!gif_eof) - while (gif_get_block(fp, buf) > 0); -@@ -652,7 +646,7 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ - - incode = code; - -- if (code >= max_code) -+ if (code == max_code) - { - if (sp < (stack + 8192)) - *sp++ = firstcode; -@@ -690,10 +684,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */ - oldcode = incode; - - if (sp > stack) -- return (*--sp); -+ return ((*--sp) & 255); - } - -- return (code); -+ return (code & 255); - } - - --- -1.7.0.5 - |