summaryrefslogtreecommitdiff
blob: 843456f2eebd4f320dd33320ecf18cccd4f26c6d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Source: Upstream http://cups.org/str.php?L3914
Reason: Avoid GIF reader loop (CVE-2011-2896)
Upstream: Fixed in trunk

diff -up cups-1.4.8/filter/image-gif.c.CVE-2011-2896 cups-1.4.8/filter/image-gif.c
--- cups-1.4.8/filter/image-gif.c.CVE-2011-2896	2011-06-20 21:37:51.000000000 +0100
+++ cups-1.4.8/filter/image-gif.c	2011-08-19 11:33:37.547911212 +0100
@@ -648,11 +648,13 @@ gif_read_lzw(FILE *fp,			/* I - File to 
 
     if (code == max_code)
     {
-      *sp++ = firstcode;
-      code  = oldcode;
+      if (sp < (stack + 8192))
+	*sp++ = firstcode;
+
+      code = oldcode;
     }
 
-    while (code >= clear_code)
+    while (code >= clear_code && sp < (stack + 8192))
     {
       *sp++ = table[1][code];
       if (code == table[0][code])
@@ -661,8 +663,10 @@ gif_read_lzw(FILE *fp,			/* I - File to 
       code = table[0][code];
     }
 
-    *sp++ = firstcode = table[1][code];
-    code  = max_code;
+    if (sp < (stack + 8192))
+      *sp++ = firstcode = table[1][code];
+
+    code = max_code;
 
     if (code < 4096)
     {