--- /dev/null
+cups - CVE-2011-2896
+
+the patch come from:
+http://cups.org/strfiles/3867/str3867.patch
+
+The LZW decompressor in the LWZReadByte function in giftoppm.c
+in the David Koblas GIF decoder in PBMPLUS, as used in the
+gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7,
+the LZWReadByte function in plug-ins/common/file-gif-load.c
+in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
+in XPCE in SWI-Prolog 5.10.4 and earlier, and other products,
+does not properly handle code words that are absent from the
+decompression table when encountered, which allows remote attackers to
+trigger an infinite loop or a heap-based buffer overflow, and possibly
+execute arbitrary code, via a crafted compressed stream, a related
+issue to CVE-2006-1168 and CVE-2011-2895.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896
+
+Integrated-by: Li Wang <li.wang@windriver.com>
+---
+ filter/image-gif.c | 46 ++++++++++++++++++++--------------------------
+ 1 files changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/filter/image-gif.c b/filter/image-gif.c
+index 3857c21..fa9691e 100644
+--- a/filter/image-gif.c
++++ b/filter/image-gif.c
+@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to read from */
+ * Read in another buffer...
+ */
+
+- if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
++ if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
+ {
+ /*
+ * Whoops, no more data!
+@@ -582,19 +582,13 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
+ gif_get_code(fp, 0, 1);
+
+ /*
+- * Wipe the decompressor table...
++ * Wipe the decompressor table (already mostly 0 due to the calloc above...)
+ */
+
+ fresh = 1;
+
+- for (i = 0; i < clear_code; i ++)
+- {
+- table[0][i] = 0;
++ for (i = 1; i < clear_code; i ++)
+ table[1][i] = i;
+- }
+-
+- for (; i < 4096; i ++)
+- table[0][i] = table[1][0] = 0;
+
+ sp = stack;
+
+@@ -605,29 +599,30 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
+ fresh = 0;
+
+ do
++ {
+ firstcode = oldcode = gif_get_code(fp, code_size, 0);
++ }
+ while (firstcode == clear_code);
+
+- return (firstcode);
++ return (firstcode & 255);
+ }
+ else if (!table)
+ return (0);
+
+ if (sp > stack)
+- return (*--sp);
++ return ((*--sp) & 255);
+
+- while ((code = gif_get_code (fp, code_size, 0)) >= 0)
++ while ((code = gif_get_code(fp, code_size, 0)) >= 0)
+ {
+ if (code == clear_code)
+ {
+- for (i = 0; i < clear_code; i ++)
+- {
+- table[0][i] = 0;
+- table[1][i] = i;
+- }
++ /*
++ * Clear/reset the compression table...
++ */
+
+- for (; i < 4096; i ++)
+- table[0][i] = table[1][i] = 0;
++ memset(table, 0, 2 * sizeof(gif_table_t));
++ for (i = 1; i < clear_code; i ++)
++ table[1][i] = i;
+
+ code_size = set_code_size + 1;
+ max_code_size = 2 * clear_code;
+@@ -637,12 +632,11 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
+
+ firstcode = oldcode = gif_get_code(fp, code_size, 0);
+
+- return (firstcode);
++ return (firstcode & 255);
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+- unsigned char buf[260];
+-
++ unsigned char buf[260]; /* Block buffer */
+
+ if (!gif_eof)
+ while (gif_get_block(fp, buf) > 0);
+@@ -652,7 +646,7 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+ if (sp < (stack + 8192))
+ *sp++ = firstcode;
+@@ -690,10 +684,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
+ oldcode = incode;
+
+ if (sp > stack)
+- return (*--sp);
++ return ((*--sp) & 255);
+ }
+
+- return (code);
++ return (code & 255);
+ }
+
+
+--
+1.7.0.5
+
projects / scm / bb / tizen-distro.git / commitdiff