Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 318029 Details for
Bug 464716
CVE-2008-3641 CUPS: HP/GL reader insufficient bounds checking
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Patch from Apple
CVE-2008-3641.patch (text/plain), 3.90 KB, created by
Josh Bressers
on 2008-09-30 00:38:49 UTC
(
hide
)
Description:
Patch from Apple
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2008-09-30 00:38:49 UTC
Size:
3.90 KB
patch
obsolete
>Index: filter/hpgl-attr.c >=================================================================== >--- filter/hpgl-attr.c (revision 914) >+++ filter/hpgl-attr.c (working copy) >@@ -197,8 +197,18 @@ > > if (num_params == 0) > PenCount = 8; >- else if (num_params == 1 && params[0].value.number <= 1024) >- PenCount = (int)params[0].value.number; >+ else if (num_params == 1) >+ { >+ if (params[0].value.number < 1 || params[0].value.number > MAX_PENS) >+ { >+ fprintf(stderr, >+ "DEBUG: HP-GL/2 \'NP\' command with invalid number of " >+ "pens (%d)!\n", (int)params[0].value.number); >+ PenCount = 8; >+ } >+ else >+ PenCount = (int)params[0].value.number; >+ } > else > fprintf(stderr, > "DEBUG: HP-GL/2 \'NP\' command with invalid number of " >@@ -235,7 +245,7 @@ > > if (num_params == 0) > { >- for (i = 0; i <= PenCount; i ++) >+ for (i = 0; i < PenCount; i ++) > if (i < 8) > { > Pens[i].rgb[0] = standard_colors[i][0]; >@@ -256,8 +266,15 @@ > } > else if (num_params == 1 || num_params == 4) > { >- i = (int)params[0].value.number; >+ i = (int)params[0].value.number - 1; > >+ if (i < 0 || i >= PenCount) >+ { >+ fprintf(stderr, >+ "DEBUG: HP-GL/2 \'PC\' command with invalid pen (%d)!\n", i + 1); >+ return; >+ } >+ > if (num_params == 1) > { > Pens[i].rgb[0] = standard_colors[i & 7][0]; >@@ -330,8 +347,16 @@ > > if (num_params == 2) > { >- pen = (int)params[1].value.number; >+ pen = (int)params[1].value.number - 1; > >+ if (pen < 0 || pen >= PenCount) >+ { >+ fprintf(stderr, >+ "DEBUG: HP-GL/2 \'PW\' command with invalid pen (%d)!\n", >+ pen + 1); >+ return; >+ } >+ > Pens[pen].width = w; > > if (PageDirty && pen == PenNumber) >@@ -345,7 +370,7 @@ > * Set width for all pens... > */ > >- for (pen = 0; pen <= PenCount; pen ++) >+ for (pen = 0; pen < PenCount; pen ++) > Pens[pen].width = w; > > if (PageDirty) >@@ -399,14 +424,16 @@ > param_t *params) /* I - Parameters */ > { > if (num_params == 0) >- PenNumber = 1; >- else if (params[0].value.number <= PenCount) >- PenNumber = (int)params[0].value.number; >- else >+ PenNumber = 0; >+ else if (num_params > 1) > fprintf(stderr, >- "DEBUG: HP-GL/2 \'SP\' command with invalid number or value " >- "of parameters (%d, %d)!\n", num_params, >+ "DEBUG: HP-GL/2 \'SP\' command with invalid number of parameters " >+ "(%d)!\n", num_params); >+ else if (params[0].value.number <= 0 || params[0].value.number >= PenCount) >+ fprintf(stderr, "DEBUG: HP-GL/2 \'SP\' command with invalid pen (%d)!\n", > (int)params[0].value.number); >+ else >+ PenNumber = (int)params[0].value.number - 1; > > if (PageDirty) > printf("%.3f %.3f %.3f %.2f SP\n", Pens[PenNumber].rgb[0], >Index: filter/hpgltops.h >=================================================================== >--- filter/hpgltops.h (revision 914) >+++ filter/hpgltops.h (working copy) >@@ -26,7 +26,15 @@ > # define M_PI 3.14159265358979323846 > #endif /* M_PI */ > >+ > /* >+ * Maximum number of pens we emulate... >+ */ >+ >+#define MAX_PENS 1024 >+ >+ >+/* > * Parameter value structure... > */ > >@@ -108,10 +116,10 @@ > /* Current pen position */ > PenScaling VALUE(1.0f), /* Pen width scaling factor */ > PenWidth VALUE(1.0f); /* Default pen width */ >-VAR pen_t Pens[1024]; /* State of each pen */ >+VAR pen_t Pens[MAX_PENS]; /* State of each pen */ > VAR int PenMotion VALUE(0), /* 0 = absolute, 1 = relative */ > PenValid VALUE(0), /* 1 = valid position, 0 = undefined */ >- PenNumber VALUE(1), /* Current pen number */ >+ PenNumber VALUE(0), /* Current pen number */ > PenCount VALUE(8), /* Number of pens */ > PenDown VALUE(0), /* 0 = pen up, 1 = pen down */ > PolygonMode VALUE(0), /* Drawing polygons? */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=318029">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 464716
: 318029