An integer overflow issue exists within the WriteProlog() function in the
texttops CUPS image filter. When calculating the page size for storing
PostScript data, values are derived from user content and are used in
multiplication. If the operation overflows, a small destination buffer may
be allocated, resulting in a heap-based buffer overflow.
Red Hat would like to thank "regenrecht" for reporting this issue.
Created attachment 318028 [details]
Patch from Apple
Public now via:
Fixed upstream in: 1.3.9
cups-1.3.9-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
cups-1.3.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: