authordinoex <dinoex@FreeBSD.org>2008-11-28 15:33:34 +0800
committerdinoex <dinoex@FreeBSD.org>2008-11-28 15:33:34 +0800
commitd9e2bc32e771a5d27629c413882ea434f4b66024 (patch)
tree3752e6fc7928892efd360c1e9f59f9598f9a86aa /print/cups-base
parent36e5a592c5bab4a46ad1b4f45bfaf668e373a30c (diff)
- Fix integer overflow in PNG validation
Security: http://www.cups.org/str.php?L2974 PR: 129193
Diffstat (limited to 'print/cups-base')
-rw-r--r--print/cups-base/Makefile2
-rw-r--r--print/cups-base/files/patch-str297427
2 files changed, 28 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index edea3b20aaab..05190a65ad5c 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -7,7 +7,7 @@
PORTNAME= cups
PORTVERSION= 1.3.9
-PORTREVISION= 1
+PORTREVISION= 2
DISTVERSIONSUFFIX= -source
CATEGORIES= print
MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION}
diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974
new file mode 100644
index 000000000000..f407d5543387
--- /dev/null
+++ b/print/cups-base/files/patch-str2974
@@ -0,0 +1,27 @@
+Fix for the buffer overflow in the PNG reading code
+
+See: http://www.cups.org/str.php?L2974
+Obtained from: http://www.cups.org/strfiles/2974/str2974.patch
+
+Index: filter/image-png.c
+===================================================================
+--- filter/image-png.c (revision 8062)
++++ filter/image-png.c (working copy)
+@@ -178,7 +178,7 @@
+ {
+ bufsize = img->xsize * img->ysize;
+
+- if ((bufsize / img->ysize) != img->xsize)
++ if ((bufsize / img->xsize) != img->ysize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
+@@ -190,7 +190,7 @@
+ {
+ bufsize = img->xsize * img->ysize * 3;
+
+- if ((bufsize / (img->ysize * 3)) != img->xsize)
++ if ((bufsize / (img->xsize * 3)) != img->ysize)
+ {
+ fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
+ (unsigned)width, (unsigned)height);
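Review bot: The rewritten RGB test `if ((bufsize / (img->xsize * 3)) != img->ysize)` still multiplies inside the divisor, so it is only sound if `img->xsize` is already known to be non-zero and small enough that `img->xsize * 3` cannot wrap; neither bound is visible in this patch, and the grayscale test `bufsize / img->xsize` carries the same non-zero assumption. Checking before the multiplication avoids relying on a possibly wrapped product, for example `if (img->xsize == 0 || img->ysize > MAX_BUFSIZE / 3 / img->xsize)`, where `MAX_BUFSIZE` is a placeholder for the largest value the type of `bufsize` can hold (its declaration is outside the hunk). Both embedded hunks start and end inside a larger block of filter/image-png.c, so an earlier dimension check may already guarantee these bounds; if it does, a short comment above each test such as `/* xsize is range-checked above, so xsize * 3 cannot wrap */` would make that dependency explicit for the next person who touches the size limits.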