authorMartin Wilke <miwi@FreeBSD.org>2007-07-31 13:27:00 +0000
committerMartin Wilke <miwi@FreeBSD.org>2007-07-31 13:27:00 +0000
commitc4c6d404388c84d84e2b44c0ef478302adb9ae20 (patch)
tree35c3383cf019ac5c97c949e2adc7db2b906376ef /print
parent- Try to force our idea of OSARCH (untested) (diff)
- Fix buffer overflow vulnerability.
- Bump PORTREVISION Approved by: simon (secteam) Security: http://www.vuxml.org/freebsd/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html
Notes
Notes: svn path=/head/; revision=196823
Diffstat (limited to 'print')
-rw-r--r--print/cups-base/Makefile2
-rw-r--r--print/cups-base/files/patch-CVE-2007-338723
2 files changed, 24 insertions, 1 deletions
diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile
index 2610d198b976..8211254ce05f 100644
--- a/print/cups-base/Makefile
+++ b/print/cups-base/Makefile
@@ -7,7 +7,7 @@
PORTNAME= cups
PORTVERSION= 1.2.11
-PORTREVISION= 2
+PORTREVISION= 3
DISTVERSIONSUFFIX= -source
CATEGORIES= print
MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION}
diff --git a/print/cups-base/files/patch-CVE-2007-3387 b/print/cups-base/files/patch-CVE-2007-3387
new file mode 100644
index 000000000000..91710dba6195
--- /dev/null
+++ b/print/cups-base/files/patch-CVE-2007-3387
@@ -0,0 +1,23 @@
+--- pdftops/Stream.cxx.orig 2006-02-13 04:08:11.000000000 +0100
++++ pdftops/Stream.cxx 2007-07-31 15:05:53.000000000 +0200
+@@ -411,15 +411,13 @@
+ ok = gFalse;
+
+ nVals = width * nComps;
+- if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+- nComps >= INT_MAX / nBits ||
+- width >= INT_MAX / nComps / nBits ||
+- nVals * nBits + 7 < 0) {
+- return;
+- }
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+- if (rowBytes <= 0) {
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps > gfxColorMaxComps ||
++ nBits > 16 ||
++ width >= INT_MAX / nComps || // check for overflow in nVals
++ nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+ return;
+ }
+ predLine = (Guchar *)gmalloc(rowBytes);
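Review bot: The multiplications in `nVals = width * nComps` and in the `pixBytes`/`rowBytes` assignments still run before the new range check, so with out-of-range stream parameters the signed overflow the check is meant to catch has already happened by the time the `if` is reached. Signed overflow is undefined behaviour in C++, and an optimiser may assume it did not occur, which could weaken the `width >= INT_MAX / nComps` and `nVals >= (INT_MAX - 7) / nBits` tests. I would validate `width`, `nComps` and `nBits` first, compute `nVals` only after that, and check it before `rowBytes` is derived, as sketched below. The enclosing function starts and ends outside this hunk, and the literal `16` deserves a short comment saying where the bit-depth limit comes from.

```cpp
  // … unchanged: ok = gFalse; …
  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
      nComps > gfxColorMaxComps ||
      nBits > 16 ||
      width >= INT_MAX / nComps) {        // reject before width * nComps is evaluated
    return;
  }
  nVals = width * nComps;
  if (nVals >= (INT_MAX - 7) / nBits) {   // reject before nVals * nBits + 7 is evaluated
    return;
  }
  pixBytes = (nComps * nBits + 7) >> 3;
  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
  // … unchanged: predLine allocation …
```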