| rev |
line source |
|
al@20679
|
1 Submitted By: Fernando de Oliveira <famobr at yahoo dot com dot br>
|
|
al@20679
|
2 Date: 2015-03-24
|
|
al@20679
|
3 Initial Package Version: 1.19
|
|
al@20679
|
4 Upstream Status: unknown
|
|
al@20679
|
5 Origin: Arch Linux
|
|
al@20679
|
6 URL (CVE): https://www.suse.com/security/cve/CVE-2013-4276.html
|
|
al@20679
|
7 Description: Multiple stack-based buffer overflows in LittleCMS
|
|
al@20679
|
8 (aka lcms or liblcms) 1.19 and earlier allow remote
|
|
al@20679
|
9 attackers to cause a denial of service (crash) via a
|
|
al@20679
|
10 crafted (1) ICC color profile to the icctrans utility
|
|
al@20679
|
11 or (2) TIFF image to the tiffdiff utility.
|
|
al@20679
|
12
|
|
al@20679
|
13 diff -ur lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg-patched/samples/icctrans.c
|
|
al@20679
|
14 --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000
|
|
al@20679
|
15 +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-06 11:53:14.385266647 +0100
|
|
al@20679
|
16 @@ -86,6 +86,8 @@
|
|
al@20679
|
17 static LPcmsNAMEDCOLORLIST InputColorant = NULL;
|
|
al@20679
|
18 static LPcmsNAMEDCOLORLIST OutputColorant = NULL;
|
|
al@20679
|
19
|
|
al@20679
|
20 +unsigned int Buffer_size = 4096;
|
|
al@20679
|
21 +
|
|
al@20679
|
22
|
|
al@20679
|
23 // isatty replacement
|
|
al@20679
|
24
|
|
al@20679
|
25 @@ -500,7 +502,7 @@
|
|
al@20679
|
26
|
|
al@20679
|
27 Prefix[0] = 0;
|
|
al@20679
|
28 if (!lTerse)
|
|
al@20679
|
29 - sprintf(Prefix, "%s=", C);
|
|
al@20679
|
30 + snprintf(Prefix, 20, "%s=", C);
|
|
al@20679
|
31
|
|
al@20679
|
32 if (InHexa)
|
|
al@20679
|
33 {
|
|
al@20679
|
34 @@ -648,7 +650,9 @@
|
|
al@20679
|
35 static
|
|
al@20679
|
36 void GetLine(char* Buffer)
|
|
al@20679
|
37 {
|
|
al@20679
|
38 - scanf("%s", Buffer);
|
|
al@20679
|
39 + char User_buffer[Buffer_size];
|
|
al@20679
|
40 + fgets(User_buffer, (Buffer_size - 1), stdin);
|
|
al@20679
|
41 + sscanf(User_buffer,"%s", Buffer);
|
|
al@20679
|
42
|
|
al@20679
|
43 if (toupper(Buffer[0]) == 'Q') { // Quit?
|
|
al@20679
|
44
|
|
al@20679
|
45 @@ -668,7 +672,7 @@
|
|
al@20679
|
46 static
|
|
al@20679
|
47 double GetAnswer(const char* Prompt, double Range)
|
|
al@20679
|
48 {
|
|
al@20679
|
49 - char Buffer[4096];
|
|
al@20679
|
50 + char Buffer[Buffer_size];
|
|
al@20679
|
51 double val = 0.0;
|
|
al@20679
|
52
|
|
al@20679
|
53 if (Range == 0.0) { // Range 0 means double value
|
|
al@20679
|
54 @@ -738,7 +742,7 @@
|
|
al@20679
|
55 static
|
|
al@20679
|
56 WORD GetIndex(void)
|
|
al@20679
|
57 {
|
|
al@20679
|
58 - char Buffer[4096], Name[40], Prefix[40], Suffix[40];
|
|
al@20679
|
59 + char Buffer[Buffer_size], Name[40], Prefix[40], Suffix[40];
|
|
al@20679
|
60 int index, max;
|
|
al@20679
|
61
|
|
al@20679
|
62 max = cmsNamedColorCount(hTrans)-1;
|
|
al@20679
|
63 diff -ur lcms-1.19.dfsg/tifficc/tiffdiff.c lcms-1.19.dfsg-patched/tifficc/tiffdiff.c
|
|
al@20679
|
64 --- lcms-1.19.dfsg/tifficc/tiffdiff.c 2009-10-30 15:57:46.000000000 +0000
|
|
al@20679
|
65 +++ lcms-1.19.dfsg-patched/tifficc/tiffdiff.c 2013-08-06 11:49:06.698951157 +0100
|
|
al@20679
|
66 @@ -633,7 +633,7 @@
|
|
al@20679
|
67 cmsIT8SetSheetType(hIT8, "TIFFDIFF");
|
|
al@20679
|
68
|
|
al@20679
|
69
|
|
al@20679
|
70 - sprintf(Buffer, "Differences between %s and %s", TiffName1, TiffName2);
|
|
al@20679
|
71 + snprintf(Buffer, 256, "Differences between %s and %s", TiffName1, TiffName2);
|
|
al@20679
|
72
|
|
al@20679
|
73 cmsIT8SetComment(hIT8, Buffer);
|
|
al@20679
|
74
|