erkanisik
/
main
miroir de https://github.com/pisilinux/main.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475
							Submitted By:            Fernando de Oliveira <famobr at yahoo dot com dot br>
Date:                    2015-03-24
Initial Package Version: 1.19
Upstream Status:         unknown
Origin:                  Arch Linux
URL (CVE):               https://www.suse.com/security/cve/CVE-2013-4276.html
Description:             Multiple stack-based buffer overflows in LittleCMS
                         (aka lcms or liblcms) 1.19 and earlier allow remote
                         attackers to cause a denial of service (crash) via a
                         crafted (1) ICC color profile to the icctrans utility
                         or (2) TIFF image to the tiffdiff utility.

diff -ur lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg-patched/samples/icctrans.c
--- lcms-1.19.dfsg/samples/icctrans.c	2009-10-30 15:57:45.000000000 +0000
+++ lcms-1.19.dfsg-patched/samples/icctrans.c	2013-08-06 11:53:14.385266647 +0100
@@ -86,6 +86,8 @@
 static LPcmsNAMEDCOLORLIST InputColorant = NULL;
 static LPcmsNAMEDCOLORLIST OutputColorant = NULL;
 
+unsigned int Buffer_size = 4096;
+
 
 // isatty replacement
 
@@ -500,7 +502,7 @@
 
     Prefix[0] = 0;
     if (!lTerse)
-        sprintf(Prefix, "%s=", C);
+        snprintf(Prefix, 20, "%s=", C);
 
     if (InHexa)
     {
@@ -648,7 +650,9 @@
 static
 void GetLine(char* Buffer)
 {    
-    scanf("%s", Buffer);
+    char User_buffer[Buffer_size];
+    fgets(User_buffer, (Buffer_size - 1), stdin);
+    sscanf(User_buffer,"%s", Buffer);
     
     if (toupper(Buffer[0]) == 'Q') { // Quit?
 
@@ -668,7 +672,7 @@
 static
 double GetAnswer(const char* Prompt, double Range)
 {
-    char Buffer[4096];
+    char Buffer[Buffer_size];
     double val = 0.0;
 	       
     if (Range == 0.0) {              // Range 0 means double value
@@ -738,7 +742,7 @@
 static
 WORD GetIndex(void)
 {
-    char Buffer[4096], Name[40], Prefix[40], Suffix[40];
+    char Buffer[Buffer_size], Name[40], Prefix[40], Suffix[40];
     int index, max;
 
     max = cmsNamedColorCount(hTrans)-1;
diff -ur lcms-1.19.dfsg/tifficc/tiffdiff.c lcms-1.19.dfsg-patched/tifficc/tiffdiff.c
--- lcms-1.19.dfsg/tifficc/tiffdiff.c	2009-10-30 15:57:46.000000000 +0000
+++ lcms-1.19.dfsg-patched/tifficc/tiffdiff.c	2013-08-06 11:49:06.698951157 +0100
@@ -633,7 +633,7 @@
     cmsIT8SetSheetType(hIT8, "TIFFDIFF");
     
    
-    sprintf(Buffer, "Differences between %s and %s", TiffName1, TiffName2);
+    snprintf(Buffer, 256, "Differences between %s and %s", TiffName1, TiffName2);
   
     cmsIT8SetComment(hIT8, Buffer);