67bca8bef8
CUPS security fix CVE-2020-10001 (bsc#1180520) OBS-URL: https://build.opensuse.org/request/show/868665 OBS-URL: https://build.opensuse.org/package/show/Printing/cups?expand=0&rev=365
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
--- cups/ipp.c.orig 2021-01-11 10:53:43.080847679 +0100
|
|
+++ cups/ipp.c 2021-01-11 12:03:56.010423238 +0100
|
|
@@ -2965,7 +2965,8 @@ ippReadIO(void *src, /* I - Data
|
|
unsigned char *buffer, /* Data buffer */
|
|
string[IPP_MAX_TEXT],
|
|
/* Small string buffer */
|
|
- *bufptr; /* Pointer into buffer */
|
|
+ *bufptr, /* Pointer into buffer */
|
|
+ *bufend; /* End of buffer */
|
|
ipp_attribute_t *attr; /* Current attribute */
|
|
ipp_tag_t tag; /* Current tag */
|
|
ipp_tag_t value_tag; /* Current value tag */
|
|
@@ -3524,6 +3525,7 @@ ippReadIO(void *src, /* I - Data
|
|
}
|
|
|
|
bufptr = buffer;
|
|
+ bufend = buffer + n;
|
|
|
|
/*
|
|
* text-with-language and name-with-language are composite
|
|
@@ -3537,7 +3539,7 @@ ippReadIO(void *src, /* I - Data
|
|
|
|
n = (bufptr[0] << 8) | bufptr[1];
|
|
|
|
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
|
|
+ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
|
|
{
|
|
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
|
_("IPP language length overflows value."), 1);
|
|
@@ -3564,7 +3566,7 @@ ippReadIO(void *src, /* I - Data
|
|
bufptr += 2 + n;
|
|
n = (bufptr[0] << 8) | bufptr[1];
|
|
|
|
- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
|
|
+ if ((bufptr + 2 + n) > bufend)
|
|
{
|
|
_cupsSetError(IPP_STATUS_ERROR_INTERNAL,
|
|
_("IPP string length overflows value."), 1);
|