diff options
Diffstat (limited to 'print/cups/patches/patch-au')
-rw-r--r-- | print/cups/patches/patch-au | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/print/cups/patches/patch-au b/print/cups/patches/patch-au new file mode 100644 index 00000000000..aa6fdb50876 --- /dev/null +++ b/print/cups/patches/patch-au @@ -0,0 +1,155 @@ +$NetBSD: patch-au,v 1.8.4.1 2007/12/03 13:13:14 ghen Exp $ + +# CVE-2007-4351 + +--- cups/ipp.c.orig 2007-02-05 20:25:50.000000000 +0000 ++++ cups/ipp.c +@@ -1315,6 +1315,12 @@ ippReadIO(void *src, /* I - Data + { + case IPP_TAG_INTEGER : + case IPP_TAG_ENUM : ++ if (n != 4) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 4) < 4) + { + DEBUG_puts("ippReadIO: Unable to read integer value!"); +@@ -1327,6 +1333,12 @@ ippReadIO(void *src, /* I - Data + value->integer = n; + break; + case IPP_TAG_BOOLEAN : ++ if (n != 1) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 1) < 1) + { + DEBUG_puts("ippReadIO: Unable to read boolean value!"); +@@ -1344,6 +1356,12 @@ ippReadIO(void *src, /* I - Data + case IPP_TAG_CHARSET : + case IPP_TAG_LANGUAGE : + case IPP_TAG_MIMETYPE : ++ if (n >= sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, n) < n) + { + DEBUG_puts("ippReadIO: unable to read name!"); +@@ -1356,6 +1374,12 @@ ippReadIO(void *src, /* I - Data + value->string.text)); + break; + case IPP_TAG_DATE : ++ if (n != 11) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, value->date, 11) < 11) + { + DEBUG_puts("ippReadIO: Unable to date integer value!"); +@@ -1363,6 +1387,12 @@ ippReadIO(void *src, /* I - Data + } + break; + case IPP_TAG_RESOLUTION : ++ if (n != 9) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 9) < 9) + { + DEBUG_puts("ippReadIO: Unable to read resolution value!"); +@@ -1379,6 +1409,12 @@ ippReadIO(void *src, /* I - Data + (ipp_res_t)buffer[8]; + break; + case IPP_TAG_RANGE : ++ if (n != 8) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, 8) < 8) + { + DEBUG_puts("ippReadIO: Unable to read range value!"); +@@ -1394,7 +1430,7 @@ ippReadIO(void *src, /* I - Data + break; + case IPP_TAG_TEXTLANG : + case IPP_TAG_NAMELANG : +- if (n > sizeof(buffer) || n < 4) ++ if (n >= sizeof(buffer) || n < 4) + { + DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); + return (IPP_ERROR); +@@ -1420,22 +1456,27 @@ ippReadIO(void *src, /* I - Data + + n = (bufptr[0] << 8) | bufptr[1]; + +- if (n >= sizeof(string)) ++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) || ++ n >= sizeof(string)) + { +- memcpy(string, bufptr + 2, sizeof(string) - 1); +- string[sizeof(string) - 1] = '\0'; ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); + } +- else +- { +- memcpy(string, bufptr + 2, n); +- string[n] = '\0'; +- } ++ ++ memcpy(string, bufptr + 2, n); ++ string[n] = '\0'; + + value->string.charset = _cupsStrAlloc((char *)string); + + bufptr += 2 + n; + n = (bufptr[0] << 8) | bufptr[1]; + ++ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer))) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + bufptr[2 + n] = '\0'; + value->string.text = _cupsStrAlloc((char *)bufptr + 2); + break; +@@ -1477,6 +1518,12 @@ ippReadIO(void *src, /* I - Data + * we need to carry over... + */ + ++ if (n >= sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + if ((*cb)(src, buffer, n) < n) + { + DEBUG_puts("ippReadIO: Unable to read member name value!"); +@@ -1498,6 +1545,12 @@ ippReadIO(void *src, /* I - Data + break; + + default : /* Other unsupported values */ ++ if (n > sizeof(buffer)) ++ { ++ DEBUG_printf(("ippReadIO: bad value length %d!\n", n)); ++ return (IPP_ERROR); ++ } ++ + value->unknown.length = n; + if (n > 0) + { |