path: root/print/cups/patches/patch-au
blob: aa6fdb5087689faf163f2040af0557f7af53aa5b (plain)
$NetBSD: patch-au,v 1.8.4.1 2007/12/03 13:13:14 ghen Exp $

# CVE-2007-4351

--- cups/ipp.c.orig	2007-02-05 20:25:50.000000000 +0000
+++ cups/ipp.c
@@ -1315,6 +1315,12 @@ ippReadIO(void       *src,		/* I - Data 
 	  {
 	    case IPP_TAG_INTEGER :
 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 4) < 4)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
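Review bot: The rejection message added under `if (n != 4)` is the string `ippReadIO: bad value length %d!`, and the guards this patch adds for BOOLEAN, DATE, RESOLUTION and RANGE use exactly the same text, so a debug log cannot tell which value type carried the malformed length. Naming the tag in each message would make triage of a malformed request easier, for example `DEBUG_printf(("ippReadIO: bad integer value length %d!\n", n));`. The expected size is also spelled out twice per case, once in the guard and once in the read call; a one-line comment above the guard such as `/* integer and enum values are always 4 bytes on the wire */` would tie the two together. ippReadIO's body starts and ends outside this hunk.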
@@ -1327,6 +1333,12 @@ ippReadIO(void       *src,		/* I - Data 
                 value->integer = n;
 	        break;
 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 1) < 1)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1344,6 +1356,12 @@ ippReadIO(void       *src,		/* I - Data 
 	    case IPP_TAG_CHARSET :
 	    case IPP_TAG_LANGUAGE :
 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		if ((*cb)(src, buffer, n) < n)
 		{
 		  DEBUG_puts("ippReadIO: unable to read name!");
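Review bot: The guard `if (n >= sizeof(buffer))` rejects a length equal to the buffer size, which is only necessary if a terminator is later stored at `buffer[n]`; that store is outside the hunk, so the reason for `>=` rather than `>` is not visible where the check lives. A comment above the guard would keep a later edit from loosening it, for example `/* n must leave room for the nul written at buffer[n] after the read */`. The same applies to the `>=` introduced in the TEXTLANG/NAMELANG guard and to the guard added before the member-name read.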
@@ -1356,6 +1374,12 @@ ippReadIO(void       *src,		/* I - Data 
 		              value->string.text));
 	        break;
 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, value->date, 11) < 11)
 		{
 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1363,6 +1387,12 @@ ippReadIO(void       *src,		/* I - Data 
 		}
 	        break;
 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 9) < 9)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1379,6 +1409,12 @@ ippReadIO(void       *src,		/* I - Data 
 		    (ipp_res_t)buffer[8];
 	        break;
 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 8) < 8)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1394,7 +1430,7 @@ ippReadIO(void       *src,		/* I - Data 
 	        break;
 	    case IPP_TAG_TEXTLANG :
 	    case IPP_TAG_NAMELANG :
-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
 		{
 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
 		  return (IPP_ERROR);
@@ -1420,22 +1456,27 @@ ippReadIO(void       *src,		/* I - Data 
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
 		{
-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
 		}
-		else
-		{
-		  memcpy(string, bufptr + 2, n);
-		  string[n] = '\0';
-                }
+
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
 
 		value->string.charset = _cupsStrAlloc((char *)string);
 
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		bufptr[2 + n] = '\0';
                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
 	        break;
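Review bot: The second length is read with `n = (bufptr[0] << 8) | bufptr[1];` before the new second guard runs, and the first guard only ensures `bufptr + 2 + n` is below the end of `buffer`, so after `bufptr += 2 + n` the byte `bufptr[1]` can sit one past the last element. Reserving room for the next two-byte length in the first guard closes that, and comparing offsets instead of pointers avoids forming `bufptr + 2 + n` beyond the array: `if (n >= sizeof(string) || n + 4 > (buffer + sizeof(buffer)) - bufptr)`. Both guards also bound the sub-lengths by the capacity of `buffer` rather than by the number of bytes actually read for this value; if the original value length is not kept elsewhere (it is overwritten in `n` here, and the read itself is outside the hunk), bytes left over from an earlier read could be parsed as charset or text. The declarations of `n`, `bufptr` and `buffer` are outside the hunk, so the types in the suggested line should be checked against them.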
@@ -1477,6 +1518,12 @@ ippReadIO(void       *src,		/* I - Data 
 		* we need to carry over...
 		*/
 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, n) < n)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1498,6 +1545,12 @@ ippReadIO(void       *src,		/* I - Data 
 		break;
 
             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
                 value->unknown.length = n;
 	        if (n > 0)
 		{
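Review bot: This guard uses `n > sizeof(buffer)` where every other length check added by the patch uses `>=` or an exact size, and nothing at the check says why. If the unknown value is read into separately allocated storage rather than into `buffer` (the read is outside the hunk), then `sizeof(buffer)` acts here as a general cap on value size rather than a bound on a copy, and a comment should say so: `/* cap unknown values at the size of the read buffer; no terminator is appended here */`. Without that, the differing operator reads as an oversight and invites a well-meant "fix" in either direction.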