File cups-2.2.7-CVE-2020-10001.patch of Package cups

Overview Repositories Revisions Requests Users Attributes Meta

File cups-2.2.7-CVE-2020-10001.patch of Package cups (Revision bd63122de6aba1ba7baeaa338438fe1c)

Currently displaying revision bd63122de6aba1ba7baeaa338438fe1c , Show latest

--- cups/ipp.c.orig	2021-01-11 10:53:43.080847679 +0100
+++ cups/ipp.c	2021-01-11 12:03:56.010423238 +0100
@@ -2965,7 +2965,8 @@ ippReadIO(void       *src,		/* I - Data
   unsigned char		*buffer,	/* Data buffer */
 			string[IPP_MAX_TEXT],
 					/* Small string buffer */
-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_tag_t		tag;		/* Current tag */
   ipp_tag_t		value_tag;	/* Current value tag */
@@ -3524,6 +3525,7 @@ ippReadIO(void       *src,		/* I - Data
 		}
 
                 bufptr = buffer;
+                bufend = buffer + n;
 
 	       /*
 	        * text-with-language and name-with-language are composite
@@ -3537,7 +3539,7 @@ ippReadIO(void       *src,		/* I - Data
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP language length overflows value."), 1);
@@ -3564,7 +3566,7 @@ ippReadIO(void       *src,		/* I - Data
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP string length overflows value."), 1);

 
--- cups/ipp.c.orig 2021-01-11 10:53:43.080847679 +0100
+++ cups/ipp.c  2021-01-11 12:03:56.010423238 +0100
@@ -2965,7 +2965,8 @@ ippReadIO(void       *src,        /* I - Data
   unsigned char        *buffer,    /* Data buffer */
            string[IPP_MAX_TEXT],
                    /* Small string buffer */
-           *bufptr;    /* Pointer into buffer */
+           *bufptr,    /* Pointer into buffer */
+           *bufend;    /* End of buffer */
   ipp_attribute_t  *attr;      /* Current attribute */
   ipp_tag_t        tag;        /* Current tag */
   ipp_tag_t        value_tag;  /* Current value tag */
@@ -3524,6 +3525,7 @@ ippReadIO(void       *src,        /* I - Data
        }
 
                 bufptr = buffer;
+                bufend = buffer + n;
 
           /*
            * text-with-language and name-with-language are composite
@@ -3537,7 +3539,7 @@ ippReadIO(void       *src,        /* I - Data
 
        n = (bufptr[0] << 8) | bufptr[1];
 
-       if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+       if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
        {
          _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
                        _("IPP language length overflows value."), 1);
@@ -3564,7 +3566,7 @@ ippReadIO(void       *src,        /* I - Data
                 bufptr += 2 + n;
        n = (bufptr[0] << 8) | bufptr[1];
 
-       if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+       if ((bufptr + 2 + n) > bufend)
        {
          _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
                        _("IPP string length overflows value."), 1);
​

Places

File cups-2.2.7-CVE-2020-10001.patch of Package cups (Revision bd63122de6aba1ba7baeaa338438fe1c)

Places