From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001 From: Michael R Sweet Date: Mon, 1 Feb 2021 15:02:32 -0500 Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001) --- diff --git a/cups/ipp.c b/cups/ipp.c index 3d529346c..adbb26fba 100644 --- a/cups/ipp.c +++ b/cups/ipp.c @@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */ unsigned char *buffer, /* Data buffer */ string[IPP_MAX_TEXT], /* Small string buffer */ - *bufptr; /* Pointer into buffer */ + *bufptr, /* Pointer into buffer */ + *bufend; /* End of buffer */ ipp_attribute_t *attr; /* Current attribute */ ipp_tag_t tag; /* Current tag */ ipp_tag_t value_tag; /* Current value tag */ @@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */ } bufptr = buffer; + bufend = buffer + n; /* * text-with-language and name-with-language are composite @@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */ n = (bufptr[0] << 8) | bufptr[1]; - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string)) + if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string)) { _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP language length overflows value."), 1); @@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */ bufptr += 2 + n; n = (bufptr[0] << 8) | bufptr[1]; - if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE)) + if ((bufptr + 2 + n) > bufend) { _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP string length overflows value."), 1); b71eb704dc60137f7f53370eedb52141473da0'/>
path: root/tests/guix-git-authenticate.sh
AgeCommit message (Expand)Author