Validate lengths of integers/length values so that we don't see bogus values.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@8945 7a7537e8-13f0-0310-91df-b6672ffda945

diff --git a/cups/snmp.c b/cups/snmp.c
index ef40daefddda50470656e5039ef1e0076a606827..7079878a63454a57aa12217ee432bbf31c99ef55 100644 (file)
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1286,6 +1286,12 @@ asn1_get_integer(
   int  value;                          /* Integer value */
 
 
+  if (length > sizeof(int))
+  {
+    (*buffer) += length;
+    return (0);
+  }
+
   for (value = (**buffer & 0x80) ? -1 : 0;
        length > 0 && *buffer < bufend;
        length --, (*buffer) ++)
@@ -1314,7 +1320,13 @@ asn1_get_length(unsigned char **buffer,  /* IO - Pointer in buffer */
     int        count;                          /* Number of bytes for length */
 
 
-    for (count = length & 127, length = 0;
+    if ((count = length & 127) > sizeof(unsigned))
+    {
+      (*buffer) += count;
+      return (0);
+    }
+
+    for (length = 0;
         count > 0 && *buffer < bufend;
         count --, (*buffer) ++)
       length = (length << 8) | **buffer;