libcups: Fix handling of extension tag in `ipp_read_io()`

Fixes: CVE-2025-58364

diff --git a/cups/ipp.c b/cups/ipp.c
index 283e386b6e6c3a955b7c83b853315634228f0fad..e1e361b2ca325f195c596e65da5f023c4b6b20b6 100644 (file)
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -6045,31 +6045,6 @@ ipp_read_io(void       *src,             /* I - Data source */
          */
 
           tag = (ipp_tag_t)buffer[0];
-          if (tag == IPP_TAG_EXTENSION)
-          {
-           /*
-            * Read 32-bit "extension" tag...
-            */
-
-           if ((*cb)(src, buffer, 4) < 4)
-           {
-             DEBUG_puts("1ipp_read_io: Callback returned EOF/error");
-             goto rollback;
-           }
-
-           tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
-
-            if (tag & IPP_TAG_CUPS_CONST)
-            {
-             /*
-              * Fail if the high bit is set in the tag...
-              */
-
-             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
-             DEBUG_printf(("1ipp_read_io: bad tag 0x%x.", tag));
-             goto rollback;
-            }
-          }
 
          if (tag == IPP_TAG_END)
          {
@@ -6292,6 +6267,7 @@ ipp_read_io(void       *src,              /* I - Data source */
 
            if ((*cb)(src, buffer, (size_t)n) < n)
            {
+             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
              DEBUG_puts("1ipp_read_io: unable to read name.");
              goto rollback;
            }