From: mike
Date: Thu, 14 Jan 2010 22:17:53 +0000 (+0000)
Subject: Validate lengths of integers/length values so that we don't see bogus values.
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49b7cf6f358879037d35d82ed0b2713d10aea34f;p=thirdparty%2Fcups.git

Validate lengths of integers/length values so that we don't see bogus values.

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@8945 7a7537e8-13f0-0310-91df-b6672ffda945
---
diff --git a/cups/snmp.c b/cups/snmp.c
index ef40daefdd..7079878a63 100644
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1286,6 +1286,12 @@ asn1_get_integer(
 int value; /* Integer value */
+ if (length > sizeof(int))
+ {
+ (*buffer) += length;
+ return (0);
+ }
+
 for (value = (**buffer & 0x80) ? -1 : 0;
 length > 0 && *buffer < bufend;
 length --, (*buffer) ++)
@@ -1314,7 +1320,13 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */
 int count; /* Number of bytes for length */
- for (count = length & 127, length = 0;
+ if ((count = length & 127) > sizeof(unsigned))
+ {
+ (*buffer) += count;
+ return (0);
+ }
+
+ for (length = 0;
 count > 0 && *buffer < bufend;
 count --, (*buffer) ++)
 length = (length << 8) | **buffer;
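Review bot: The new early-return path in asn1_get_integer advances the cursor with `(*buffer) += length;` without comparing against `bufend`, unlike the loop below it, which stops at `*buffer < bufend`; a length field larger than the remaining packet leaves `*buffer` past the end of the buffer. Clamp the skip instead, for example `*buffer = (length > bufend - *buffer) ? bufend : *buffer + length;`. The same unbounded skip appears in the asn1_get_length hunk as `(*buffer) += count;`. The declaration of `length` is outside this hunk; if it is a signed int, `length > sizeof(int)` is evaluated as an unsigned comparison, so a negative length would also take this path and move the cursor backwards, which an explicit `length < 0` check would rule out.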
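Review bot: Returning 0 for a rejected length in asn1_get_length is indistinguishable from a genuine zero-length element, so the caller (outside this hunk) presumably carries on decoding the value octets as if they were the next element. Consider making the rejection terminal by replacing the skip with `*buffer = bufend;`, so that the existing `*buffer < bufend` checks end the decode, or at least document the choice with a comment such as `/* Length does not fit in an unsigned: skip the length octets and report 0 */`. A count equal to `sizeof(unsigned)` is still accepted, so the decoded length can exceed the bytes remaining and callers still have to bound it against `bufend`.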