From 40fe4f77212d97fb58fa69e5d75a5afaff9fc254 Mon Sep 17 00:00:00 2001
From: Rose <83477269+AtariDreams@users.noreply.github.com>
Date: Sun, 23 Apr 2023 13:09:50 -0400
Subject: [PATCH] UBSan: Array over-read when operating on _fields

We are reading outside of the _fields boundaries and onto other fields when we iterate across all the fields, rather than comparing just those that are within _fields, and then always freeing the ones that are not. This PR fixes that.
---
 cups/http.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/cups/http.c b/cups/http.c
index 001490fbfc..ef0e26d100 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -308,16 +308,28 @@ httpClearFields(http_t *http) /* I - HTTP connection */
 if (http)
 {
- memset(http->_fields, 0, sizeof(http->fields));
+ memset(http->_fields, 0, sizeof(http->_fields));
- for (field = HTTP_FIELD_ACCEPT_LANGUAGE; field < HTTP_FIELD_MAX; field ++)
+ for (field = HTTP_FIELD_ACCEPT_LANGUAGE; field < HTTP_FIELD_ACCEPT_ENCODING; field ++)
 {
- if (http->fields[field] && http->fields[field] != http->_fields[field])
+ if (!http->fields[field])
+ continue;
+
+ if (http->fields[field] != http->_fields[field])
 free(http->fields[field]);
 http->fields[field] = NULL;
 }
+ for (; field < HTTP_FIELD_MAX; field ++)
+ {
+ if (!http->fields[field])
+ continue;
+
+ free(http->fields[field]);
+ http->fields[field] = NULL;
+ }
+
 if (http->mode == _HTTP_MODE_CLIENT)
 {
 if (http->hostname[0] == '/')
@@ -3624,7 +3636,7 @@ http_add_field(http_t *http, /* I - HTTP connection */
 if (!append && http->fields[field])
 {
- if (http->fields[field] != http->_fields[field])
+ if (field >= HTTP_FIELD_ACCEPT_ENCODING || http->fields[field] != http->_fields[field])
 free(http->fields[field]);
 http->fields[field] = NULL;
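Review bot: In httpClearFields the first loop's limit `HTTP_FIELD_ACCEPT_ENCODING` stands in for the number of entries in `_fields`, and the same constant is repeated in both http_add_field hunks, but nothing visible ties it to the array's declaration. If the enum order or the size of `_fields` ever changes, the comparison could read past `_fields` again, or a pointer into `_fields` could be handed to `free()`. Deriving the limit once from the array, for example `sizeof(http->_fields) / sizeof(http->_fields[0])` behind a single named constant, or asserting the relationship at compile time next to the declaration, would keep the three sites in step. In the second loop the `if (!http->fields[field]) continue;` guard is redundant, since `free(NULL)` is a no-op. The body of httpClearFields starts and ends outside the hunk.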
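Review bot: In http_add_field the new test stays in bounds only because `field >= HTTP_FIELD_ACCEPT_ENCODING` is evaluated before `http->_fields[field]` is indexed, and the later hunk relies on the same short-circuit with `field < HTTP_FIELD_ACCEPT_ENCODING &&`; neither place says so. Going by the commit message, `_fields` has no entry for the higher field values, so a short comment such as `/* _fields[] has no entry at or above HTTP_FIELD_ACCEPT_ENCODING; test the index first */` would keep a later cleanup from reordering the operands. The function begins and ends outside both hunks, so whether `field` is range-checked against `HTTP_FIELD_MAX` on entry cannot be seen here and is worth confirming.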
@@ -3674,7 +3686,7 @@ http_add_field(http_t *http, /* I - HTTP connection */
 char *mcombined; /* New value string */
- if (http->fields[field] == http->_fields[field])
+ if (field < HTTP_FIELD_ACCEPT_ENCODING && http->fields[field] == http->_fields[field])
 {
 if ((mcombined = malloc(total + 1)) != NULL)
 {
-- 
2.47.2