Stop accepting attributes in collections (Issue #5630)
authorMichael R Sweet <michael.r.sweet@gmail.com>
Wed, 7 Aug 2019 17:00:50 +0000 (13:00 -0400)
committerMichael R Sweet <michael.r.sweet@gmail.com>
Wed, 7 Aug 2019 17:00:50 +0000 (13:00 -0400)
CHANGES.md
cups/ipp.c
cups/testipp.c

index 77324d1678f93f7e8f94bcd35023a271cc31a004..8c7bfb0cdddd1115d754273925fa0ce896f86503 100644 (file)
@@ -1,4 +1,4 @@
-CHANGES - 2.3.0 - 2019-08-01
+CHANGES - 2.3.0 - 2019-08-07
 ============================
 
 
@@ -26,6 +26,8 @@ Changes in CUPS v2.3.0
   to a named group (Issue #5613)
 - Added USB quirks rule for HP LaserJet 1015 (Issue #5617)
 - Fixed some PPD parser issues (Issue #5623, Issue #5624)
+- The IPP parser no longer allows invalid member attributes in collections
+  (Issue #5630)
 - Fixed an issue with unsupported "sides" values in the IPP backend
   (rdar://51775322)
 - The scheduler would restart continuously when idle and printers were not
index 0248cb9d295a01d365e5c49eec29b31b19bd4200..6fae52a0060576091ea327495a8421e8e535044e 100644 (file)
@@ -3040,8 +3040,13 @@ ippReadIO(void       *src,               /* I - Data source */
 
           DEBUG_printf(("2ippReadIO: name length=%d", n));
 
-          if (n == 0 && tag != IPP_TAG_MEMBERNAME &&
-             tag != IPP_TAG_END_COLLECTION)
+          if (n && parent)
+          {
+            _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Invalid named IPP attribute in collection."), 1);
+            DEBUG_puts("1ippReadIO: bad attribute name in collection.");
+            return (IPP_STATE_ERROR);
+          }
+          else if (n == 0 && tag != IPP_TAG_MEMBERNAME && tag != IPP_TAG_END_COLLECTION)
          {
           /*
            * More values for current attribute...
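Review bot: The new `if (n && parent)` branch returns `IPP_STATE_ERROR` directly, and the visible lines do not release anything ippReadIO may be holding at that point. If the attribute-reading state works from a pooled or heap read buffer (the allocation is outside the hunk, so this needs confirming), the branch should release it before returning, for example with a `_cupsBufferRelease(...)` call on that buffer placed just above `return (IPP_STATE_ERROR);`. Otherwise each malformed request from a network peer would leak one buffer in a long-running process. A short comment on the check would also help, such as `/* Members must be sent as memberAttrName + value; a non-empty name while inside a collection is invalid. */`. ippReadIO starts and ends outside the hunk.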
index 67700c64233dc3db7683fbf63c67362167996622..aca52021a4d34325e7884c429d6a85804cc58674 100644 (file)
@@ -187,6 +187,71 @@ static ipp_uchar_t collection[] =  /* Collection buffer */
                  0x00, 0x00,           /* No name */
                  0x00, 0x00,           /* No value */
 
+                 IPP_TAG_END           /* end tag */
+               };
+static ipp_uchar_t bad_collection[] =  /* Collection buffer (bad encoding) */
+               {
+                 0x01, 0x01,           /* IPP version */
+                 0x00, 0x02,           /* Print-Job operation */
+                 0x00, 0x00, 0x00, 0x01,
+                                       /* Request ID */
+
+                 IPP_TAG_OPERATION,
+
+                 IPP_TAG_CHARSET,
+                 0x00, 0x12,           /* Name length + name */
+                 'a','t','t','r','i','b','u','t','e','s','-',
+                 'c','h','a','r','s','e','t',
+                 0x00, 0x05,           /* Value length + value */
+                 'u','t','f','-','8',
+
+                 IPP_TAG_LANGUAGE,
+                 0x00, 0x1b,           /* Name length + name */
+                 'a','t','t','r','i','b','u','t','e','s','-',
+                 'n','a','t','u','r','a','l','-','l','a','n',
+                 'g','u','a','g','e',
+                 0x00, 0x02,           /* Value length + value */
+                 'e','n',
+
+                 IPP_TAG_URI,
+                 0x00, 0x0b,           /* Name length + name */
+                 'p','r','i','n','t','e','r','-','u','r','i',
+                 0x00, 0x1c,                   /* Value length + value */
+                 'i','p','p',':','/','/','l','o','c','a','l',
+                 'h','o','s','t','/','p','r','i','n','t','e',
+                 'r','s','/','f','o','o',
+
+                 IPP_TAG_JOB,          /* job group tag */
+
+                 IPP_TAG_BEGIN_COLLECTION,
+                                       /* begCollection tag */
+                 0x00, 0x09,           /* Name length + name */
+                 'm', 'e', 'd', 'i', 'a', '-', 'c', 'o', 'l',
+                 0x00, 0x00,           /* No value */
+                   IPP_TAG_BEGIN_COLLECTION,
+                                       /* begCollection tag */
+                   0x00, 0x0a,         /* Name length + name */
+                   'm', 'e', 'd', 'i', 'a', '-', 's', 'i', 'z', 'e',
+                   0x00, 0x00,         /* No value */
+                     IPP_TAG_INTEGER,  /* integer tag */
+                     0x00, 0x0b,       /* Name length + name */
+                     'x', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
+                     0x00, 0x04,       /* Value length + value */
+                     0x00, 0x00, 0x54, 0x56,
+                     IPP_TAG_INTEGER,  /* integer tag */
+                     0x00, 0x0b,       /* Name length + name */
+                     'y', '-', 'd', 'i', 'm', 'e', 'n', 's', 'i', 'o', 'n',
+                     0x00, 0x04,       /* Value length + value */
+                     0x00, 0x00, 0x6d, 0x24,
+                   IPP_TAG_END_COLLECTION,
+                                       /* endCollection tag */
+                   0x00, 0x00,         /* No name */
+                   0x00, 0x00,         /* No value */
+                 IPP_TAG_END_COLLECTION,
+                                       /* endCollection tag */
+                 0x00, 0x00,           /* No name */
+                 0x00, 0x00,           /* No value */
+
                  IPP_TAG_END           /* end tag */
                };
 
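Review bot: The comment on `bad_collection` says only "bad encoding", so a reader has to diff it byte by byte against `collection` to see what is wrong. Consider spelling it out, e.g. `/* Collection buffer (bad encoding: members carry names directly instead of memberAttrName) */`. Assuming the parser sets its parent pointer once "media-col" is opened, parsing will stop at the nested named `IPP_TAG_BEGIN_COLLECTION` ("media-size"), so the two named `IPP_TAG_INTEGER` members are never reached. A second fixture whose only violation is a named integer member directly inside "media-col" would cover that path as well.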
@@ -586,12 +651,33 @@ main(int  argc,                   /* I - Number of command-line arguments */
 
     ippDelete(request);
 
+   /*
+    * Read the bad collection data and confirm we get an error...
+    */
+
+    fputs("Read Bad Collection from Memory: ", stdout);
+
+    request = ippNew();
+    data.rpos    = 0;
+    data.wused   = sizeof(bad_collection);
+    data.wsize   = sizeof(bad_collection);
+    data.wbuffer = bad_collection;
+
+    while ((state = ippReadIO(&data, (ipp_iocb_t)read_cb, 1, NULL, request)) != IPP_STATE_DATA)
+      if (state == IPP_STATE_ERROR)
+       break;
+
+    if (state != IPP_STATE_ERROR)
+      puts("FAIL (read successful)");
+    else
+      puts("PASS");
+
    /*
     * Read the mixed data and confirm we converted everything to rangeOfInteger
     * values...
     */
 
-    printf("Read Mixed integer/rangeOfInteger from Memory: ");
+    fputs("Read Mixed integer/rangeOfInteger from Memory: ", stdout);
 
     request = ippNew();
     data.rpos    = 0;
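Review bot: The bad-collection case allocates `request = ippNew();` and never frees it before the next `request = ippNew();` in the mixed-data test, so the object from the error path is leaked; add `ippDelete(request);` after the PASS/FAIL output. The FAIL branch also only prints a message. If main reports failures through a status variable (declared outside the hunk, so confirm), this branch should set it, e.g. `{ puts("FAIL (read successful)"); status = 1; }`, otherwise a regression in the parser check would not change the test program's exit code. main's body starts and ends outside the hunk.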