From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 5 Feb 2019 17:03:10 +0000 (-0500)
Subject: Fix UTF-8 validation (Issue #5509)
X-Git-Tag: v2.2.11~19
X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fcups.git;a=commitdiff_plain;h=949c21788d1ff42a193631cd1f0432acf84736cc

Fix UTF-8 validation (Issue #5509)
---

diff --git a/CHANGES.md b/CHANGES.md
index 6fdaf1785..5434a98b2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,10 +1,12 @@
-CHANGES - 2.2.11 - 2019-01-23
+CHANGES - 2.2.11 - 2019-02-05
 =============================
 
 
 Changes in CUPS v2.2.11
 -----------------------
 
+- The `ippValidateAttribute` function did not catch all instances of invalid
+  UTF-8 strings (Issue #5509)
 - Running ppdmerge with the same input and output filenames did not work as
   advertised (Issue #5455)
 - Fixed a potential memory leak when reading at the end of a file (Issue #5473)
diff --git a/cups/ipp.c b/cups/ipp.c
index fb3413981..f4171bc71 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4975,30 +4975,24 @@ ippValidateAttribute(
 	  {
 	    if ((*ptr & 0xe0) == 0xc0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80)
 	        break;
+
+	      ptr ++;
 	    }
 	    else if ((*ptr & 0xf0) == 0xe0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80 || (ptr[2] & 0xc0) != 0x80)
 	        break;
+
+	      ptr += 2;
 	    }
 	    else if ((*ptr & 0xf8) == 0xf0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80 || (ptr[2] & 0xc0) != 0x80 || (ptr[3] & 0xc0) != 0x80)
 	        break;
+
+	      ptr += 3;
 	    }
 	    else if (*ptr & 0x80)
 	      break;
@@ -5040,30 +5034,24 @@ ippValidateAttribute(
 	  {
 	    if ((*ptr & 0xe0) == 0xc0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80)
 	        break;
+
+	      ptr ++;
 	    }
 	    else if ((*ptr & 0xf0) == 0xe0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80 || (ptr[2] & 0xc0) != 0x80)
 	        break;
+
+	      ptr += 2;
 	    }
 	    else if ((*ptr & 0xf8) == 0xf0)
 	    {
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
-	        break;
-	      ptr ++;
-	      if ((*ptr & 0xc0) != 0x80)
+	      if ((ptr[1] & 0xc0) != 0x80 || (ptr[2] & 0xc0) != 0x80 || (ptr[3] & 0xc0) != 0x80)
 	        break;
+
+	      ptr += 3;
 	    }
 	    else if (*ptr & 0x80)
 	      break;