From a00d9eaecfbaba8b78d063d2460b81f1516989b6 Mon Sep 17 00:00:00 2001 From: Sean Kau Date: Wed, 4 Dec 2019 10:19:18 -0800 Subject: [PATCH] Off by one error in ipp_finishings_vendor When enumvalue is 101 and attrname is "finsishings-supported" we were getting the memory after ipp_finishings_vendor in the ipp_job_collation_types array. --- cups/ipp-support.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cups/ipp-support.c b/cups/ipp-support.c index 192f5b6b8..bfb9dff09 100644 --- a/cups/ipp-support.c +++ b/cups/ipp-support.c @@ -2093,7 +2093,7 @@ ippEnumString(const char *attrname, /* I - Attribute name */ { if (enumvalue >= 3 && enumvalue < (3 + (int)(sizeof(ipp_finishings) / sizeof(ipp_finishings[0])))) return (ipp_finishings[enumvalue - 3]); - else if (enumvalue >= 0x40000000 && enumvalue <= (0x40000000 + (int)(sizeof(ipp_finishings_vendor) / sizeof(ipp_finishings_vendor[0])))) + else if (enumvalue >= 0x40000000 && enumvalue < (0x40000000 + (int)(sizeof(ipp_finishings_vendor) / sizeof(ipp_finishings_vendor[0])))) return (ipp_finishings_vendor[enumvalue - 0x40000000]); } else if ((!strcmp(attrname, "job-collation-type") || !strcmp(attrname, "job-collation-type-actual")) && enumvalue >= 3 && enumvalue < (3 + (int)(sizeof(ipp_job_collation_types) / sizeof(ipp_job_collation_types[0])))) -- 2.39.2