UBSan: Array over-read when operating on _fields 669/head
authorRose <83477269+AtariDreams@users.noreply.github.com>
Sun, 23 Apr 2023 17:09:50 +0000 (13:09 -0400)
committerRose <83477269+AtariDreams@users.noreply.github.com>
Thu, 27 Apr 2023 16:43:20 +0000 (12:43 -0400)
When we iterate across all the fields we read outside the bounds of _fields and into other members, rather than comparing only the fields that lie within _fields and always freeing the ones that do not.

This PR fixes that.

cups/http.c

index 001490fbfc8eef84a27b7e7fbc162c357ef2332c..ef0e26d100e7b6f7306b1e47969b23ce69a15f97 100644 (file)
@@ -308,16 +308,28 @@ httpClearFields(http_t *http)             /* I - HTTP connection */
 
   if (http)
   {
-    memset(http->_fields, 0, sizeof(http->fields));
+    memset(http->_fields, 0, sizeof(http->_fields));
 
-    for (field = HTTP_FIELD_ACCEPT_LANGUAGE; field < HTTP_FIELD_MAX; field ++)
+    for (field = HTTP_FIELD_ACCEPT_LANGUAGE; field < HTTP_FIELD_ACCEPT_ENCODING; field ++)
     {
-      if (http->fields[field] && http->fields[field] != http->_fields[field])
+      if (!http->fields[field])
+        continue;
+
+      if (http->fields[field] != http->_fields[field])
         free(http->fields[field]);
 
       http->fields[field] = NULL;
     }
 
+    for (; field < HTTP_FIELD_MAX; field ++)
+    {
+      if (!http->fields[field])
+        continue;
+
+      free(http->fields[field]);
+      http->fields[field] = NULL;
+    }
+
     if (http->mode == _HTTP_MODE_CLIENT)
     {
       if (http->hostname[0] == '/')
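Review bot: HTTP_FIELD_ACCEPT_ENCODING now serves as the upper bound of `_fields` in the first loop here and again in the two http_add_field hunks below (the `>=` / `<` comparisons), with nothing in the code tying it to the array's declared size, so a later resize of `_fields` would silently reintroduce the over-read on `http->_fields[field]` that this commit fixes. I would add a comment above the first loop, `/* Only the first HTTP_FIELD_ACCEPT_ENCODING fields are backed by _fields; everything above it is always heap-allocated */`, since the declaration of `_fields` is not visible in this diff. If the build allows C11, a `_Static_assert(sizeof(http->_fields) / sizeof(http->_fields[0]) == HTTP_FIELD_ACCEPT_ENCODING, "_fields bound");` ahead of the loop would make the dependency checked rather than assumed. A small helper such as `static int http_field_is_static(http_field_t field) { return field < HTTP_FIELD_ACCEPT_ENCODING; }` would also let all three sites share one definition of the boundary instead of writing it as `>=` in one place and `<` in the others. httpClearFields continues past the end of this hunk.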
@@ -3624,7 +3636,7 @@ http_add_field(http_t       *http,        /* I - HTTP connection */
 
   if (!append && http->fields[field])
   {
-    if (http->fields[field] != http->_fields[field])
+    if (field >= HTTP_FIELD_ACCEPT_ENCODING || http->fields[field] != http->_fields[field])
       free(http->fields[field]);
 
     http->fields[field] = NULL;
@@ -3674,7 +3686,7 @@ http_add_field(http_t       *http,        /* I - HTTP connection */
 
     char *mcombined;                   /* New value string */
 
-    if (http->fields[field] == http->_fields[field])
+    if (field < HTTP_FIELD_ACCEPT_ENCODING && http->fields[field] == http->_fields[field])
     {
       if ((mcombined = malloc(total + 1)) != NULL)
       {