Add length checks to avoid pointer wraparound (Issue #431)

diff --git a/cups/snmp.c b/cups/snmp.c
index f2e0ee1bbd1f4a05aed5e2c61639d01fd5fa7db3..a53efe7b1dff6d55f97888cddbfdbb771ed3011f 100644 (file)
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1239,7 +1239,11 @@ asn1_get_integer(
 
   if (length > sizeof(int))
   {
-    (*buffer) += length;
+    if (length > (unsigned)(bufend - *buffer))
+      *buffer = bufend;
+    else
+      (*buffer) += length;
+
     return (0);
   }
 
@@ -1275,7 +1279,11 @@ asn1_get_length(unsigned char **buffer,  /* IO - Pointer in buffer */
 
     if ((count = length & 127) > sizeof(unsigned))
     {
-      (*buffer) += count;
+      if (count > (bufend - *buffer))
+       *buffer = bufend;
+      else
+       (*buffer) += count;
+
       return (0);
     }
 
@@ -1308,7 +1316,14 @@ asn1_get_oid(
 
 
   if (*buffer >= bufend)
+  {
     return (0);
+  }
+  else if (length > (unsigned)(bufend - *buffer))
+  {
+    *buffer = bufend;
+    return (0);
+  }
 
   valend = *buffer + length;
   oidptr = oid;