We can accept OID string as input in few cases (mainly via side channel) and if the crafted OID string is sent, internal function asn1_size_oid() can end up with stack buffer overflow.
The issue happens when one OID node is too large, or OID is invalid (ending with dots) - we can fix it in _cupsSNMPStringToOID() by checking if the last source character is a dot (invalid OID), and by limiting integer for OID node to 0xffff.
Fixes #905
projects / thirdparty / cups.git / commitdiff
