Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
authorMichael R Sweet <msweet@msweet.org>
Mon, 1 Feb 2021 20:02:32 +0000 (15:02 -0500)
committerMichael R Sweet <msweet@msweet.org>
Mon, 1 Feb 2021 20:48:28 +0000 (15:48 -0500)
CHANGES-OPENPRINTING.md
cups/ipp.c

index e8f039695b01626c8246b22dcf2b8bada498bf91..c9715c07acca6402027845914d32adb84909312b 100644 (file)
@@ -4,6 +4,8 @@ OpenPrinting CUPS Changes
 Changes in CUPS v2.3.3op2
 -------------------------
 
+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
+  (CVE-2020-10001)
 - Clarified the documentation for the "Listen" directive (Issue #53)
 - Fixed duplicate ColorModel entries for AirPrint printers (Issue 59)
 - Fixed directory/permission defaults for Debian kfreebsd-based systems
index 3d529346c270a6d30edd823b9d8f0a432d43669d..adbb26fba13e5c0a3c561db01b6c32fcb0ba470c 100644 (file)
@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,                /* I - Data source */
   unsigned char                *buffer,        /* Data buffer */
                        string[IPP_MAX_TEXT],
                                        /* Small string buffer */
-                       *bufptr;        /* Pointer into buffer */
+                       *bufptr,        /* Pointer into buffer */
+                       *bufend;        /* End of buffer */
   ipp_attribute_t      *attr;          /* Current attribute */
   ipp_tag_t            tag;            /* Current tag */
   ipp_tag_t            value_tag;      /* Current value tag */
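Review bot: The comment on the new `bufend` declaration, `/* End of buffer */`, does not convey the distinction this fix depends on: the variable marks the end of the bytes actually read for the current value (it is later assigned `buffer + n` right after the read), not the end of the `IPP_BUF_SIZE` allocation that the old checks compared against. Spelling that out makes it less likely the allocation-size comparison gets reintroduced, e.g. `*bufend;        /* End of data read into buffer (buffer + n), not end of allocation */`. The ippReadIO body continues outside this hunk.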
@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,                /* I - Data source */
                }
 
                 bufptr = buffer;
+                bufend = buffer + n;
 
               /*
                * text-with-language and name-with-language are composite
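Review bot: Nothing in this hunk shows a lower bound on `n` when `bufend = buffer + n` is set, yet the next step reads a two-byte language length from `bufptr[0]`/`bufptr[1]`; for a value shorter than 2 bytes those reads pick up leftover bytes from an earlier value rather than from this one. That stays inside the `buffer` allocation and the following check `(bufptr + 2 + n + 2) > bufend` rejects any value under 4 bytes whatever those leftover bytes decode to, so it is a clarity point rather than an overflow. If the code above the hunk does not already reject short values, an explicit `if (n < 4)` rejection next to this assignment, using the same error path as the existing length checks, would make the invariant local and obvious. The enclosing case starts before and ends after this hunk.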
@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,                /* I - Data source */
 
                n = (bufptr[0] << 8) | bufptr[1];
 
-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+               if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
                {
                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
                                _("IPP language length overflows value."), 1);
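Review bot: The new check `(bufptr + 2 + n + 2) > bufend` still forms a pointer that can lie far beyond the end of `buffer` before comparing it: `n` is decoded from two untrusted bytes and can reach 65535, while `buffer` holds `IPP_BUF_SIZE` bytes (its allocation is outside this hunk). Pointer arithmetic past one-past-the-end is undefined in C, so an optimiser may assume it cannot happen and fold the comparison; comparing byte counts avoids that, e.g. `if (n > (bufend - bufptr) - 4 || n >= (int)sizeof(string))`. At this point `bufend - bufptr` is the number of bytes read for the value, and a value shorter than 4 bytes makes the subtraction negative, which the `>` test correctly rejects for any `n`, matching what the current expression accepts. The surrounding case statement starts before and ends after the hunk.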
@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,                /* I - Data source */
                 bufptr += 2 + n;
                n = (bufptr[0] << 8) | bufptr[1];
 
-               if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+               if ((bufptr + 2 + n) > bufend)
                {
                  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
                                _("IPP string length overflows value."), 1);
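Review bot: Same concern as the language-length check above: `bufptr + 2 + n` is computed before the comparison and can point well outside `buffer` when the two length bytes decode to a large `n`, which is undefined behaviour rather than a guaranteed-false comparison. The earlier check reserved two bytes past the language, so after `bufptr += 2 + n` the difference `bufend - bufptr` is at least 2 and `if (n > bufend - bufptr - 2)` expresses the same bound without forming the out-of-range pointer. The switch from `>=` to `>` correctly lets the string end exactly at `bufend`; whatever the code after the hunk does at `bufptr[2 + n]` (a NUL terminator, for instance) would then land at `buffer[bufend - buffer]`, which is only safe if the value length was capped below `IPP_BUF_SIZE` before the read — worth confirming, since both sides are outside this view.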