From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 20 Jul 2022 02:00:12 +0000 (-0400)
Subject: Add length checks to avoid pointer wraparound (Issue #431)
X-Git-Tag: v2.4.3~161
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=803d683ee6ab705fd27c2ab638f666c27d315406;p=thirdparty%2Fcups.git

Add length checks to avoid pointer wraparound (Issue #431)
---

diff --git a/cups/snmp.c b/cups/snmp.c
index f2e0ee1bbd..a53efe7b1d 100644
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1239,7 +1239,11 @@ asn1_get_integer(
 
   if (length > sizeof(int))
   {
-    (*buffer) += length;
+    if (length > (unsigned)(bufend - *buffer))
+      *buffer = bufend;
+    else
+      (*buffer) += length;
+
     return (0);
   }
 
@@ -1275,7 +1279,11 @@ asn1_get_length(unsigned char **buffer,	/* IO - Pointer in buffer */
 
     if ((count = length & 127) > sizeof(unsigned))
     {
-      (*buffer) += count;
+      if (count > (bufend - *buffer))
+	*buffer = bufend;
+      else
+	(*buffer) += count;
+
       return (0);
     }
 
@@ -1308,7 +1316,14 @@ asn1_get_oid(
 
 
   if (*buffer >= bufend)
+  {
     return (0);
+  }
+  else if (length > (unsigned)(bufend - *buffer))
+  {
+    *buffer = bufend;
+    return (0);
+  }
 
   valend = *buffer + length;
   oidptr = oid;