From: aizu-m <aizumusheer2@gmail.com>
Date: Tue, 9 Jun 2026 06:42:08 +0000 (+0530)
Subject: fix out-of-bounds write in encode_string
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93465602b37ecdc59420e5cdeadf5bedc0a6fb0c;p=thirdparty%2Fcups.git

fix out-of-bounds write in encode_string
---

diff --git a/cups/form.c b/cups/form.c
index 236eff4b00..54cf8e5b84 100644
--- a/cups/form.c
+++ b/cups/form.c
@@ -301,12 +301,18 @@ encode_string(const char *s,            // I - String to encode
     if (*s == ' ')
     {
       // Space is encoded as '+'
-      *bufptr++ = '+';
+      if (bufptr < bufend)
+        *bufptr++ = '+';
+      else
+        bufptr ++;
     }
     else if (*s == '\n')
     {
       // Newline is encoded as percent-encoded CR & LF
-      *bufptr++ = '%';
+      if (bufptr < bufend)
+        *bufptr++ = '%';
+      else
+        bufptr ++;
       if (bufptr < bufend)
         *bufptr++ = '0';
       else
@@ -331,7 +337,10 @@ encode_string(const char *s,            // I - String to encode
     else if (!isalnum(*s & 255))
     {
       // Characters other than letters and numbers get percent-encoded
-      *bufptr++ = '%';
+      if (bufptr < bufend)
+        *bufptr++ = '%';
+      else
+        bufptr ++;
       if (bufptr < bufend)
         *bufptr++ = hex[(*s >> 4) & 15];
       else