From: Sean Kau <skau@chromium.org>
Date: Wed, 4 Dec 2019 18:19:18 +0000 (-0800)
Subject: Off by one error in ipp_finishings_vendor
X-Git-Tag: v2.3.1~4^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a00d9eaecfbaba8b78d063d2460b81f1516989b6;p=thirdparty%2Fcups.git

Off by one error in ipp_finishings_vendor

When enumvalue is 101 and attrname is "finsishings-supported"
we were getting the memory after ipp_finishings_vendor
in the ipp_job_collation_types array.
---

diff --git a/cups/ipp-support.c b/cups/ipp-support.c
index 192f5b6b8b..bfb9dff099 100644
--- a/cups/ipp-support.c
+++ b/cups/ipp-support.c
@@ -2093,7 +2093,7 @@ ippEnumString(const char *attrname,	/* I - Attribute name */
   {
     if (enumvalue >= 3 && enumvalue < (3 + (int)(sizeof(ipp_finishings) / sizeof(ipp_finishings[0]))))
       return (ipp_finishings[enumvalue - 3]);
-    else if (enumvalue >= 0x40000000 && enumvalue <= (0x40000000 + (int)(sizeof(ipp_finishings_vendor) / sizeof(ipp_finishings_vendor[0]))))
+    else if (enumvalue >= 0x40000000 && enumvalue < (0x40000000 + (int)(sizeof(ipp_finishings_vendor) / sizeof(ipp_finishings_vendor[0]))))
       return (ipp_finishings_vendor[enumvalue - 0x40000000]);
   }
   else if ((!strcmp(attrname, "job-collation-type") || !strcmp(attrname, "job-collation-type-actual")) && enumvalue >= 3 && enumvalue < (3 + (int)(sizeof(ipp_job_collation_types) / sizeof(ipp_job_collation_types[0]))))