From: Michael R Sweet
Date: Mon, 18 Jul 2022 22:03:49 +0000 (-0400)
Subject: Fix a potential SNMP OID value overflow issue (Issue #431)
X-Git-Tag: v2.4.3~162
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7cbeaa6e12080ab154e7a446ae211046ef9d3ab;p=thirdparty%2Fcups.git

Fix a potential SNMP OID value overflow issue (Issue #431)
---
diff --git a/CHANGES.md b/CHANGES.md
index 11b5fd0732..b63e9d014b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -9,6 +9,7 @@ Changes in CUPS v2.4.3 (TBA)
 - Fixed the `device_uri` invalid pointer for driverless printers with `.local` hostname (Issue #419)
 - Fixed an OpenSSL crash bug (Issue #409)
+- Fixed a potential SNMP OID value overflow issue (Issue #431)
 - Use localhost when printing via printer application (Issue #353)
 - Now localize HTTP responses using the Content-Language value (Issue #426)
diff --git a/cups/snmp.c b/cups/snmp.c
index 6da119d767..f2e0ee1bbd 100644
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -1,6 +1,7 @@
 /*
 * SNMP functions for CUPS.
 *
+ * Copyright © 2022 by OpenPrinting.
 * Copyright © 2007-2019 by Apple Inc.
 * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
 *
@@ -1272,7 +1273,6 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */ { int count; /* Number of bytes for length */ - if ((count = length & 127) > sizeof(unsigned)) { (*buffer) += count;
@@ -1317,7 +1317,7 @@ asn1_get_oid(
 if (valend > bufend) valend = bufend;
- number = asn1_get_packed(buffer, bufend);
+ number = asn1_get_packed(buffer, valend);
 if (number < 80) {
@@ -1334,7 +1334,7 @@ asn1_get_oid(
 while (*buffer < valend) {
- number = asn1_get_packed(buffer, bufend);
+ number = asn1_get_packed(buffer, valend);
 if (oidptr < oidend) *oidptr++ = number;
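Review bot: The first `asn1_get_packed(buffer, valend)` call, in the hunk at -1317, is reached with no visible check that `*buffer < valend`, so an OID value with a declared length of zero depends entirely on the helper returning cleanly for an empty range. The helper's body is not part of this diff, so either confirm that or add a guard such as `if (*buffer >= valend)` that returns the function's existing error value before decoding. The same bound change in the hunk at -1334 sits inside `while (*buffer < valend)` and is covered there, but `if (oidptr < oidend) *oidptr++ = number;` still drops excess sub-identifiers without any signal visible in these lines, which may leave a caller comparing a truncated OID as if it were complete. A short comment at both calls, for example `/* Stop at valend, not bufend, so a sub-identifier cannot run past the OID's declared length */`, would record why the tighter bound matters. asn1_get_oid begins and ends outside both hunks.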