From: Michael R Sweet <msweet@msweet.org>
Date: Mon, 1 Feb 2021 20:02:32 +0000 (-0500)
Subject: Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
X-Git-Tag: v2.3.3op2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efbea1742bd30f842fbbfb87a473e5c84f4162f9;p=thirdparty%2Fcups.git

Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
---

diff --git a/CHANGES-OPENPRINTING.md b/CHANGES-OPENPRINTING.md
index e8f039695b..c9715c07ac 100644
--- a/CHANGES-OPENPRINTING.md
+++ b/CHANGES-OPENPRINTING.md
@@ -4,6 +4,8 @@ OpenPrinting CUPS Changes
 Changes in CUPS v2.3.3op2
 -------------------------
 
+- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
+  (CVE-2020-10001)
 - Clarified the documentation for the "Listen" directive (Issue #53)
 - Fixed duplicate ColorModel entries for AirPrint printers (Issue 59)
 - Fixed directory/permission defaults for Debian kfreebsd-based systems
diff --git a/cups/ipp.c b/cups/ipp.c
index 3d529346c2..adbb26fba1 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
   unsigned char		*buffer,	/* Data buffer */
 			string[IPP_MAX_TEXT],
 					/* Small string buffer */
-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_tag_t		tag;		/* Current tag */
   ipp_tag_t		value_tag;	/* Current value tag */
@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
 		}
 
                 bufptr = buffer;
+                bufend = buffer + n;
 
 	       /*
 	        * text-with-language and name-with-language are composite
@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP language length overflows value."), 1);
@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP string length overflows value."), 1);