From e58cba9d6fceed4242980e51dbd1302cf638ab1d Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Thu, 11 Sep 2025 14:53:49 +0200
Subject: [PATCH] libcups: Fix handling of extension tag in `ipp_read_io()`

Fixes: CVE-2025-58364
---
 cups/ipp.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/cups/ipp.c b/cups/ipp.c
index 283e386b6e..e1e361b2ca 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -6045,31 +6045,6 @@ ipp_read_io(void *src, /* I - Data source */
 */

 tag = (ipp_tag_t)buffer[0];
- if (tag == IPP_TAG_EXTENSION)
- {
- /*
- * Read 32-bit "extension" tag...
- */
-
- if ((*cb)(src, buffer, 4) < 4)
- {
- DEBUG_puts("1ipp_read_io: Callback returned EOF/error");
- goto rollback;
- }
-
- tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
-
- if (tag & IPP_TAG_CUPS_CONST)
- {
- /*
- * Fail if the high bit is set in the tag...
- */
-
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
- DEBUG_printf(("1ipp_read_io: bad tag 0x%x.", tag));
- goto rollback;
- }
- }

 if (tag == IPP_TAG_END)
 {
@@ -6292,6 +6267,7 @@ ipp_read_io(void *src, /* I - Data source */

 if ((*cb)(src, buffer, (size_t)n) < n)
 {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
 DEBUG_puts("1ipp_read_io: unable to read name.");
 goto rollback;
 }
--
2.47.3
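Review bot: Only the short-read branch for the attribute name gains a `_cupsSetError()` call in the second hunk, and the commit message covers just the extension-tag change, so the reason for singling out this path is not documented. The callback-failure branch deleted in the first hunk logged with `DEBUG_puts` alone, which suggests other `(*cb)(...) < n` branches in `ipp_read_io()` may still reach `rollback` without recording an error. Those branches are outside the hunk and should be checked, so that truncated input from a peer is reported the same way on every path. A short comment above the new call, e.g. `/* Record why the read is rolled back so callers can report truncated input */`, would state the intent. The enclosing function starts and ends outside the hunk.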