fix out-of-bounds write in encode_string

diff --git a/cups/form.c b/cups/form.c
index 236eff4b00169245db425e553f6f52bc51678039..54cf8e5b840702dc2325d6dfd2d9fa1ce86c4786 100644 (file)
--- a/cups/form.c
+++ b/cups/form.c
@@ -301,12 +301,18 @@ encode_string(const char *s,            // I - String to encode
     if (*s == ' ')
     {
       // Space is encoded as '+'
-      *bufptr++ = '+';
+      if (bufptr < bufend)
+        *bufptr++ = '+';
+      else
+        bufptr ++;
     }
     else if (*s == '\n')
     {
       // Newline is encoded as percent-encoded CR & LF
-      *bufptr++ = '%';
+      if (bufptr < bufend)
+        *bufptr++ = '%';
+      else
+        bufptr ++;
       if (bufptr < bufend)
         *bufptr++ = '0';
       else
@@ -331,7 +337,10 @@ encode_string(const char *s,            // I - String to encode
     else if (!isalnum(*s & 255))
     {
       // Characters other than letters and numbers get percent-encoded
-      *bufptr++ = '%';
+      if (bufptr < bufend)
+        *bufptr++ = '%';
+      else
+        bufptr ++;
       if (bufptr < bufend)
         *bufptr++ = hex[(*s >> 4) & 15];
       else