Attachment #134186 for bug #196736

Lines 1-5 Link Here

(-)ipp.c (-7 / +59 lines)
1	/*	1	/*
2	* "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $"	2	* "$Id$"
3	*	3	*
4	* Internet Printing Protocol support functions for the Common UNIX	4	* Internet Printing Protocol support functions for the Common UNIX
5	* Printing System (CUPS).	5	* Printing System (CUPS).
Lines 1119-1124 Link Here
1119	{	1119	{
1120	case IPP_TAG_INTEGER :	1120	case IPP_TAG_INTEGER :
1121	case IPP_TAG_ENUM :	1121	case IPP_TAG_ENUM :
		1122	if (n != 4)
		1123	{
		1124	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1125	return (IPP_ERROR);
		1126	}
		1127
1122	if ((*cb)(src, buffer, 4) < 4)	1128	if ((*cb)(src, buffer, 4) < 4)
1123	{	1129	{
1124	DEBUG_puts("ippReadIO: Unable to read integer value!");	1130	DEBUG_puts("ippReadIO: Unable to read integer value!");
Lines 1131-1136 Link Here
1131	value->integer = n;	1137	value->integer = n;
1132	break;	1138	break;
1133	case IPP_TAG_BOOLEAN :	1139	case IPP_TAG_BOOLEAN :
		1140	if (n != 1)
		1141	{
		1142	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1143	return (IPP_ERROR);
		1144	}
		1145
1134	if ((*cb)(src, buffer, 1) < 1)	1146	if ((*cb)(src, buffer, 1) < 1)
1135	{	1147	{
1136	DEBUG_puts("ippReadIO: Unable to read boolean value!");	1148	DEBUG_puts("ippReadIO: Unable to read boolean value!");
Lines 1148-1153 Link Here
1148	case IPP_TAG_CHARSET :	1160	case IPP_TAG_CHARSET :
1149	case IPP_TAG_LANGUAGE :	1161	case IPP_TAG_LANGUAGE :
1150	case IPP_TAG_MIMETYPE :	1162	case IPP_TAG_MIMETYPE :
		1163	if (n >= sizeof(buffer))
		1164	{
		1165	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1166	return (IPP_ERROR);
		1167	}
		1168
1151	value->string.text = calloc(n + 1, 1);	1169	value->string.text = calloc(n + 1, 1);
1152		1170
1153	if ((cb)(src, (ipp_uchar_t )value->string.text, n) < n)	1171	if ((cb)(src, (ipp_uchar_t )value->string.text, n) < n)
Lines 1160-1165 Link Here
1160	value->string.text));	1178	value->string.text));
1161	break;	1179	break;
1162	case IPP_TAG_DATE :	1180	case IPP_TAG_DATE :
		1181	if (n != 11)
		1182	{
		1183	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1184	return (IPP_ERROR);
		1185	}
		1186
1163	if ((*cb)(src, value->date, 11) < 11)	1187	if ((*cb)(src, value->date, 11) < 11)
1164	{	1188	{
1165	DEBUG_puts("ippReadIO: Unable to date integer value!");	1189	DEBUG_puts("ippReadIO: Unable to date integer value!");
Lines 1167-1172 Link Here
1167	}	1191	}
1168	break;	1192	break;
1169	case IPP_TAG_RESOLUTION :	1193	case IPP_TAG_RESOLUTION :
		1194	if (n != 9)
		1195	{
		1196	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1197	return (IPP_ERROR);
		1198	}
		1199
1170	if ((*cb)(src, buffer, 9) < 9)	1200	if ((*cb)(src, buffer, 9) < 9)
1171	{	1201	{
1172	DEBUG_puts("ippReadIO: Unable to read resolution value!");	1202	DEBUG_puts("ippReadIO: Unable to read resolution value!");
Lines 1183-1188 Link Here
1183	(ipp_res_t)buffer[8];	1213	(ipp_res_t)buffer[8];
1184	break;	1214	break;
1185	case IPP_TAG_RANGE :	1215	case IPP_TAG_RANGE :
		1216	if (n != 8)
		1217	{
		1218	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1219	return (IPP_ERROR);
		1220	}
		1221
1186	if ((*cb)(src, buffer, 8) < 8)	1222	if ((*cb)(src, buffer, 8) < 8)
1187	{	1223	{
1188	DEBUG_puts("ippReadIO: Unable to read range value!");	1224	DEBUG_puts("ippReadIO: Unable to read range value!");
Lines 1198-1204 Link Here
1198	break;	1234	break;
1199	case IPP_TAG_TEXTLANG :	1235	case IPP_TAG_TEXTLANG :
1200	case IPP_TAG_NAMELANG :	1236	case IPP_TAG_NAMELANG :
1201	if (n > sizeof(buffer) \|\| n < 4)	1237	if (n >= sizeof(buffer) \|\| n < 4)
1202	{	1238	{
1203	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));	1239	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
1204	return (IPP_ERROR);	1240	return (IPP_ERROR);
Lines 1224-1241 Link Here
1224		1260
1225	n = (bufptr[0] << 8) \| bufptr[1];	1261	n = (bufptr[0] << 8) \| bufptr[1];
1226		1262
		1263	if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
		1264	{
		1265	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1266	return (IPP_ERROR);
		1267	}
		1268
1227	value->string.charset = calloc(n + 1, 1);	1269	value->string.charset = calloc(n + 1, 1);
1228		1270
1229	memcpy(value->string.charset,	1271	memcpy(value->string.charset, bufptr + 2, n);
1230	bufptr + 2, n);
1231		1272
1232	bufptr += 2 + n;	1273	bufptr += 2 + n;
1233	n = (bufptr[0] << 8) \| bufptr[1];	1274	n = (bufptr[0] << 8) \| bufptr[1];
1234		1275
		1276	if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
		1277	{
		1278	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1279	return (IPP_ERROR);
		1280	}
		1281
1235	value->string.text = calloc(n + 1, 1);	1282	value->string.text = calloc(n + 1, 1);
1236		1283
1237	memcpy(value->string.text,	1284	memcpy(value->string.text, bufptr + 2, n);
1238	bufptr + 2, n);
1239	break;	1285	break;
1240		1286
1241	case IPP_TAG_BEGIN_COLLECTION :	1287	case IPP_TAG_BEGIN_COLLECTION :
Lines 1287-1292 Link Here
1287	break;	1333	break;
1288		1334
1289	default : /* Other unsupported values */	1335	default : /* Other unsupported values */
		1336	if (n > sizeof(buffer))
		1337	{
		1338	DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
		1339	return (IPP_ERROR);
		1340	}
		1341
1290	value->unknown.length = n;	1342	value->unknown.length = n;
1291	if (n > 0)	1343	if (n > 0)
1292	{	1344	{
Lines 2557-2561 Link Here
2557		2609
2558		2610
2559	/*	2611	/*
2560	* End of "$Id: ipp.c,v 1.98 2005/01/03 19:29:45 mike Exp $".	2612	* End of "$Id$".
2561	*/	2613	*/

Return to bug 196736