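--- a/ipp.c
+++ b/ipp.c
@@ -1315,6 +1315,12 @@
 	  {
 	    case IPP_TAG_INTEGER :
 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 4) < 4)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
@@ -1327,6 +1333,12 @@
                 value->integer = n;
 	        break;
 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 1) < 1)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1344,6 +1356,12 @@
 	    case IPP_TAG_CHARSET :
 	    case IPP_TAG_LANGUAGE :
 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		if ((*cb)(src, buffer, n) < n)
 		{
 		  DEBUG_puts("ippReadIO: unable to read name!");
@@ -1356,6 +1374,12 @@
 		              value->string.text));
 	        break;
 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, value->date, 11) < 11)
 		{
 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1363,6 +1387,12 @@
 		}
 	        break;
 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 9) < 9)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1379,6 +1409,12 @@
 		    (ipp_res_t)buffer[8];
 	        break;
 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 8) < 8)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1394,7 +1430,7 @@
 	        break;
 	    case IPP_TAG_TEXTLANG :
 	    case IPP_TAG_NAMELANG :
-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
 		{
 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
 		  return (IPP_ERROR);
@@ -1420,22 +1456,27 @@
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
 		{
-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
 		}
-		else
-		{
-		  memcpy(string, bufptr + 2, n);
-		  string[n] = '\0';
-                }
 
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
+
 		value->string.charset = _cupsStrAlloc((char *)string);
 
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		bufptr[2 + n] = '\0';
                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
 	        break;
@@ -1477,6 +1518,12 @@
 		* we need to carry over...
 		*/
 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, n) < n)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1498,6 +1545,12 @@
 		break;
 
             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
                 value->unknown.length = n;
 	        if (n > 0)
 		{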
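Review bot: In the IPP_TAG_TEXTLANG / IPP_TAG_NAMELANG hunk, the two new checks bound the embedded charset and text lengths against the capacity of `buffer` (`buffer + sizeof(buffer)`) rather than against the bytes actually read for this value. `n` is overwritten by the first `n = (bufptr[0] << 8) | bufptr[1];`, so unless the value length is saved in lines outside the hunk (the read itself is not shown), a short value carrying an oversized embedded length still passes and the strings are taken from whatever an earlier read left in `buffer`. Remembering the end of the received data in a new local and comparing remaining lengths, as sketched below, closes that gap and also avoids forming `bufptr + 2 + n` past the array before the comparison. Separately, the `default` case tests `n > sizeof(buffer)` while every other added check uses `>=`; a short comment saying whether that difference is intended would help.

```c
/* … unchanged: value length check and the (*cb)(src, buffer, n) read … */
bufend = buffer + n;		/* End of the bytes actually read (new local) */

/* … unchanged: first n = (bufptr[0] << 8) | bufptr[1]; … */
if (n >= sizeof(string) || n > (bufend - bufptr - 2))
/* … unchanged: error return, copy into string, bufptr += 2 + n … */

if ((bufend - bufptr) < 2)
{
  DEBUG_puts("ippReadIO: missing text length!");
  return (IPP_ERROR);
}

n = (bufptr[0] << 8) | bufptr[1];

if (n > (bufend - bufptr - 2))
/* … unchanged: error return, terminator and text allocation … */
```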
