Gentoo's Bugzilla – Attachment 134187 Details for
Bug 196736
net-print/cups < 1.2.12-r2 IPP Tags Memory Corruption Vulnerability (CVE-2007-4351)
[patch]
str2561-cups12v2.patch
str2561-cups12v2.patch (text/plain), 3.78 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2007-10-23 18:50:15 UTC
Description:
str2561-cups12v2.patch
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2007-10-23 18:50:15 UTC
Size:
3.78 KB
>Index: ipp.c
>===================================================================
>--- ipp.c (revision 7023)
>+++ ipp.c (working copy)
>@@ -1315,6 +1315,12 @@
> {
> case IPP_TAG_INTEGER :
> case IPP_TAG_ENUM :
>+ if (n != 4)
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, 4) < 4)
> {
> DEBUG_puts("ippReadIO: Unable to read integer value!");
>@@ -1327,6 +1333,12 @@
> value->integer = n;
> break;
> case IPP_TAG_BOOLEAN :
>+ if (n != 1)
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, 1) < 1)
> {
> DEBUG_puts("ippReadIO: Unable to read boolean value!");
>@@ -1344,6 +1356,12 @@
> case IPP_TAG_CHARSET :
> case IPP_TAG_LANGUAGE :
> case IPP_TAG_MIMETYPE :
>+ if (n >= sizeof(buffer))
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, n) < n)
> {
> DEBUG_puts("ippReadIO: unable to read name!");
>@@ -1356,6 +1374,12 @@
> value->string.text));
> break;
> case IPP_TAG_DATE :
>+ if (n != 11)
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, value->date, 11) < 11)
> {
> DEBUG_puts("ippReadIO: Unable to date integer value!");
>@@ -1363,6 +1387,12 @@
> }
> break;
> case IPP_TAG_RESOLUTION :
>+ if (n != 9)
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, 9) < 9)
> {
> DEBUG_puts("ippReadIO: Unable to read resolution value!");
>@@ -1379,6 +1409,12 @@
> (ipp_res_t)buffer[8];
> break;
> case IPP_TAG_RANGE :
>+ if (n != 8)
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, 8) < 8)
> {
> DEBUG_puts("ippReadIO: Unable to read range value!");
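Review bot: Every added rejection in this patch logs the same text, `ippReadIO: bad value length %d!`, so a debug trace cannot show which value type carried the malformed length; this starts with the integer/enum check at @@ -1315 and repeats in all later hunks. The neighbouring messages already name the type ("Unable to read integer value!"), and the new ones could follow that pattern, for example `DEBUG_printf(("ippReadIO: bad integer value length %d!\n", n));` here and the matching word in the boolean, date, resolution and range cases. The enclosing switch starts and ends outside these hunks.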
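Review bot: The string case at @@ -1344 rejects `n >= sizeof(buffer)` while the default case at @@ -1498 rejects only `n > sizeof(buffer)`, and nothing in the code says why the two bounds differ. Presumably the string paths (this hunk, @@ -1394 and @@ -1477) store a terminator at `buffer[n]` after the read, which lies outside the hunks, and the default path does not use `buffer` that way. A one-line comment above each `>=` check, such as `/* n must leave room for the trailing nul in buffer */`, and a matching one on the default case stating that no terminator is written, would keep a later edit from relaxing `>=` back to `>`.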
>@@ -1394,7 +1430,7 @@
> break;
> case IPP_TAG_TEXTLANG :
> case IPP_TAG_NAMELANG :
>- if (n > sizeof(buffer) || n < 4)
>+ if (n >= sizeof(buffer) || n < 4)
> {
> DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
> return (IPP_ERROR);
>@@ -1420,22 +1456,27 @@
>
> n = (bufptr[0] << 8) | bufptr[1];
>
>- if (n >= sizeof(string))
>+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
>+ n >= sizeof(string))
> {
>- memcpy(string, bufptr + 2, sizeof(string) - 1);
>- string[sizeof(string) - 1] = '\0';
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
> }
>- else
>- {
>- memcpy(string, bufptr + 2, n);
>- string[n] = '\0';
>- }
>
>+ memcpy(string, bufptr + 2, n);
>+ string[n] = '\0';
>+
> value->string.charset = _cupsStrAlloc((char *)string);
>
> bufptr += 2 + n;
> n = (bufptr[0] << 8) | bufptr[1];
>
>+ if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> bufptr[2 + n] = '\0';
> value->string.text = _cupsStrAlloc((char *)bufptr + 2);
> break;
>@@ -1477,6 +1518,12 @@
> * we need to carry over...
> */
>
>+ if (n >= sizeof(buffer))
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> if ((*cb)(src, buffer, n) < n)
> {
> DEBUG_puts("ippReadIO: Unable to read member name value!");
>@@ -1498,6 +1545,12 @@
> break;
>
> default : /* Other unsupported values */
>+ if (n > sizeof(buffer))
>+ {
>+ DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
>+ return (IPP_ERROR);
>+ }
>+
> value->unknown.length = n;
> if (n > 0)
> {
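Review bot: Both new checks in the @@ -1420 hunk bound the embedded lengths by the capacity of `buffer` (`buffer + sizeof(buffer)`) rather than by the number of bytes received for this value, so inner lengths larger than the received data would still copy stale bytes from earlier reads into the charset or text string. The read that fills `buffer` is outside the hunk, so this is inferred from the outer `n >= sizeof(buffer) || n < 4` check; if it holds, save the end of the received data before `n` is reused and test against it, e.g. `if (n >= sizeof(string) || n > bufend - (bufptr + 2))`. Comparing lengths this way also avoids forming `bufptr + 2 + n` beyond the end of the array, which is undefined in C for a large `n`. After the first check passes, `bufptr += 2 + n` can leave `bufptr` on the last byte of `buffer`, so the following `bufptr[1]` read needs a guard that at least two bytes remain.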
Attachments on
bug 196736
:
134186
| 134187 |
134188