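--- a/ipp.c
+++ b/ipp.c
@@ -1306,6 +1306,12 @@
 	  {
 	    case IPP_TAG_INTEGER :
 	    case IPP_TAG_ENUM :
+		if (n != 4)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 4) < 4)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read integer value!");
@@ -1318,6 +1324,12 @@
                 value->integer = n;
 	        break;
 	    case IPP_TAG_BOOLEAN :
+		if (n != 1)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 1) < 1)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read boolean value!");
@@ -1335,6 +1347,12 @@
 	    case IPP_TAG_CHARSET :
 	    case IPP_TAG_LANGUAGE :
 	    case IPP_TAG_MIMETYPE :
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		if ((*cb)(src, buffer, n) < n)
 		{
 		  DEBUG_puts("ippReadIO: unable to read name!");
@@ -1347,6 +1365,12 @@
 		              value->string.text));
 	        break;
 	    case IPP_TAG_DATE :
+		if (n != 11)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, value->date, 11) < 11)
 		{
 	          DEBUG_puts("ippReadIO: Unable to date integer value!");
@@ -1354,6 +1378,12 @@
 		}
 	        break;
 	    case IPP_TAG_RESOLUTION :
+		if (n != 9)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 9) < 9)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read resolution value!");
@@ -1370,6 +1400,12 @@
 		    (ipp_res_t)buffer[8];
 	        break;
 	    case IPP_TAG_RANGE :
+		if (n != 8)
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, 8) < 8)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read range value!");
@@ -1385,7 +1421,7 @@
 	        break;
 	    case IPP_TAG_TEXTLANG :
 	    case IPP_TAG_NAMELANG :
-	        if (n > sizeof(buffer) || n < 4)
+	        if (n >= sizeof(buffer) || n < 4)
 		{
 		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
 		  return (IPP_ERROR);
@@ -1411,22 +1447,27 @@
 
 		n = (bufptr[0] << 8) | bufptr[1];
 
-                if (n >= sizeof(string))
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)) ||
+		    n >= sizeof(string))
 		{
-		  memcpy(string, bufptr + 2, sizeof(string) - 1);
-		  string[sizeof(string) - 1] = '\0';
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
 		}
-		else
-		{
-		  memcpy(string, bufptr + 2, n);
-		  string[n] = '\0';
-                }
 
+		memcpy(string, bufptr + 2, n);
+		string[n] = '\0';
+
 		value->string.charset = _cupsStrAlloc((char *)string);
 
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
 
+		if ((bufptr + 2 + n) >= (buffer + sizeof(buffer)))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 		bufptr[2 + n] = '\0';
                 value->string.text = _cupsStrAlloc((char *)bufptr + 2);
 	        break;
@@ -1468,6 +1509,12 @@
 		* we need to carry over...
 		*/
 
+		if (n >= sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
 	        if ((*cb)(src, buffer, n) < n)
 		{
 	          DEBUG_puts("ippReadIO: Unable to read member name value!");
@@ -1489,6 +1536,12 @@
 		break;
 
             default : /* Other unsupported values */
+		if (n > sizeof(buffer))
+		{
+		  DEBUG_printf(("ippReadIO: bad value length %d!\n", n));
+		  return (IPP_ERROR);
+		}
+
                 value->unknown.length = n;
 	        if (n > 0)
 		{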
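Review bot: The two embedded-length checks in the IPP_TAG_TEXTLANG / IPP_TAG_NAMELANG case (new lines 1450 and 1465) bound `bufptr + 2 + n` by the capacity of `buffer`, not by the number of bytes the value actually delivered, and that outer length is lost when `n` is reused at line 1448. A sub-length that fits the array but exceeds the received data would let `memcpy` and `_cupsStrAlloc` pick up bytes left in `buffer` by earlier values; the read that fills `buffer` sits between the visible hunks, so this needs confirming against the full function. I would save the outer length before line 1448 (`bufend = buffer + n;`, where `bufend` is a new local) and compare lengths instead of pointers: `if (n >= sizeof(string) || n + 4 > (size_t)(bufend - bufptr))` for the charset and `if (n + 2 > (size_t)(bufend - bufptr))` for the text. That also keeps the `bufptr[1]` read at line 1463 inside the array, which the current first check does not guarantee when `bufptr + 2 + n` lands on the last element, and it avoids forming a pointer more than one past the end of `buffer` for large `n`.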

Return to bug 196736