
Fix for CVE-2020-10001, which is a bug in the CUPS ippReadIO function when it
reads tagged string values (nameWithLanguage and textWithLanguage).  The
previous code verified that the length of the sub-strings (language identifier
and name/text value) did not exceed the size of the allocated buffer (1 byte
larger than the maximum IPP value size of 32767 bytes), but did not validate
against the length of the actual IPP value.
The issues introduced by this vulnerability include:
- Potential information disclosure by copying uninitialized areas of memory into
  an IPP string value.
- Potential Denial of Service by supplying/using invalid string values when
  strict validation has been disabled by the system administrator.
This change ensures that:
1. The language identifier does not extend beyond the end of the IPP value.
2. The length of the name/text string is within the IPP value.
3. The name/text string is within the IPP value.
diff --git a/cups/ipp.c b/cups/ipp.c
index 3d529346c..adbb26fba 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -2866,7 +2866,8 @@ ippReadIO(void       *src,		/* I - Data source */
   unsigned char		*buffer,	/* Data buffer */
 			string[IPP_MAX_TEXT],
 					/* Small string buffer */
-			*bufptr;	/* Pointer into buffer */
+			*bufptr,	/* Pointer into buffer */
+			*bufend;	/* End of buffer */
   ipp_attribute_t	*attr;		/* Current attribute */
   ipp_tag_t		tag;		/* Current tag */
   ipp_tag_t		value_tag;	/* Current value tag */
@@ -3441,6 +3442,7 @@ ippReadIO(void       *src,		/* I - Data source */
 		}
fbeb5e
                 bufptr = buffer;
+                bufend = buffer + n;
fbeb5e
 	       /*
 	        * text-with-language and name-with-language are composite
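Review bot: `bufend = buffer + n;` deserves a one-line comment, because `buffer` is also bounded by `IPP_BUF_SIZE` elsewhere in this function and a reader can confuse the two limits: `/* bufend marks the end of the bytes actually read for this value, not of the allocated buffer */`. The assignment relies on `n` having already been checked against the buffer size (and the minimum length these composite tags need) before the read callback fills `buffer`; those checks, if present, sit above this hunk and are not visible here. The enclosing ippReadIO body starts and ends outside the hunk.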
@@ -3454,7 +3456,7 @@ ippReadIO(void       *src,		/* I - Data source */
fbeb5e
 		n = (bufptr[0] << 8) | bufptr[1];
fbeb5e
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
+		if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP language length overflows value."), 1);
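Review bot: The new guard forms `bufptr + 2 + n + 2` before comparing it with `bufend`; `n` is decoded from a 16-bit length field two lines above and can be as large as 65535, so the intermediate pointer can lie far past the end of `buffer`, which C does not define for pointer arithmetic even though the comparison behaves on mainstream compilers. Comparing the remaining length as an integer avoids forming the pointer at all: `if (n + 4 > bufend - bufptr || n >= (int)sizeof(string))`. The same shape recurs in the string-length check of the next hunk, where `if (n + 2 > bufend - bufptr)` would do. Either way the trailing `+ 2` deserves a comment, since it reserves room for the 2-byte length of the text that follows the language tag: `/* 2-byte lang length + lang + 2-byte text length must fit inside the value */`. The guard assumes the value was already verified to hold at least the 2 bytes read into `n` before `bufptr[0]`/`bufptr[1]` are dereferenced; that check, if present, is outside this hunk.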
@@ -3481,7 +3483,7 @@ ippReadIO(void       *src,		/* I - Data source */
                 bufptr += 2 + n;
 		n = (bufptr[0] << 8) | bufptr[1];
fbeb5e
-		if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
+		if ((bufptr + 2 + n) > bufend)
 		{
 		  _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
 		                _("IPP string length overflows value."), 1);