Contents of /trunk/cups/patches/cups-1.2.12-CVE-2007-5849.patch
Parent Directory | Revision Log
Revision 435 -
(show annotations)
(download)
Wed Dec 19 16:14:13 2007 UTC (16 years, 9 months ago) by niro
File size: 1017 byte(s)
Wed Dec 19 16:14:13 2007 UTC (16 years, 9 months ago) by niro
File size: 1017 byte(s)
-security fixes
1 | diff -Naur cups-1.3.4/backend/snmp.c cups-1.3.4.new/backend/snmp.c |
2 | --- cups-1.3.4/backend/snmp.c 2007-07-11 23:46:42.000000000 +0200 |
3 | +++ cups-1.3.4.new/backend/snmp.c 2007-12-10 12:56:12.680574919 +0100 |
4 | @@ -1064,18 +1064,38 @@ |
5 | char *string, /* I - String buffer */ |
6 | int strsize) /* I - String buffer size */ |
7 | { |
8 | - if (length < strsize) |
9 | + if (length < 0) |
10 | { |
11 | - memcpy(string, *buffer, length); |
12 | + /* |
13 | + * Disallow negative lengths! |
14 | + */ |
15 | + |
16 | + fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length); |
17 | + *string = '\0'; |
18 | + } |
19 | + else if (length < strsize) |
20 | + { |
21 | + /* |
22 | + * String is smaller than the buffer... |
23 | + */ |
24 | + |
25 | + if (length > 0) |
26 | + memcpy(string, *buffer, length); |
27 | + |
28 | string[length] = '\0'; |
29 | } |
30 | else |
31 | { |
32 | + /* |
33 | + * String is larger than the buffer... |
34 | + */ |
35 | + |
36 | memcpy(string, buffer, strsize - 1); |
37 | string[strsize - 1] = '\0'; |
38 | } |
39 | |
40 | - (*buffer) += length; |
41 | + if (length > 0) |
42 | + (*buffer) += length; |
43 | |
44 | return (string); |
45 | } |