Annotation of /trunk/cups/patches/cups-1.2.12-CVE-2007-5849.patch
Parent Directory
| 
Revision Log
Revision 435 -
(hide annotations)
(download)
Wed Dec 19 16:14:13 2007 UTC (16 years, 5 months ago) by niro
File size: 1017 byte(s)
Wed Dec 19 16:14:13 2007 UTC (16 years, 5 months ago) by niro
File size: 1017 byte(s)
-security fixes
| 1 | niro | 435 | diff -Naur cups-1.3.4/backend/snmp.c cups-1.3.4.new/backend/snmp.c |
| 2 | --- cups-1.3.4/backend/snmp.c 2007-07-11 23:46:42.000000000 +0200 | ||
| 3 | +++ cups-1.3.4.new/backend/snmp.c 2007-12-10 12:56:12.680574919 +0100 | ||
| 4 | @@ -1064,18 +1064,38 @@ | ||
| 5 | char *string, /* I - String buffer */ | ||
| 6 | int strsize) /* I - String buffer size */ | ||
| 7 | { | ||
| 8 | - if (length < strsize) | ||
| 9 | + if (length < 0) | ||
| 10 | { | ||
| 11 | - memcpy(string, *buffer, length); | ||
| 12 | + /* | ||
| 13 | + * Disallow negative lengths! | ||
| 14 | + */ | ||
| 15 | + | ||
| 16 | + fprintf(stderr, "ERROR: Bad ASN1 string length %d!\n", length); | ||
| 17 | + *string = '\0'; | ||
| 18 | + } | ||
| 19 | + else if (length < strsize) | ||
| 20 | + { | ||
| 21 | + /* | ||
| 22 | + * String is smaller than the buffer... | ||
| 23 | + */ | ||
| 24 | + | ||
| 25 | + if (length > 0) | ||
| 26 | + memcpy(string, *buffer, length); | ||
| 27 | + | ||
| 28 | string[length] = '\0'; | ||
| 29 | } | ||
| 30 | else | ||
| 31 | { | ||
| 32 | + /* | ||
| 33 | + * String is larger than the buffer... | ||
| 34 | + */ | ||
| 35 | + | ||
| 36 | memcpy(string, buffer, strsize - 1); | ||
| 37 | string[strsize - 1] = '\0'; | ||
| 38 | } | ||
| 39 | |||
| 40 | - (*buffer) += length; | ||
| 41 | + if (length > 0) | ||
| 42 | + (*buffer) += length; | ||
| 43 | |||
| 44 | return (string); | ||
| 45 | } |