File cups-1.7.5-CVE-2019-8675.CVE-2019-8696.patch of Package cups.17820

--- cups/http.c.orig	2014-03-28 14:04:33.000000000 +0100
+++ cups/http.c	2019-11-13 16:21:39.000000000 +0100
@@ -1960,7 +1960,7 @@ httpPrintf(http_t     *http,		/* I - Con
 	   ...)				/* I - Additional args as needed */
 {
   int		bytes;			/* Number of bytes to write */
-  char		buf[16384];		/* Buffer for formatted string */
+  char		buf[65536];		/* Buffer for formatted string */
   va_list	ap;			/* Variable argument pointer */
 
 
@@ -1972,7 +1972,12 @@ httpPrintf(http_t     *http,		/* I - Con
 
   DEBUG_printf(("3httpPrintf: (%d bytes) %s", bytes, buf));
 
-  if (http->data_encoding == HTTP_ENCODING_FIELDS)
+  if (bytes > (ssize_t)(sizeof(buf) - 1))
+  {
+    http->error = ENOMEM;
+    return (-1);
+  }
+  else if (http->data_encoding == HTTP_ENCODING_FIELDS)
     return (httpWrite2(http, buf, bytes));
   else
   {
--- cups/ipp.c.orig	2014-05-09 01:10:47.000000000 +0200
+++ cups/ipp.c	2019-11-13 16:25:43.000000000 +0100
@@ -4659,9 +4659,7 @@ ippSetValueTag(
         break;
 
     case IPP_TAG_NAME :
-        if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
-            temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
-            temp_tag != IPP_TAG_MIMETYPE)
+        if (temp_tag != IPP_TAG_KEYWORD)
           return (0);
 
         (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
@@ -4669,10 +4667,7 @@ ippSetValueTag(
 
     case IPP_TAG_NAMELANG :
     case IPP_TAG_TEXTLANG :
-        if (value_tag == IPP_TAG_NAMELANG &&
-            (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
-             temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
-             temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
+        if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
           return (0);
 
         if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
--- cups/snmp.c.orig	2013-02-04 20:27:13.000000000 +0100
+++ cups/snmp.c	2019-11-13 16:32:00.000000000 +0100
@@ -1275,6 +1275,9 @@ asn1_get_integer(
   int	value;				/* Integer value */
 
 
+  if (*buffer >= bufend)
+    return (0);
+
   if (length > sizeof(int))
   {
     (*buffer) += length;
@@ -1301,6 +1304,9 @@ asn1_get_length(unsigned char **buffer,
   unsigned	length;			/* Length */
 
 
+  if (*buffer >= bufend)
+    return (0);
+
   length = **buffer;
   (*buffer) ++;
 
@@ -1343,6 +1349,9 @@ asn1_get_oid(
   int		number;			/* OID number */
 
 
+  if (*buffer >= bufend)
+    return (0);
+
   valend = *buffer + length;
   oidptr = oid;
   oidend = oid + oidsize - 1;
@@ -1391,9 +1400,12 @@ asn1_get_packed(
   int	value;				/* Value */
 
 
+  if (*buffer >= bufend)
+    return (0);
+
   value = 0;
 
-  while ((**buffer & 128) && *buffer < bufend)
+  while (*buffer < bufend && (**buffer & 128))
   {
     value = (value << 7) | (**buffer & 127);
     (*buffer) ++;
@@ -1421,6 +1433,9 @@ asn1_get_string(
     char          *string,		/* I  - String buffer */
     int           strsize)		/* I  - String buffer size */
 {
+  if (*buffer >= bufend)
+    return (NULL);
+
   if (length > (bufend - *buffer))
     length = bufend - *buffer;
 
@@ -1471,6 +1486,9 @@ asn1_get_type(unsigned char **buffer,	/*
   int	type;				/* Type */
 
 
+  if (*buffer >= bufend)
+    return (0);
+
   type = **buffer;
   (*buffer) ++;
Places

File cups-1.7.5-CVE-2019-8675.CVE-2019-8696.patch of Package cups.17820

Places
