diff options
author | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-15 14:06:47 -0400 |
---|---|---|
committer | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-15 14:06:47 -0400 |
commit | 2c030c7a06e0c2b8227c7e85f5c58dfb339731d0 (patch) | |
tree | 87e6adc4798757791b2782935ad5f06132283456 /cups/http.c | |
parent | d784ca2f837b6c221d97ec0850b7020d13db75a5 (diff) | |
download | cups-2c030c7a06e0c2b8227c7e85f5c58dfb339731d0.tar.gz |
Multiple security/disclosure issues:
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows (rdar://51685251)
- Fixed IPP buffer overflow (rdar://50035411)
- Fixed memory disclosure issue in the scheduler (rdar://51373853)
- Fixed DoS issues in the scheduler (rdar://51373929)
Diffstat (limited to 'cups/http.c')
-rw-r--r-- | cups/http.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/cups/http.c b/cups/http.c index 266a15791..fbb1bf13c 100644 --- a/cups/http.c +++ b/cups/http.c @@ -1860,7 +1860,7 @@ httpPrintf(http_t *http, /* I - HTTP connection */ ...) /* I - Additional args as needed */ { ssize_t bytes; /* Number of bytes to write */ - char buf[16384]; /* Buffer for formatted string */ + char buf[65536]; /* Buffer for formatted string */ va_list ap; /* Variable argument pointer */ @@ -1872,7 +1872,12 @@ httpPrintf(http_t *http, /* I - HTTP connection */ DEBUG_printf(("3httpPrintf: (" CUPS_LLFMT " bytes) %s", CUPS_LLCAST bytes, buf)); - if (http->data_encoding == HTTP_ENCODING_FIELDS) + if (bytes > (ssize_t)(sizeof(buf) - 1)) + { + http->error = ENOMEM; + return (-1); + } + else if (http->data_encoding == HTTP_ENCODING_FIELDS) return ((int)httpWrite2(http, buf, (size_t)bytes)); else { |