diff options
Diffstat (limited to 'cups/snmp.c')
-rw-r--r-- | cups/snmp.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/cups/snmp.c b/cups/snmp.c index 5cefee454..1d9da01f2 100644 --- a/cups/snmp.c +++ b/cups/snmp.c @@ -1233,6 +1233,9 @@ asn1_get_integer( int value; /* Integer value */ + if (*buffer >= bufend) + return (0); + if (length > sizeof(int)) { (*buffer) += length; @@ -1259,6 +1262,9 @@ asn1_get_length(unsigned char **buffer, /* IO - Pointer in buffer */ unsigned length; /* Length */ + if (*buffer >= bufend) + return (0); + length = **buffer; (*buffer) ++; @@ -1301,6 +1307,9 @@ asn1_get_oid( int number; /* OID number */ + if (*buffer >= bufend) + return (0); + valend = *buffer + length; oidptr = oid; oidend = oid + oidsize - 1; @@ -1349,9 +1358,12 @@ asn1_get_packed( int value; /* Value */ + if (*buffer >= bufend) + return (0); + value = 0; - while ((**buffer & 128) && *buffer < bufend) + while (*buffer < bufend && (**buffer & 128)) { value = (value << 7) | (**buffer & 127); (*buffer) ++; @@ -1379,6 +1391,9 @@ asn1_get_string( char *string, /* I - String buffer */ size_t strsize) /* I - String buffer size */ { + if (*buffer >= bufend) + return (NULL); + if (length > (unsigned)(bufend - *buffer)) length = (unsigned)(bufend - *buffer); @@ -1421,6 +1436,9 @@ asn1_get_type(unsigned char **buffer, /* IO - Pointer in buffer */ int type; /* Type */ + if (*buffer >= bufend) + return (0); + type = **buffer; (*buffer) ++; |