commit b58481780c9e85fc71c990f90f0dcdbdcee8fc00
author Bryan Ferris <bferris@google.com> Thu Jun 20 14:12:54 2019 -0700
committer Bryan Ferris <bferris@google.com> Fri Jun 21 17:20:50 2019 +0000
tree 7620755268e3685206640358e7270c17e39ac4ec
parent 1fa6c247571d74dfd48aeb585c950ff095d115cd

Fix heap buffer overflow in ipp.c

Bug: 110899492
Test: PoC from bug
Test: Printed on a real printer
Change-Id: I9b7388c75c7a4f13dcd8ba3b2d60b87b057bb216

cups/ipp.c

diff --git a/cups/ipp.c b/cups/ipp.c
index 817c9d5..650d33d 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4607,9 +4607,7 @@
         break;
 
     case IPP_TAG_NAME :
-        if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
-            temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
-            temp_tag != IPP_TAG_MIMETYPE)
+        if (temp_tag != IPP_TAG_KEYWORD)
           return (0);
 
         (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
@@ -4617,10 +4615,7 @@
 
     case IPP_TAG_NAMELANG :
     case IPP_TAG_TEXTLANG :
-        if (value_tag == IPP_TAG_NAMELANG &&
-            (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
-             temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
-             temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
+        if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
           return (0);
 
         if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)