summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSolomon Peachy <pizza@shaftnet.org>2019-03-22 08:37:43 -0400
committerSolomon Peachy <pizza@shaftnet.org>2019-03-22 08:37:43 -0400
commitfef356b87720b033e9445e674b22ec204f4388d1 (patch)
treef3fdd1727212d146bc0dc1db120e7de3d74c942d
parentdb06592776d4bd3cb95b10bd0a8fc844b62f72e2 (diff)
downloadselphy_print-fef356b87720b033e9445e674b22ec204f4388d1.tar.gz
selphy_print-fef356b87720b033e9445e674b22ec204f4388d1.tar.bz2
selphy_print-fef356b87720b033e9445e674b22ec204f4388d1.zip
sony: Try to prevent malformed jobs from overflowing our buffer.
-rw-r--r--backend_sonyupdr150.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/backend_sonyupdr150.c b/backend_sonyupdr150.c
index 7650b3f..fa8e113 100644
--- a/backend_sonyupdr150.c
+++ b/backend_sonyupdr150.c
@@ -293,6 +293,13 @@ static int updr150_read_parse(void *vctx, const void **vjob, int data_fd, int co
if (keep)
job->datalen += sizeof(uint32_t);
+ /* Make sure we're not too large */
+ if (job->datalen + len > MAX_PRINTJOB_LEN) {
+ ERROR("Buffer overflow when parsing printjob! (%d+%d)\n",
+ job->datalen, len);
+ return CUPS_BACKEND_CANCEL;
+ }
+
/* Read in the data chunk */
while(len > 0) {
i = read(data_fd, job->databuf + job->datalen, len);