magicard: Prevent buffer overflow from malformed buffer headers.

Solomon Peachy 2018-09-25 20:28:49 -04:00
parent efc76299af
commit 641f08a901
1 changed files with 13 additions and 3 deletions


@ -553,7 +553,8 @@ static void downscale_and_extract(int gamma, uint32_t pixels,
}
}
#define MAX_PRINTJOB_LEN (1016*672*4) + 1024 /* 1016*672 * 4color */
#define MAX_HEADERS_LEN 2048
#define MAX_PRINTJOB_LEN (1016*672*4) + MAX_HEADERS_LEN /* 1016*672 * 4color */
#define INITIAL_BUF_LEN 1024
static int magicard_read_parse(void *vctx, const void **vjob, int data_fd, int copies) {
struct magicard_ctx *ctx = vctx;
@ -630,7 +631,10 @@ static int magicard_read_parse(void *vctx, const void **vjob, int data_fd, int c
char *ptr;
ptr = strtok((char*)initial_buf + ++buf_offset, ",\x1c");
while (ptr && *ptr != 0x1c) {
while (ptr
&& ((ptr - (char*)initial_buf) < INITIAL_BUF_LEN)
&& ((ptr - (char*)initial_buf) + strnlen(ptr, INITIAL_BUF_LEN) < INITIAL_BUF_LEN)
&& *ptr != 0x1c) {
if (!strcmp("X-GP-8", ptr)) {
x_gp_8bpp = 1;
} else if (!strncmp("TDT", ptr, 3)) {
@ -656,6 +660,12 @@ static int magicard_read_parse(void *vctx, const void **vjob, int data_fd, int c
len_k = atoi(ptr + 3);
}
} else {
/* Safety valve */
if (strlen(ptr) + job->datalen > MAX_HEADERS_LEN) {
ERROR("headers too long, bogus job!\n");
return CUPS_BACKEND_CANCEL;
}
/* Everything else goes in */
job->datalen += sprintf((char*)job->databuf + job->datalen, ",%s", ptr);
}
@ -946,7 +956,7 @@ static const char *magicard_prefixes[] = {
struct dyesub_backend magicard_backend = {
.name = "Magicard family",
.version = "0.15",
.version = "0.16",
.uri_prefixes = magicard_prefixes,
.cmdline_arg = magicard_cmdline_arg,
.cmdline_usage = magicard_cmdline,
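Review bot: In the third hunk (the `Safety valve` in the final `else` branch), the length test undercounts what the following `sprintf` writes: `",%s"` emits `strlen(ptr) + 1` bytes plus a terminating NUL, so a job that passes the check can still write up to two bytes beyond `MAX_HEADERS_LEN`. Counting those bytes, `if (job->datalen + strlen(ptr) + 2 > MAX_HEADERS_LEN)`, or switching to `snprintf` bounded by the remaining header budget and checking its return value, would close the gap; whether the overshoot can run past `job->databuf` depends on its allocation, which is outside the hunks shown. In the second hunk, `strnlen(ptr, INITIAL_BUF_LEN)` may itself scan past the end of `initial_buf` when `ptr` is near the end, so the bound should be the remaining length, `strnlen(ptr, INITIAL_BUF_LEN - (ptr - (char*)initial_buf))`. That check also runs only after `strtok` has already scanned the buffer, so it appears to rely on `initial_buf` being NUL-terminated, which is not visible here. `magicard_read_parse` starts and ends outside these hunks.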