33 lines
907 B
Diff
33 lines
907 B
Diff
# http://www.cups.org/str.php?L3978
|
|
|
|
--- a/backend/usb-libusb.c
|
|
+++ b/backend/usb-libusb.c
|
|
@@ -430,15 +430,26 @@
|
|
* Check to see if the length is larger than our buffer; first
|
|
* assume that the vendor incorrectly implemented the 1284 spec,
|
|
* and then limit the length to the size of our buffer...
|
|
+ * Consider a length < 14 as too short, as the minimum valid device
|
|
+ * ID ("MFG:x;MDL:y;") is 12 bytes long and so we have at least 14
|
|
+ * bytes with the two length bytes...
|
|
+ * Especially the length in the memmove() call cannot get negative then,
|
|
+ * causing the backend to segfault.
|
|
*/
|
|
|
|
- if (length > bufsize)
|
|
+ if ((length > bufsize) || (length < 14))
|
|
length = (((unsigned)buffer[1] & 255) << 8) +
|
|
((unsigned)buffer[0] & 255);
|
|
|
|
if (length > bufsize)
|
|
length = bufsize;
|
|
|
|
+ if (length < 14)
|
|
+ {
|
|
+ *buffer = '\0';
|
|
+ return (-1);
|
|
+ }
|
|
+
|
|
length -= 2;
|
|
|
|
/*
|