From df09e5bff91658d173218df26186a5d8000a5943 Mon Sep 17 00:00:00 2001
From: Aizal Khan
Date: Thu, 2 Jul 2026 16:16:17 +0530
Subject: [PATCH] bound DER element walk in cupsSignCredentialsRequest

---
 cups/tls-openssl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
index 191dff3c7..cf196ee00 100644
--- a/cups/tls-openssl.c
+++ b/cups/tls-openssl.c
@@ -1240,7 +1240,7 @@ cupsSignCredentialsRequest(

 for (purpose = 0, j = 4; j < datalen; j += data[j + 1] + 2)
 {
- if (data[j] != 0x06 || data[j + 1] != 8 || memcmp(data + j + 2, "+\006\001\005\005\007\003", 7))
+ if ((j + 2) > datalen || (j + 2 + data[j + 1]) > datalen || data[j] != 0x06 || data[j + 1] != 8 || memcmp(data + j + 2, "+\006\001\005\005\007\003", 7))
 {
 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad keyUsage extension in X.509 certificate request."), 1);
 goto done;
@@ -1331,8 +1331,12 @@ cupsSignCredentialsRequest(
 }

 // Parse the SAN values (there should be an easier/standard OpenSSL API to do this!)
- for (j = 4, datalen -= 2; j < datalen; j += data[j + 1] + 2)
+ for (j = 4; j < datalen; j += data[j + 1] + 2)
 {
+ // Stop if the element header or value runs past the extension data...
+ if ((j + 2) > datalen || (j + 2 + data[j + 1]) > datalen)
+ break;
+
 if (data[j] == 0x82 && data[j + 1])
 {
 // GENERAL_STRING for DNS
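Review bot: The rewritten `if` in the keyUsage loop (first hunk) packs two bounds tests and three content tests into one long, uncommented condition, and its safety depends on evaluation order: the `data[j + 1]` reads are only in bounds because `(j + 2) > datalen` short-circuits first. I would put the bounds terms in their own `if` above the content test, as the SAN loop in the second hunk does, with a comment such as `// Reject an element whose header or value runs past the extension data...`, so a later edit cannot reorder the terms unnoticed. The declarations of `j` and `datalen` are outside the hunk; confirm they have the same signedness so the `>` comparisons involve no mixed-sign conversion. The loop body continues past the end of the hunk.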
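Review bot: The new bounds check in the SAN loop (second hunk) leaves the walk with `break`, so a request whose subjectAltName data is truncated or carries an overlong element length appears to be signed with whatever names were parsed before the bad element, while the keyUsage loop in the first hunk rejects the same condition through `_cupsSetError()` and `goto done`. For a signing path I would fail closed here as well, replacing `break;` with `_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad subjectAltName extension in X.509 certificate request."), 1);` followed by `goto done;` (the message text is only a suggestion). The loop also still reads `data[j + 1]` as a short-form length, so a length byte of 0x80 or above is presumably misread rather than rejected; confirm whether long-form DER lengths can reach this code. The rest of the loop body and the later use of the parsed names are outside the hunk.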