From 1668f3bdc68101d44d0d18c85ba3e6572b517ff4 Mon Sep 17 00:00:00 2001 From: Stephan Zeisberg Date: Fri, 10 Apr 2020 17:14:34 +0200 Subject: =?UTF-8?q?CVE-2020-3898=20-=20heap-buffer-overflow=20in=20libcups?= =?UTF-8?q?=E2=80=99s=20ppdFindOption()=20function=20in=20ppd-mark.c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cups/ppd.c | 3 +-- ppdc/ppdc-source.cxx | 14 ++++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/cups/ppd.c b/cups/ppd.c index b823d17b4..8d3eb8a3b 100644 --- a/cups/ppd.c +++ b/cups/ppd.c @@ -1705,8 +1705,7 @@ _ppdOpen( constraint->choice1, constraint->option2, constraint->choice2)) { - case 0 : /* Error */ - case 1 : /* Error */ + default : /* Error */ pg->ppd_status = PPD_BAD_UI_CONSTRAINTS; goto error; diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx index 5add81002..383f0183d 100644 --- a/ppdc/ppdc-source.cxx +++ b/ppdc/ppdc-source.cxx @@ -1746,15 +1746,17 @@ ppdcSource::get_resolution(ppdcFile *fp)// I - File to read switch (sscanf(name, "%dx%d", &xdpi, &ydpi)) { - case 0 : - _cupsLangPrintf(stderr, - _("ppdc: Bad resolution name \"%s\" on line %d of " - "%s."), name, fp->line, fp->filename); - break; case 1 : ydpi = xdpi; break; - } + case 2 : + break; + default : + _cupsLangPrintf(stderr, + _("ppdc: Bad resolution name \"%s\" on line %d of " + "%s."), name, fp->line, fp->filename); + break; +} // Create the necessary PS commands... snprintf(command, sizeof(command), -- cgit v1.2.3 From f1b7b7e074291c85366a60f7a197dea19e62c9cf Mon Sep 17 00:00:00 2001 From: Didier Raboud Date: Sat, 25 Apr 2020 16:02:12 +0200 Subject: CVE-2019-8842: The `ippReadIO` function may under-read an extension field --- cups/ipp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cups/ipp.c b/cups/ipp.c index 98b499716..4ebb1da9c 100644 --- a/cups/ipp.c +++ b/cups/ipp.c 
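Review bot: The new `default :` label in the `_ppdOpen` constraint switch keeps the bare `/* Error */` comment, so it no longer says which return values it is meant to reject. The old `case 0`/`case 1` pair let any other value skip the `PPD_BAD_UI_CONSTRAINTS` exit; for a scanf-family call that would include a negative EOF return, though the switch expression starts above the hunk, so this is inferred. I would say so on the label, e.g. `default : /* Error: too few fields matched, or EOF */`. If the remaining `case` labels follow below the hunk, placing `default` after them would make it read as the catch-all. The rest of the switch lies outside the hunk.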
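Review bot: The `default` branch added to the `sscanf(name, "%dx%d", ...)` switch in `ppdcSource::get_resolution` only prints the "Bad resolution name" message and then `break`s, so control still reaches the `snprintf(command, sizeof(command), ...)` after the switch with `xdpi`/`ydpi` that `sscanf` did not write. Their declaration and any initialisation are above the hunk, so whether they hold defined values on this path cannot be confirmed from here. Either leave the function on the error path, or state the reliance next to the branch, e.g. `// 0 or EOF: xdpi/ydpi keep the values assigned before the switch`. Separately, the switch's closing brace appears to have moved to column 0 (`+}` replacing `- }`), which looks unintentional. The function body starts and ends outside the hunk.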
@@ -2960,7 +2960,7 @@ ippReadIO(void *src, /* I - Data source */ * Read 32-bit "extension" tag... */ - if ((*cb)(src, buffer, 4) < 1) + if ((*cb)(src, buffer, 4) < 4) { DEBUG_puts("1ippReadIO: Callback returned EOF/error"); _cupsBufferRelease((char *)buffer); -- cgit v1.2.3
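Review bot: The tightened check `(*cb)(src, buffer, 4) < 4` in `ippReadIO` now also rejects a 1–3 byte return, but the comment above it and the `DEBUG_puts` text still describe only "EOF/error", so a short read will be logged as something it is not. I would record the intent at the check, e.g. `/* A short read leaves part of the 4-byte tag unread in buffer; treat it as an error. */`. This assumes the callback is expected to deliver the full count or fail; if partial returns are legitimate for some data sources, the read would need to loop instead, which should be confirmed against the callback's contract. `ippReadIO` continues outside the hunk, and any other fixed-size reads there that still compare against `1` deserve the same look.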