Index: notifier/dbus.c =================================================================== --- notifier/dbus.c (revision 10154) +++ notifier/dbus.c (working copy) @@ -3,7 +3,7 @@ * * D-Bus notifier for CUPS. * - * Copyright 2008-2010 by Apple Inc. + * Copyright 2008-2011 by Apple Inc. * Copyright (C) 2011 Red Hat, Inc. * Copyright (C) 2007 Tim Waugh * Copyright 1997-2005 by Easy Software Products. @@ -220,6 +220,8 @@ const char *signame = NULL;/* DBUS signal name */ char *printer_reasons = NULL; /* Printer reasons string */ + char *job_reasons = NULL; + /* Job reasons string */ const char *nul = ""; /* Empty string value */ int no = 0; /* Boolean "no" value */ int params = PARAMS_NONE; @@ -363,7 +365,8 @@ attr = ippFindAttribute(msg, "notify-text", IPP_TAG_TEXT); if (!attr) goto bail; - dbus_message_iter_append_string(&iter, &(attr->values[0].string.text)); + if (!dbus_message_iter_append_string(&iter, &(attr->values[0].string.text))) + goto bail; if (params >= PARAMS_PRINTER) { @@ -375,7 +378,11 @@ /* STRING printer-uri or "" */ attr = ippFindAttribute(msg, "notify-printer-uri", IPP_TAG_URI); if (attr) - dbus_message_iter_append_string(&iter, &(attr->values[0].string.text)); + { + if (!dbus_message_iter_append_string(&iter, + &(attr->values[0].string.text))) + goto bail; + } else { have_printer_params = 0; @@ -387,8 +394,11 @@ { attr = ippFindAttribute(msg, "printer-name", IPP_TAG_NAME); if (attr) - dbus_message_iter_append_string(&iter, - &(attr->values[0].string.text)); + { + if (!dbus_message_iter_append_string(&iter, + &(attr->values[0].string.text))) + goto bail; + } else goto bail; } @@ -429,7 +439,8 @@ strcpy(p, attr->values[i].string.text); p += strlen(p); } - dbus_message_iter_append_string(&iter, &printer_reasons); + if (!dbus_message_iter_append_string(&iter, &printer_reasons)) + goto bail; } else goto bail; @@ -467,14 +478,37 @@ /* STRING job-state-reasons */ attr = ippFindAttribute(msg, "job-state-reasons", IPP_TAG_KEYWORD); - if (!attr) + if (attr) + { + for (reasons_length = 0, i = 0; i < attr->num_values; i++) + /* All need commas except the last, which needs a nul byte. */ + reasons_length += 1 + strlen(attr->values[i].string.text); + job_reasons = malloc(reasons_length); + if (!job_reasons) + goto bail; + p = job_reasons; + for (i = 0; i < attr->num_values; i++) + { + if (i) + *p++ = ','; + + strcpy(p, attr->values[i].string.text); + p += strlen(p); + } + if (!dbus_message_iter_append_string(&iter, &job_reasons)) + goto bail; + } + else goto bail; - dbus_message_iter_append_string(&iter, &(attr->values[0].string.text)); /* STRING job-name or "" */ attr = ippFindAttribute(msg, "job-name", IPP_TAG_NAME); if (attr) - dbus_message_iter_append_string(&iter, &(attr->values[0].string.text)); + { + if (!dbus_message_iter_append_string(&iter, + &(attr->values[0].string.text))) + goto bail; + } else dbus_message_iter_append_string(&iter, &nul); @@ -495,10 +529,14 @@ bail: + dbus_message_unref(message); + if (printer_reasons) free(printer_reasons); - dbus_message_unref(message); + if (job_reasons) + free(job_reasons); + ippDelete(msg); } Index: CHANGES.txt =================================================================== --- CHANGES.txt (revision 10154) +++ CHANGES.txt (working copy) @@ -1,10 +1,11 @@ -CHANGES.txt - 2011-11-06 +CHANGES.txt - 2011-12-16 ------------------------ CHANGES IN CUPS V1.5.1 - Documentation updates (STR #3885, STR #3946, STR #3969) - Build fixes (STR #3956) + - The DBUS notifier did not validate string parameters (STR #3984) - Group quota ACLs did not work with Kerberos (STR #3972) - The IPP backend did not retry when a printer responded with client-error-not-possible (STR #3963)