From b58481780c9e85fc71c990f90f0dcdbdcee8fc00 Mon Sep 17 00:00:00 2001
From: Bryan Ferris
Date: Thu, 20 Jun 2019 14:12:54 -0700
Subject: Fix heap buffer overflow in ipp.c
Bug: 110899492
Test: PoC from bug
Test: Printed on a real printer
Change-Id: I9b7388c75c7a4f13dcd8ba3b2d60b87b057bb216
---
 cups/ipp.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/cups/ipp.c b/cups/ipp.c
index 817c9d5f..650d33d0 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4607,9 +4607,7 @@ ippSetValueTag(
 break;
 case IPP_TAG_NAME :
- if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
- temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
- temp_tag != IPP_TAG_MIMETYPE)
+ if (temp_tag != IPP_TAG_KEYWORD)
 return (0);
 (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
@@ -4617,10 +4615,7 @@ ippSetValueTag(
 case IPP_TAG_NAMELANG :
 case IPP_TAG_TEXTLANG :
- if (value_tag == IPP_TAG_NAMELANG &&
- (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
- temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
- temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
+ if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
 return (0);
 if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)
-- 
cgit v1.2.3
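Review bot: The narrowed guard under `case IPP_TAG_NAME` has no comment saying why only keyword values may be re-tagged as name, and the commit message names the heap overflow without saying which conversion triggered it. A one-line comment above the check, for example `/* Only keyword values may be converted to name (Bug: 110899492) */`, would make it harder for a later change to re-widen the list; the same applies to the NAMELANG guard in the second hunk. Because `return (0)` is reached before the `value_tag` assignment, URI, URISCHEME, LANGUAGE and MIMETYPE sources now leave the attribute's tag unchanged, so any caller that ignores the return value would presumably carry on with the old tag and the call sites are worth checking. The diffstat shows only cups/ipp.c changed, so the PoC listed under Test: is not captured as a regression test in this commit. The case body continues outside the hunk.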
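Review bot: The new NAMELANG guard in the second hunk is a single line of roughly 100 columns with a redundant inner pair of parentheses, whereas the lines it replaces wrapped near 80 columns. Consider writing it as `if (value_tag == IPP_TAG_NAMELANG &&` followed by `temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD)`, which keeps the accepted source tags easy to audit next to the TEXTLANG guard below it. The case body continues past the end of the hunk.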