From dca3df73fbbbf67c8858a1f0eb7287595c20ada7 Mon Sep 17 00:00:00 2001
From: Aizal Khan
Date: Thu, 25 Jun 2026 22:45:13 +0530
Subject: [PATCH] bound the nul terminator in cups_collection_string

The serialiser advances bufptr past bufend to report the length needed, so the final *bufptr = '\0' could terminate out of bounds once a collection overflows the buffer. Clamp it the way ippAttributeString already does, and keep the bufsize==0 sub-collection call safe.
---
 cups/dest-options.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cups/dest-options.c b/cups/dest-options.c
index 892b59578..cc17dce7e 100644
--- a/cups/dest-options.c
+++ b/cups/dest-options.c
@@ -2161,7 +2161,11 @@ cups_collection_string(
     bufptr ++;
   }
-  *bufptr = '\0';
+  if (bufptr < bufend)
+    *bufptr = '\0';
+  else if (bufsize > 0)
+    *bufend = '\0';
+
   return ((size_t)(bufptr - buffer + 1));
 }
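Review bot: The new clamp is only as safe as the definition of `bufend`, which is set earlier in cups_collection_string outside this hunk; the `else if (bufsize > 0)` branch writes `*bufend`, so this is correct only if `bufend` is `buffer + bufsize - 1` (inside the buffer) rather than `buffer + bufsize` (one past it), and the hunk gives no way to confirm which it is. A short comment would pin that dependency for the next reader, e.g. `/* bufptr may have run past bufend while measuring; bufend is the last writable byte (buffer + bufsize - 1) */` above the `if`. It is also worth stating in the same comment that with bufsize == 0 nothing is terminated at all and the return value is then purely the required length, since that is the contract the commit message relies on for the sub-collection call. The function's body starts before this hunk and the return value's pointer arithmetic against `buffer` is unchanged by the commit.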