Protect against deep collection values (Issue #1539)

Author: michaelrsweet

cups/cups-private.h

@@ -1,7 +1,7 @@
 //
 // Private definitions for CUPS.
 //
-// Copyright © 2020-2025 by OpenPrinting.
+// Copyright © 2020-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -32,6 +32,13 @@ typedef int mode_t;			// Windows doesn't support mode_t type @private@
 #  include <regex.h>
 
 
+//
+// Constants...
+//
+
+#  define _CUPS_MAX_OPTION_DEPTH 4	// Maximum depth of nested options/collections
+
+
 //
 // Types...
 //
@@ -268,7 +275,7 @@ extern void		_cupsBufferRelease(char *b) _CUPS_PRIVATE;
 extern http_t		*_cupsConnect(void) _CUPS_PRIVATE;
 extern char		*_cupsCreateDest(const char *name, const char *info, const char *device_id, const char *device_uri, char *uri, size_t urisize) _CUPS_PRIVATE;
 extern bool		_cupsDirCreate(const char *path, mode_t mode) _CUPS_PRIVATE;
-extern ipp_attribute_t	*_cupsEncodeOption(ipp_t *ipp, ipp_tag_t group_tag, _ipp_option_t *map, const char *name, const char *value) _CUPS_PRIVATE;
+extern ipp_attribute_t	*_cupsEncodeOption(ipp_t *ipp, ipp_tag_t group_tag, _ipp_option_t *map, const char *name, const char *value, int depth) _CUPS_PRIVATE;
 extern int		_cupsGet1284Values(const char *device_id, cups_option_t **values) _CUPS_PRIVATE;
 extern const char	*_cupsGetDestResource(cups_dest_t *dest, unsigned flags, char *resource, size_t resourcesize) _CUPS_PRIVATE;
 extern int		_cupsGetDests(http_t *http, ipp_op_t op, const char *name, cups_dest_t **dests, cups_ptype_t type, cups_ptype_t mask) _CUPS_PRIVATE;

cups/dest-options.c

@@ -1,7 +1,7 @@
 /*
  * Destination option/media support for CUPS.
  *
- * Copyright © 2020-2025 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2012-2019 by Apple Inc.
  *
  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
@@ -3202,7 +3202,7 @@ cups_test_constraints(
 
         case IPP_TAG_BEGIN_COLLECTION :
             col = ippNew();
-            _cupsEncodeOption(col, IPP_TAG_ZERO, NULL, ippGetName(attr), value);
+            _cupsEncodeOption(col, IPP_TAG_ZERO, NULL, ippGetName(attr), value, /*depth*/0);
 
             for (i = 0, count = ippGetCount(attr); i < count; i ++)
             {

cups/encode.c

@@ -376,6 +376,7 @@ static const _ipp_option_t ipp_options[] =
  */
 
 static int	compare_ipp_options(_ipp_option_t *a, _ipp_option_t *b);
+static void	encode_options(ipp_t *ipp, int num_options, cups_option_t *options, ipp_tag_t group_tag, int depth);
 
 
 /*
@@ -388,7 +389,8 @@ _cupsEncodeOption(
     ipp_tag_t     group_tag,		/* I - Group tag */
     _ipp_option_t *map,			/* I - Option mapping, if any */
     const char    *name,		/* I - Attribute name */
-    const char    *value)		/* I - Value */
+    const char    *value,		/* I - Value */
+    int           depth)		/* I - Depth of values */
 {
   int			i,		/* Looping var */
 			count;		/* Number of values */
@@ -659,6 +661,19 @@ _cupsEncodeOption(
 	  * Collection value
 	  */
 
+          if (depth >= _CUPS_MAX_OPTION_DEPTH)
+          {
+           /*
+            * Don't allow "infinite" recursion of collection values...
+            */
+
+	    if (copy)
+	      free(copy);
+
+	    ippDeleteAttribute(ipp, attr);
+	    return (NULL);
+          }
+
 	  num_cols = cupsParseOptions(val, 0, &cols);
 	  if ((collection = ippNew()) == NULL)
 	  {
@@ -672,7 +687,7 @@ _cupsEncodeOption(
 	  }
 
 	  ippSetCollection(ipp, &attr, i, collection);
-	  cupsEncodeOptions2(collection, num_cols, cols, IPP_TAG_JOB);
+	  encode_options(collection, num_cols, cols, IPP_TAG_JOB, depth + 1);
 	  cupsFreeOptions(num_cols, cols);
 	  ippDelete(collection);
 	  break;
@@ -701,7 +716,7 @@ cupsEncodeOption(ipp_t      *ipp,	/* I - IPP request/response */
                  const char *name,	/* I - Option name */
                  const char *value)	/* I - Option string value */
 {
-  return (_cupsEncodeOption(ipp, group_tag, _ippFindOption(name), name, value));
+  return (_cupsEncodeOption(ipp, group_tag, _ippFindOption(name), name, value, /*depth*/0));
 }
 
 
@@ -747,11 +762,8 @@ cupsEncodeOptions2(
     cups_option_t *options,		/* I - Options */
     ipp_tag_t     group_tag)		/* I - Group to encode */
 {
-  int			i;		/* Looping var */
   char			*val;		/* Pointer to option value */
-  cups_option_t		*option;	/* Current option */
   ipp_op_t		op;		/* Operation for this request */
-  const ipp_op_t	*ops;		/* List of allowed operations */
 
 
   DEBUG_printf("cupsEncodeOptions2(ipp=%p(%s), num_options=%d, options=%p, group_tag=%x)", (void *)ipp, ipp ? ippOpString(ippGetOperation(ipp)) : "", num_options, (void *)options, group_tag);
@@ -784,15 +796,100 @@ cupsEncodeOptions2(
   }
 
  /*
-  * Then loop through the options...
+  * Then encode the options...
+  */
+
+  encode_options(ipp, num_options, options, group_tag, /*depth*/0);
+}
+
+
+#ifdef DEBUG
+/*
+ * '_ippCheckOptions()' - Validate that the option array is sorted properly.
+ */
+
+const char *				/* O - First out-of-order option or NULL */
+_ippCheckOptions(void)
+{
+  int	i;				/* Looping var */
+
+
+  for (i = 0; i < (int)(sizeof(ipp_options) / sizeof(ipp_options[0]) - 1); i ++)
+    if (strcmp(ipp_options[i].name, ipp_options[i + 1].name) >= 0)
+      return (ipp_options[i + 1].name);
+
+  return (NULL);
+}
+#endif /* DEBUG */
+
+
+/*
+ * '_ippFindOption()' - Find the attribute information for an option.
+ */
+
+_ipp_option_t *				/* O - Attribute information */
+_ippFindOption(const char *name)	/* I - Option/attribute name */
+{
+  _ipp_option_t	key;			/* Search key */
+
+
+ /*
+  * Lookup the proper value and group tags for this option...
+  */
+
+  key.name = name;
+
+  return ((_ipp_option_t *)bsearch(&key, ipp_options,
+                                   sizeof(ipp_options) / sizeof(ipp_options[0]),
+				   sizeof(ipp_options[0]),
+				   (int (*)(const void *, const void *))
+				       compare_ipp_options));
+}
+
+
+/*
+ * 'compare_ipp_options()' - Compare two IPP options.
+ */
+
+static int				/* O - Result of comparison */
+compare_ipp_options(_ipp_option_t *a,	/* I - First option */
+                    _ipp_option_t *b)	/* I - Second option */
+{
+  return (strcmp(a->name, b->name));
+}
+
+
+/*
+ * 'encode_options()' - Encode options to the specified depth.
+ */
+
+void
+encode_options(
+    ipp_t         *ipp,			/* I - IPP request/response */
+    int           num_options,		/* I - Number of options */
+    cups_option_t *options,		/* I - Options */
+    ipp_tag_t     group_tag,		/* I - Group to encode */
+    int           depth)		/* I - Depth of options/collections */
+{
+  int			i;		/* Looping var */
+  cups_option_t		*option;	/* Current option */
+  ipp_op_t		op = ippGetOperation(ipp);
+					/* Operation for this request */
+  const ipp_op_t	*ops;		/* List of allowed operations */
+
+
+  DEBUG_printf("4encode_options(ipp=%p(%s), num_options=%d, options=%p, group_tag=%x, depth=%d)", (void *)ipp, ipp ? ippOpString(ippGetOperation(ipp)) : "", num_options, (void *)options, group_tag, depth);
+
+ /*
+  * Loop through the options...
   */
 
   for (i = num_options, option = options; i > 0; i --, option ++)
   {
     _ipp_option_t	*match;		/* Matching attribute */
 
    /*
-    * Skip document format options that are handled above...
+    * Skip document format options that are handled in cupsEncodeOptions2...
     */
 
     if (!_cups_strcasecmp(option->name, "raw") || !_cups_strcasecmp(option->name, "document-format") || !option->name[0])
@@ -819,7 +916,7 @@ cupsEncodeOptions2(
         ops = ipp_set_printer;
       else
       {
-	DEBUG_printf("2cupsEncodeOptions2: Skipping \"%s\".", option->name);
+	DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
         continue;
       }
     }
@@ -833,13 +930,13 @@ cupsEncodeOptions2(
       {
 	if (group_tag != IPP_TAG_JOB && group_tag != IPP_TAG_DOCUMENT)
 	{
-	  DEBUG_printf("2cupsEncodeOptions2: Skipping \"%s\".", option->name);
+	  DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
           continue;
         }
       }
       else if (group_tag != IPP_TAG_PRINTER)
       {
-	DEBUG_printf("2cupsEncodeOptions2: Skipping \"%s\".", option->name);
+	DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
         continue;
       }
 
@@ -863,66 +960,10 @@ cupsEncodeOptions2(
 
     if (*ops == IPP_OP_CUPS_NONE && op != IPP_OP_CUPS_NONE)
     {
-      DEBUG_printf("2cupsEncodeOptions2: Skipping \"%s\".", option->name);
+      DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
       continue;
     }
 
-    _cupsEncodeOption(ipp, group_tag, match, option->name, option->value);
+    _cupsEncodeOption(ipp, group_tag, match, option->name, option->value, depth);
   }
 }
-
-
-#ifdef DEBUG
-/*
- * '_ippCheckOptions()' - Validate that the option array is sorted properly.
- */
-
-const char *				/* O - First out-of-order option or NULL */
-_ippCheckOptions(void)
-{
-  int	i;				/* Looping var */
-
-
-  for (i = 0; i < (int)(sizeof(ipp_options) / sizeof(ipp_options[0]) - 1); i ++)
-    if (strcmp(ipp_options[i].name, ipp_options[i + 1].name) >= 0)
-      return (ipp_options[i + 1].name);
-
-  return (NULL);
-}
-#endif /* DEBUG */
-
-
-/*
- * '_ippFindOption()' - Find the attribute information for an option.
- */
-
-_ipp_option_t *				/* O - Attribute information */
-_ippFindOption(const char *name)	/* I - Option/attribute name */
-{
-  _ipp_option_t	key;			/* Search key */
-
-
- /*
-  * Lookup the proper value and group tags for this option...
-  */
-
-  key.name = name;
-
-  return ((_ipp_option_t *)bsearch(&key, ipp_options,
-                                   sizeof(ipp_options) / sizeof(ipp_options[0]),
-				   sizeof(ipp_options[0]),
-				   (int (*)(const void *, const void *))
-				       compare_ipp_options));
-}
-
-
-/*
- * 'compare_ipp_options()' - Compare two IPP options.
- */
-
-static int				/* O - Result of comparison */
-compare_ipp_options(_ipp_option_t *a,	/* I - First option */
-                    _ipp_option_t *b)	/* I - Second option */
-{
-  return (strcmp(a->name, b->name));
-}