Protect against deep collection values.

michaelrsweet · michaelrsweet · commit b2200a8bed02 · 2026-04-13T12:46:23.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,6 +1,12 @@
 Changes in libcups
 ==================
 
+v3.0.2 - YYYY-MM-DD
+-------------------
+
+- Fixed a recursion issue with encoding of nested collections.
+
+
 v3.0.1 - 2026-04-09
 -------------------
 
diff --git a/cups/cups-private.h b/cups/cups-private.h
@@ -1,7 +1,7 @@
 //
 // Private definitions for CUPS.
 //
-// Copyright © 2021-2025 by OpenPrinting.
+// Copyright © 2021-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -40,6 +40,13 @@ typedef int mode_t;			// Windows doesn't support mode_t type @private@
 #  define _(x) x
 
 
+//
+// Constants...
+//
+
+#  define _CUPS_MAX_OPTION_DEPTH 4	// Maximum depth of nested options/collections
+
+
 //
 // Types...
 //
@@ -241,7 +248,7 @@ extern void		_cupsBufferRelease(char *b) _CUPS_PRIVATE;
 extern http_t		*_cupsConnect(void) _CUPS_PRIVATE;
 extern char		*_cupsCreateDest(const char *name, const char *info, const char *device_id, const char *device_uri, char *uri, size_t urisize) _CUPS_PRIVATE;
 extern bool		_cupsDirCreate(const char *path, mode_t mode) _CUPS_PRIVATE;
-extern ipp_attribute_t	*_cupsEncodeOption(ipp_t *ipp, ipp_tag_t group_tag, _ipp_option_t *map, const char *name, const char *value) _CUPS_PRIVATE;
+extern ipp_attribute_t	*_cupsEncodeOption(ipp_t *ipp, ipp_tag_t group_tag, _ipp_option_t *map, const char *name, const char *value, int depth) _CUPS_PRIVATE;
 extern const char	*_cupsGetDestResource(cups_dest_t *dest, unsigned flags, char *resource, size_t resourcesize) _CUPS_PRIVATE;
 extern size_t		_cupsGetDests(http_t *http, ipp_op_t op, const char *name, cups_dest_t **dests, cups_ptype_t type, cups_ptype_t mask) _CUPS_PRIVATE;
 extern const char	*_cupsGetPassword(const char *prompt) _CUPS_PRIVATE;
diff --git a/cups/dest-options.c b/cups/dest-options.c
@@ -1,7 +1,7 @@
 //
 // Destination option/media support for CUPS.
 //
-// Copyright © 2021-2024 by OpenPrinting.
+// Copyright © 2021-2026 by OpenPrinting.
 // Copyright © 2012-2019 by Apple Inc.
 //
 // Licensed under Apache License v2.0.  See the file "LICENSE" for more
@@ -2338,7 +2338,7 @@ cups_test_constraints(
 
         case IPP_TAG_BEGIN_COLLECTION :
             col = ippNew();
-            _cupsEncodeOption(col, IPP_TAG_ZERO, NULL, ippGetName(attr), value);
+            _cupsEncodeOption(col, IPP_TAG_ZERO, NULL, ippGetName(attr), value, /*depth*/0);
 
             for (i = 0, count = ippGetCount(attr); i < count; i ++)
             {
diff --git a/cups/encode.c b/cups/encode.c
@@ -1,7 +1,7 @@
 //
 // Option encoding routines for CUPS.
 //
-// Copyright © 2021-2025 by OpenPrinting.
+// Copyright © 2021-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products.
 //
@@ -278,6 +278,7 @@ static const _ipp_option_t ipp_options[] =
 //
 
 static int	compare_ipp_options(_ipp_option_t *a, _ipp_option_t *b);
+static void	encode_options(ipp_t *ipp, size_t num_options, cups_option_t *options, ipp_tag_t group_tag, int depth);
 
 
 //
@@ -290,7 +291,8 @@ _cupsEncodeOption(
     ipp_tag_t     group_tag,		// I - Group tag
     _ipp_option_t *map,			// I - Option mapping, if any
     const char    *name,		// I - Attribute name
-    const char    *value)		// I - Value
+    const char    *value,		// I - Value
+    int           depth)		// I - Depth of values
 {
   size_t		i,		// Looping var
 			count;		// Number of values
@@ -498,6 +500,16 @@ _cupsEncodeOption(
 
       case IPP_TAG_BEGIN_COLLECTION :
 	  // Collection value
+	  if (depth >= _CUPS_MAX_OPTION_DEPTH)
+	  {
+	    // Don't allow "infinite" recursion of collection values...
+	    if (copy)
+	      free(copy);
+
+	    ippDeleteAttribute(ipp, attr);
+	    return (NULL);
+	  }
+
 	  num_cols = cupsParseOptions(val, /*end*/NULL, 0, &cols);
 	  if ((collection = ippNew()) == NULL)
 	  {
@@ -510,8 +522,9 @@ _cupsEncodeOption(
 	  }
 
 	  ippSetCollection(ipp, &attr, i, collection);
-	  cupsEncodeOptions(collection, num_cols, cols, IPP_TAG_JOB);
+	  encode_options(collection, num_cols, cols, IPP_TAG_JOB, depth + 1);
 	  cupsFreeOptions(num_cols, cols);
+	  ippDelete(collection);
 	  break;
 
       default :
@@ -538,7 +551,7 @@ cupsEncodeOption(ipp_t      *ipp,	// I - IPP request/response
                  const char *name,	// I - Option name
                  const char *value)	// I - Option string value
 {
-  return (_cupsEncodeOption(ipp, group_tag, _ippFindOption(name), name, value));
+  return (_cupsEncodeOption(ipp, group_tag, _ippFindOption(name), name, value, /*depth*/0));
 }
 
 
@@ -556,11 +569,8 @@ cupsEncodeOptions(
     cups_option_t *options,		// I - Options
     ipp_tag_t     group_tag)		// I - Group to encode
 {
-  size_t			i;		// Looping var
   char			*val;		// Pointer to option value
-  cups_option_t		*option;	// Current option
   ipp_op_t		op;		// Operation for this request
-  const ipp_op_t	*ops;		// List of allowed operations
 
 
   DEBUG_printf("cupsEncodeOptions(ipp=%p(%s), num_options=%u, options=%p, group_tag=%x)", (void *)ipp, ipp ? ippOpString(ippGetOperation(ipp)) : "", (unsigned)num_options, (void *)options, group_tag);
@@ -583,12 +593,91 @@ cupsEncodeOptions(
       ippAddString(ipp, IPP_TAG_OPERATION, IPP_TAG_MIMETYPE, "document-format", NULL, "application/octet-stream");
   }
 
-  // Then loop through the options...
+  // Then encode the options...
+  encode_options(ipp, num_options, options, group_tag, /*depth*/0);
+}
+
+
+#ifdef DEBUG
+//
+// '_ippCheckOptions()' - Validate that the option array is sorted properly.
+//
+
+const char *				// O - First out-of-order option or NULL
+_ippCheckOptions(void)
+{
+  int	i;				// Looping var
+
+
+  for (i = 0; i < (int)(sizeof(ipp_options) / sizeof(ipp_options[0]) - 1); i ++)
+    if (strcmp(ipp_options[i].name, ipp_options[i + 1].name) >= 0)
+      return (ipp_options[i + 1].name);
+
+  return (NULL);
+}
+#endif // DEBUG
+
+
+//
+// '_ippFindOption()' - Find the attribute information for an option.
+//
+
+_ipp_option_t *				// O - Attribute information
+_ippFindOption(const char *name)	// I - Option/attribute name
+{
+  _ipp_option_t	key;			// Search key
+
+
+  // Lookup the proper value and group tags for this option...
+  key.name = name;
+
+  return ((_ipp_option_t *)bsearch(&key, ipp_options,
+                                   sizeof(ipp_options) / sizeof(ipp_options[0]),
+				   sizeof(ipp_options[0]),
+				   (int (*)(const void *, const void *))
+				       compare_ipp_options));
+}
+
+
+//
+// 'compare_ipp_options()' - Compare two IPP options.
+//
+
+static int				// O - Result of comparison
+compare_ipp_options(_ipp_option_t *a,	// I - First option
+                    _ipp_option_t *b)	// I - Second option
+{
+  return (strcmp(a->name, b->name));
+}
+
+
+/*
+ * 'encode_options()' - Encode options to the specified depth.
+ */
+
+void
+encode_options(
+    ipp_t         *ipp,			/* I - IPP request/response */
+    size_t        num_options,		/* I - Number of options */
+    cups_option_t *options,		/* I - Options */
+    ipp_tag_t     group_tag,		/* I - Group to encode */
+    int           depth)		/* I - Depth of options/collections */
+{
+  size_t		i;		/* Looping var */
+  cups_option_t		*option;	/* Current option */
+  ipp_op_t		op = ippGetOperation(ipp);
+					/* Operation for this request */
+  const ipp_op_t	*ops;		/* List of allowed operations */
+
+
+  DEBUG_printf("4encode_options(ipp=%p(%s), num_options=%u, options=%p, group_tag=%x, depth=%d)", (void *)ipp, ipp ? ippOpString(ippGetOperation(ipp)) : "", (unsigned)num_options, (void *)options, group_tag, depth);
+
+  // Loop through the options...
   for (i = num_options, option = options; i > 0; i --, option ++)
   {
-    _ipp_option_t	*match;		// Matching attribute
+    _ipp_option_t	*match;		/* Matching attribute */
 
-    // Skip document format options that are handled above...
+    // Skip document format options that are handled in cupsEncodeOptions2...
     if (!_cups_strcasecmp(option->name, "raw") || !_cups_strcasecmp(option->name, "document-format") || !option->name[0])
       continue;
 
@@ -599,48 +688,38 @@ cupsEncodeOptions(
         continue;
 
       if (match->operations)
-      {
         ops = match->operations;
-      }
       else if (group_tag == IPP_TAG_JOB)
-      {
         ops = ipp_job_creation;
-      }
       else if (group_tag == IPP_TAG_DOCUMENT)
-      {
         ops = ipp_doc_creation;
-      }
       else if (group_tag == IPP_TAG_SUBSCRIPTION)
-      {
         ops = ipp_sub_creation;
-      }
       else if (group_tag == IPP_TAG_PRINTER)
-      {
         ops = ipp_set_printer;
-      }
       else
       {
-	DEBUG_printf("2cupsEncodeOptions: Skipping \"%s\".", option->name);
+	DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
         continue;
       }
     }
     else
     {
-      int	namelen;		// Length of name
+      int	namelen;		/* Length of name */
 
       namelen = (int)strlen(option->name);
 
       if (namelen < 10 || (strcmp(option->name + namelen - 8, "-default") && strcmp(option->name + namelen - 10, "-supported")))
       {
 	if (group_tag != IPP_TAG_JOB && group_tag != IPP_TAG_DOCUMENT)
 	{
-	  DEBUG_printf("2cupsEncodeOptions: Skipping \"%s\".", option->name);
+	  DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
           continue;
         }
       }
       else if (group_tag != IPP_TAG_PRINTER)
       {
-	DEBUG_printf("2cupsEncodeOptions: Skipping \"%s\".", option->name);
+	DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
         continue;
       }
 
@@ -663,63 +742,10 @@ cupsEncodeOptions(
 
     if (*ops == IPP_OP_CUPS_NONE && op != IPP_OP_CUPS_NONE)
     {
-      DEBUG_printf("2cupsEncodeOptions: Skipping \"%s\".", option->name);
+      DEBUG_printf("5encode_options: Skipping \"%s\".", option->name);
       continue;
     }
 
-    _cupsEncodeOption(ipp, group_tag, match, option->name, option->value);
+    _cupsEncodeOption(ipp, group_tag, match, option->name, option->value, depth);
   }
 }
-
-
-#ifdef DEBUG
-//
-// '_ippCheckOptions()' - Validate that the option array is sorted properly.
-//
-
-const char *				// O - First out-of-order option or NULL
-_ippCheckOptions(void)
-{
-  int	i;				// Looping var
-
-
-  for (i = 0; i < (int)(sizeof(ipp_options) / sizeof(ipp_options[0]) - 1); i ++)
-    if (strcmp(ipp_options[i].name, ipp_options[i + 1].name) >= 0)
-      return (ipp_options[i + 1].name);
-
-  return (NULL);
-}
-#endif // DEBUG
-
-
-//
-// '_ippFindOption()' - Find the attribute information for an option.
-//
-
-_ipp_option_t *				// O - Attribute information
-_ippFindOption(const char *name)	// I - Option/attribute name
-{
-  _ipp_option_t	key;			// Search key
-
-
-  // Lookup the proper value and group tags for this option...
-  key.name = name;
-
-  return ((_ipp_option_t *)bsearch(&key, ipp_options,
-                                   sizeof(ipp_options) / sizeof(ipp_options[0]),
-				   sizeof(ipp_options[0]),
-				   (int (*)(const void *, const void *))
-				       compare_ipp_options));
-}
-
-
-//
-// 'compare_ipp_options()' - Compare two IPP options.
-//
-
-static int				// O - Result of comparison
-compare_ipp_options(_ipp_option_t *a,	// I - First option
-                    _ipp_option_t *b)	// I - Second option
-{
-  return (strcmp(a->name, b->name));
-}
