libcups: Fix handling of extension tag in ipp_read_io()

zdohnal · zdohnal · commit e58cba9d6fce · 2025-09-11T14:53:49.000+02:00
Fixes: CVE-2025-58364
diff --git a/cups/ipp.c b/cups/ipp.c
@@ -6045,31 +6045,6 @@ ipp_read_io(void       *src,		/* I - Data source */
 	  */
 
           tag = (ipp_tag_t)buffer[0];
-          if (tag == IPP_TAG_EXTENSION)
-          {
-           /*
-            * Read 32-bit "extension" tag...
-            */
-
-	    if ((*cb)(src, buffer, 4) < 4)
-	    {
-	      DEBUG_puts("1ipp_read_io: Callback returned EOF/error");
-	      goto rollback;
-	    }
-
-	    tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
-
-            if (tag & IPP_TAG_CUPS_CONST)
-            {
-             /*
-              * Fail if the high bit is set in the tag...
-              */
-
-	      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
-	      DEBUG_printf(("1ipp_read_io: bad tag 0x%x.", tag));
-	      goto rollback;
-            }
-          }
 
 	  if (tag == IPP_TAG_END)
 	  {
@@ -6292,6 +6267,7 @@ ipp_read_io(void       *src,		/* I - Data source */
 
 	    if ((*cb)(src, buffer, (size_t)n) < n)
 	    {
+             _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
 	      DEBUG_puts("1ipp_read_io: unable to read name.");
 	      goto rollback;
 	    }
