Fix parsing bug in cgiCheckVariables.

michaelrsweet · michaelrsweet · commit c3037eaba40d · 2026-04-05T11:00:41.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -34,6 +34,7 @@ Changes in CUPS v2.4.17 (YYYY-MM-DD)
 - Fixed a bug in the IPP backend when SNMP was disabled.
 - Fixed a crash bug in the rastertoepson filter.
 - Fixed the range check for job password strings.
+- Fixed a bug in cgiCheckVariables.
 
 
 Changes in CUPS v2.4.16 (2025-12-04)
diff --git a/cgi-bin/var.c b/cgi-bin/var.c
@@ -1,7 +1,7 @@
 /*
  * CGI form variable and array functions for CUPS.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2019 by Apple Inc.
  * Copyright © 1997-2005 by Easy Software Products.
  *
@@ -95,8 +95,11 @@ cgiCheckVariables(const char *names)	/* I - Variables to look for */
     while (*names == ' ' || *names == ',')
       names ++;
 
-    for (s = name; *names != '\0' && *names != ' ' && *names != ','; s ++, names ++)
-      *s = *names;
+    for (s = name; *names != '\0' && *names != ' ' && *names != ','; names ++)
+    {
+      if (s < (name + sizeof(name) - 1))
+        *s++ = *names;
+    }
 
     *s = 0;
     if (name[0] == '\0')
@@ -633,7 +636,7 @@ cgi_add_variable(const char *name,	/* I - Variable name */
 
     if ((var->values = calloc((size_t)element + 1, sizeof(char *))) == NULL)
     {
-      /* 
+      /*
        * Rollback changes
        */
 
