Fix heap buffer overflow in ipp.candroid-9.0.0_r50android-9.0.0_r49android-9.0.0_r48

Bug: 110899492
Test: PoC from bug
Test: Printed on a real printer
Change-Id: I9b7388c75c7a4f13dcd8ba3b2d60b87b057bb216
(cherry picked from commit b58481780c9e85fc71c990f90f0dcdbdcee8fc00)

1 files changed, 2 insertions, 7 deletions

diff --git a/cups/ipp.c b/cups/ipp.c
index 772b2f0a..fd8988fd 100644
--- a/cups/ipp.c
+++ b/cups/ipp.c
@@ -4628,9 +4628,7 @@ ippSetValueTag(
         break;
 
     case IPP_TAG_NAME :
-        if (temp_tag != IPP_TAG_KEYWORD && temp_tag != IPP_TAG_URI &&
-            temp_tag != IPP_TAG_URISCHEME && temp_tag != IPP_TAG_LANGUAGE &&
-            temp_tag != IPP_TAG_MIMETYPE)
+        if (temp_tag != IPP_TAG_KEYWORD)
           return (0);
 
         (*attr)->value_tag = (ipp_tag_t)(IPP_TAG_NAME | ((*attr)->value_tag & IPP_TAG_CUPS_CONST));
@@ -4638,10 +4636,7 @@ ippSetValueTag(
 
     case IPP_TAG_NAMELANG :
     case IPP_TAG_TEXTLANG :
-        if (value_tag == IPP_TAG_NAMELANG &&
-            (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD &&
-             temp_tag != IPP_TAG_URI && temp_tag != IPP_TAG_URISCHEME &&
-             temp_tag != IPP_TAG_LANGUAGE && temp_tag != IPP_TAG_MIMETYPE))
+        if (value_tag == IPP_TAG_NAMELANG && (temp_tag != IPP_TAG_NAME && temp_tag != IPP_TAG_KEYWORD))
           return (0);
 
         if (value_tag == IPP_TAG_TEXTLANG && temp_tag != IPP_TAG_TEXT)