diff -up cups-1.3.7/cgi-bin/var.c.CVE-2010-1748 cups-1.3.7/cgi-bin/var.c
--- cups-1.3.7/cgi-bin/var.c.CVE-2010-1748 2010-05-13 17:17:29.324218144 +0100
+++ cups-1.3.7/cgi-bin/var.c 2010-05-13 17:18:05.660219246 +0100
@@ -1103,6 +1103,9 @@ cgi_initialize_string(const char *data)
 * Read the hex code...
 */
 
+ if (!isxdigit(data[1] & 255) || !isxdigit(data[2] & 255))
+ return (0);
+
 if (s < (value + sizeof(value) - 1))
 {
 data ++;
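Review bot: The added guard ahead of `if (s < (value + sizeof(value) - 1))` carries no comment, yet its safety depends on operand order: `data[2]` is read only after `data[1]` has passed `isxdigit()`, so, assuming `data` is NUL-terminated, a `%` at the very end of the string never reads past the terminator. I would record that beside the check, e.g. `/* Reject '%' not followed by two hex digits; || short-circuits, so data[2] is read only when data[1] is not NUL */`, so a later edit does not reorder the operands. The existing "Read the hex code..." comment now sits above validation rather than decoding and could be reworded to cover both. The decode that follows and the meaning of `return (0)` lie outside the hunk, so it is worth confirming that callers treat 0 as a parse failure and that `<ctype.h>` is in scope for `isxdigit`.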