From 24c99e01c9f76adad4a59e60ef52ccfc48a44ffb Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 11:19:33 +0100
Subject: [PATCH 1/7] ppd-test.c: Fix potential buffer overflow during sscanf

Other parts of the code uses bigger array for the same use case, fix the issue by matching the array size to max possible length read by sscanf().
---
 ppd/ppd-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ppd/ppd-test.c b/ppd/ppd-test.c
index 4a99698f..e151d6d2 100644
--- a/ppd/ppd-test.c
+++ b/ppd/ppd-test.c
@@ -3059,7 +3059,7 @@ check_filters(ppd_file_t *ppd, // I - PPD file
 type[256], // Type for filter
 dstsuper[16], // Destination super-type for filter
 dsttype[256], // Destination type for filter
- program[128], // Program/filter name
+ program[1024], // Program/filter name
 pathprog[1024]; // Complete path to program/filter
 int cost; // Cost of filter
 const char *prefix; // WARN/FAIL prefix

From 40273044295695424ca003ff1230f912308c1f19 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 12:11:17 +0100
Subject: [PATCH 2/7] ppd-collection.cxx: memcmp() compares behind buffer for OLDGNU tar

---
 ppd/ppd-collection.cxx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ppd/ppd-collection.cxx b/ppd/ppd-collection.cxx
index d9f7119c..519ddb09 100644
--- a/ppd/ppd-collection.cxx
+++ b/ppd/ppd-collection.cxx
@@ -67,7 +67,7 @@ typedef union // **** TAR record format ****
 chksum[8], // Octal checksum value
 linkflag, // File type
 linkname[100], // Source path for link
- magic[6], // Magic string
+ magic[8], // Magic string
 version[2], // Format version
 uname[32], // User name
 gname[32], // Group name

From a8475f8213385da6927d664608897ee8c6b26703 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 12:21:32 +0100
Subject: [PATCH 3/7] ppd-collection.cxx: Inodes can uninitialized

---
 ppd/ppd-collection.cxx | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
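Review bot: program[1024] is correct only while it matches the field width in the sscanf() format that fills it, and that call is outside the hunk, so nothing on the declaration ties the two together and the next edit of either side can reintroduce the overflow. Record the coupling where the array is declared, `program[1024], // Program/filter name; size must match the sscanf() width below`, or define the length once and use it both in the array size and in the format string. check_filters() starts before the hunk and continues after it.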
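Review bot: Growing magic[] from 6 to 8 bytes while keeping version[2] after it moves version, uname, gname and every later member two bytes further into the record than the tar format places them, so if this struct is overlaid on the raw 512-byte header (which the enclosing union suggests) any of those fields that is read elsewhere now comes from the wrong offset; the memcmp() call and the rest of the union are outside the hunk. In ustar the 6-byte magic and the 2-byte version are adjacent, and the OLDGNU variant simply spans both with "ustar  " followed by NUL, so the layout-preserving fix is to fold the two fields into one: `magic[8], // Magic + version: "ustar", NUL, "00" (POSIX) or "ustar  ", NUL (OLDGNU)` and delete `version[2], // Format version`, adjusting any code that reads version on its own. The typedef starts before the hunk and continues after it.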
diff --git a/ppd/ppd-collection.cxx b/ppd/ppd-collection.cxx
index 519ddb09..a383e7aa 100644
--- a/ppd/ppd-collection.cxx
+++ b/ppd/ppd-collection.cxx
@@ -232,6 +232,7 @@ ppdCollectionListPPDs(
 ppdlist.PPDsByMakeModel = cupsArrayNew((cups_array_cb_t)compare_ppds, NULL, NULL, 0, NULL, NULL);
 ppdlist.ChangedPPD = 0;
+ ppdlist.Inodes = NULL;
 //
@@ -1273,11 +1274,14 @@ free_ppdlist(ppd_list_t *ppdlist) // I - PPD list to free
 ppd_info_t *ppd; // Pointer to PPD info
- for (dinfoptr = (struct stat *)cupsArrayGetFirst(ppdlist->Inodes);
- dinfoptr;
- dinfoptr = (struct stat *)cupsArrayGetNext(ppdlist->Inodes))
- free(dinfoptr);
- cupsArrayDelete(ppdlist->Inodes);
+ if (ppdlist->Inodes)
+ {
+ for (dinfoptr = (struct stat *)cupsArrayGetFirst(ppdlist->Inodes);
+ dinfoptr;
+ dinfoptr = (struct stat *)cupsArrayGetNext(ppdlist->Inodes))
+ free(dinfoptr);
+ cupsArrayDelete(ppdlist->Inodes);
+ }
 for (ppd = (ppd_info_t *)cupsArrayGetFirst(ppdlist->PPDsByName);
 ppd;

From a2f6d746dbd1763b4f53326735f54df002a1afa2 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 12:48:16 +0100
Subject: [PATCH 4/7] rastertops.c: Fix possible memory leak

---
 ppd/rastertops.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ppd/rastertops.c b/ppd/rastertops.c
index e1cda804..dc8bac7d 100644
--- a/ppd/rastertops.c
+++ b/ppd/rastertops.c
@@ -524,7 +524,12 @@ ppdFilterRasterToPS(int inputfd, // I - File descriptor input stream
 {
 if (log) log(ld, CF_LOGLEVEL_DEBUG, "ppdFilterRasterToPS: Input is empty, outputting empty file.");
+ cupsRasterClose(ras);
+ cupsFileClose(inputfp);
+ fclose(outputfp);
+ close(outputfd);
+ return (0);
 }

From 28ea26adac0e711d6bf2bcbcdb3b41491e149985 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 13:47:40 +0100
Subject: [PATCH 5/7] ppd-cache: Protect allocated memory from overwrite

---
 ppd/ppd-cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ppd/ppd-cache.c b/ppd/ppd-cache.c
index 818f5b09..75ad4fad 100644
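Review bot: The new guard in free_ppdlist() leaves ppdlist->Inodes pointing at the deleted array, so the NULL test only covers a list that was never populated, and a second free_ppdlist() on the same ppd_list_t would still walk freed memory; add `ppdlist->Inodes = NULL;` after `cupsArrayDelete(ppdlist->Inodes);` inside the new block so the function is idempotent, which is what the guard suggests it is meant to be. Whether the guard is needed at all depends on cupsArrayGetFirst() and cupsArrayDelete() accepting a NULL array, which this diff does not show; if they do, the one-line initialisation in ppdCollectionListPPDs() in the first hunk is the whole fix. free_ppdlist() continues after the hunk.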
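Review bot: If outputfp was obtained from fdopen(outputfd) — its creation is outside the hunk — the new `fclose(outputfp);` already closes the descriptor and the following `close(outputfd);` acts on a number the function no longer owns: a harmless EBADF in a single-threaded filter, but the close of an unrelated descriptor if another thread has reused that number in between. Either drop the close() or state the ownership next to the pair, `// outputfp does not wrap outputfd, so both must be closed`, whichever is true; the same fclose()/close() pair is added in both hunks of ppd/imagetops-pstops.c (PATCH 6/7). ppdFilterRasterToPS() starts before the hunk and continues after it.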
--- a/ppd/ppd-cache.c
+++ b/ppd/ppd-cache.c
@@ -752,7 +752,7 @@ ppdCacheCreateWithFile(
 cupsArrayAdd(pc->prefilters, value);
 }
- else if (!_ppd_strcasecmp(line, "Product"))
+ else if (!pc->product && !_ppd_strcasecmp(line, "Product"))
 {
 pc->product = strdup(value);
 }

From 0dfd9b3786e533e3df18a6597196ca829ad2db90 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 13:51:36 +0100
Subject: [PATCH 6/7] pstops: Fix possible memory leaks

---
 ppd/imagetops-pstops.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ppd/imagetops-pstops.c b/ppd/imagetops-pstops.c
index 42ff51d3..a1b2fccf 100644
--- a/ppd/imagetops-pstops.c
+++ b/ppd/imagetops-pstops.c
@@ -1178,6 +1178,9 @@ ppdFilterImageToPS(int inputfd, // I - File descriptor input
 if (log) log(ld, CF_LOGLEVEL_ERROR, "ppdFilterImageToPS: The print file could not be opened - %s", strerror(errno));
+ cfImageClose(img);
+ fclose(doc.outputfp);
+ close(outputfd);
 return (1);
 }
@@ -1589,6 +1592,8 @@ ppdFilterImageToPS(int inputfd, // I - File descriptor input
 log(ld, CF_LOGLEVEL_ERROR, "ppdFilterImageToPS: Could not allocate memory.");
 cfImageClose(img);
+ fclose(doc.outputfp);
+ close(outputfd);
 return (2);
 }

From 01176eee8fb25015224f16877a00e78649928235 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Fri, 20 Dec 2024 11:51:28 +0100
Subject: [PATCH 7/7] ppd-ipp.c: Use correct number of items to prevent buffer overflow

The array members are strings, so we can get correct number of times by dividing the array size by char* size.

debug.c: Protect against possible format string attack

ppd-collection.cxx: Use intmax_t for printing time_t var
---
 ppd/debug.c | 2 +-
 ppd/ppd-collection.cxx | 4 ++--
 ppd/ppd-ipp.c | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ppd/debug.c b/ppd/debug.c
index c002952e..992409bb 100644
--- a/ppd/debug.c
+++ b/ppd/debug.c
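Review bot: The added `!pc->product` test turns a repeated Product line from last-wins-with-a-leak into first-wins-silently, a behaviour change the commit message does not mention; if the last value is what the cache writer and its readers expect, the minimal leak fix keeps the original condition and releases the old string first: `free(pc->product);` followed by `pc->product = strdup(value);`. Whichever is chosen, a second Product line means a malformed cache file, and a debug log line at that point would make it visible instead of silently dropped. The strdup() result is still unchecked, though that line is unchanged context. ppdCacheCreateWithFile() starts before the hunk and continues after it.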
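Review bot: Both hunks hand-copy the cfImageClose()/fclose()/close() sequence into individual error exits of ppdFilterImageToPS(), and the second exit already had cfImageClose(img) before this commit, which suggests other early returns between lines 1178 and 1592 may still leave doc.outputfp or outputfd open. A single cleanup label reached by `goto` from every failure path, with the three closes and the stored status in one place, would make the ownership of img, doc.outputfp and outputfd obvious and keep the next early return from leaking again. The function starts before and continues after both hunks.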
@@ -257,7 +257,7 @@ _ppd_debug_set(const char *logfile, // I - Log file or NULL
 {
 char buffer[1024]; // Filename buffer
- snprintf(buffer, sizeof(buffer), logfile, getpid());
+ snprintf(buffer, sizeof(buffer), "%s-%d", logfile, (int)getpid());
 if (buffer[0] == '+')
 _ppd_debug_fd = open(buffer + 1, O_WRONLY | O_APPEND | O_CREAT, 0644);
diff --git a/ppd/ppd-collection.cxx b/ppd/ppd-collection.cxx
index a383e7aa..74854111 100644
--- a/ppd/ppd-collection.cxx
+++ b/ppd/ppd-collection.cxx
@@ -848,9 +848,9 @@ ppdCollectionDumpCache(const char *filename, // I - Filename
 for (ppd = (ppd_info_t *)cupsArrayGetFirst(ppdlist.PPDsByName);
 ppd;
 ppd = (ppd_info_t *)cupsArrayGetNext(ppdlist.PPDsByName))
- printf("%d,%ld,%d,%d,\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\","
+ printf("%jd,%ld,%d,%d,\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\",\"%s\","
 "\"%s\",\"%s\"\n",
- (int)ppd->record.mtime, (long)ppd->record.size,
+ (intmax_t)ppd->record.mtime, (long)ppd->record.size,
 ppd->record.model_number, ppd->record.type, ppd->record.filename, ppd->record.name, ppd->record.languages[0], ppd->record.products[0], ppd->record.psversions[0], ppd->record.make,
diff --git a/ppd/ppd-ipp.c b/ppd/ppd-ipp.c
index 05a58dc2..b272c9fa 100644
--- a/ppd/ppd-ipp.c
+++ b/ppd/ppd-ipp.c
@@ -1321,7 +1321,8 @@ ppdLoadAttributes(
 (ppd_option = ppdFindOption(ppd, "print-rendering-intent")) != NULL) && ppd_option->num_choices > 0)
 {
- for (i = 0; i < ppd_option->num_choices && i < sizeof(items); i ++)
+ num_items = sizeof(items)/sizeof(char*);
+ for (i = 0; i < ppd_option->num_choices && i < num_items; i ++)
 items[i] = ppd_option->choices[i].choice;
 ippAddStrings(attrs, IPP_TAG_PRINTER, IPP_TAG_KEYWORD, "print-rendering-intent-supported", i, NULL, items);
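Review bot: The replacement format `"%s-%d"` removes the format-string hazard but also changes every log file name: a caller passing a plain path now gets a `-<pid>` suffix it never asked for, and a caller that relied on a `%d` in logfile to place the PID (the removed line passed getpid() as the format argument, so that was evidently the intent) now gets the literal `%d` plus the suffix. If the contract is "logfile may contain one %d for the PID", substitute the token explicitly (locate the `%d` with strstr() and snprintf() prefix, PID and suffix into buffer); if the PID feature is being dropped, `snprintf(buffer, sizeof(buffer), "%s", logfile);` keeps existing names unchanged, and in both cases the following `+` prefix test still works on buffer. A truncating snprintf() is still not reported, though that is pre-existing. _ppd_debug_set() starts before the hunk and continues after it.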
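Review bot: `%jd` with `(intmax_t)` is the right treatment for mtime, but the neighbouring `(long)ppd->record.size` with `%ld` on the same line has the same problem if record.size is an off_t (64-bit under large-file support on 32-bit targets, where long is 32-bit) — the cast silently truncates; `%jd` with `(intmax_t)ppd->record.size` would make the two fields consistent. intmax_t needs <stdint.h> (or <inttypes.h>), and the hunk does not show whether the file includes either. ppdCollectionDumpCache() starts before the hunk and continues after it.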
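Review bot: The bound is now correct but the truncation is still silent: when ppd_option->num_choices exceeds the capacity of items, the extra choices are dropped and print-rendering-intent-supported is published incomplete without any log line, and `i < num_items` presumably compares an int loop counter with a size_t (the declarations of i, num_items and items are outside the hunk), which -Wsign-compare will flag. Prefer the element-type-independent form `num_items = sizeof(items) / sizeof(items[0]);` and, when `num_choices > num_items`, emit a warning-level log line if a log callback is available in ppdLoadAttributes(), so the dropped choices are visible. ppdLoadAttributes() starts before the hunk and continues after it.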