Potentially missing a NULL value check in _cupsConvertOptions

[gabe-sherman]

Hello, I was recently implementing the cups library in my code and I came across a unique situation. I came across a seg fault that occurs when calling _cupsConvertOptions. The root cause of this crash occurs through passing a null pointer as the media_col_sup parameter. Later, when this line of code is executed:

for (i = 0; i < media_col_sup->num_values; i ++)

a seg fault occurs. I attributed this to user error since _cupsConvertOptions is an internal function, but I traced through other call sites of this function to see how media_col_sup is structured. Long story short, there is a possibility for a null pointer to propagate to the _cupsConvertOptions function call beginning with the main method of backend/ipp.c.

In the main method of backend/ipp.c at line 886, the variable media_col_sup is set to NULL. It is then set to the return value of ippFindAttribute (line 1147), which still has the potential to be NULL. This value is then passed into the new_request function (lines 1480 and 1601), and finally into _cupsConvertOptions (line 2875).

I apologize if this is still user error or I have misunderstood an aspect of the API, but it seems like a check of the media_col_sup variable should be done before it's properties are accessed. Thanks.

[zdohnal]

Hi,

IMO theoretically the crash could happen in IPP backend if the destination does not have media-col-supported attribute, which current IPP printers usually have, but it wouldn't harm to protect the code if it does not.

[gabe-sherman]

Thanks for your response, that's the approach I was thinking as well. Although it's an edge case, adding that check to prevent crashing would be useful :)