SEGV ppd-emit.c:905:22 in ppdEmitString() #849

@Drawishe

Description

Describe the bug
I have found SIGSEGV crashes with the cups upstream version (79c602c), using the unit test testppd.c as a fuzzing harness.
Here is the test.ppd file, which causes SEGV:
testppd.tar.gz

This problem arises due to the lack of a check of the size structure for a NULL value in ppdEmitString(). In that case the function ppdPageSize() returns NULL, which is stored in the structure pointer size; then the element length of the size structure is accessed, which causes the SEGV.

    size = ppdPageSize(ppd, "Custom");

    values[pos] = size->width;

To Reproduce
Steps to reproduce the behavior:

  1. move the given test.ppd file into the cups/ directory
  2. build the project with clang-13 and ASAN

        export CC=clang-13
        export CXX=clang++-13
        export CFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
        export CXXFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
        export LDFLAGS="-g -fsanitize=address"
        ./configure --enable-static --disable-shared
        make

  3. build the testppd target

        cd cups
        make testppd

  4. run testppd

        ./testppd
AddressSanitizer:DEADLYSIGNAL
=================================================================
==510142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x561e581ec51f bp 0x7ffcb1f1d3b0 sp 0x7ffcb1f1cb20 T0)
==510142==The signal is caused by a READ memory access.
==510142==Hint: address points to the zero page.
    #0 0x561e581ec51f in ppdEmitString /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22
    #1 0x561e58114a8c in main /home/as/cups-oss/cups-opensource/cups/testppd.c:441:14
    #2 0x7fb9ea8461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fb9ea846284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #4 0x561e58065080 in _start (/home/as/cups-oss/cups-opensource/cups/testppd+0xbb080)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22 in ppdEmitString
==510142==ABORTING

Expected behaviour
Test case doesn't crash.

System Information:

  • OS and its version: debian, 12
  • CUPS version: upstream (79c602c)
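The failure pattern in the report (a lookup that can legitimately return NULL, followed by an unconditional dereference) is easier to reason about in isolation. The following is an added example and is not CUPS code: the `page_size_t`, `ppd_model_t`, `find_page_size`, `emit_custom_unchecked` and `emit_custom_checked` names and the sample size tables are all constructed here to model the shape of the bug, not the real `ppd_size_t` or `ppdPageSize()`. It shows the two functions agreeing when a "Custom" entry exists and only the checked variant surviving when it does not.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PPD page-size record (not CUPS's ppd_size_t). */
typedef struct {
    const char *name;
    double      width;
    double      length;
} page_size_t;

/* Constructed stand-in for a parsed PPD: a fixed table of sizes. */
typedef struct {
    const page_size_t *sizes;
    int                num_sizes;
} ppd_model_t;

/* Constructed sample tables (not taken from any real PPD file). */
static const page_size_t sizes_with_custom[] = {
    { "Letter", 612.0, 792.0 },
    { "Custom", 100.0, 200.0 },
};
static const ppd_model_t ppd_with_custom = { sizes_with_custom, 2 };

static const page_size_t sizes_without_custom[] = {
    { "Letter", 612.0, 792.0 },
};
static const ppd_model_t ppd_without_custom = { sizes_without_custom, 1 };

/* Look up a page size by name. Returns NULL when the PPD has no such entry,
 * which is the behaviour the report describes for ppdPageSize(). */
static const page_size_t *find_page_size(const ppd_model_t *ppd, const char *name)
{
    for (int i = 0; i < ppd->num_sizes; i++)
        if (strcmp(ppd->sizes[i].name, name) == 0)
            return &ppd->sizes[i];
    return NULL;
}

/* Vulnerable shape: the lookup result is used without a NULL check.
 * On a PPD lacking "Custom" this reads through a NULL pointer (the zero page,
 * as in the ASAN report). Only call it on a table that contains "Custom". */
static int emit_custom_unchecked(const ppd_model_t *ppd, double values[2])
{
    const page_size_t *size = find_page_size(ppd, "Custom");

    values[0] = size->width;   /* dereferenced unconditionally */
    values[1] = size->length;
    return 0;
}

/* Hardened shape: fail closed when the lookup misses, so the caller can
 * skip emitting the option instead of the process dying. */
static int emit_custom_checked(const ppd_model_t *ppd, double values[2])
{
    const page_size_t *size = find_page_size(ppd, "Custom");

    if (size == NULL) {
        values[0] = values[1] = 0.0;
        return -1;             /* no Custom size: nothing to emit */
    }
    values[0] = size->width;
    values[1] = size->length;
    return 0;
}

int main(void)
{
    double v[2];

    if (emit_custom_checked(&ppd_with_custom, v) == 0)
        printf("with Custom:    width=%.1f length=%.1f\n", v[0], v[1]);
    if (emit_custom_checked(&ppd_without_custom, v) != 0)
        printf("without Custom: lookup missed, option skipped\n");
    return 0;
}
```

The checked variant is the fix shape a reviewer would ask for at the reported site: treat a NULL from the size lookup as "this option cannot be emitted for this PPD" rather than as a pointer that is safe to use.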
