Buffer overflow in cupsRasterReadPixels #4551
Comments
|
CUPS.org User: mike Um, the proposed patch isn't correct. The repeat count refers to the number of pixels when bitsPerPixel >= 8 vs. the number of bytes. Will investigate further, but since compression isn't used between filters and since we use sandboxing whenever possible, it is unlikely that this will be exploitable (thus priority 2). |
|
CUPS.org User: mike Fix is attached; the cause is that cupsBytesPerLine is not evenly divisible by cupsBitsPerColor/Pixel, which causes count (which is unsigned) to wrap around and extra memcpy's to be performed. |
|
CUPS.org User: pdewacht Looks ok, I can confirm that that patch fixes the buffer overflow. But can you add a (r->bpp > 0) condition before that modulo operator? Right now there's nothing that guarantees that r->bpp is non-zero. |
|
CUPS.org User: odyx Mike: What's your take on Peter's question on r->bpp guarantee to be non-zero? I'm discussing the patch with the Debian Security Team and the question popped up. |
|
CUPS.org User: mike Please file a new bug to track that change; we can certainly add a bpp check (or probably a check of both cupsBitsPerColor and cupsBitsPerPixel, which is what we use to calculate bpp), but without such a change all you'll manage to do is either crash the filter or (if for some reason the filter catches SIGFPE - I'm not aware of any that do) fail on the first read of 0 bytes. |
|
"raster-buffer-overflow.patch": --- a/filter/raster.c
|
|
"str4551.patch": Index: filter/raster.c--- filter/raster.c (revision 12451)
|
Version: 2.0.1
CUPS.org User: pdewacht
A malformed compressed raster file can trigger a buffer overflow in cupsRasterReadPixels. This is issue was found while testing my brlaser printer driver using american fuzzy lop.
Attached are:
The text was updated successfully, but these errors were encountered: