rastertopwg: heap buffer overflow #4598

michaelrsweet · 2015-03-01T21:52:56Z

Version: 2.0-current
CUPS.org User: pdewacht

In the rastertopwg filter, a malformed raster file can cause the filter to allocate a line buffer that's smaller than cupsBytesPerLine. As a result, cupsRasterReadPixels will write beyond the end of this buffer. A sample file is attached.

This can be remotely triggered on a print server that shares a printer that uses the rastertopwg filter.

Found using afl-fuzz.

michaelrsweet · 2015-03-25T13:49:38Z

CUPS.org User: mike

Fixed in Subversion repository.

michaelrsweet · 2015-03-25T13:49:38Z

"str4598.patch":

Index: filter/rastertopwg.c

--- filter/rastertopwg.c (revision 12567)
+++ filter/rastertopwg.c (working copy)
@@ -3,7 +3,7 @@
*

CUPS raster to PWG raster format filter for CUPS.
*
- * Copyright 2011, 2014 Apple Inc.
- * Copyright 2011, 2014-2015 Apple Inc.
  *
These coded instructions, statements, and computer programs are the
property of Apple Inc. and are protected by Federal copyright law.
@@ -401,6 +401,9 @@
- Copy raster data...
  */
if (linesize < inheader.cupsBytesPerLine)
```
 linesize = inheader.cupsBytesPerLine;
```
line = malloc(linesize);

memset(line, white, linesize);

michaelrsweet closed this as completed Mar 25, 2015

michaelrsweet added the priority-low label Mar 17, 2016

michaelrsweet added this to the Stable milestone Mar 17, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rastertopwg: heap buffer overflow #4598

rastertopwg: heap buffer overflow #4598

michaelrsweet commented Mar 1, 2015

michaelrsweet commented Mar 25, 2015

michaelrsweet commented Mar 25, 2015

rastertopwg: heap buffer overflow #4598

rastertopwg: heap buffer overflow #4598

Comments

michaelrsweet commented Mar 1, 2015

michaelrsweet commented Mar 25, 2015

michaelrsweet commented Mar 25, 2015

Index: filter/rastertopwg.c