
Both /usr/bin/ppdpo and /usr/bin/ppdhtml dump core with fuzz input #4627

Closed
michaelrsweet opened this issue May 8, 2015 · 3 comments

@michaelrsweet
Collaborator

Version: 2.0.2
CUPS.org User: vishwassg

/usr/bin/ppdpo and /usr/bin/ppdhtml dump core if an argument starting with
almost any character (not reproducible with ')', '(', and '&') is passed to
the -D option.
It's reproducible on both sparc and X64.

Steps to reproduce:

/usr/bin/ppdpo -D "almost any character"

Expected result:
Core is not dumped

Actual result:
process terminated by SIGSEGV (Segmentation Fault)

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Collaborator Author

"str4627.patch":

Index: ppdc/ppdhtml.cxx

--- ppdc/ppdhtml.cxx (revision 12632)
+++ ppdc/ppdhtml.cxx (working copy)
@@ -1,22 +1,17 @@
//
// "$Id$"
//
-// PPD to HTML utility for the CUPS PPD Compiler.
+// PPD to HTML utility for the CUPS PPD Compiler.
//
-// Copyright 2007-2011 by Apple Inc.
-// Copyright 2002-2005 by Easy Software Products.
+// Copyright 2007-2015 by Apple Inc.
+// Copyright 2002-2005 by Easy Software Products.
//
-// These coded instructions, statements, and computer programs are the
-// property of Apple Inc. and are protected by Federal copyright
-// law. Distribution and use rights are outlined in the file "LICENSE.txt"
-// which should have been included with this file. If this file is
-// file is missing or damaged, see the license at "http:https://www.cups.org/".
+// These coded instructions, statements, and computer programs are the
+// property of Apple Inc. and are protected by Federal copyright
+// law. Distribution and use rights are outlined in the file "LICENSE.txt"
+// which should have been included with this file. If this file is
+// file is missing or damaged, see the license at "http:https://www.cups.org/".
//
-// Contents:
-//
-// main() - Main entry for the PPD to HTML utility.
-// usage() - Show usage and exit.
-//

//
// Include necessary headers...
@@ -58,7 +53,7 @@
_cupsSetLocale(argv);

// Scan the command-line...

  • src = 0;
  • src = new ppdcSource();

for (i = 1; i < argc; i ++)
if (argv[i][0] == '-')
@@ -97,66 +92,76 @@
else
{
// Open and load the driver info file...

  •  src = new ppdcSource(argv[i]);
    
  •  src->read_file(argv[i]);
    
  • }

  •  // Create a composite group with all of the features from the
    
  •  // drivers in the info file...
    
  •  composite = new ppdcGroup("", "");
    
  • if ((d = (ppdcDriver *)src->drivers->first()) != NULL)

  • {

  • // Create a composite group with all of the features from the

  • // drivers in the info file...

  • composite = new ppdcGroup("", "");

  •  for (d = (ppdcDriver *)src->drivers->first(); d; d = (ppdcDriver *)src->drivers->next())
    
  •    for (g = (ppdcGroup *)d->groups->first(); g; g = (ppdcGroup *)d->groups->next())
    
  • for (o = (ppdcOption *)g->options->first(); o; o = (ppdcOption *)g->options->next())
    
  • {
    
  •   if ((compo = composite->find_option(o->name->value)) == NULL)
    
  •     composite->add_option(new ppdcOption(o));
    
  • }
    
  • while (d != NULL)

  • {

  •  for (g = (ppdcGroup *)d->groups->first(); g; g = (ppdcGroup *)d->groups->next())
    
  • for (o = (ppdcOption *)g->options->first(); o; o = (ppdcOption *)g->options->next())

  • {

  • if ((compo = composite->find_option(o->name->value)) == NULL)
    
  •   composite->add_option(new ppdcOption(o));
    
  • }

  •  puts("<html>");
    
  •  printf("<head><title>Driver Summary for %s</title></head>\n", argv[i]);
    
  •  printf("<body><h1>Driver Summary for %s</h1>\n", argv[i]);
    
  •  printf("<p><table border='1'><thead><tr><th>Printer</th><th>Media Size</th>");
    
  •  for (compo = (ppdcOption *)composite->options->first(); compo; compo = (ppdcOption *)composite->options->next())
    
  •    printf("<th>%s</th>", compo->text->value);
    
  •  puts("</tr></thead><tbody>");
    
  •  d = (ppdcDriver *)src->drivers->next();
    
  • }

  •  // Write HTML summary...
    
  •  for (d = (ppdcDriver *)src->drivers->first(); d; d = (ppdcDriver *)src->drivers->next())
    
  •  {
    
  •    // Write the summary for this driver...
    
  • printf("%s", d->model_name->value);

  • for (size = (ppdcMediaSize *)d->sizes->first(); size;

  •    size = (ppdcMediaSize *)d->sizes->next())
    
  •      printf("%s<br>", size->text->value);
    
  •    printf("</td>");
    
  • puts("");

  • printf("<title>Driver Summary for %s</title>\n", argv[i]);

  • printf("

    Driver Summary for %s

    \n", argv[i]);

  • printf("

    ");

  • for (compo = (ppdcOption *)composite->options->first(); compo; compo = (ppdcOption *)composite->options->next())

  •  printf("<th>%s</th>", compo->text->value);
    
  • puts("

  • ");

  •    for (compo = (ppdcOption *)composite->options->first(); compo;
    
  •    compo = (ppdcOption *)composite->options->next())
    
  • if ((o = d->find_option(compo->name->value)) != NULL)
    
  • {
    
  •   printf("<td nowrap>");
    
  •   for (c = (ppdcChoice *)o->choices->first(); c;
    
  •        c = (ppdcChoice *)o->choices->next())
    
  •     printf("%s<br>", c->text->value);
    
  •   printf("</td>");
    
  • }
    
  • else
    
  •   printf("<td>N/A</td>");
    
  • // Write HTML summary...

  • for (d = (ppdcDriver *)src->drivers->first(); d; d = (ppdcDriver *)src->drivers->next())

  • {

  •  // Write the summary for this driver...
    
  •  printf("<tr valign='top'><td nowrap>%s</td><td nowrap>", d->model_name->value);
    
  •  for (size = (ppdcMediaSize *)d->sizes->first(); size;
    
  •  size = (ppdcMediaSize *)d->sizes->next())
    
  • printf("%s
    ", size->text->value);

  •  printf("</td>");
    
  •    puts("</tr>");
    
  •  }
    
  •  for (compo = (ppdcOption *)composite->options->first(); compo;
    
  •  compo = (ppdcOption *)composite->options->next())
    
  • if ((o = d->find_option(compo->name->value)) != NULL)

  • {

  • printf("<td nowrap>");
    
  • for (c = (ppdcChoice *)o->choices->first(); c;
    
  •      c = (ppdcChoice *)o->choices->next())
    
  •   printf("%s<br>", c->text->value);
    
  • printf("</td>");
    
  • }

  • else

  • printf("<td>N/A</td>");
    
  •  puts("</tbody></table></p>");
    
  •  puts("</body>");
    
  •  puts("</html>");
    
  •  // Delete the printer driver information...
    
  •  composite->release();
    
  •  src->release();
    
  •  puts("</tr>");
    

    }

  • // If no drivers have been loaded, display the program usage message.

  • if (!src)

  • puts("

  • PrinterMedia Size

    ");

  • puts("");

  • puts("");

  • // Delete the printer driver information...
  • composite->release();
  • }
  • else
  • {
  • // If no drivers have been loaded, display the program usage message.
    usage();
  • }
  • src->release();

// Return with no errors.
return (0);
}
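Review bot: The `printf("<title>Driver Summary for %s</title>\n", argv[i]);` calls appear to sit after the `for (i = 1; i < argc; i ++)` scan has finished, as far as the new side can be read here, since the +/- markers were lost in rendering. At that point `i == argc`, so `argv[i]` is the terminating null pointer and passing it to `%s` is undefined. Recording the file name while scanning would avoid this: declare `const char *filename = NULL;`, set `filename = argv[i];` in the `else` branch next to `src->read_file(argv[i]);`, and print `filename` instead. The verbose `_cupsLangPrintf(stderr, _("ppdc: Adding/updating UI text from %s."), argv[i]);` in the ppdpo.cxx section looks to have the same problem. Separately, the file name, `d->model_name->value` and the `text->value` strings are written into the HTML unescaped, so values from a driver information file should be HTML-escaped before output; `main()` starts and ends outside this hunk.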

Index: ppdc/ppdpo.cxx

--- ppdc/ppdpo.cxx (revision 12632)
+++ ppdc/ppdpo.cxx (working copy)
@@ -1,23 +1,17 @@
//
// "$Id$"
//
-// PPD file message catalog program for the CUPS PPD Compiler.
+// PPD file message catalog program for the CUPS PPD Compiler.
//
-// Copyright 2007-2012 by Apple Inc.
-// Copyright 2002-2005 by Easy Software Products.
+// Copyright 2007-2015 by Apple Inc.
+// Copyright 2002-2005 by Easy Software Products.
//
-// These coded instructions, statements, and computer programs are the
-// property of Apple Inc. and are protected by Federal copyright
-// law. Distribution and use rights are outlined in the file "LICENSE.txt"
-// which should have been included with this file. If this file is
-// file is missing or damaged, see the license at "http:https://www.cups.org/".
+// These coded instructions, statements, and computer programs are the
+// property of Apple Inc. and are protected by Federal copyright
+// law. Distribution and use rights are outlined in the file "LICENSE.txt"
+// which should have been included with this file. If this file is
+// file is missing or damaged, see the license at "http:https://www.cups.org/".
//
-// Contents:
-//
-// main() - Main entry for the PPD compiler.
-// add_ui_strings() - Add all UI strings from the driver.
-// usage() - Show usage and exit.
-//

//
// Include necessary headers...
@@ -58,7 +52,7 @@

// Scan the command-line...
catalog = new ppdcCatalog("en");

  • src = 0;
  • src = new ppdcSource();
    verbose = 0;
    outfile = 0;

@@ -123,24 +117,29 @@
_("ppdc: Loading driver information file "%s"."),
argv[i]);

  •  src = new ppdcSource(argv[i]);
    
  •  src->read_file(argv[i]);
    
  • }
  •  // Add UI strings...
    
  •  for (d = (ppdcDriver *)src->drivers->first();
    
  •       d;
    
  •  d = (ppdcDriver *)src->drivers->next())
    
  •  {
    
  • if (verbose)
  • _cupsLangPrintf(stderr, _("ppdc: Adding/updating UI text from %s."),
    
  •         argv[i]);
    
  • // If no drivers have been loaded, display the program usage message.
  • if ((d = (ppdcDriver *)src->drivers->first()) != NULL)
  • {
  • // Add UI strings...
  • while (d != NULL)
  • {
  •  if (verbose)
    
  • _cupsLangPrintf(stderr, _("ppdc: Adding/updating UI text from %s."), argv[i]);
  •    add_ui_strings(d, catalog);
    
  •  }
    
  •  add_ui_strings(d, catalog);
    
  •  // Delete the printer driver information...
    
  •  src->release();
    
  •  d = (ppdcDriver *)src->drivers->next();
    
    }
  • }
  • else
  • usage();
  • // Delete the printer driver information...
  • src->release();

// Write the message catalog...
if (!outfile)
usage();
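Review bot: The comment `// If no drivers have been loaded, display the program usage message.` now sits directly above `if ((d = (ppdcDriver *)src->drivers->first()) != NULL)`, which tests the opposite case, so it describes the `else` branch rather than the code it precedes. I would move it next to the `else` / `usage();` pair, as the ppdhtml.cxx section does, and leave `// Add UI strings...` as the comment for the `if` body. The +/- markers in this hunk were lost in rendering, so the new side is read from context, and `main()` continues outside the hunk.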
@@ -149,10 +148,6 @@

catalog->release();

  • // If no drivers have been loaded, display the program usage message.
  • if (!src)

- usage();

// Return with no errors.
return (0);
}

@michaelrsweet
Collaborator Author

CUPS.org User: vishwassg

Thank u Michael Sweet

@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016