ppd-emit.c: Fix SEGV in 'ppdEmitString()'

When using testppd.c as a harness, a fuzzer found a way to call ppdPageSize() with NULL return value. This caused a segmentation fault because the size structure, which is used by values[pos], was assigned a NULL value. To avoid this, we need to add a NULL value check for the size structure, free allocated memory, and return NULL. Fixes OpenPrinting#849
Drawishe · Dec 27, 2023 · 9e807ac · 9e807ac
1 parent 79c602c
commit 9e807ac
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
@@ -888,7 +888,12 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
         cupsCopyString(bufptr, "%%BeginFeature: *CustomPageSize True\n", (size_t)(bufend - bufptr + 1));
         bufptr += 37;
 
-        size = ppdPageSize(ppd, "Custom");
+        if ((size = ppdPageSize(ppd, "Custom")) == NULL)
+        {
+          free(buffer);
+          free(choices);
+          return(NULL);
+        }
 
         memset(values, 0, sizeof(values));