From 9e807ac4cedead2abe60d94c151e6da7b9862c30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9A=D0=B8=D1=80=D0=B8=D0=BB=D0=BB=20=D0=A4=D1=83=D1=80?= =?UTF-8?q?=D0=BC=D0=B0=D0=BD?=
Date: Wed, 27 Dec 2023 16:30:59 +0300
Subject: [PATCH] ppd-emit.c: Fix SEGV in 'ppdEmitString()'

When using testppd.c as a harness, a fuzzer found a way to call ppdPageSize() with NULL return value. This caused a segmentation fault because the size structure, which is used by values[pos], was assigned a NULL value. To avoid this, we need to add a NULL value check for the size structure, free allocated memory, and return NULL.

Fixes #849
---
 cups/ppd-emit.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
index c56ee16f21..48651dc082 100644
--- a/cups/ppd-emit.c
+++ b/cups/ppd-emit.c
@@ -888,7 +888,12 @@ ppdEmitString(ppd_file_t *ppd, /* I - PPD file record */
 cupsCopyString(bufptr, "%%BeginFeature: *CustomPageSize True\n", (size_t)(bufend - bufptr + 1));
 bufptr += 37;
- size = ppdPageSize(ppd, "Custom");
+ if ((size = ppdPageSize(ppd, "Custom")) == NULL)
+ {
+ free(buffer);
+ free(choices);
+ return(NULL);
+ }
 memset(values, 0, sizeof(values));