Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEGV ppd-emit.c:905:22 in ppdEmitString() #849

Closed
Drawishe opened this issue Dec 27, 2023 · 0 comments · Fixed by #850 or OpenPrinting/libppd#35
Closed

SEGV ppd-emit.c:905:22 in ppdEmitString() #849

Drawishe opened this issue Dec 27, 2023 · 0 comments · Fixed by #850 or OpenPrinting/libppd#35

Comments

@Drawishe
Copy link
Contributor

Drawishe commented Dec 27, 2023
edited
Loading

Describe the bug
I have found SIGSEGV crashes with cups upstream version (79c602c), using unit test testppd.c as a harness for fuzzing.
Here is the test.ppd file, which causes SEGV:
testppd.tar.gz

This problem arises due to the lack of verification of size structure for NULL value in ppdEmitString(). In that case function ppdPageSize() returns NULL, which is recorded into structure size, then there is an appeal to the element lenght of size structure, which causes SEGV.

cups/cups/ppd-emit.c

Line 891 in 79c602c

size = ppdPageSize(ppd, "Custom");

cups/cups/ppd-emit.c

Line 905 in 79c602c

values[pos] = size->width;

To Reproduce
Steps to reproduce the behavior:

  1. move given test.ppd file in cups/ directory
  2. build project with clang-13 and ASAN
export CC=clang-13
export CXX=clang++-13
export CFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
export CXXFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
export LDFLAGS="-g -fsanitize=address"
./configure --enable-static --disable-shared
make
  1. build testppd target
cd cups
make testppd
  1. run testppd
./testppd
AddressSanitizer:DEADLYSIGNAL
=================================================================
==510142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x561e581ec51f bp 0x7ffcb1f1d3b0 sp 0x7ffcb1f1cb20 T0)
==510142==The signal is caused by a READ memory access.
==510142==Hint: address points to the zero page.
    #0 0x561e581ec51f in ppdEmitString /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22
    #1 0x561e58114a8c in main /home/as/cups-oss/cups-opensource/cups/testppd.c:441:14
    #2 0x7fb9ea8461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fb9ea846284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #4 0x561e58065080 in _start (/home/as/cups-oss/cups-opensource/cups/testppd+0xbb080)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22 in ppdEmitString
==510142==ABORTING

Expected behaviour
Test case doesn't crash.

System Information:

  • OS and its version: debian, 12
  • CUPS version: upstream (79c602c)
Drawishe added a commit to Drawishe/cups that referenced this issue Dec 27, 2023
@Drawishe
ppd-emit.c: Fix SEGV in 'ppdEmitString()'
9e807ac 
When using testppd.c as a harness, a fuzzer found a way to call
ppdPageSize() with NULL return value. This caused a segmentation fault
because the size structure, which is used by values[pos],
was assigned a NULL value. To avoid this, we need to add a
NULL value check for the size structure, free allocated memory,
and return NULL.

Fixes OpenPrinting#849
Drawishe added a commit to Drawishe/cups that referenced this issue Dec 27, 2023
@Drawishe
ppd-emit.c: Fix SEGV in 'ppdEmitString()'
b57843d 
When using testppd.c as a harness, a fuzzer found a way to call
ppdPageSize() with NULL return value. This caused a segmentation fault
because the size structure, which is used by values[pos],
was assigned a NULL value. To avoid this, we need to add a
NULL value check for the size structure, free allocated memory,
and return NULL.

Fixes OpenPrinting#849
@Drawishe Drawishe mentioned this issue Dec 27, 2023
Merged
zdohnal added a commit that referenced this issue Jan 4, 2024
@zdohnal
ppd-emit.c: Fix SEGV in 'ppdEmitString()'
0a834c3 
When using testppd.c as a harness, a fuzzer found a way to call ppdPageSize() with NULL return value.
This caused a segmentation fault because the size structure, which is used by values[pos], was assigned a NULL value.
To avoid this, we need to add a NULL value check for the size structure, free allocated memory, and return NULL.

Fixes #849
zdohnal added a commit to zdohnal/libppd that referenced this issue Jan 4, 2024
@zdohnal
ppd-emit.c: Fix crash if there is no page size for "Custom"
e8784d1 
Original report/fix: OpenPrinting/cups#849
@zdohnal zdohnal mentioned this issue Jan 4, 2024
Merged
tillkamppeter pushed a commit to OpenPrinting/libppd that referenced this issue Jan 5, 2024
@zdohnal
ppd-emit.c: Fix crash if there is no page size for "Custom" (#35)
32eea8a 
Original report/fix: OpenPrinting/cups#849
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@Drawishe