Fix some PPD parser issues discovered via fuzzing (Issue #5623, Issue #…

…5624)
apple · Aug 1, 2019 · d11af54 · d11af54
1 parent b4909ef
commit d11af54
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.2.12 - 2019-07-16
+CHANGES - 2.2.12 - 2019-08-01
 =============================
 
 
@@ -29,6 +29,7 @@ Changes in CUPS v2.2.12
 - The scheduler now uses both the group's membership list as well as the
   various OS-specific membership functions to determine whether a user belongs
   to a named group (Issue #5613)
+- Fixed some PPD parser issues (Issue #5623, Issue #5624)
 - The scheduler would restart continuously when idle and printers were not
   shared (rdar://52561199)
 - Fixed a command ordering issue in the Zebra ZPL driver.

diff --git a/cgi-bin/admin.c b/cgi-bin/admin.c
@@ -3410,6 +3410,9 @@ do_set_options(http_t *http,		/* I - HTTP connection */
 
 	      switch (cparam->type)
 	      {
+	        case PPD_CUSTOM_UNKNOWN :
+	            break;
+
 		case PPD_CUSTOM_POINTS :
 		    if (!_cups_strncasecmp(option->defchoice, "Custom.", 7))
 		    {
@@ -4009,6 +4012,9 @@ get_option_value(
 
     switch (cparam->type)
     {
+      case PPD_CUSTOM_UNKNOWN :
+          break;
+
       case PPD_CUSTOM_CURVE :
       case PPD_CUSTOM_INVCURVE :
       case PPD_CUSTOM_REAL :
@@ -4087,6 +4093,9 @@ get_option_value(
 
       switch (cparam->type)
       {
+        case PPD_CUSTOM_UNKNOWN :
+            break;
+
 	case PPD_CUSTOM_CURVE :
 	case PPD_CUSTOM_INVCURVE :
 	case PPD_CUSTOM_REAL :

diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
@@ -662,6 +662,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :
@@ -708,6 +711,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :
@@ -803,6 +809,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	      {
 	        switch (cparam->type)
 		{
+		  case PPD_CUSTOM_UNKNOWN :
+		      break;
+
 		  case PPD_CUSTOM_CURVE :
 		  case PPD_CUSTOM_INVCURVE :
 		  case PPD_CUSTOM_POINTS :
@@ -1005,6 +1014,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :

diff --git a/cups/ppd-mark.c b/cups/ppd-mark.c
@@ -855,6 +855,9 @@ ppd_mark_option(ppd_file_t *ppd,	/* I - PPD file */
 
         switch (cparam->type)
 	{
+	  case PPD_CUSTOM_UNKNOWN :
+	      break;
+
 	  case PPD_CUSTOM_CURVE :
 	  case PPD_CUSTOM_INVCURVE :
 	  case PPD_CUSTOM_REAL :
@@ -932,6 +935,9 @@ ppd_mark_option(ppd_file_t *ppd,	/* I - PPD file */
 
 	switch (cparam->type)
 	{
+	  case PPD_CUSTOM_UNKNOWN :
+	      break;
+
 	  case PPD_CUSTOM_CURVE :
 	  case PPD_CUSTOM_INVCURVE :
 	  case PPD_CUSTOM_REAL :

diff --git a/cups/ppd.c b/cups/ppd.c
@@ -1003,6 +1003,13 @@ _ppdOpen(
 	goto error;
       }
 
+      if (cparam->type != PPD_CUSTOM_UNKNOWN)
+      {
+        pg->ppd_status = PPD_BAD_CUSTOM_PARAM;
+
+        goto error;
+      }
+
      /*
       * Get the parameter data...
       */
@@ -1876,6 +1883,13 @@ _ppdOpen(
     }
     else if (!strcmp(keyword, "PaperDimension"))
     {
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if ((size = ppdPageSize(ppd, name)) == NULL)
 	size = ppd_add_size(ppd, name);
 
@@ -1898,6 +1912,13 @@ _ppdOpen(
     }
     else if (!strcmp(keyword, "ImageableArea"))
     {
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if ((size = ppdPageSize(ppd, name)) == NULL)
 	size = ppd_add_size(ppd, name);
 
@@ -1927,6 +1948,13 @@ _ppdOpen(
     {
       DEBUG_printf(("2_ppdOpen: group=%p, subgroup=%p", group, subgroup));
 
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if (!strcmp(keyword, "PageSize"))
       {
        /*
@@ -2651,6 +2679,7 @@ ppd_get_cparam(ppd_coption_t *opt,	/* I - PPD file */
   if ((cparam = calloc(1, sizeof(ppd_cparam_t))) == NULL)
     return (NULL);
 
+  cparam->type = PPD_CUSTOM_UNKNOWN;
   strlcpy(cparam->name, param, sizeof(cparam->name));
   strlcpy(cparam->text, text[0] ? text : param, sizeof(cparam->text));
 

diff --git a/cups/ppd.h b/cups/ppd.h
@@ -235,6 +235,7 @@ typedef struct ppd_profile_s		/**** sRGB Color Profiles ****/
 /**** New in CUPS 1.2/macOS 10.5 ****/
 typedef enum ppd_cptype_e		/**** Custom Parameter Type @since CUPS 1.2/macOS 10.5@ ****/
 {
+  PPD_CUSTOM_UNKNOWN = -1,		/* Unknown type (error) */
   PPD_CUSTOM_CURVE,			/* Curve value for f(x) = x^value */
   PPD_CUSTOM_INT,			/* Integer number value */
   PPD_CUSTOM_INVCURVE,			/* Curve value for f(x) = x^(1/value) */

diff --git a/cups/testppd.c b/cups/testppd.c
@@ -1054,6 +1054,10 @@ main(int  argc,				/* I - Number of command-line arguments */
             {
 	      switch (cparam->type)
 	      {
+	        case PPD_CUSTOM_UNKNOWN :
+		    printf("              %s(%s): PPD_CUSTOM_UNKNOWN (error)\n", cparam->name, cparam->text);
+	            break;
+
 	        case PPD_CUSTOM_CURVE :
 		    printf("              %s(%s): PPD_CUSTOM_CURVE (%g to %g)\n",
 		           cparam->name, cparam->text,