zdohnal
commented
7 months ago Hi,
thank you for the report!
However it would be great if you ran your scans on the current versions of the project - 2.0.0 - for two reasons:
- you would find out cups-browsed is now in a separate project,
- you would find out the issue was fixed several months ago.
Writing into string
pusing formatted input function at cups-browsed.c:5476 may lead to a buffer overflow, because string conversion specification doesn't have a width limitation.https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5476
It is possible that the variable
pat functionfscanf(fp, "%s", p), which is defined as a pointer to the variablebuf[1024]at cups-browsed.c:5475, of a very large length can lead to buffer overflow, since the pointer to thefpstream has a length of2048defined at cups-browsed.c:500.Path for
fpstream:https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5469
https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5463
https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L500
So there is no guarantee that the length of the variable
pobtained from the file does not exceed a length of1024.This situation can be resolved by limiting the field width
fscanf(fp, "%1024s", p);.Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE. Author A. Slepykh.