Writing into string `p` using a formatted input function at cups-browsed.c:5476 may lead to a buffer overflow, because the string conversion specification doesn't have a width limitation.

https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5476

The variable `p` passed to `fscanf(fp, "%s", p)` is a pointer to the variable `buf[1024]` defined at cups-browsed.c:5475. A very long value read from the `fp` stream can therefore overflow it, since the path used to open the `fp` stream is a buffer of length 2048 defined at cups-browsed.c:500.

Path for the `fp` stream:

https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5469
https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L5463
https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/utils/cups-browsed.c#L500

So there is no guarantee that the length of the value read into `p` from the file does not exceed 1024. This situation can be resolved by limiting the field width: `fscanf(fp, "%1024s", p);`.

Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE. Author A. Slepykh.
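As an added example (not code from cups-browsed or from the issue author), a bounded replacement for the `fscanf(fp, "%s", p)` pattern that derives the field width from the buffer size, plus a demonstration of what truncation does to the rest of the stream. The 16-byte buffers and the in-memory input are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Read one whitespace-delimited token from fp into buf[size] without
 * overflowing it. fscanf's %s always appends a terminating NUL, so the
 * field width must be size - 1: "%1024s" into char buf[1024] can still
 * write 1025 bytes on a long token. Returns the token length, or -1 on
 * EOF/error. */
int read_token_bounded(FILE *fp, char *buf, size_t size)
{
    char fmt[32];
    if (size < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", size - 1);   /* "%15s" for size 16 */
    if (fscanf(fp, fmt, buf) != 1)
        return -1;
    return (int)strlen(buf);
}

/* Demonstration on constructed in-memory input (not a cups-browsed file):
 * a 40-character token followed by the token "second", read into a 16-byte
 * buffer. Each bounded read takes at most 15 characters and leaves the
 * unread remainder in the stream, so the oversize token comes back as three
 * pieces (15 + 15 + 10) before "second" is reached. Returns the number of
 * reads needed to reach "second": truncation is silent, so a caller must
 * detect (or drain) an over-long field rather than trust the value read. */
int demo_truncation(void)
{
    static const char input[] =
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" " second";
    char tok[16];
    int reads = 0;
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (!fp)
        return -1;
    while (read_token_bounded(fp, tok, sizeof tok) >= 0) {
        reads++;
        if (strcmp(tok, "second") == 0)
            break;
    }
    fclose(fp);
    return reads;   /* 4 */
}

int main(void)
{
    printf("reads until \"second\": %d\n", demo_truncation());
    return 0;
}
```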