search

OpenPrinting / cups

OpenPrinting CUPS Sources
https://openprinting.github.io/cups
Apache License 2.0
1.08k stars 193 forks source link

[regression in 2.4.3] nullptr crash when calling cupsGetNamedDest with null name #719

Closed emilio closed 1 year ago

emilio commented 1 year ago

Describe the bug

Libcups crashes when passing nullptr to cupsGetNamedDest:

cupsGetNamedDest(CUPS_HTTP_DEFAULT, /* name */ nullptr, /* instance */ nullptr);

To Reproduce Steps to reproduce the behavior:

  1. Open Firefox
  2. Press Ctrl+P
  3. See crash

Expected behavior Doesn't crash, default dest is returned.

System Information:

Additional context

See https://bugzilla.mozilla.org/show_bug.cgi?id=1836764 for crash stacks and the relevant firefox code which is just calling cupsGetNamedDest as described.

https://github.com/OpenPrinting/cups/commit/070c57da3951c7c5f05b49474ceaf8026dc43bb9 looks like a relevant regressing commit.

emilio commented 1 year ago

https://github.com/OpenPrinting/cups/commit/070c57da3951c7c5f05b49474ceaf8026dc43bb9 (from #455) looks trivially wrong if the passed name is null, it calls cups_name_cb with a null data->name, which crashes on the strcasecmp call. Before there was an if (name) null-check that prevented it.

cc @zdohnal @tillkamppeter

zdohnal commented 1 year ago

Hi Emilio,

thank you for the patch and I'm sorry for inconvenience! I'll release a new version with this issue fixed today, because it breaks a common use case.