Closed Jminis closed 1 year ago
Simple enough fix - just need to make a temporary copy of the stack object before copying...
[master d2edfc664] Fix a bug in the copy stack code (Issue #768)
[2.4.x cd01b4d1a] Fix a bug in the copy stack code (Issue #768)
Description
Hello, while performing fuzzing based on the information registered in OSS-Fuzz, a UAF crash was discovered. I would like to share some basic analysis and crash data related to this. (Additionally, this issue does not have a significantly detrimental effect on the program.)
Crash Log
Analysis
From the debugging results, the obj structure was in a freed state at
memcpy(temp, obj, sizeof(_cups_ps_obj_t));
in the push_stack function below. The point at which it is freed seems to be when (temp = realloc(st->objs, (size_t)st->alloc_objs * sizeof(_cups_ps_obj_t))) == NULL, as the memory of the heap area pointed to by obj is freed by realloc. Here, obj is an argument at the call of push_stack in copy_stack, and it was pointing to the st structure that is freed in realloc.
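The sequence the report describes, as an added C model that is not CUPS's code and not the reporter's or maintainer's: copy_stack passes a pointer into the stack's own buffer to push_stack, push_stack grows the buffer with realloc, and the buggy order then memcpy's from the now-freed old buffer. The type names ps_obj_t and ps_stack_t, the STACK_GROW increment and the demo_copy_stack scenario are simplified stand-ins and assumptions of this example; push_stack and copy_stack mirror the names in the report but are toy versions. The fixed push_stack follows the maintainer's approach of snapshotting the object into a local before growing; push_stack_unsafe keeps the buggy order for comparison and is never called with an aliasing pointer here.

```c
/* Added illustration, not CUPS code: a toy model of the push_stack/copy_stack
 * aliasing hazard described in the report. Type names, STACK_GROW and the demo
 * function are simplified stand-ins, not CUPS's own. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STACK_GROW 4                 /* hypothetical growth increment */

typedef struct { int type; char value[32]; } ps_obj_t;   /* stand-in object */

typedef struct {
  int       num_objs;                /* slots in use */
  int       alloc_objs;              /* slots allocated */
  ps_obj_t *objs;                    /* heap buffer; realloc() may move it */
} ps_stack_t;

void stack_init(ps_stack_t *st) { memset(st, 0, sizeof(*st)); }
void stack_free(ps_stack_t *st) { free(st->objs); stack_init(st); }

/* 1 when obj points into the stack's own buffer: the copy_stack situation,
 * in which a realloc() inside push frees the memory obj refers to. */
int obj_aliases_stack(const ps_stack_t *st, const ps_obj_t *obj)
{
  uintptr_t lo = (uintptr_t)st->objs, p = (uintptr_t)obj;
  uintptr_t hi = lo + (uintptr_t)st->alloc_objs * sizeof(ps_obj_t);
  return st->objs != NULL && p >= lo && p < hi;
}

/* Grow when full. Afterwards every pointer into the OLD buffer, including an
 * aliasing obj argument, is dangling. */
static int stack_reserve(ps_stack_t *st)
{
  if (st->num_objs < st->alloc_objs) return 0;
  int       n    = st->alloc_objs + STACK_GROW;
  ps_obj_t *temp = realloc(st->objs, (size_t)n * sizeof(ps_obj_t));
  if (temp == NULL) return -1;
  st->objs = temp;
  st->alloc_objs = n;
  return 0;
}

/* BUGGY order from the report: grow first, then read obj. With an aliasing obj
 * the memcpy reads freed memory. Kept for comparison only; never call it with
 * a pointer into st->objs. */
ps_obj_t *push_stack_unsafe(ps_stack_t *st, const ps_obj_t *obj)
{
  if (stack_reserve(st) < 0) return NULL;
  ps_obj_t *slot = st->objs + st->num_objs++;
  memcpy(slot, obj, sizeof(*slot));       /* use-after-free if obj aliased */
  return slot;
}

/* FIXED order, as the maintainer describes: snapshot obj into a local before
 * growing, so realloc() cannot invalidate what gets copied. */
ps_obj_t *push_stack(ps_stack_t *st, const ps_obj_t *obj)
{
  ps_obj_t copy;
  memcpy(&copy, obj, sizeof(copy));       /* taken while obj is still valid */
  if (stack_reserve(st) < 0) return NULL;
  ps_obj_t *slot = st->objs + st->num_objs++;
  memcpy(slot, &copy, sizeof(*slot));
  return slot;
}

/* Duplicate the top n objects. Every argument is a pointer INTO st->objs, and
 * is recomputed each iteration because the buffer may have moved. */
int copy_stack(ps_stack_t *st, int n)
{
  if (n < 1 || n > st->num_objs) return -1;
  int first = st->num_objs - n;
  for (int i = 0; i < n; i++)
    if (push_stack(st, st->objs + first + i) == NULL) return -1;
  return 0;
}

/* Constructed scenario: a two-slot stack holding a,b, filled to capacity so
 * the first push in copy_stack must realloc(). Returns bit 0 set if the
 * pointer copy_stack hands to push lies inside st->objs, bit 1 set if the copy
 * grew the buffer and left a,b,a,b intact; 3 means both, 0 on alloc failure. */
int demo_copy_stack(void)
{
  ps_stack_t st;
  ps_obj_t   a = { 1, "a" }, b = { 1, "b" };
  const char *want[] = { "a", "b", "a", "b" };
  stack_init(&st);
  if ((st.objs = calloc(2, sizeof(ps_obj_t))) == NULL) return 0;
  st.alloc_objs = 2;
  if (!push_stack(&st, &a) || !push_stack(&st, &b)) { stack_free(&st); return 0; }
  int result = obj_aliases_stack(&st, st.objs + 0) ? 1 : 0;
  int ok = copy_stack(&st, 2) == 0 && st.num_objs == 4 && st.alloc_objs > 2;
  for (int i = 0; ok && i < 4; i++) ok = strcmp(st.objs[i].value, want[i]) == 0;
  if (ok) result |= 2;
  stack_free(&st);
  return result;
}
```

Build it with any C99 compiler and call demo_copy_stack() from your own main; a return of 3 confirms both that the copy argument really aliases the buffer and that the snapshot-first push survives the forced realloc. Swapping push_stack for push_stack_unsafe inside copy_stack reproduces the reported pattern, which AddressSanitizer flags as a heap-use-after-free on the memcpy. The local copy costs one sizeof(ps_obj_t) of stack space per push and needs no extra allocation, which is why it is the smaller fix compared with reserving capacity in the caller before taking any pointer into the buffer.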