OpenPrinting / cups

OpenPrinting CUPS Sources
https://openprinting.github.io/cups
Apache License 2.0

SEGV ppd-emit.c:905:22 in ppdEmitString() #849

Closed Drawishe closed 6 months ago

Drawishe commented 6 months ago

Describe the bug
I have found SIGSEGV crashes with the cups upstream version (79c602c), using the unit test testppd.c as a harness for fuzzing. Here is the test.ppd file which causes the SEGV: testppd.tar.gz

This problem arises due to the lack of a NULL check on the size structure in ppdEmitString(). In that case the function ppdPageSize() returns NULL, which is stored in the size variable; then the length member of the size structure is accessed, which causes the SEGV.

https://github.com/OpenPrinting/cups/blob/79c602c60e53af4a1d487d9a678c77b179ed1e4f/cups/ppd-emit.c#L891

https://github.com/OpenPrinting/cups/blob/79c602c60e53af4a1d487d9a678c77b179ed1e4f/cups/ppd-emit.c#L905

To Reproduce
Steps to reproduce the behavior:

  1. move the given test.ppd file into the cups/ directory
  2. build the project with clang-13 and ASAN:
     export CC=clang-13
     export CXX=clang++-13
     export CFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
     export CXXFLAGS="-fPIC -fprofile-instr-generate -fcoverage-mapping -fsanitize=address -g"
     export LDFLAGS="-g -fsanitize=address"
     ./configure --enable-static --disable-shared
     make
  3. build the testppd target:
     cd cups
     make testppd
  4. run testppd:
     ./testppd
AddressSanitizer:DEADLYSIGNAL
=================================================================
==510142==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x561e581ec51f bp 0x7ffcb1f1d3b0 sp 0x7ffcb1f1cb20 T0)
==510142==The signal is caused by a READ memory access.
==510142==Hint: address points to the zero page.
    #0 0x561e581ec51f in ppdEmitString /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22
    #1 0x561e58114a8c in main /home/as/cups-oss/cups-opensource/cups/testppd.c:441:14
    #2 0x7fb9ea8461c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7fb9ea846284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #4 0x561e58065080 in _start (/home/as/cups-oss/cups-opensource/cups/testppd+0xbb080)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/as/cups-oss/cups-opensource/cups/ppd-emit.c:905:22 in ppdEmitString
==510142==ABORTING

Expected behaviour
The test case doesn't crash.

System Information:
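The pattern the report describes, as an added example that is not CUPS code and not part of the original issue: a lookup that returns NULL for an unknown page size, an emitter that dereferences the result unchecked (the crash class in the ASAN trace), and the same emitter with the NULL check that makes it fail closed. The types and functions here (page_size_t, find_page_size, emit_unchecked, emit_checked, run_constructed_inputs) are hypothetical stand-ins, not cups' ppd_size_t, ppdPageSize() or ppdEmitString(), and the page-size table is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CUPS code: a stand-in for a PPD page-size record.
 * The real ppd_size_t has more members; only name, width and length
 * matter for the pattern shown here. */
typedef struct {
    const char *name;
    float       width;
    float       length;
} page_size_t;

/* Constructed stand-in for the PageSize entries of a parsed PPD. */
static const page_size_t k_sizes[] = {
    { "Letter", 612.0f, 792.0f },
    { "A4",     595.0f, 842.0f },
};

/* Hypothetical lookup with the contract the report relies on:
 * a pointer to the matching size, or NULL when there is none. */
const page_size_t *find_page_size(const char *name)
{
    size_t i;

    if (name == NULL)
        return NULL;
    for (i = 0; i < sizeof k_sizes / sizeof k_sizes[0]; i++)
        if (strcmp(k_sizes[i].name, name) == 0)
            return &k_sizes[i];
    return NULL;
}

/* Vulnerable pattern: the lookup result is dereferenced without a NULL
 * check. For a PageSize name that is not in the table this reads
 * size->length through a NULL pointer, the crash class the ASAN trace
 * above reports. Returns the snprintf result. */
int emit_unchecked(char *buf, size_t buflen, const char *name)
{
    const page_size_t *size = find_page_size(name);

    return snprintf(buf, buflen, "<</PageSize[%.0f %.0f]>>setpagedevice\n",
                    size->width, size->length);
}

/* Hardened pattern: fail closed when the lookup returns NULL. Returns -1
 * for an unknown size so the caller can skip the option instead of
 * crashing; otherwise the number of characters snprintf would write. */
int emit_checked(char *buf, size_t buflen, const char *name)
{
    const page_size_t *size = find_page_size(name);

    if (size == NULL) {
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return snprintf(buf, buflen, "<</PageSize[%.0f %.0f]>>setpagedevice\n",
                    size->width, size->length);
}

/* Emit into a local buffer and return the checked emitter's result. */
int emit_len(const char *name)
{
    char buf[64];

    return emit_checked(buf, sizeof buf, name);
}

/* Drives the checked emitter over constructed inputs, including the two
 * cases a fuzzer finds quickly (unknown name, no name at all). Returns
 * how many inputs were rejected instead of dereferenced. */
int run_constructed_inputs(void)
{
    static const char *const inputs[] = { "Letter", "A4", "Bogus", NULL };
    int rejected = 0;
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        if (emit_len(inputs[i]) < 0)
            rejected++;
    return rejected;
}

int main(void)
{
    static const char *const inputs[] = { "Letter", "A4", "Bogus", NULL };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (emit_checked(buf, sizeof buf, inputs[i]) < 0)
            printf("%-6s -> rejected (no such PageSize)\n",
                   inputs[i] ? inputs[i] : "NULL");
        else
            printf("%-6s -> %s", inputs[i], buf);
    }
    /* emit_unchecked(buf, sizeof buf, "Bogus") would crash here. */
    return 0;
}
```

Running the block prints one line per constructed input; "Bogus" and the NULL name are rejected by emit_checked, while emit_unchecked on the same inputs reads through a NULL pointer, which is the behaviour the report's ASAN trace shows (read at the zero page).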