./FuzzTestppd < crash.input
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3407934==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c516efc46a bp 0x7fff595743f0 sp 0x7fff59574280 T0)
==3407934==The signal is caused by a READ memory access.
==3407934==Hint: address points to the zero page.
#0 0x55c516efc46a in cupsResolveConflicts /home/as/cups-oss/cups-opensource/cups/ppd-conflicts.c:210
#1 0x55c516dec16f in main /home/as/cups-oss/cups-opensource/FuzzTestppd.c:75:5
#2 0x7fe8ce9671c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7fe8ce967284 in __libc_start_main csu/../csu/libc-start.c:360:3
#4 0x55c516d103b0 in _start (/home/as/cups-oss/cups-opensource/FuzzTestppd+0xff3b0) (BuildId: d2bb824ef64e5ffa)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/as/cups-oss/cups-opensource/cups/ppd-conflicts.c:210 in cupsResolveConflicts
==3407934==ABORTING
Describe the bug
I have found SIGSEGV crashes with the cups upstream version (c220e78), using a custom fuzzing harness made of the testppd.c and testcache.c unit tests. Here is the minimized fuzzer target to reproduce the bug:
To Reproduce
Steps to reproduce the behaviour: put the crash.input file into the cups project (crash.tar.gz).
This problem arises due to the lack of verification of the size structure for a NULL value in cupsResolveConflicts. The existence of the options structure is checked, however, the elements of this structure may not exist. In that case, we have num_options which is not equal to 0, and non-existent values of the options structure, which causes a SEGV when we try to access options structure elements in ppd-conflicts.c:210.
https://github.com/OpenPrinting/cups/blob/c220e7836b700563516e152ce629ff59b1b23de7/cups/ppd-conflicts.c#L199
https://github.com/OpenPrinting/cups/blob/c220e7836b700563516e152ce629ff59b1b23de7/cups/ppd-conflicts.c#L210-L211
Solution:
The solution is to add a check for a NULL value and return 0 if it is NULL.
System information:
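The inconsistent state the report describes (a non-zero count next to an option array that does not exist, or an element whose name is missing) is easy to model outside CUPS. The following is an added example, not code from the issue or from the CUPS project: it uses a hypothetical model_option_t stand-in for cups_option_t and two hypothetical functions, one that follows the reported pattern of checking only the outer pointer and one that also validates the array and each element before touching it, returning 0 as the proposed fix does. The sample inputs are constructed to mirror the fuzzer's crash input.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for cups_option_t: a name/value pair. */
typedef struct {
  const char *name;
  const char *value;
} model_option_t;

/* Pattern from the report: the pointer-to-array argument `options` is
 * checked, but the array it points to (*options) is not, so a count > 0
 * with *options == NULL dereferences the zero page on the first element.
 * Kept only to show the defect; nothing in this file calls it. */
int
count_options_unchecked(int *num_options, model_option_t **options)
{
  int            i, n = 0;
  model_option_t *opt;

  if (!num_options || !options)
    return (0);

  for (i = *num_options, opt = *options; i > 0; i --, opt ++)
    if (opt->name && opt->value)        /* opt == NULL here -> SEGV */
      n ++;

  return (n);
}

/* Hardened form: reject a count that has no array behind it and any
 * element without a name, returning 0 like the fix proposed above. */
int
count_options_checked(int *num_options, model_option_t **options)
{
  int            i, n = 0;
  model_option_t *opt;

  if (!num_options || !options)
    return (0);
  if (*num_options < 0 || (*num_options > 0 && *options == NULL))
    return (0);                         /* count says 2, array is NULL */

  for (i = *num_options, opt = *options; i > 0; i --, opt ++)
  {
    if (!opt->name)                     /* element present, name missing */
      return (0);
    n ++;
  }

  return (n);
}

int
main(void)
{
  /* Constructed samples: a well-formed array, an array with a missing
   * name, and the crash shape (count 2, no array at all). */
  model_option_t good[2] = { { "PageSize", "A4" }, { "Duplex", "None" } };
  model_option_t bad[2]  = { { "PageSize", "A4" }, { NULL, "None" } };
  model_option_t *gp = good, *bp = bad, *np = NULL;
  int            two = 2;

  printf("well-formed array : %d\n", count_options_checked(&two, &gp));
  printf("element lacks name: %d\n", count_options_checked(&two, &bp));
  printf("count but no array: %d\n", count_options_checked(&two, &np));
  return (0);
}
```

The second guard is the one the report calls for: a caller that passes a count with no array behind it is rejected before the loop runs, instead of the loop reading through a NULL element pointer as at ppd-conflicts.c:210.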