search

OpenPrinting / libcups

OpenPrinting CUPS Library Sources
https://openprinting.github.io/cups/cups3.html
Apache License 2.0
35 stars 17 forks source link

Use of uninitialized memory of trailer list #91

Open fish98 opened 1 day ago

fish98 commented 1 day ago

Description

The use of uninitialized memory of the trailer array is found in function cups_fill of cups/file.c. Detailed code can be found below:

unsigned char   trailer[8]; // Trailer bytes
uLong       tcrc;       // Trailer CRC
ssize_t     tbytes = 0; // Number of bytes

if (fp->stream.avail_in > 0)
{
  if (fp->stream.avail_in > sizeof(trailer))
    tbytes = (ssize_t)sizeof(trailer);
  else
    tbytes = (ssize_t)fp->stream.avail_in;

  memcpy(trailer, fp->stream.next_in, (size_t)tbytes);
  fp->stream.next_in  += tbytes;
  fp->stream.avail_in -= (size_t)tbytes;
}

      if (tbytes < (ssize_t)sizeof(trailer))
{
  if (read(fp->fd, trailer + tbytes, sizeof(trailer) - (size_t)tbytes) < ((ssize_t)sizeof(trailer) - tbytes))
  {
...
  }
}

tcrc = ((((((uLong)trailer[3] << 8) | (uLong)trailer[2]) << 8) | (uLong)trailer[1]) << 8) | (uLong)trailer[0];

if (tcrc != fp->crc)
{ 
...

when vail_in is less than sizeof(trailer), the operation memcpy(trailer, fp->stream.next_in, (size_t)tbytes); will end up with uninitialized value in trailer array. The subsequent function if (read(fp->fd, trailer + tbytes, sizeof(trailer) - (size_t)tbytes) < ((ssize_t)sizeof(trailer) - tbytes)) may also inroduce unitialized value issue when read() function returns EOF or error.

Suggested Fix

  1. Initialize trailer with zero e.g., unsigned char trailer[8] = {0};
  2. Handle read() error

Postscript

The issue is identified by OSS-Fuzz harness fuzzipp with MSAN. Here is the linked issue.