Description

The use of uninitialized memory of the `trailer` array is found in function `cups_fill` of `cups/file.c`. Detailed code can be found below: when `avail_in` is less than `sizeof(trailer)`, the operation `memcpy(trailer, fp->stream.next_in, (size_t)tbytes);` will end up with uninitialized values in the `trailer` array. The subsequent call `if (read(fp->fd, trailer + tbytes, sizeof(trailer) - (size_t)tbytes) < ((ssize_t)sizeof(trailer) - tbytes))` may also introduce an uninitialized value issue when the `read()` function returns EOF or an error.

Suggested Fix

Initialize `trailer` with zero, e.g., `unsigned char trailer[8] = {0};`

Postscript

The issue is identified by the OSS-Fuzz harness `fuzzipp` with MSAN. Here is the linked issue.
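As an added illustration (not CUPS code): a constructed stand-in for the trailer fill described above, with the two-part hardening of zeroing the buffer (the equivalent of `unsigned char trailer[8] = {0};` when the array is passed in) and refusing a short `read()` instead of leaving the tail undefined. The `fake_input_t` type and `fake_read()` are assumptions that mimic zlib's `next_in`/`avail_in` and `read(2)`.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define TRAILER_LEN 8

/* Constructed stand-in for the state cups_fill() works with: a zlib-style
 * buffered input (next_in/avail_in) and the bytes a later read() on fp->fd
 * would return. This is not the CUPS structure itself. */
typedef struct {
    const unsigned char *next_in;   /* still-buffered input bytes */
    size_t               avail_in;  /* how many of them remain */
    const unsigned char *fd_data;   /* what read() would deliver next */
    size_t               fd_len;    /* how many bytes read() can still deliver */
} fake_input_t;

/* Behaves like read(2): copies up to len bytes, returns the count, 0 at EOF. */
static ssize_t fake_read(fake_input_t *in, void *buf, size_t len)
{
    size_t n = len < in->fd_len ? len : in->fd_len;
    memcpy(buf, in->fd_data, n);
    in->fd_data += n;
    in->fd_len  -= n;
    return (ssize_t)n;
}

/* Hardened trailer fill. Two differences from the reported pattern:
 *   1. trailer is zeroed first, so no byte is ever left undefined;
 *   2. a short read() (EOF or error) is reported to the caller instead of
 *      silently leaving the tail of trailer unset.
 * Returns 0 on success, -1 when the trailer could not be completed. */
int fill_trailer(fake_input_t *in, unsigned char trailer[TRAILER_LEN])
{
    size_t tbytes = in->avail_in < TRAILER_LEN ? in->avail_in : TRAILER_LEN;

    memset(trailer, 0, TRAILER_LEN);          /* fix 1: no uninitialised bytes */
    memcpy(trailer, in->next_in, tbytes);     /* take what is still buffered */
    in->next_in  += tbytes;
    in->avail_in -= tbytes;

    if (tbytes < TRAILER_LEN) {
        ssize_t got = fake_read(in, trailer + tbytes, TRAILER_LEN - tbytes);
        if (got < 0 || (size_t)got != TRAILER_LEN - tbytes)
            return -1;                        /* fix 2: EOF/error is an error */
    }
    return 0;
}
```

Under MSAN the original pattern reports a use of uninitialised memory as soon as the short-filled trailer is inspected; with the zeroing in place the read-return check is what turns a truncated stream into a reported error rather than a silently accepted trailer.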