Re: Bug#972339: armhf: hpcups crashes with free() invalid pointer for some printers

[Jeffrey Walton <noloader@gmail.com>]

On Sat, Feb 27, 2021 at 1:21 PM Bernhard Übelacker
<bernhardu@mailbox.org> wrote:
>
> I have retried with the patch in #974828, but it still
> crashed with the test files from this bug, therefore
> I guess #974828 is similar but unrelated.
>
> Then I took another look at the valgrind runs and found
> that these invalid reads and writes also appear at amd64.
>
> After some digging I gave up to understand the pointer
> calculations and such and tried to just increase the
> allocations and came up with the attached three patches.
>
> (While working at #974828 I found one such "+ 32" in
> HPCupsFilter.cpp which might be already a workaround by upstream?)
>
> With these three applied a valgrind run shows no more errors
> with amd64 or armhf, and also does not abort at armhf.
>
> As this just allocates a few extra bytes I assume that the
> print result should not be different by these patches.
> And I hope that memset'ing these buffers has no security
> related effects.
>
> For the crash is just the Halftoner patch important.
> The other two are currently just for valgrind, but that
> might change in future with compiler changes or similar.
>
> What do you think?

For the 0079 patch, this is probably a little more efficient since it
avoids a mod which may be implemented as a division:

    PlaneSize= (OutputWidth[i]+7)/8; // doublecheck ... should already
be divisible by 8

The thing that is not clear to me... What is the datatype of
OutputWidth[i]? If it is a 16-bit type (or larger), then you may want:

    const size_t width = sizeof(OutputWidth[0])*CHAR_BITS;
    PlaneSize= (OutputWidth[i]+width-1)/8;

Jeff