
Bug#812447: cups-filters-core-drivers: sys5ippprinter: Buffer overflow



Package: cups-filters-core-drivers
Version: 1.8.1-1
Severity: important
File: /usr/lib/cups/filter/sys5ippprinter

In sys5ippprinter, there seems to be an error in
set_option_in_str(), causing reads and writes 1, 2
or 8 bytes beyond the end of the buffer (AFAICT).

At least for some buffers.

For example, the following invocation, with an option
string as generated by cups-browsed (patched to
include the PDL listed there) and a test page
print command fails:

/usr/lib/cups/filter/sys5ippprinter 250 root "Test Page" 1 "job-uuid=urn:uuid:934a24ec-6725-3576-69fd-5b1d269ef0d6 cups-browsed make-and-model=Example-Make-And-Model media=iso_a4_210x297mm media-bottom-margin=1270 media-left-margin=318 media-right-margin=318 media-top-margin=300 output-format=application/vnd.hp-PCL,image/jpeg,application/PCLm,image/urf sides=two-sided-long-edge job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1453564005 time-at-processing=1453564107 print-color-mode=RGB media-class="  /tmp/non-existing

Removing the time related and media-class options makes
it work under valgrind (with errors still being displayed
though - but now 1 byte instead of 2), but still fail in
normal use.

This causes the process to fail memory allocation at some
point, because the metadata of the allocator is overwritten.

Those strings are automatically generated by a combination of
cups-browsed which discovers the printers, if the option for
detecting IPP printers is enabled; and the print job itself.


-- Valgrind (which is buggy and cannot read debug symbols currently):

==1836== Invalid read of size 2
==1836==    at 0x4C2E4CF: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445126 is 0 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836== 
==1836== Invalid read of size 2
==1836==    at 0x4C2E4C0: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445128 is 2 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836== 
==1836== Invalid write of size 2
==1836==    at 0x4C2E4C3: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445126 is 0 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836== 

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 720, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups-filters-core-drivers depends on:
ii  bc               1.06.95-9+b1
ii  libc6            2.21-6
ii  libcups2         2.1.2-2+b1
ii  libcupsfilters1  1.8.1-1urf1
ii  libcupsimage2    2.1.2-2+b1
ii  libgcc1          1:5.3.1-6
ii  liblcms2-2       2.6-3+b3
ii  libpoppler57     0.38.0-2
ii  libqpdf17        6.0.0-2
ii  libstdc++6       5.3.1-6
ii  poppler-utils    0.38.0-2

cups-filters-core-drivers recommends no packages.

cups-filters-core-drivers suggests no packages.

-- no debconf information

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
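As an added illustration of the failure mode this report describes (a helper that rewrites an option value inside a fixed-size, heap-allocated buffer and runs a few bytes past its end, corrupting allocator metadata), here is a bounds-checked option setter written for this page. It is not the cups-filters code and only borrows the function name from the report; the buffer size, the token format and the sample option strings are constructed assumptions, and the check that matters is the explicit capacity test before every memmove/memcpy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Replace (or append) "option=value" in a space-separated option string
 * such as the cups-browsed-generated one quoted in the report, refusing
 * to write past `bufsize`. Returns 0 on success, -1 if the result would
 * not fit or the arguments are invalid. Hypothetical implementation for
 * illustration; the name mirrors the report, not the project's code. */
int set_option_in_str(char *buf, size_t bufsize, const char *option, const char *value)
{
    if (!buf || !option || !value || bufsize == 0) return -1;
    size_t optlen = strlen(option);
    size_t vallen = strlen(value);
    size_t buflen = strnlen(buf, bufsize);
    if (buflen == bufsize) return -1;          /* no NUL inside the buffer */

    /* Locate an existing "option=" at a token boundary only, so that
     * "media" does not match inside "media-class=". */
    const char *p = buf;
    while ((p = strstr(p, option)) != NULL) {
        int at_start = (p == buf) || (p[-1] == ' ');
        if (at_start && p[optlen] == '=') break;
        p += optlen;
    }

    if (p) {
        /* Existing option: old value occupies [vstart, vend). */
        size_t vstart = (size_t)(p - buf) + optlen + 1;
        size_t vend = vstart;
        while (vend < buflen && buf[vend] != ' ') vend++;
        size_t oldlen = vend - vstart;
        /* New length is buflen - oldlen + vallen; reserve one byte for NUL.
         * This is the check whose absence yields the 1/2/8-byte overrun. */
        if (buflen - oldlen + vallen + 1 > bufsize) return -1;
        /* Shift the tail (including its NUL) before writing the new value. */
        memmove(buf + vstart + vallen, buf + vend, buflen - vend + 1);
        memcpy(buf + vstart, value, vallen);
        return 0;
    }

    /* Not present: append " option=value" (separator only if non-empty). */
    size_t sep = buflen ? 1 : 0;
    if (buflen + sep + optlen + 1 + vallen + 1 > bufsize) return -1;
    char *w = buf + buflen;
    if (sep) *w++ = ' ';
    memcpy(w, option, optlen); w += optlen;
    *w++ = '=';
    memcpy(w, value, vallen); w += vallen;
    *w = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a short option string in a small buffer. */
    char opts[32] = "a=1 media=b";
    printf("replace: %d -> \"%s\"\n",
           set_option_in_str(opts, sizeof opts, "media", "iso_a4"), opts);
    printf("append:  %d -> \"%s\"\n",
           set_option_in_str(opts, sizeof opts, "sides", "two"), opts);
    /* A value that does not fit is rejected instead of overrunning. */
    printf("too big: %d -> \"%s\"\n",
           set_option_in_str(opts, sizeof opts, "a", "0123456789abcdef"), opts);
    return 0;
}
```

Running the original sys5ippprinter invocation under valgrind, as the report does, is the right way to confirm whether a real helper has this class of defect: any "Invalid write" at an address "N bytes after a block" is the signature of a missing capacity check like the one above.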

