Bug#975578: cups-browsed: segfault at 0 ip 00000000f7b5637c sp 00000000ffab2890 (NULL pointer deref)
Package: cups-browsed
Version: 1.28.5-1
Severity: important
X-Debbugs-Cc: tg@mirbsd.de
Nov 23 20:34:11 tglase vmunix: [12181565.392373] cups-browsed[19303]: segfault at 0 ip 00000000f7b5637c sp 00000000ffab2890 error 6 in libcupsfilters.so.1.0.0[f7b3a000+24000]
Nov 23 20:34:11 tglase vmunix: [12181565.392385] Code: 48 89 ef 31 c0 e8 04 4c fe ff e9 0f ff ff ff 0f 1f 80 00 00 00 00 8b 7c 24 44 4c 89 f6 e8 8c 47 fe ff c7 44 24 58 01 00 00 00 <67> c6 00 00 e9 02 de ff ff 0f 1f 00 8b 7c 24 44 ba 29 00 00 00 8d
Installing the necessary dbgsym packages and unpacking the source shows
this to clearly be a NULL pointer dereference (more below the backtrace):
tglase@tglase:/tmp/cups-filters-1.28.5 $ gdb /usr/sbin/cups-browsed ~/c-b.core
GNU gdb (Debian 10.1-1+b1) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnux32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/cups-browsed...
Reading symbols from /usr/lib/debug/.build-id/61/b1dea4178595f657692de37d747568dd7f89a8.debug...
[New LWP 19303]
[New LWP 19305]
[New LWP 19304]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Core was generated by `/usr/sbin/cups-browsed'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xf7b5637c in ppdCreateFromIPP2 (buffer=buffer@entry=0xffab54c0 "/tmp/04b675fbcfcbf",
bufsize=bufsize@entry=8192, response=<optimized out>, make_model=make_model@entry=0x0, pdl=pdl@entry=0x0,
color=color@entry=1, duplex=1, conflicts=0x0, sizes=0x56d66b70, default_pagesize=0x0,
default_cluster_color=0x0) at cupsfilters/ppdgenerator.c:2227
2227 *suffix = '\0';
[Current thread is 1 (Thread 0xf67b2a00 (LWP 19303))]
(gdb) set pagination 0
(gdb) print suffix
$1 = 0x0
(gdb) bt full
#0 0xf7b5637c in ppdCreateFromIPP2 (buffer=buffer@entry=0xffab54c0 "/tmp/04b675fbcfcbf", bufsize=bufsize@entry=8192, response=<optimized out>, make_model=make_model@entry=0x0, pdl=pdl@entry=0x0, color=color@entry=1, duplex=1, conflicts=0x0, sizes=0x56d66b70, default_pagesize=0x0, default_cluster_color=0x0) at cupsfilters/ppdgenerator.c:2227
tbottom = '\000' <repeats 255 times>
ttop = '\000' <repeats 255 times>
twidth = '\000' <repeats 88 times>, "\230j\230\367", '\000' <repeats 28 times>, "\307\305jV\000\000\000\000p5\253\377\000\000\000\000\220\065\253\377\000\000\000\000X\000\000\000\000\000\000\000\240\305jV\000\000\000\000\300\066\253\377\000\000\000\000\fޖ\367\000\000\000\000=\000\000\000\000\000\000\000\006\242eV\000\000\000\000\360\066\253\377\000\000\000\000\f"...
ppdsizename = "\235<\b\000\000\000\000\000`\321\306V\000(\000_\000\000\000\000\000\000\000\000\063o\255\367", '\000' <repeats 12 times>, "\001\000\000\000\000\000\000\000\f\000\000\000\000\000\000\000+\254\230\367\000\000\000\000\255\a\360\367\000\000\000\000ç\230\367\000\000\000\000`\321\325V\000\000\000\000ç\230\367", '\000' <repeats 17 times>, "(\000_\000\000\000\000\000\000\000\000\004S\325V\000(\000_"
tright = '\000' <repeats 255 times>
ippsizename = <optimized out>
suffix = 0x0
tleft = "\240\354\325V\000\000\000\000 \353\325V\000\000\000\000x,\253\377\000\000\000\000\220\374\325V\000\000\000\000\263\016\274_\000\000\000\000!\272\000\000\000\000\000\000\263\016\274_\000\000\000\000!\272\000\000\000\000\000\000p\371\325V\260X\262V\000\000\000\000\000\000\000\000\220\336\362\367\310\066\253\377\000\000\000\000\000\000\000\000 H\325V", '\000' <repeats 155 times>
tlength = '\000' <repeats 16 times>, "\020Y\262V\315\377\377\377\063\000\000\000 \000\000\000\307\305jV\000\000\000\000\v\000\000\000\002\000\000\000\305\305jV\000\000\000\000\264\006\000\000\000\000\000\000\022\242eV\307\305jV\000\000\000\000\002\000\000\000\020\242eV\000\000\000\000\264\006\000\000\000\000\000\000\000\000\000\000\022\242eV", '\000' <repeats 40 times>, "(\000\000\000\060\000\000\000\240\067\253\377\340\066\253\377", '\000' <repeats 16 times>, "\060\000\000\000\060\000\000\000\020<\253\377\020;\253\377", '\000' <repeats 63 times>
all_borderless = 1
fp = 0x56d62e70
printer_sizes = <optimized out>
size = <optimized out>
attr = <optimized out>
attr2 = <optimized out>
defattr = 0x0
quality = <optimized out>
x_dim = <optimized out>
y_dim = <optimized out>
media_col = <optimized out>
media_size = <optimized out>
make = "Zebra\000ZPL Label Printer\000`^\257V\000\000\000\000 ^\257V\000\000\000\000ç\230\367\000\000\000\000\304ԱV\000\000\000\000+\254\230\367", '\000' <repeats 12 times>, "+\254\230\367\000\000\000\000\000\367\325V\000\000\000\000\034\367\325V\000(\000_\304ԱV", '\000' <repeats 12 times>, "p\371\325V\000\000\000\000\177p\255\367\000(\000_\000\000\000\000\000\000\000\000\024\000\000\000\000\000\000\000\320+\253\377", '\000' <repeats 20 times>, "\340+\253\377", '\000' <repeats 12 times>, "\301\351\362\367", '\000' <repeats 12 times>, "\225H\253"...
model = <optimized out>
ppdname = "Unknown\000d\\X\367\000\000\000\000\030\000\000\000\060\000\000\000\360*\253\377 *\253\377`\321\306V\000\000\000\000"
i = <optimized out>
j = <optimized out>
count = <optimized out>
bottom = 0
left = 0
right = 0
top = 0
max_length = 127000
max_width = 20320
min_length = 1270
min_width = 1270
is_apple = <optimized out>
is_pwg = 1
is_pclm = 0
is_pdf = 1
pwg = <optimized out>
xres = <optimized out>
yres = <optimized out>
common_res = 0x56d66c80
current_res = 0x56d66c80
pdl_list = <optimized out>
common_def = 0x56d66920
current_def = 0x0
min_res = 0x56d66930
max_res = 0x56d66940
lang = 0x56ac8ac0
loc = 0xf7abf7c0 <result>
printer_opt_strings_catalog = 0x0
human_readable = <optimized out>
human_readable2 = <optimized out>
keyword = <optimized out>
fin_options = 0x0
buf = '\000' <repeats 32 times>, "/printers/pr-bn-1og", '\000' <repeats 125 times>, "//.cups/lpoptions\000s", '\000' <repeats 60 times>
filter_path = '\000' <repeats 360 times>...
cups_serverbin = <optimized out>
defaultoutbin = <optimized out>
outbin = <optimized out>
outbin_properties = '\000' <repeats 12 times>, "q\324\325V`^\262V\000\000\000\000\264){\366\320\067\253\377\000\000\000\000\000\000\000\000`\324\325Vx\000\000\000/var/cache/cups/cups-browsed-options-Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16", '\000' <repeats 741 times>...
octet_str_len = 0
outbin_properties_octet = <optimized out>
outputorderinfofound = <optimized out>
faceupdown = <optimized out>
firsttolast = <optimized out>
manual_copies = <optimized out>
is_fax = 0
formatfound = <optimized out>
#1 0x56651c43 in update_cups_queues (unused=<optimized out>) at utils/cups-browsed.c:8537
p = <optimized out>
q = <optimized out>
r = <optimized out>
s = <optimized out>
master = <optimized out>
http = <optimized out>
uri = "ipp://localhost/printers/Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16", '\000' <repeats 532 times>...
device_uri = "implicitclass://Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16/", '\000' <repeats 540 times>...
buf = '\000' <repeats 509 times>...
line = '\000' <repeats 960 times>...
num_options = <optimized out>
options = 0x0
num_jobs = <optimized out>
jobs = 0x0
request = <optimized out>
current_time = <optimized out>
i = <optimized out>
ap_remote_queue_id_line_inserted = <optimized out>
want_raw = <optimized out>
num_cluster_printers = <optimized out>
disabled_str = <optimized out>
ptr = <optimized out>
ppdfile = <optimized out>
ifscript = 0x0
fd = <optimized out>
tempfile = '\000' <repeats 256 times>...
buffer = "/tmp/04b675fbcfcbf", '\000' <repeats 430 times>...
bytes = <optimized out>
cups_serverbin = <optimized out>
attr = <optimized out>
count = <optimized out>
left = <optimized out>
right = <optimized out>
bottom = <optimized out>
top = <optimized out>
default_page_size = <optimized out>
best_color_space = 0x0
color_space = <optimized out>
loadedppd = 0x0
ppd = <optimized out>
choice = <optimized out>
in = <optimized out>
out = <optimized out>
keyword = "\200Z\253\377\000\000\000\000A8eV\000\000\000\000\340h\253\377\000\000\000\000\a\274eV\000\000\000\000\a\274eV\000\000\000\000\a\274eV", '\000' <repeats 20 times>, "\340d\253\377\000\000\000\000E", '\000' <repeats 19 times>, "w\002\000\000ipp", '\000' <repeats 93 times>, "\061\067\062.26.7"...
keyptr = <optimized out>
customval = <optimized out>
val = <optimized out>
dest = <optimized out>
is_shared = <optimized out>
conflicts = <optimized out>
printer_attributes = 0x56b01a50
sizes = <optimized out>
printer_ipp_response = <optimized out>
make_model = <optimized out>
pdl = 0x0
color = 1
duplex = 1
default_pagesize = <optimized out>
default_color = 0x0
cups_queues_updated = 0
cannot_create = <optimized out>
#2 0xf7bfdbd3 in g_timeout_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../../../glib/gmain.c:4877
timeout_source = 0x56c6d1d0
again = <optimized out>
#3 0xf7bfd085 in g_main_dispatch (context=0x56ac95a0) at ../../../glib/gmain.c:3325
dispatch = 0xf7bfdbc0 <g_timeout_dispatch>
prev_source = 0x0
begin_time_nsec = 0
was_in_call = 0
user_data = 0x0
callback = 0x5664fea0 <update_cups_queues>
cb_funcs = <optimized out>
cb_data = <optimized out>
need_destroy = <optimized out>
source = 0x56c6d1d0
current = 0x56ab6db0
i = 0
__func__ = "g_main_dispatch"
#4 g_main_context_dispatch (context=0x56ac95a0) at ../../../glib/gmain.c:4043
No locals.
#5 0xf7bfd468 in g_main_context_iterate (context=0x56ac95a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4119
max_priority = 2147483647
timeout = 54
some_ready = 1
nfds = 3
allocated_nfds = 3
fds = 0x56af3380
begin_time_nsec = 0
#6 0xf7bfd74f in g_main_loop_run (loop=<optimized out>) at ../../../glib/gmain.c:4317
self = <optimized out>
__func__ = "g_main_loop_run"
#7 0x5663cc6b in main (argc=1, argv=<optimized out>) at utils/cups-browsed.c:12644
ret = 1
http = <optimized out>
i = <optimized out>
val = <optimized out>
p = <optimized out>
proxy = <optimized out>
error = 0x0
subscription_id = 1890
action = {__sigaction_handler = {sa_handler = 0x566486e0 <sigusr2_handler>, sa_sigaction = 0x566486e0 <sigusr2_handler>}, sa_mask = {__val = {2048, 0 <repeats 31 times>}}, sa_flags = 0, sa_restorer = 0x0}
The offending code is pretty clear, too:
(gdb) list
2222 if (size)
2223 all_borderless = 0;
2224
2225 if (all_borderless) {
2226 suffix = strcasestr(ppdname, ".Borderless");
2227 *suffix = '\0';
2228 }
2229
2230 cupsFilePrintf(fp, "*OpenUI *PageSize/%s: PickOne\n"
2231 "*OrderDependency: 10 AnySetup *PageSize\n"
Looks like a missing NULL check for the strcasestr result.
(gdb) print ppdname
$2 = "Unknown\000d\\X\367\000\000\000\000\030\000\000\000\060\000\000\000\360*\253\377 *\253\377`\321\306V\000\000\000\000"
There’s the culprit — no “.Borderless” in there.
I guess that the loop in lines 2218–2223 is not quite right,
but I can’t introspect now:
(gdb) print *sizes
$4 = {num_elements = 55, alloc_elements = 64, current = 55, insert = 34, unique = 1, num_saved = 0, saved = {0 <repeats 32 times>}, elements = 0x56d685a0, compare = 0xf7b50510 <pwg_compare_sizes>, data = 0x0, hashfunc = 0x0, hashsize = 0, hash = 0x0, copyfunc = 0xf7b50620 <pwg_copy_size>, freefunc = 0xf798e240 <__GI___libc_free>}
(gdb) print *sizes->elements
$5 = (void *) 0x56d66c30
(gdb) print cupsArrayCount(sizes)
You can't do that without a process to debug.
This is most likely not x32-specific thus…
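As an added illustration (editor's example, not code from cups-filters or from the reporter), the suffix-stripping step at cupsfilters/ppdgenerator.c:2226-2227 with the NULL check the report identifies as missing; `find_ci`, `strip_borderless_suffix` and `stripped_name` are hypothetical helper names and the sample names are constructed, with `find_ci` standing in for glibc's strcasestr() so the block builds without GNU feature macros:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for glibc's strcasestr() (a GNU extension): case-insensitive
 * search for needle in hay, NULL when absent, exactly like strcasestr(). */
static char *find_ci(char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Hypothetical helper mirroring ppdgenerator.c:2226-2227.  The original does
 * `*suffix = '\0'` straight after strcasestr(), so a ppdname without
 * ".Borderless" ("Unknown" in the core dump above) dereferences NULL.
 * Returns 1 if the suffix was cut off, 0 if there was nothing to cut. */
static int strip_borderless_suffix(char *ppdname)
{
    if (ppdname == NULL)
        return 0;
    char *suffix = find_ci(ppdname, ".Borderless");
    if (suffix == NULL)              /* the check the report says is missing */
        return 0;
    *suffix = '\0';
    return 1;
}

/* Copy a name into a static buffer and strip it, for callers starting
 * from a string literal. */
static const char *stripped_name(const char *name)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "%s", name);
    strip_borderless_suffix(buf);
    return buf;
}

int main(void)
{
    const char *samples[] = { "A4.Borderless", "Letter.BORDERLESS", "Unknown" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %s\n", samples[i], stripped_name(samples[i]));
    return 0;
}
```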
-- System Information:
Debian Release: bullseye/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages cups-browsed depends on:
ii cups-daemon 2.3.3-3
ii init-system-helpers 1.59
ii libavahi-client3 0.8-3
ii libavahi-common3 0.8-3
ii libavahi-glib1 0.8-3
ii libc6 2.31-4
ii libcups2 2.3.3-3
ii libcupsfilters1 1.28.5-1
ii libglib2.0-0 2.66.3-1
ii libldap-2.4-2 2.4.56+dfsg-1
ii lsb-base 11.1.0
Versions of packages cups-browsed recommends:
ii avahi-daemon 0.8-3
cups-browsed suggests no packages.
-- no debconf information