
Bug#974828: printer-driver-hpcups: SIGABRT with "free(): invalid next size (normal)" in HPCupsFilter::cleanup



Control: tags -1 +pending

On Friday, 26 February 2021, 15:41:07 CET, Bernhard Übelacker wrote:
> Dear Maintainer,
> with the original PPD and input files from Ian I could
> reproduce the issue, and with the help of rr-debugger
> this is what I assume happens:
> 
> - The buffer m_pPrinterBuffer is allocated here with
>    the current sizes inside cups_header. [1]
> 
> - The first page gets processed, and for the second page
>    a new cups_header record gets copied. [2]
>    Unfortunately the header now contains larger sizes,
>    but the buffer is not grown accordingly.
> 
> - Now this buffer is written to by a read function, beyond
>    its end, so malloc's management information for
>    some other random memory gets overwritten. [3]
> 
> - The defect in the management information of malloc is detected
>    and the process is aborted. [4]
> 
> 
> The attached patch is an attempt to grow the buffer size
> if the header changes on a new page.
> This is only tested for the given crash, nothing more, so
> there might be side effects from replacing this buffer?

I have forwarded this upstream, but don't hold your breath; I don't expect any 
feedback from them, sadly. :-(

I'll apply this and upload to unstable once the current version has migrated.

Thanks a lot for your work!

    OdyX
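The mechanism described in the quoted analysis, as an added example that is neither the hpcups filter's code nor the attached patch: a scan-line buffer sized from the first page's header, a second page whose header carries a larger line width, the unfixed loop that writes past the stale buffer, and the same loop with the buffer grown whenever a new header needs more. `struct page_header`, `read_line`, `process_pages_vuln`, `process_pages_fixed`, `first_overflowing_page` and the two-page job are all constructed stand-ins (the field names borrow from cups_page_header2_t, but the struct is a simplification).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the fields of cups_page_header2_t that size the
 * per-page raster buffer (constructed for this example, not the filter's code). */
struct page_header {
    unsigned cupsBytesPerLine;
    unsigned cupsHeight;
};

/* Stand-in for the raster read: fills one scan line of h->cupsBytesPerLine
 * bytes. It trusts the caller to have sized buf from the *current* header,
 * which is exactly what goes wrong when the buffer was sized from page 1. */
static void read_line(const struct page_header *h, unsigned char *buf, unsigned char fill)
{
    memset(buf, fill, h->cupsBytesPerLine);
}

/* Vulnerable shape: buffer allocated once from the first page's header and
 * reused for every following page, even if a later header is larger.
 * Page 2 here writes 256 bytes past the allocation into the next chunk's
 * malloc header; on a typical glibc the free() is then expected to abort
 * with "free(): invalid next size (normal)". */
static void process_pages_vuln(const struct page_header *pages, size_t n)
{
    unsigned char *buf = malloc(pages[0].cupsBytesPerLine);
    if (!buf) abort();
    for (size_t p = 0; p < n; p++) {
        /* The header of page p is "copied in" here, but buf is not grown. */
        read_line(&pages[p], buf, 0x41);   /* overflows when page p is wider */
    }
    free(buf);   /* glibc inspects the neighbouring chunk here */
}

/* Fixed shape: remember the capacity the buffer was allocated with and grow
 * it whenever a new page's header needs more. Returns the final capacity. */
static size_t process_pages_fixed(const struct page_header *pages, size_t n)
{
    unsigned char *buf = NULL;
    size_t cap = 0;
    for (size_t p = 0; p < n; p++) {
        size_t need = pages[p].cupsBytesPerLine;
        if (need > cap) {
            unsigned char *nb = realloc(buf, need);
            if (!nb) { free(buf); abort(); }
            buf = nb;
            cap = need;
        }
        read_line(&pages[p], buf, 0x41);
    }
    free(buf);
    return cap;
}

/* Static check of a job: index of the first page whose line width exceeds the
 * page-1 allocation, or -1 if a once-sized buffer is safe for the whole job. */
static int first_overflowing_page(const struct page_header *pages, size_t n)
{
    for (size_t p = 1; p < n; p++)
        if (pages[p].cupsBytesPerLine > pages[0].cupsBytesPerLine)
            return (int)p;
    return -1;
}

int main(int argc, char **argv)
{
    /* Constructed two-page job: the second page is wider than the first.
     * Sizes are above glibc's tcache limit so free() runs its next-chunk check. */
    struct page_header job[2] = {
        { 4096, 10 },
        { 4352, 10 },
    };
    printf("first page that outgrows the page-1 buffer: %d\n",
           first_overflowing_page(job, 2));
    printf("fixed loop final capacity: %zu\n", process_pages_fixed(job, 2));
    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        puts("running the unfixed loop; expect glibc to abort in free()");
        process_pages_vuln(job, 2);
    }
    return 0;
}
```

Run it without arguments to see the check and the fixed loop; run it with `crash` to reproduce the unfixed loop's heap corruption. The detection happens only at `free()`, which matches the report's crash site in the filter's cleanup path rather than at the write itself: building with `-fsanitize=address` moves the report to the offending `memset`.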


