Bug#781542: pu: package hp2xx/3.4.4-8
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I received a report for crashes in hp2xx which were found with American
fuzzy lop (afl). For unstable I already uploaded -10 with the following
patch. It should apply to the version in stable as well since nothing
changed in the code in between. Please advise how to proceed.
Christian
diff -uwr hp2xx-3.4.4a/sources/hpgl.c hp2xx-3.4.4afl//sources/hpgl.c
--- hp2xx-3.4.4a/sources/hpgl.c 2003-06-21 19:54:45.000000000 +0200
+++ hp2xx-3.4.4afl//sources/hpgl.c 2015-03-28 16:01:10.000000000 +0100
@@ -1297,9 +1297,14 @@
** EOF if EOF met
**/
{
- int c;
+ volatile int c; /* Keep compilers from optimizing out the initial EOF check */
+ int i;
char *ptr, numbuf[80];
+ c = getc(hd);
+ if (c == EOF) return EOF;
+ ungetc (c, hd);
+
for (c = getc(hd);
(c != '.') && (c != '+') && (c != '-') && ((c < '0')
|| (c > '9'));
@@ -1316,9 +1321,13 @@
}
/* Number found: Get it */
ptr = numbuf;
+ i = 0;
for (*ptr++ = c, c = getc(hd);
- ((c >= '0') && (c <= '9')) || (c == '.'); c = getc(hd))
+ ((c >= '0') && (c <= '9')) || (c == '.') || (c == '\n'); c = getc(hd))
+ if (c != '\n') {
*ptr++ = c; /* Read number */
+ i++; if (i == 79) break; /* until buffer full */
+ }
*ptr = '\0';
if (c != EOF)
ungetc(c, hd);
diff -uwr hp2xx-3.4.4a/sources/lindef.c hp2xx-3.4.4afl//sources/lindef.c
--- hp2xx-3.4.4a/sources/lindef.c 2003-06-21 17:31:51.000000000 +0200
+++ hp2xx-3.4.4afl//sources/lindef.c 2015-03-28 15:55:29.000000000 +0100
@@ -92,6 +92,11 @@
return;
} else {
index = (int) tmp;
+ if (index > LT_MAX || index < -LT_MAX) {
+ if (!silent_mode)
+ fprintf(stderr,"UL command for invalid linetype %d ignored\n",index);
+ return;
+ }
}
pos_index = index - LT_MIN;
diff -uwr hp2xx-3.4.4a/sources/picbuf.c hp2xx-3.4.4afl//sources/picbuf.c
--- hp2xx-3.4.4a/sources/picbuf.c 2003-06-21 17:31:51.000000000 +0200
+++ hp2xx-3.4.4afl//sources/picbuf.c 2015-03-28 15:55:29.000000000 +0100
@@ -340,6 +340,10 @@
return NULL;
}
+ if (n_rows <= 0 || n_cols <= 0) {
+ Eprintf("Invalid image dimensions: %d x %d\n",n_rows,n_cols);
+ return NULL;
+ }
pb->nr = n_rows;
pb->nc = n_cols;
pb->sd = NULL;
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: