Bug#781589: unblock: hp2xx/3.4.4-10
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package hp2xx
I received a report of crashes found with American Fuzzy Lop (afl) in my
package hp2xx. The 006_afl.diff from upstream fixes this:
On Sat, Mar 28, 2015 at 04:12:24PM +0100, Martin Kroeker wrote:
> Okay, understood it now - the *reproducer files are the actual, fuzzed
> inputs that cause the respective crashes, and the ones that appear to be
> in some unknown binary representation are simply random bytestreams that
> happen to trip up hp2xx. So far it all seems to boil down to two locations
> that are/were easy to fix, but I guess I will have to do my own runs of
> the
> fuzzer now to be sure the previous checks did not miss anything.
> The attached patch should apply cleanly to 3.4.4, I will update the
> 3.5.alpha snapshot on my website later.
This has already been accepted in unstable and I prepared a version for stable as well.
Please accept this fix also for testing.
Christian
diff -u hp2xx-3.4.4/debian/changelog hp2xx-3.4.4/debian/changelog
--- hp2xx-3.4.4/debian/changelog
+++ hp2xx-3.4.4/debian/changelog
@@ -1,3 +1,9 @@
+hp2xx (3.4.4-10) unstable; urgency=high
+
+ * include patch by Martin Kroeker to fix crashes found by Jodie Cunningham
+
+ -- Christian T. Steigies <cts@debian.org> Mon, 30 Mar 2015 19:45:54 +0200
+
hp2xx (3.4.4-9) unstable; urgency=low
* build-depend on libtiff-dev, not libtiff4-dev (closes: #736012)
only in patch2:
unchanged:
--- hp2xx-3.4.4.orig/debian/patches/006_afl.diff
+++ hp2xx-3.4.4/debian/patches/006_afl.diff
@@ -0,0 +1,63 @@
+diff -uwr hp2xx-3.4.4a/sources/hpgl.c hp2xx-3.4.4afl//sources/hpgl.c
+--- hp2xx-3.4.4a/sources/hpgl.c 2003-06-21 19:54:45.000000000 +0200
++++ hp2xx-3.4.4afl//sources/hpgl.c 2015-03-28 16:01:10.000000000 +0100
+@@ -1297,9 +1297,14 @@
+ ** EOF if EOF met
+ **/
+ {
+- int c;
++ volatile int c; /* Keep compilers from optimizing out the initial EOF check */
++ int i;
+ char *ptr, numbuf[80];
+
++ c = getc(hd);
++ if (c == EOF) return EOF;
++ ungetc (c, hd);
++
+ for (c = getc(hd);
+ (c != '.') && (c != '+') && (c != '-') && ((c < '0')
+ || (c > '9'));
+@@ -1316,9 +1321,13 @@
+ }
+ /* Number found: Get it */
+ ptr = numbuf;
++ i = 0;
+ for (*ptr++ = c, c = getc(hd);
+- ((c >= '0') && (c <= '9')) || (c == '.'); c = getc(hd))
++ ((c >= '0') && (c <= '9')) || (c == '.') || (c == '\n'); c = getc(hd))
++ if (c != '\n') {
+ *ptr++ = c; /* Read number */
++ i++; if (i == 79) break; /* until buffer full */
++ }
+ *ptr = '\0';
+ if (c != EOF)
+ ungetc(c, hd);
+diff -uwr hp2xx-3.4.4a/sources/lindef.c hp2xx-3.4.4afl//sources/lindef.c
+--- hp2xx-3.4.4a/sources/lindef.c 2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/lindef.c 2015-03-28 15:55:29.000000000 +0100
+@@ -92,6 +92,11 @@
+ return;
+ } else {
+ index = (int) tmp;
++ if (index > LT_MAX || index < -LT_MAX) {
++ if (!silent_mode)
++ fprintf(stderr,"UL command for invalid linetype %d ignored\n",index);
++ return;
++ }
+ }
+
+ pos_index = index - LT_MIN;
+diff -uwr hp2xx-3.4.4a/sources/picbuf.c hp2xx-3.4.4afl//sources/picbuf.c
+--- hp2xx-3.4.4a/sources/picbuf.c 2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/picbuf.c 2015-03-28 15:55:29.000000000 +0100
+@@ -340,6 +340,10 @@
+ return NULL;
+ }
+
++ if (n_rows <= 0 || n_cols <= 0) {
++ Eprintf("Invalid image dimensions: %d x %d\n",n_rows,n_cols);
++ return NULL;
++ }
+ pb->nr = n_rows;
+ pb->nc = n_cols;
+ pb->sd = NULL;
unblock hp2xx/3.4.4-10
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: