
Bug#781589: marked as done (unblock: hp2xx/3.4.4-10)



Your message dated Tue, 31 Mar 2015 12:18:44 +0100
with message-id <3e42c65b82ee00800119242671089d0e@mowgli.jungle.funky-badger.org>
and subject line Re: Bug#781589: unblock: hp2xx/3.4.4-10
has caused the Debian Bug report #781589,
regarding unblock: hp2xx/3.4.4-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781589: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781589
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package hp2xx
I received a report of crashes found with American Fuzzy Lop (afl) in my
package hp2xx. The 006_afl.diff from upstream fixes this:

On Sat, Mar 28, 2015 at 04:12:24PM +0100, Martin Kroeker wrote:
> Okay, understood it now - the *reproducer files are the actual, fuzzed
> inputs that cause the respective crashes, and the ones that appear to be
> in some unknown binary representation are simply random bytestreams that
> happen to trip up hp2xx. So far it all seems to boil down to two locations
> that are/were easy to fix, but I guess I will have to do my own runs of
> the fuzzer now to be sure the previous checks did not miss anything.
> The attached patch should apply cleanly to 3.4.4, I will update the
> 3.5.alpha snapshot on my website later.

This has already been accepted in unstable and I prepared a version for stable as well.
Please accept this fix also for testing.

Christian

diff -u hp2xx-3.4.4/debian/changelog hp2xx-3.4.4/debian/changelog
--- hp2xx-3.4.4/debian/changelog
+++ hp2xx-3.4.4/debian/changelog
@@ -1,3 +1,9 @@
+hp2xx (3.4.4-10) unstable; urgency=high
+
+  * include patch by Martin Kroeker to fix crashes found by Jodie Cunningham
+
+ -- Christian T. Steigies <cts@debian.org>  Mon, 30 Mar 2015 19:45:54 +0200
+
 hp2xx (3.4.4-9) unstable; urgency=low
 
   * build-depend on libtiff-dev, not libtiff4-dev (closes: #736012)
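Review bot: the changelog entry does not say what was fixed or where. Name the patch (`debian/patches/006_afl.diff`), the three parsers it touches (`hpgl.c`, `lindef.c`, `picbuf.c`) and the nature of the crashes (out-of-bounds accesses on fuzzed HP-GL input), so the stable upload and any later security tracking can be matched to this change; `urgency=high` is appropriate for a crash fix, and a bug reference (`closes: #...`), if one exists for the fuzzing report, would tie the entry to it.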
only in patch2:
unchanged:
--- hp2xx-3.4.4.orig/debian/patches/006_afl.diff
+++ hp2xx-3.4.4/debian/patches/006_afl.diff
@@ -0,0 +1,63 @@
+diff -uwr hp2xx-3.4.4a/sources/hpgl.c hp2xx-3.4.4afl//sources/hpgl.c
+--- hp2xx-3.4.4a/sources/hpgl.c	2003-06-21 19:54:45.000000000 +0200
++++ hp2xx-3.4.4afl//sources/hpgl.c	2015-03-28 16:01:10.000000000 +0100
+@@ -1297,9 +1297,14 @@
+  **	      EOF if EOF met
+  **/
+ {
+-	int c;
++	volatile int c;      /* Keep compilers from optimizing out the initial EOF check */
++        int i;
+ 	char *ptr, numbuf[80];
+ 
++        c = getc(hd);
++        if (c == EOF) return EOF;
++        ungetc (c, hd);
++                
+ 	for (c = getc(hd);
+ 	     (c != '.') && (c != '+') && (c != '-') && ((c < '0')
+ 							|| (c > '9'));
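Review bot: the new pre-check `c = getc(hd); if (c == EOF) return EOF; ungetc (c, hd);` only catches end-of-file at the very first byte. The skip loop that follows, `for (c = getc(hd); (c != '.') && (c != '+') && (c != '-') && ((c < '0') || (c > '9'));`, does not exclude EOF (-1) in its condition, so an input that ends inside the leading non-numeric bytes still depends on whatever the loop body (not in this hunk) does with EOF; adding `(c != EOF)` to the loop condition and returning EOF after the loop would cover every position, not just the first. The `volatile int c;` with the comment about keeping compilers from optimizing out the EOF check is not what makes the check work: `getc` reads stream state the compiler cannot assume, so a comparison on its return value cannot be elided, and `volatile` on a stack local only costs loads and stores. If the check really was observed to be skipped, the cause lies elsewhere and the qualifier hides it; drop it. Style: the added lines are indented with eight spaces where the surrounding code uses tabs.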
+@@ -1316,9 +1321,13 @@
+ 	}
+ 	/* Number found: Get it */
+ 	ptr = numbuf;
++	i = 0;
+ 	for (*ptr++ = c, c = getc(hd);
+-	     ((c >= '0') && (c <= '9')) || (c == '.'); c = getc(hd))
++	     ((c >= '0') && (c <= '9')) || (c == '.') || (c == '\n'); c = getc(hd)) 
++		if (c != '\n') {
+ 		*ptr++ = c;	/* Read number          */
++		    i++; if (i == 79) break; /* until buffer full */ 
++	         }
+ 	*ptr = '\0';
+ 	if (c != EOF)
+ 		ungetc(c, hd);
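Review bot: the length guard is off by one. `numbuf` is 80 bytes, the first character is stored before the loop (`*ptr++ = c`), and the loop stores up to 79 more because `i++; if (i == 79) break;` fires after the 79th store, so `ptr` ends at `numbuf + 80` and `*ptr = '\0'` writes one byte past the array. Check before storing, e.g. `if (ptr - numbuf >= (int)sizeof(numbuf) - 1) break;`, or break at `i == 78`. Two follow-on points on the same path: after the `break`, `c` holds a digit that was already stored, and `if (c != EOF) ungetc(c, hd);` pushes it back to be read again; and the remainder of an overlong digit run is left in the stream to be parsed as a fresh number, so the crash becomes a silent misparse. Consuming the rest of the run (or returning an error) would be more robust. Accepting `(c == '\n')` inside a number is a grammar change (numbers may now span line breaks) that deserves a mention in the changelog.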
+diff -uwr hp2xx-3.4.4a/sources/lindef.c hp2xx-3.4.4afl//sources/lindef.c
+--- hp2xx-3.4.4a/sources/lindef.c	2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/lindef.c	2015-03-28 15:55:29.000000000 +0100
+@@ -92,6 +92,11 @@
+ 		return;
+ 	} else {
+ 		index = (int) tmp;
++		if (index > LT_MAX || index < -LT_MAX) {
++		       if (!silent_mode)
++				fprintf(stderr,"UL command for invalid linetype %d ignored\n",index);
++		       return;
++                }
+ 	}
+ 
+ 	pos_index = index - LT_MIN;
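Review bot: the range check `if (index > LT_MAX || index < -LT_MAX)` runs after `index = (int) tmp;`. If `tmp` is a floating-point value, as the cast suggests, a fuzzed value outside the range of `int` makes the conversion itself undefined behaviour before the check ever executes; compare `tmp` against the bounds first and cast only once it is known to be in range. The lower bound should also be written as `LT_MIN`, which is what the following `pos_index = index - LT_MIN;` indexes from; `-LT_MAX` is only right if the two happen to have the same magnitude. Minor: this hunk reports via `fprintf(stderr, ...)` guarded by `silent_mode` while the picbuf.c hunk uses `Eprintf`; pick one, and the added lines again mix spaces with the file's tabs.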
+diff -uwr hp2xx-3.4.4a/sources/picbuf.c hp2xx-3.4.4afl//sources/picbuf.c
+--- hp2xx-3.4.4a/sources/picbuf.c	2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/picbuf.c	2015-03-28 15:55:29.000000000 +0100
+@@ -340,6 +340,10 @@
+ 		return NULL;
+ 	}
+ 
++	if (n_rows <= 0 || n_cols <= 0) {
++	        Eprintf("Invalid image dimensions: %d x %d\n",n_rows,n_cols);
++	        return NULL;
++        }
+ 	pb->nr = n_rows;
+ 	pb->nc = n_cols;
+ 	pb->sd = NULL;
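Review bot: the `if (n_rows <= 0 || n_cols <= 0)` check returns NULL after `pb` has apparently already been obtained (the `return NULL;` at the top of the hunk looks like an allocation-failure exit, and `pb->nr = n_rows;` is assigned right after). If `pb` is heap-allocated, this early return leaks it; free it before returning, or move the dimension check ahead of the allocation. The check also only rejects non-positive values: a size later derived from `n_rows * n_cols` (the allocation is not visible in this hunk, `pb->sd = NULL;` suggests it comes afterwards) can still overflow with two large positive dimensions, so an upper bound on each, or an overflow-checked multiplication, belongs here as well.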

unblock hp2xx/3.4.4-10

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
On 2015-03-31 11:50, Christian T. Steigies wrote:
> Please unblock package hp2xx
> I received a report of crashes found with American Fuzzy Lop (afl) in
> my package hp2xx. The 006_afl.diff from upstream fixes this:
> [...]
> This has already been accepted in unstable and I prepared a version
> for stable as well.
> Please accept this fix also for testing.

$ grep-excuses hp2xx
hp2xx (3.4.4-9 to 3.4.4-10)
    Maintainer: Christian T. Steigies
    Too young, only 0 of 2 days old
    Ignoring block request by freeze, due to unblock request by nthykier
    Not considered

(i.e. it's already been unblocked)

Regards,

Adam

--- End Message ---