raster-interpret.c: Fix CVE-2023-4504

We didn't check for end of buffer if it looks there is an escaped character - check for NULL terminator there and if found, return NULL as return value and in `ptr`, because a lone backslash is not a valid PostScript character.
OpenPrinting · Sep 20, 2023 · 2431cad · 2431cad
1 parent 5af8f99
commit 2431cad
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,8 @@ CHANGES - OpenPrinting CUPS 2.4.7 - TBA
 Changes in CUPS v2.4.7 (TBA)
 -----------------------------------
 
+- CVE-2023-4504 - Fixed Heap-based buffer overflow when reading Postscript
+  in PPD files
 - Added OpenSSL support for cupsHashData (Issue #762)
 - Fixed delays in lpd backend (Issue #741)
 - Fixed extensive logging in scheduler (Issue #604)

diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c
@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st,		/* I  - Stack */
 
 	    cur ++;
 
-            if (*cur == 'b')
+	   /*
+	    * Return NULL if we reached NULL terminator, a lone backslash
+	    * is not a valid character in PostScript.
+	    */
+
+	    if (!*cur)
+	    {
+	      *ptr = NULL;
+
+	      return (NULL);
+	    }
+
+	    if (*cur == 'b')
 	      *valptr++ = '\b';
 	    else if (*cur == 'f')
 	      *valptr++ = '\f';