Missing malloc checks in texttops

[michaelrsweet]

Version: 1.4-current
CUPS.org User: mike

The texttops filter doesn't check the results of the page array allocations which could lead to a heap attack.

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

[michaelrsweet]

"str3516.patch":

Index: filter/texttops.c

--- filter/texttops.c (revision 9008)
+++ filter/texttops.c (working copy)
@@ -3,7 +3,7 @@
*

• Text to PostScript filter for the Common UNIX Printing System (CUPS).

• * Copyright 2007-2008 by Apple Inc.
• * Copyright 2007-2010 by Apple Inc.
• Copyright 1993-2007 by Easy Software Products.

• These coded instructions, statements, and computer programs are the
  @@ -176,13 +176,25 @@
  if (SizeColumns <= 0 || SizeColumns > 32767 ||
  SizeLines <= 0 || SizeLines > 32767)
  {
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page\n"),
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page.\n"),
  SizeColumns, SizeLines);
  exit(1);
  }
• Page = calloc(sizeof(lchar_t *), SizeLines);
• Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
• if ((Page = calloc(sizeof(lchar_t *), SizeLines)) == NULL)
• {
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page.\n"),

•                SizeColumns, SizeLines);
  

• exit(1);
• }

• if ((Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines)) == NULL)
• {
• _cupsLangPrintf(stderr, _("ERROR: Unable to print %dx%d text page.\n"),

•                SizeColumns, SizeLines);
  

• exit(1);
• }

for (i = 1; i < SizeLines; i ++)
Page[i] = Page[0] + i * SizeColumns;