rastertohp: heap buffer overflow

[michaelrsweet]

Version: 2.0-current
CUPS.org User: pdewacht

In the rastertohp filter, the OutputLine function will copy pixels from the Planes buffer to the ColorBits buffer. For some malformed input data, the ColorBits buffer might be allocated too small, in which case OutputLine will write beyond the end of this buffer.

This can be remotely triggered on a print server that shares a printer that uses the rastertohp filter. Sample file attached.

Found using afl-fuzz.

[michaelrsweet]

CUPS.org User: mike

Fixed in Subversion repository.

[michaelrsweet]

"str4601.patch":

Index: filter/rastertohp.c

--- filter/rastertohp.c (revision 12567)
+++ filter/rastertohp.c (working copy)
@@ -3,7 +3,7 @@
*

• Hewlett-Packard Page Control Language filter for CUPS.
  *
  • * Copyright 2007-2014 by Apple Inc.
  • * Copyright 2007-2015 by Apple Inc.
• Copyright 1993-2007 by Easy Software Products.
  *
• These coded instructions, statements, and computer programs are the
  @@ -354,7 +354,7 @@
  • Allocate memory for a line of graphics...
    */
• if ((Planes[0] = malloc(header->cupsBytesPerLine)) == NULL)
• if ((Planes[0] = malloc(header->cupsBytesPerLine + NumPlanes)) == NULL)
  {
  fputs("ERROR: Unable to allocate memory\n", stderr);
  exit(1);
  @@ -369,7 +369,7 @@
  BitBuffer = NULL;

if (header->cupsCompression)

• CompBuffer = malloc(header->cupsBytesPerLine * 2);
• CompBuffer = malloc(header->cupsBytesPerLine * 2 + 2);
  else
  CompBuffer = NULL;
  }