blob: be0db1fbd4ef1fe54de2ed9cf5912603a0d1a1fb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Fri, 1 Sep 2023 16:47:29 +0200
Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
We didn't check for end of buffer if it looks there is an escaped
character - check for NULL terminator there and if found, return NULL
as return value and in `ptr`, because a lone backslash is not
a valid PostScript character.
Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
CVE: CVE-2023-4504
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
cups/raster-interpret.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/cups/raster-interpret.c
+++ b/cups/raster-interpret.c
@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S
cur ++;
- if (*cur == 'b')
+ /*
+ * Return NULL if we reached NULL terminator, a lone backslash
+ * is not a valid character in PostScript.
+ */
+
+ if (!*cur)
+ {
+ *ptr = NULL;
+
+ return (NULL);
+ }
+
+ if (*cur == 'b')
*valptr++ = '\b';
else if (*cur == 'f')
*valptr++ = '\f';
|
