From 766d8cd7b775411cd831f8aaf752f9427384ace8 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Mon, 27 Nov 2023 10:16:01 +0100 Subject: [PATCH] raster-interpreter.c: Fix crash in 'scan_ps()' found by fuzzer Fuzzer using `_cupsRasterExecPS()` found a way how to pass NULL into `scan_ps()`, causing crash - we have to sanitize the argument for NULL to fix it. Fixes #831 --- CHANGES.md | 1 + cups/raster-interpret.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index f50b6f5ed9..f494a075a6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -8,6 +8,7 @@ Changes in CUPS v2.4.8 (TBA) successfully printed jobs (Issue #830) - Added warning if the device has to be asked for 'all,media-col-database' separately (Issue #829) +- Fixed crash in `scan_ps()` if incoming argument is NULL (Issue #831) - Fixed memory leak when creating color profiles (Issue #815) - Fixed memory leak when unloading a job (Issue #813) - Raised `cups_enum_dests()` timeout for listing available IPP printers (Issue #751) diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c index b8655c8c67..653d9ea5e2 100644 --- a/cups/raster-interpret.c +++ b/cups/raster-interpret.c @@ -1048,6 +1048,8 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ int parens; /* Parenthesis nesting level */ + if (!*ptr) + return (NULL); /* * Skip leading whitespace... */
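Review bot: In the CHANGES.md hunk, the new entry says "if incoming argument is NULL" without saying which argument, and the visible signature line `scan_ps(_cups_ps_stack_t *st,` ends in a comma, so the function takes more than one. The code change tests `*ptr`, so the entry would be more useful if it named that value. It could also mention `_cupsRasterExecPS()`, the entry point the commit message says the fuzzer used, so that a reader of the changelog can tell which input path was affected.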
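Review bot: In the cups/raster-interpret.c hunk, the added guard `if (!*ptr)` dereferences `ptr` before anything in the visible lines checks `ptr` itself, so it only covers the case where the pointed-to value is NULL. If the fuzzer path can also reach `scan_ps()` with `ptr` equal to NULL, the guard should be `if (!ptr || !*ptr)`. The commit message describes the problem as NULL being passed into `scan_ps()`, which does not say which of the two cases was hit; a one-line comment above the check stating that would settle it. The new early `return (NULL);` also gives callers a return value on this path, and the hunk does not show how they treat it, so please confirm that each caller of `scan_ps()` handles a NULL return before this is merged.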