mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

cups-filters: patch CVE-2025-64524

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64524

Pick the patch referenced by the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2025-12-25 13:51:37 +01:00
parent 16f6b4287c
commit c590e88d19
2 changed files with 82 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-printing/cups/cups-filters.inc
+1
View File
@@ -11,6 +11,7 @@ DEPENDS:class-native = "poppler-native glib-2.0-native dbus-native pkgconfig-nat
SRC_URI = "http://openprinting.org/download/cups-filters/cups-filters-${PV}.tar.gz \
file://CVE-2025-57812.patch \
file://CVE-2025-64524.patch \
"
inherit autotools-brokensep gettext pkgconfig
meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
+81
View File
@@ -0,0 +1,81 @@
From 3f24ec5518f3f7f9a7020cd88bb9bbf4e81475fe Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 12 Nov 2025 15:47:24 +0100
Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
Infinite loop happened because of crafted input raster file, which led
into heap buffer overflow of `CompressBuf` array.
Based on comments there should be always some `count` when compressing
the data, and processing of crafted file ended with offset and count
being 0.
Fixes CVE-2025-64524
CVE: CVE-2025-64524
Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
filter/rastertopclx.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
index 3e7c129..b20d195 100644
--- a/filter/rastertopclx.c
+++ b/filter/rastertopclx.c
@@ -818,10 +818,10 @@ StartPage(ppd_file_t *ppd, /* I - PPD file */
}
if (header->cupsCompression)
- CompBuffer = malloc(DotBufferSize * 4);
+ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
if (header->cupsCompression >= 3)
- SeedBuffer = malloc(DotBufferSize);
+ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
SeedInvalid = 1;
@@ -1152,6 +1152,14 @@ CompressData(unsigned char *line, /* I - Data to compress */
seed ++;
count ++;
}
+
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
+
}
/*
@@ -1245,6 +1253,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
count = line_ptr - start;
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
+
#if 0
fprintf(stderr, "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
offset, count, comp_ptr, comp_ptr - CompBuffer,
@@ -1416,6 +1431,13 @@ CompressData(unsigned char *line, /* I - Data to compress */
count = (line_ptr - start) / 3;
+ //
+ // Bail out if we don't have count to compress
+ //
+
+ if (count == 0)
+ break;
+
/*
* Place mode 10 compression data in the buffer; each sequence
* starts with a command byte that looks like: