mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
cups-filters: patch CVE-2025-64524
Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,81 @@
|
|||||||
|
From a6cc1c750006a8ac4e5d692f3a7d9ade479519ec Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||||
|
Date: Wed, 12 Nov 2025 15:47:24 +0100
|
||||||
|
Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
|
||||||
|
|
||||||
|
Infinite loop happened because of crafted input raster file, which led
|
||||||
|
into heap buffer overflow of `CompressBuf` array.
|
||||||
|
|
||||||
|
Based on comments there should be always some `count` when compressing
|
||||||
|
the data, and processing of crafted file ended with offset and count
|
||||||
|
being 0.
|
||||||
|
|
||||||
|
Fixes CVE-2025-64524
|
||||||
|
|
||||||
|
CVE: CVE-2025-64524
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011]
|
||||||
|
(cherry picked from commit 0fe46c511e81062575b05936f804eb18c9f0a011)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
filter/rastertopclx.c | 25 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
|
||||||
|
index ded86f114..39cb378bf 100644
|
||||||
|
--- a/filter/rastertopclx.c
|
||||||
|
+++ b/filter/rastertopclx.c
|
||||||
|
@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t *data, // I - filter data
|
||||||
|
}
|
||||||
|
|
||||||
|
if (header->cupsCompression)
|
||||||
|
- CompBuffer = malloc(DotBufferSize * 4);
|
||||||
|
+ CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
|
||||||
|
|
||||||
|
if (header->cupsCompression >= 3)
|
||||||
|
- SeedBuffer = malloc(DotBufferSize);
|
||||||
|
+ SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
|
||||||
|
|
||||||
|
SeedInvalid = 1;
|
||||||
|
|
||||||
|
@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||||
|
seed ++;
|
||||||
|
count ++;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ //
|
||||||
|
+ // Bail out if we don't have count to compress
|
||||||
|
+ //
|
||||||
|
+
|
||||||
|
+ if (count == 0)
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||||
|
|
||||||
|
count = line_ptr - start;
|
||||||
|
|
||||||
|
+ //
|
||||||
|
+ // Bail out if we don't have count to compress
|
||||||
|
+ //
|
||||||
|
+
|
||||||
|
+ if (count == 0)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
#if 0
|
||||||
|
fprintf(stderr,
|
||||||
|
"DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
|
||||||
|
@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line, // I - Data to compress
|
||||||
|
|
||||||
|
count = (line_ptr - start) / 3;
|
||||||
|
|
||||||
|
+ //
|
||||||
|
+ // Bail out if we don't have count to compress
|
||||||
|
+ //
|
||||||
|
+
|
||||||
|
+ if (count == 0)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
//
|
||||||
|
// Place mode 10 compression data in the buffer; each sequence
|
||||||
|
// starts with a command byte that looks like:
|
||||||
@@ -8,6 +8,7 @@ DEPENDS = "libcupsfilters libppd glib-2.0 poppler"
|
|||||||
SRC_URI = " \
|
SRC_URI = " \
|
||||||
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
|
https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
|
||||||
file://fix-make-race.patch \
|
file://fix-make-race.patch \
|
||||||
|
file://CVE-2025-64524.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "b5152e3dd148ed73835827ac2f219df7cf5808dbf9dbaec2aa0127b44de800d8"
|
SRC_URI[sha256sum] = "b5152e3dd148ed73835827ac2f219df7cf5808dbf9dbaec2aa0127b44de800d8"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user