| CVE: CVE-2023-4504 |
| Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 ] |
| Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> |
| |
| From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001 |
| From: Zdenek Dohnal <zdohnal@redhat.com> |
| Date: Wed, 20 Sep 2023 14:45:17 +0200 |
| Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 |
| |
| We didn't check for end of buffer if it looks like there is an escaped |
| character - check for NULL terminator there and if found, return NULL |
| as return value and in `ptr`, because a lone backslash is not |
| a valid PostScript character. |
| --- |
| cups/raster-interpret.c | 14 +++++++++++++- |
| 1 files changed, 13 insertions(+), 1 deletion(-) |
| |
| diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c |
| index 6fcf731b5..b8655c8c6 100644 |
| --- a/cups/raster-interpret.c |
| +++ b/cups/raster-interpret.c |
| @@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ |
| |
| cur ++; |
| |
| - if (*cur == 'b') |
| + /* |
| + * Return NULL if we reached NULL terminator, a lone backslash |
| + * is not a valid character in PostScript. |
| + */ |
| + |
| + if (!*cur) |
| + { |
| + *ptr = NULL; |
| + |
| + return (NULL); |
| + } |
| + |
| + if (*cur == 'b') |
| *valptr++ = '\b'; |
| else if (*cur == 'f') |
| *valptr++ = '\f'; |