Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of uninitialized memory of trailer list #1070

Closed
fish98 opened this issue Oct 3, 2024 · 2 comments
Closed

Use of uninitialized memory of trailer list #1070

fish98 opened this issue Oct 3, 2024 · 2 comments
Assignees
@michaelrsweet
Labels
bug Something isn't working priority-low
Milestone
v2.4.x

Comments

@fish98
Copy link

fish98 commented Oct 3, 2024

Description

Similar to the reported issue in OpenPrinting/libcups#91. The use of uninitialized memory of the trailer array is found in function cups_fill of cups/file.c. Detailed code can be found below:

unsigned char	trailer[8];	// Trailer bytes
uLong		tcrc;		// Trailer CRC
ssize_t		tbytes = 0;	// Number of bytes

if (fp->stream.avail_in > 0)
{
  if (fp->stream.avail_in > sizeof(trailer))
    tbytes = (ssize_t)sizeof(trailer);
  else
    tbytes = (ssize_t)fp->stream.avail_in;

  memcpy(trailer, fp->stream.next_in, (size_t)tbytes);
  fp->stream.next_in  += tbytes;
  fp->stream.avail_in -= (size_t)tbytes;
}

      if (tbytes < (ssize_t)sizeof(trailer))
{
  if (read(fp->fd, trailer + tbytes, sizeof(trailer) - (size_t)tbytes) < ((ssize_t)sizeof(trailer) - tbytes))
  {
...
  }
}

tcrc = ((((((uLong)trailer[3] << 8) | (uLong)trailer[2]) << 8) | (uLong)trailer[1]) << 8) | (uLong)trailer[0];

if (tcrc != fp->crc)
{ 
...

when vail_in is less than sizeof(trailer), the operation memcpy(trailer, fp->stream.next_in, (size_t)tbytes); will end up with uninitialized value in trailer array. The subsequent function if (read(fp->fd, trailer + tbytes, sizeof(trailer) - (size_t)tbytes) < ((ssize_t)sizeof(trailer) - tbytes)) may also inroduce unitialized value issue when read() function returns EOF or error.
@michaelrsweet michaelrsweet self-assigned this Oct 12, 2024
@michaelrsweet michaelrsweet added bug Something isn't working priority-low labels Oct 12, 2024
@michaelrsweet michaelrsweet added this to the v2.4.x milestone Oct 12, 2024
michaelrsweet added a commit that referenced this issue Oct 12, 2024
@michaelrsweet
Make sure we call inflateEnd when there is an error reading or compar…
7a2d383 
…ing the stream CRC (Issue #1070)
michaelrsweet added a commit that referenced this issue Oct 12, 2024
@michaelrsweet
Make sure we call inflateEnd when there is an error reading or compar…
fe04be5 
…ing the stream CRC (Issue #1070)
@michaelrsweet
Copy link
Member

[master 7a2d383] Make sure we call inflateEnd when there is an error reading or comparing the stream CRC (Issue #1070)

[2.4.x fe04be5] Make sure we call inflateEnd when there is an error reading or comparing the stream CRC (Issue #1070)

@michaelrsweet
Copy link
Member

To reiterate my comments on the libcups issue of the same name, this isn't caused by a lack of read validation but the fact that on error we didn't call inflateEnd...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelrsweet michaelrsweet

Labels
bug Something isn't working priority-low
Projects
None yet
Milestone
v2.4.x
Development

No branches or pull requests
2 participants
@michaelrsweet @fish98