ppd-emit.c: Fix SEGV in 'ppdEmitString()'

When using testppd.c as a harness, a fuzzer found a way to call ppdPageSize() with NULL return value. This caused a segmentation fault because the size structure, which is used by values[pos], was assigned a NULL value. To avoid this, we need to add a NULL value check for the size structure, free allocated memory, and return NULL. Fixes #849
OpenPrinting · Jan 4, 2024 · 0a834c3 · 0a834c3
2 parents 63f67ee + 2f8ac40
commit 0a834c3
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
@@ -888,7 +888,12 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
         cupsCopyString(bufptr, "%%BeginFeature: *CustomPageSize True\n", (size_t)(bufend - bufptr + 1));
         bufptr += 37;
 
-        size = ppdPageSize(ppd, "Custom");
+        if ((size = ppdPageSize(ppd, "Custom")) == NULL)
+        {
+          free(buffer);
+          free(choices);
+          return (NULL);
+        }
 
         memset(values, 0, sizeof(values));