From b57843db884e26d5049d5563819bf6b159c21e80 Mon Sep 17 00:00:00 2001
From: Kirill Furman
Date: Wed, 27 Dec 2023 16:34:24 +0300
Subject: [PATCH] ppd-emit.c: Fix SEGV in 'ppdEmitString()'

When using testppd.c as a harness, a fuzzer found a way to call ppdPageSize() with NULL return value. This caused a segmentation fault because the size structure, which is used by values[pos], was assigned a NULL value. To avoid this, we need to add a NULL value check for the size structure, free allocated memory, and return NULL.

Fixes #849
---
 cups/ppd-emit.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
index c56ee16f21..48651dc082 100644
--- a/cups/ppd-emit.c
+++ b/cups/ppd-emit.c
@@ -888,7 +888,12 @@ ppdEmitString(ppd_file_t *ppd, /* I - PPD file record */
 cupsCopyString(bufptr, "%%BeginFeature: *CustomPageSize True\n", (size_t)(bufend - bufptr + 1));
 bufptr += 37;
-size = ppdPageSize(ppd, "Custom");
+if ((size = ppdPageSize(ppd, "Custom")) == NULL)
+{
+free(buffer);
+free(choices);
+return(NULL);
+}
 memset(values, 0, sizeof(values));
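Review bot: The new NULL branch does not say why ppdPageSize(ppd, "Custom") can fail at this point, so a reader finding the early return next to what look like allocation-failure paths (it frees buffer and choices) may mistake it for an out-of-memory check; a one-line comment on the `if` would record the real condition, e.g. `/* PPD advertises CustomPageSize but carries no "Custom" page size record; treat it as malformed rather than dereference NULL */`. Since the function appears to report both this case and allocation failure with a bare NULL, callers cannot distinguish a malformed PPD from OOM, so if ppdEmitString's header comment enumerates its error returns this case belongs there too. A minor style point: CUPS sources generally write `return (NULL);` with a space before the parenthesis, which the added `return(NULL);` does not follow. The body of ppdEmitString starts and ends outside this hunk.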