Package: cups-filters-core-drivers
Version: 1.8.1-1
Severity: important
File: /usr/lib/cups/filter/sys5ippprinter
In sys5ippprinter, there seems to be an error in set_option_in_str(), causing reads and writes 1, 2 or 8 bytes beyond the end of the buffer (AFAICT). At least for some buffers.

For example, the following invocation, with an option string as generated by cups-browsed (patched to include the PDL listed there) and a test page print command fails:

/usr/lib/cups/filter/sys5ippprinter 250 root "Test Page" 1 "job-uuid=urn:uuid:934a24ec-6725-3576-69fd-5b1d269ef0d6 cups-browsed make-and-model=Example-Make-And-Model media=iso_a4_210x297mm media-bottom-margin=1270 media-left-margin=318 media-right-margin=318 media-top-margin=300 output-format=application/vnd.hp-PCL,image/jpeg,application/PCLm,image/urf sides=two-sided-long-edge job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1453564005 time-at-processing=1453564107 print-color-mode=RGB media-class=" /tmp/non-existing

Removing the time related and media-class options makes it work under valgrind (with errors still being displayed though - but now 1 byte instead of 2), but still fail in normal use.

This causes the process to fail memory allocation at some point, because the metadata of the allocator is overwritten.

Those strings are automatically generated by a combination of cups-browsed which discovers the printers, if the option for detecting IPP printers is enabled; and the print job itself.

-- Valgrind (which is buggy and cannot read debug symbols currently):

==1836== Invalid read of size 2
==1836==    at 0x4C2E4CF: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445126 is 0 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==
==1836== Invalid read of size 2
==1836==    at 0x4C2E4C0: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445128 is 2 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==
==1836== Invalid write of size 2
==1836==    at 0x4C2E4C3: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x403FB9: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x4022EA: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==  Address 0x9445126 is 0 bytes after a block of size 646 alloc'd
==1836==    at 0x4C2BC15: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==1836==    by 0x4018A5: ??? (in /usr/lib/cups/filter/sys5ippprinter)
==1836==    by 0x50D986F: (below main) (in /usr/lib/x86_64-linux-gnu/libc-2.21.so)
==1836==

valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 720, hi = 0.
This is probably caused by your program erroneously writing past the end
of a heap block and corrupting heap metadata. If you fix any invalid
writes reported by Memcheck, this assertion failure will probably go
away. Please try that before reporting this as a bug.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cups-filters-core-drivers depends on:
ii  bc               1.06.95-9+b1
ii  libc6            2.21-6
ii  libcups2         2.1.2-2+b1
ii  libcupsfilters1  1.8.1-1urf1
ii  libcupsimage2    2.1.2-2+b1
ii  libgcc1          1:5.3.1-6
ii  liblcms2-2       2.6-3+b3
ii  libpoppler57     0.38.0-2
ii  libqpdf17        6.0.0-2
ii  libstdc++6       5.3.1-6
ii  poppler-utils    0.38.0-2

cups-filters-core-drivers recommends no packages.

cups-filters-core-drivers suggests no packages.

-- no debconf information

-- 
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
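Added example, not code from this report or from cups-filters (the real set_option_in_str() is not shown here): a hypothetical, bounds-checked helper with the same job of replacing or appending one "key=value" token in a space-separated option string. It sizes the output from the actual lengths of the input, key and value, so neither the copy nor the terminating NUL can land past the end of the heap block; the sample option strings are constructed from option names in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds-checked replacement for a set_option_in_str()-style helper
 * (added example, not cups-filters code). Options are space-separated "key=value"
 * tokens. The result is a fresh allocation sized from the real lengths of the
 * input, key and value, so no write can reach past the end of the block.
 * Returns NULL on allocation failure or (defensively) on truncation. */
char *set_option_checked(const char *options, const char *key, const char *value)
{
    size_t optlen = strlen(options), keylen = strlen(key), vallen = strlen(value);
    const char *start = NULL, *rest = NULL;

    /* Find an existing "key=" token: at the start of the string or after a space. */
    for (const char *p = options; (p = strstr(p, key)) != NULL; p++) {
        if ((p == options || p[-1] == ' ') && p[keylen] == '=') {
            start = p;
            rest = strchr(p, ' ');            /* text after the old value, if any */
            if (rest == NULL)
                rest = options + optlen;      /* old token was the last one */
            break;
        }
    }

    /* Worst case: whole old string + separator + "key=value" + NUL. */
    size_t cap = optlen + 1 + keylen + 1 + vallen + 1;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;

    size_t n;
    if (start != NULL) {
        n = (size_t)(start - options);        /* bytes before the old token */
        memcpy(out, options, n);
        n += (size_t)snprintf(out + n, cap - n, "%s=%s%s", key, value, rest);
    } else {
        n = (size_t)snprintf(out, cap, "%s%s%s=%s", options,
                             optlen ? " " : "", key, value);
    }
    /* snprintf truncates instead of overflowing; treat truncation as an error. */
    if (n >= cap) {
        free(out);
        return NULL;
    }
    return out;
}
```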