Package: cups-browsed
Version: 1.28.5-1
Severity: important
X-Debbugs-Cc: t...@mirbsd.de
Nov 23 20:34:11 tglase vmunix: [12181565.392373] cups-browsed[19303]: segfault at 0 ip 00000000f7b5637c sp 00000000ffab2890 error 6 in libcupsfilters.so.1.0.0[f7b3a000+24000]
Nov 23 20:34:11 tglase vmunix: [12181565.392385] Code: 48 89 ef 31 c0 e8 04 4c fe ff e9 0f ff ff ff 0f 1f 80 00 00 00 00 8b 7c 24 44 4c 89 f6 e8 8c 47 fe ff c7 44 24 58 01 00 00 00 <67> c6 00 00 e9 02 de ff ff 0f 1f 00 8b 7c 24 44 ba 29 00 00 00 8d

Installing the necessary dbgsym packages and unpacking the source shows this
to clearly be a NULL pointer dereference (more below the backtrace):

tglase@tglase:/tmp/cups-filters-1.28.5 $ gdb /usr/sbin/cups-browsed ~/c-b.core
GNU gdb (Debian 10.1-1+b1) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnux32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/cups-browsed...
Reading symbols from /usr/lib/debug/.build-id/61/b1dea4178595f657692de37d747568dd7f89a8.debug...
[New LWP 19303]
[New LWP 19305]
[New LWP 19304]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnux32/libthread_db.so.1".
Core was generated by `/usr/sbin/cups-browsed'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xf7b5637c in ppdCreateFromIPP2 (buffer=buffer@entry=0xffab54c0 "/tmp/04b675fbcfcbf", bufsize=bufsize@entry=8192, response=<optimized out>, make_model=make_model@entry=0x0, pdl=pdl@entry=0x0, color=color@entry=1, duplex=1, conflicts=0x0, sizes=0x56d66b70, default_pagesize=0x0, default_cluster_color=0x0) at cupsfilters/ppdgenerator.c:2227
2227          *suffix = '\0';
[Current thread is 1 (Thread 0xf67b2a00 (LWP 19303))]
(gdb) set pagination 0
(gdb) print suffix
$1 = 0x0
(gdb) bt full
#0  0xf7b5637c in ppdCreateFromIPP2 (buffer=buffer@entry=0xffab54c0 "/tmp/04b675fbcfcbf", bufsize=bufsize@entry=8192, response=<optimized out>, make_model=make_model@entry=0x0, pdl=pdl@entry=0x0, color=color@entry=1, duplex=1, conflicts=0x0, sizes=0x56d66b70, default_pagesize=0x0, default_cluster_color=0x0) at cupsfilters/ppdgenerator.c:2227
        tbottom = '\000' <repeats 255 times>
        ttop = '\000' <repeats 255 times>
        twidth = '\000' <repeats 88 times>, "\230j\230\367", '\000' <repeats 28 times>, "\307\305jV\000\000\000\000p5\253\377\000\000\000\000\220\065\253\377\000\000\000\000X\000\000\000\000\000\000\000\240\305jV\000\000\000\000\300\066\253\377\000\000\000\000\fޖ\367\000\000\000\000=\000\000\000\000\000\000\000\006\242eV\000\000\000\000\360\066\253\377\000\000\000\000\f"...
        ppdsizename = "\235<\b\000\000\000\000\000`\321\306V\000(\000_\000\000\000\000\000\000\000\000\063o\255\367", '\000' <repeats 12 times>, "\001\000\000\000\000\000\000\000\f\000\000\000\000\000\000\000+\254\230\367\000\000\000\000\255\a\360\367\000\000\000\000ç\230\367\000\000\000\000`\321\325V\000\000\000\000ç\230\367", '\000' <repeats 17 times>, "(\000_\000\000\000\000\000\000\000\000\004S\325V\000(\000_"
        tright = '\000' <repeats 255 times>
        ippsizename = <optimized out>
        suffix = 0x0
        tleft = "\240\354\325V\000\000\000\000 \353\325V\000\000\000\000x,\253\377\000\000\000\000\220\374\325V\000\000\000\000\263\016\274_\000\000\000\000!\272\000\000\000\000\000\000\263\016\274_\000\000\000\000!\272\000\000\000\000\000\000p\371\325V\260X\262V\000\000\000\000\000\000\000\000\220\336\362\367\310\066\253\377\000\000\000\000\000\000\000\000 H\325V", '\000' <repeats 155 times>
        tlength = '\000' <repeats 16 times>, "\020Y\262V\315\377\377\377\063\000\000\000 \000\000\000\307\305jV\000\000\000\000\v\000\000\000\002\000\000\000\305\305jV\000\000\000\000\264\006\000\000\000\000\000\000\022\242eV\307\305jV\000\000\000\000\002\000\000\000\020\242eV\000\000\000\000\264\006\000\000\000\000\000\000\000\000\000\000\022\242eV", '\000' <repeats 40 times>, "(\000\000\000\060\000\000\000\240\067\253\377\340\066\253\377", '\000' <repeats 16 times>, "\060\000\000\000\060\000\000\000\020<\253\377\020;\253\377", '\000' <repeats 63 times>
        all_borderless = 1
        fp = 0x56d62e70
        printer_sizes = <optimized out>
        size = <optimized out>
        attr = <optimized out>
        attr2 = <optimized out>
        defattr = 0x0
        quality = <optimized out>
        x_dim = <optimized out>
        y_dim = <optimized out>
        media_col = <optimized out>
        media_size = <optimized out>
        make = "Zebra\000ZPL Label Printer\000`^\257V\000\000\000\000 ^\257V\000\000\000\000ç\230\367\000\000\000\000\304ԱV\000\000\000\000+\254\230\367", '\000' <repeats 12 times>, "+\254\230\367\000\000\000\000\000\367\325V\000\000\000\000\034\367\325V\000(\000_\304ԱV", '\000' <repeats 12 times>, "p\371\325V\000\000\000\000\177p\255\367\000(\000_\000\000\000\000\000\000\000\000\024\000\000\000\000\000\000\000\320+\253\377", '\000' <repeats 20 times>, "\340+\253\377", '\000' <repeats 12 times>, "\301\351\362\367", '\000' <repeats 12 times>, "\225H\253"...
        model = <optimized out>
        ppdname = "Unknown\000d\\X\367\000\000\000\000\030\000\000\000\060\000\000\000\360*\253\377 *\253\377`\321\306V\000\000\000\000"
        i = <optimized out>
        j = <optimized out>
        count = <optimized out>
        bottom = 0
        left = 0
        right = 0
        top = 0
        max_length = 127000
        max_width = 20320
        min_length = 1270
        min_width = 1270
        is_apple = <optimized out>
        is_pwg = 1
        is_pclm = 0
        is_pdf = 1
        pwg = <optimized out>
        xres = <optimized out>
        yres = <optimized out>
        common_res = 0x56d66c80
        current_res = 0x56d66c80
        pdl_list = <optimized out>
        common_def = 0x56d66920
        current_def = 0x0
        min_res = 0x56d66930
        max_res = 0x56d66940
        lang = 0x56ac8ac0
        loc = 0xf7abf7c0 <result>
        printer_opt_strings_catalog = 0x0
        human_readable = <optimized out>
        human_readable2 = <optimized out>
        keyword = <optimized out>
        fin_options = 0x0
        buf = '\000' <repeats 32 times>, "/printers/pr-bn-1og", '\000' <repeats 125 times>, "//.cups/lpoptions\000s", '\000' <repeats 60 times>
        filter_path = '\000' <repeats 360 times>...
        cups_serverbin = <optimized out>
        defaultoutbin = <optimized out>
        outbin = <optimized out>
        outbin_properties = '\000' <repeats 12 times>, "q\324\325V`^\262V\000\000\000\000\264){\366\320\067\253\377\000\000\000\000\000\000\000\000`\324\325Vx\000\000\000/var/cache/cups/cups-browsed-options-Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16", '\000' <repeats 741 times>...
        octet_str_len = 0
        outbin_properties_octet = <optimized out>
        outputorderinfofound = <optimized out>
        faceupdown = <optimized out>
        firsttolast = <optimized out>
        manual_copies = <optimized out>
        is_fax = 0
        formatfound = <optimized out>
#1  0x56651c43 in update_cups_queues (unused=<optimized out>) at utils/cups-browsed.c:8537
        p = <optimized out>
        q = <optimized out>
        r = <optimized out>
        s = <optimized out>
        master = <optimized out>
        http = <optimized out>
        uri = "ipp://localhost/printers/Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16", '\000' <repeats 532 times>...
        device_uri = "implicitclass://Zebra_Technologies_ZTC_ZT410_203dpi_ZPL_172_26_7_16/", '\000' <repeats 540 times>...
        buf = '\000' <repeats 509 times>...
        line = '\000' <repeats 960 times>...
        num_options = <optimized out>
        options = 0x0
        num_jobs = <optimized out>
        jobs = 0x0
        request = <optimized out>
        current_time = <optimized out>
        i = <optimized out>
        ap_remote_queue_id_line_inserted = <optimized out>
        want_raw = <optimized out>
        num_cluster_printers = <optimized out>
        disabled_str = <optimized out>
        ptr = <optimized out>
        ppdfile = <optimized out>
        ifscript = 0x0
        fd = <optimized out>
        tempfile = '\000' <repeats 256 times>...
        buffer = "/tmp/04b675fbcfcbf", '\000' <repeats 430 times>...
        bytes = <optimized out>
        cups_serverbin = <optimized out>
        attr = <optimized out>
        count = <optimized out>
        left = <optimized out>
        right = <optimized out>
        bottom = <optimized out>
        top = <optimized out>
        default_page_size = <optimized out>
        best_color_space = 0x0
        color_space = <optimized out>
        loadedppd = 0x0
        ppd = <optimized out>
        choice = <optimized out>
        in = <optimized out>
        out = <optimized out>
        keyword = "\200Z\253\377\000\000\000\000A8eV\000\000\000\000\340h\253\377\000\000\000\000\a\274eV\000\000\000\000\a\274eV\000\000\000\000\a\274eV", '\000' <repeats 20 times>, "\340d\253\377\000\000\000\000E", '\000' <repeats 19 times>, "w\002\000\000ipp", '\000' <repeats 93 times>, "\061\067\062.26.7"...
        keyptr = <optimized out>
        customval = <optimized out>
        val = <optimized out>
        dest = <optimized out>
        is_shared = <optimized out>
        conflicts = <optimized out>
        printer_attributes = 0x56b01a50
        sizes = <optimized out>
        printer_ipp_response = <optimized out>
        make_model = <optimized out>
        pdl = 0x0
        color = 1
        duplex = 1
        default_pagesize = <optimized out>
        default_color = 0x0
        cups_queues_updated = 0
        cannot_create = <optimized out>
#2  0xf7bfdbd3 in g_timeout_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../../../glib/gmain.c:4877
        timeout_source = 0x56c6d1d0
        again = <optimized out>
#3  0xf7bfd085 in g_main_dispatch (context=0x56ac95a0) at ../../../glib/gmain.c:3325
        dispatch = 0xf7bfdbc0 <g_timeout_dispatch>
        prev_source = 0x0
        begin_time_nsec = 0
        was_in_call = 0
        user_data = 0x0
        callback = 0x5664fea0 <update_cups_queues>
        cb_funcs = <optimized out>
        cb_data = <optimized out>
        need_destroy = <optimized out>
        source = 0x56c6d1d0
        current = 0x56ab6db0
        i = 0
        __func__ = "g_main_dispatch"
#4  g_main_context_dispatch (context=0x56ac95a0) at ../../../glib/gmain.c:4043
No locals.
#5  0xf7bfd468 in g_main_context_iterate (context=0x56ac95a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4119
        max_priority = 2147483647
        timeout = 54
        some_ready = 1
        nfds = 3
        allocated_nfds = 3
        fds = 0x56af3380
        begin_time_nsec = 0
#6  0xf7bfd74f in g_main_loop_run (loop=<optimized out>) at ../../../glib/gmain.c:4317
        self = <optimized out>
        __func__ = "g_main_loop_run"
#7  0x5663cc6b in main (argc=1, argv=<optimized out>) at utils/cups-browsed.c:12644
        ret = 1
        http = <optimized out>
        i = <optimized out>
        val = <optimized out>
        p = <optimized out>
        proxy = <optimized out>
        error = 0x0
        subscription_id = 1890
        action = {__sigaction_handler = {sa_handler = 0x566486e0 <sigusr2_handler>, sa_sigaction = 0x566486e0 <sigusr2_handler>}, sa_mask = {__val = {2048, 0 <repeats 31 times>}}, sa_flags = 0, sa_restorer = 0x0}

The offending code is pretty clear, too:

(gdb) list
2222          if (size)
2223            all_borderless = 0;
2224
2225        if (all_borderless) {
2226          suffix = strcasestr(ppdname, ".Borderless");
2227          *suffix = '\0';
2228        }
2229
2230        cupsFilePrintf(fp, "*OpenUI *PageSize/%s: PickOne\n"
2231                           "*OrderDependency: 10 AnySetup *PageSize\n"

Looks like a missing NULL check for the strcasestr result.

(gdb) print ppdname
$2 = "Unknown\000d\\X\367\000\000\000\000\030\000\000\000\060\000\000\000\360*\253\377 *\253\377`\321\306V\000\000\000\000"

There’s the culprit — no “.Borderless” in there.

I guess that the loop in lines 2218–2223 is not quite right, but I can’t
introspect now:

(gdb) print *sizes
$4 = {num_elements = 55, alloc_elements = 64, current = 55, insert = 34, unique = 1, num_saved = 0, saved = {0 <repeats 32 times>}, elements = 0x56d685a0, compare = 0xf7b50510 <pwg_compare_sizes>, data = 0x0, hashfunc = 0x0, hashsize = 0, hash = 0x0, copyfunc = 0xf7b50620 <pwg_copy_size>, freefunc = 0xf798e240 <__GI___libc_free>}
(gdb) print *sizes->elements
$5 = (void *) 0x56d66c30
(gdb) print cupsArrayCount(sizes)
You can't do that without a process to debug.
This is most likely not x32-specific thus…

-- System Information:
Debian Release: bullseye/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable'), (100, 'experimental')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages cups-browsed depends on:
ii  cups-daemon          2.3.3-3
ii  init-system-helpers  1.59
ii  libavahi-client3     0.8-3
ii  libavahi-common3     0.8-3
ii  libavahi-glib1       0.8-3
ii  libc6                2.31-4
ii  libcups2             2.3.3-3
ii  libcupsfilters1      1.28.5-1
ii  libglib2.0-0         2.66.3-1
ii  libldap-2.4-2        2.4.56+dfsg-1
ii  lsb-base             11.1.0

Versions of packages cups-browsed recommends:
ii  avahi-daemon  0.8-3

cups-browsed suggests no packages.

-- no debconf information
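
As an added illustration (not code from the bug report or from cups-filters), the strcasestr() step at ppdgenerator.c:2227 with the NULL check the report identifies as missing, exercised with the ppdname value the core dump shows; the function names and the sample inputs are made up for this example.

```c
/* Added example, not the cups-filters source: the ".Borderless" suffix
 * strip from the report's gdb listing, with the result of strcasestr()
 * checked before it is written through. */
#define _GNU_SOURCE          /* strcasestr() is a GNU extension in glibc */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened form. Returns 1 if ".Borderless" (matched case-insensitively)
 * was found and cut off, 0 if the name has no such suffix. With the
 * ppdname "Unknown" from the core, strcasestr() returns NULL; the original
 * code stored '\0' through that pointer, hence "segfault at 0" in the log. */
int strip_borderless_suffix(char *ppdname)
{
    char *suffix;

    if (ppdname == NULL)
        return 0;
    suffix = strcasestr(ppdname, ".Borderless");
    if (suffix == NULL)      /* the check missing at ppdgenerator.c:2227 */
        return 0;
    *suffix = '\0';
    return 1;
}

/* Mirrors the listed fragment: the suffix is only stripped when
 * all_borderless is set. Returns -1 when no strip was attempted,
 * otherwise the status of strip_borderless_suffix(). */
int finish_pagesize_name(char *ppdname, int all_borderless)
{
    if (!all_borderless)
        return -1;
    return strip_borderless_suffix(ppdname);
}

int main(void)
{
    char crash_case[] = "Unknown";         /* constructed copy of the core's ppdname */
    char normal_case[] = "A4.Borderless";  /* constructed input */

    printf("\"Unknown\" -> %d\n", finish_pagesize_name(crash_case, 1));
    printf("\"A4.Borderless\" -> %d (now \"%s\")\n",
           finish_pagesize_name(normal_case, 1), normal_case);
    return 0;
}
```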