1.x: Fix NULL-pointer dereference when parsing %%PDFTOPDF comments (#644)

* Fix null pointer dereference in %%PDFTOPDF* parsers

* %%PDFTOPDFCollate comment parsing: Increment p where needed

Without this, if strchr succeeds, p will point to a ':' character.
*p will therefore never be a whitespace in the subsequent loop,
or compare successfully against the "true" string.

diff --git a/filter/gstoraster.c b/filter/gstoraster.c
index 87ff948e6fcbaa21da3ec007f6b38cd6ecae5039..6f4da59910fbb236c33acf266cf463e6900d5f60 100644 (file)
--- a/filter/gstoraster.c
+++ b/filter/gstoraster.c
@@ -104,16 +104,21 @@ parse_pdf_header_options(FILE *fp, gs_page_header *h)
       char *p;
 
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }

diff --git a/filter/mupdftoraster.c b/filter/mupdftoraster.c
index 09c66c00d7dce6d5d1c8de3bc21af6faf51e0c40..a96e9c8c3ef2d9eae88dfd5794668954af1ef580 100644 (file)
--- a/filter/mupdftoraster.c
+++ b/filter/mupdftoraster.c
@@ -102,16 +102,21 @@ parse_pdf_header_options(FILE *fp, mupdf_page_header *h)
       char *p;
 
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }

diff --git a/filter/pdftops.c b/filter/pdftops.c
index 1bfe1a2c7d61c6e004a5c0e6450d0ee087ed9bf9..81ccc983e08c61802dbe011bb0f9d89c60407b9c 100644 (file)
--- a/filter/pdftops.c
+++ b/filter/pdftops.c
@@ -138,25 +138,31 @@ static void parsePDFTOPDFComment(char *filename)
     if (strncmp(buf,"%%PDFTOPDFNumCopies",19) == 0) {
       char *p;
 
-      p = strchr(buf+19,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      strncpy(deviceCopies, p, sizeof(deviceCopies));
-      deviceCopies[sizeof(deviceCopies) - 1] = '\0';
-      p = deviceCopies + strlen(deviceCopies) - 1;
-      while (*p == ' ' || *p == '\t'  || *p == '\r'  || *p == '\n') p--;
-      *(p + 1) = '\0';
-      pdftopdfapplied = 1;
+      p = strchr(buf+19,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        strncpy(deviceCopies, p, sizeof(deviceCopies));
+        deviceCopies[sizeof(deviceCopies) - 1] = '\0';
+        p = deviceCopies + strlen(deviceCopies) - 1;
+        while (*p == ' ' || *p == '\t'  || *p == '\r'  || *p == '\n') p--;
+        *(p + 1) = '\0';
+        pdftopdfapplied = 1;
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
-      p = strchr(buf+17,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-       deviceCollate = 1;
-      } else {
-       deviceCollate = 0;
+      p = strchr(buf+17,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = 1;
+        } else {
+          deviceCollate = 0;
+        }
+        pdftopdfapplied = 1;
       }
-      pdftopdfapplied = 1;
     } else if (strcmp(buf,"% This file was generated by pdftopdf") == 0) {
       pdftopdfapplied = 1;
     }

diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx
index 1bdde0b1dd646737db0a4c8be5cdb022aef98ad9..7b3af924f9af015b71d7d3ef8afe5feea15a9dcf 100755 (executable)
--- a/filter/pdftoraster.cxx
+++ b/filter/pdftoraster.cxx
@@ -489,16 +489,21 @@ static void parsePDFTOPDFComment(FILE *fp)
       char *p;
 
       p = strchr(buf+19,':');
-      deviceCopies = atoi(p+1);
+      if (p) {
+        deviceCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-       deviceCollate = true;
-      } else {
-       deviceCollate = false;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = true;
+        } else {
+          deviceCollate = false;
+        }
       }
     }
   }