1.x: Fix NULL-pointer dereference when parsing %%PDFTOPDF comments (#644)
* Fix null pointer dereference in %%PDFTOPDF* parsers
* %%PDFTOPDFCollate comment parsing: Increment p where needed
Without this, if strchr succeeds, p will point to a ':' character.
*p will therefore never be a whitespace in the subsequent loop,
or compare successfully against the "true" string.
sgiOpenFile can fail when passing an image that both has large dimensions and which also uses RLE compression. In that case, sgiOpenFile attempts to allocate space for compression-related tables and these allocations may fail due to the requested size, causing sgiOpenFile to return NULL. Without this fix, the NULL pointer gets dereferenced, which crashes the filter process.
Compare https://en.wikipedia.org/wiki/Silicon_Graphics_Image#Header for an overview of the SGI image headere.
sgiOpenFile can fail when passing an image that both has large
dimensions and which also uses RLE compression. In that case,
sgiOpenFile attempts to allocate space for compression-related tables
and these allocations may fail due to the requested size, causing
sgiOpenFile to return NULL. Without this fix, the NULL pointer gets
dereferenced, which crashes the filter process.
Compare https://en.wikipedia.org/wiki/Silicon_Graphics_Image#Header
for an overview of the SGI image headere.
Till Kamppeter [Tue, 7 Jan 2025 17:30:34 +0000 (18:30 +0100)]
cups-browsed: Fix uninitialized make_model in create_queue()
Fixes #598
At 2 points the string buffer for make_model got malloced but not
initialized by putting a terminating zero to its beginning.
At the same points sizeof() was applied to the pointer to the buffer
rsulting in a 7-byte limit and strncpy was used which does not put a
terminating zero when the string copied is too long for the given
limit (which was always the case). No we use an explicit number for
the limit and strncat which always zero-terminates.
Thanks, Solar Designer, for describing bug and solution so well in
your report.
Same as https://github.com/OpenPrinting/cups-browsed/issues/42:
Till Kamppeter [Sat, 4 Jan 2025 00:19:57 +0000 (01:19 +0100)]
Correct skipping even/odd pages for manual duplex
Fixes #541
The page-set option with choicers "even" and "odd" is designed for
doing manual duplex, by printing the odd pages first, turning the
printed pages over and put them back into the input tray and then
print the even pages.
If the total number of pages to be printed is odd, an empty page needs
to be added to the end of the set of even pages to make the total
number of pages even, to have a front and back for each sheet and so
the correct pairs of pages are on each sheet and always all sheets are
taken from the input tray to the output tray.
This did not work correctly for 2 reasons:
- The skipping of pages for the page-set and for the page-ranges
options were done in the same step, the page ranges must be done
first and from the resulting pages the even or odd pages need to get
skipped.
- To determine whether the total amount of pages to be printed is odd,
only the actually printed pages, with the even or odd pages already
skipped, ar counted, not the pages which would be printed if
page-set is not used. This means especially that a 6-page document
would have 3 even pages, so in the end 3 pages are counted and so an
extra blank page is added (which is wrong as the document has 6
pages which is even). A 5-page document has 2 even pages, so an even
number of pages gets counted and so no blank page gets added.
Now we apply page-ranges and each page which gets printed according to
that we count with the outputno variable. Then we skip the pages with
even or odd outputno depending of the page-set option. In the end,
output no is the number of all pages to be printed and so we know that
if it is odd and we print the even pages, we need to add a blank page.
Backport of https://github.com/OpenPrinting/libcupsfilters/commit/0d98684e62
Till Kamppeter [Sun, 6 Oct 2024 06:42:37 +0000 (08:42 +0200)]
Removed support for legacy CUPS browsing and for LDAP
Legacy CUPS browsing is not needed any more. this functionality got
removed from CUPS with version 1.6, more than a decade ago. In
cups-browsed it was implemented as a legacy support layer for servers
or clients running long-term-support enterprise distributions still
using CUPS 1.5.x or older. Now the support life of all these
distributions should have expired and so this legacy support by
cups-browsed is not needed any more.
In addition, the legacy CUPS browsing implementation in cups-browsed
was listening for UDP packaets on port 631 and by default it accepted
packets from any source, making it easy for attackers to set up forged
printers which could make use of vulnerabilities of CUPS or just find
out about the identity and properties of clients. This is
CVE-2024-47176:
Shortly after it was also found a another vulnerability of the legacy
CUPS browsing support. It was possible to send a well-formed CUPS
broadcast packet to UDP port 631 of cups-browsed, but with a port 80
URL of a web site which redirects on the port and then cups-browsed
falls into an infinite loop sending HTTP requests which can only be
stopped by "kill -9":
pdftopdf: Add newline after each content stream in ::provideStreamData (#587)
When concatenating the data streams for the page's contents, add a new
line at the end of each data stream to avoid cases where the
concatenation might result in a corruption.
Eg (extracted from a real pdf):
Till Kamppeter [Wed, 6 Dec 2023 21:56:41 +0000 (22:56 +0100)]
libcupsfilters: Fixed building with QPDF 11.x
Set CXXFLAGS="-DPOINTERHOLDER_TRANSITION=0" to silence QPDF warnings
QPDF 11 issues warnings about deprecated "PointerHolder", even if the
code does not use "PointerHolder" any more. This compiler macro
suppresses the warnings.
See /usr/include/qpdf/PointerHolder.hh of QPDF 11.
Backported from libcupsfilters (2.x), commit 076a994fce
Added "-std=c++17" C++ compiler flag (PR#18)
Needed as otherwise the QPDF.hh file of QPDF 11 causes the error
‘std::string_view’ has not been declared
Adding the "-std=c++17" to CXXFLAGS fixes this. See also
Till Kamppeter [Mon, 3 Jul 2023 21:25:39 +0000 (23:25 +0200)]
Use description/location from server if available, otherwise from client
When we create a local queue we first check whether we actually got
description and location strings from the remote server/printer, if
they are empty we do not set empty strings but use the IPP attributes
saved locally for our local queue.
This way, if the server does not provide description/location and the
user sets their own, that one is conserved through reboots and daemon
restarts.
Thanks, Edgar Fuß, for the hint to make sure both server-provided and
local-user-defined description/location work.
Till Kamppeter [Wed, 17 May 2023 09:11:29 +0000 (11:11 +0200)]
beh backend: Use execv() instead of system() - CVE-2023-24805
With execv() command line arguments are passed as separate strings and
not the full command line in a single string. This prevents arbitrary
command execution by escaping the quoting of the arguments in a job
with a forged job title.
In addition, done the following fixes and improvements:
- Do not allow '/' in the scheme of the URI (= backend executable
name), to assure that only backends inside /usr/lib/cups/backend/
are used.
- URI must have ':', to split off scheme, otherwise error out.
- Check return value of snprintf() to create call path for backend, to
error out on truncation of a too long scheme or on complete failure
due to a completely odd scheme.
- Use strncat() instead of strncpy() for getting scheme from URI, the latter
does not require setting terminating zero byte in case of truncation.
- Also exclude "." or ".." as scheme, as directories are not valid CUPS
backends.
- Do not use fprintf() in sigterm_handler(), to not interfere with a
fprintf() which could be running in the main process when
sigterm_handler() is triggered.
- Use "static volatile int" for global variable job_canceled.
Till Kamppeter [Wed, 15 Feb 2023 21:29:38 +0000 (22:29 +0100)]
In auto-generated PPDs do not set RGB default on mono printers
When a PPD for a driverless printer is generated by the
_ppdCreateFromIPP2() function and the get-printer-attributes IPP
response gives "print-color-mode-default=auto" the PPD's default
setting for "ColorModel" is always "RGB", even on monochrome printers,
which makes printing fail on most devices.
Now we ignore the "print-color-mode-default" if set to "auto" and
proceed as if no default was given, finding the default by selecting
the most desirable of the existing "ColorModel" choices.
Discovered via
https://github.com/OpenPrinting/cups/issues/614
The bug was originally reported against ipp-usb as the reporter's
printer was connected via IPP-over-USB, but actually the PPD
generators are at fault, and here not only the one in CUPS but also
the one in cups-filters 1.x and libppd 2.x.
Till Kamppeter [Wed, 25 Jan 2023 00:44:32 +0000 (21:44 -0300)]
libcupsfilters: In PPD generator create only one *cupsFilter2: line for raster
If a printer supports more than one raster format (Apple Raster, PWG
Raster, PCLm), create only one "*cupsFilter2: ..." line for raster,
for the most desirable/reliable raster format.
Most preferred is Apple Raster, then PWG Raster, and after that PCLm
Till Kamppeter [Thu, 12 Jan 2023 04:17:01 +0000 (01:17 -0300)]
cfGetPrinterAttributes(): Poll "media-col-database" separately if needed
To get the full set of printer properties from a driverless IPP
printer one does a "get-printer-attributes" IPP request with the
attribute "requested-attributes" set to "all,media-col-database" (note
that "all" does not include "media-col-database" because this
attribute is often very long, it contains all valid combinations of
media size, media type, media source, and margins). For some printers
this fails and we fall back to just "all" and lose valuable
information.
But some of those printers which do not support "requested-attributes"
set to "all,media-col-database" support "requested-attributes" set to
"media-col-database" alone and this we now make use of, by polling
"media-col-database" separately and adding it to the IPP response of
"all" if needed.
Till Kamppeter [Thu, 12 Jan 2023 02:08:03 +0000 (23:08 -0300)]
libcupsfilters: Let PPD generator also parse "media-col-ready" IPP attribute
"media-col-ready" lists the loaded media, in contrary to "media-ready"
as list of complete descriptions of the media ("media-col" data
structure). This often lists also variants like borderless (it is the
same physical paper).
This can for example make borderless printing work if
"media-col-database" is not available. See
OpenPrinting/cups-filters#492
Backported from libcupsfilters (2.x), commit 3b9ec4aa55
Till Kamppeter [Mon, 9 Jan 2023 22:24:47 +0000 (19:24 -0300)]
libcupsfilters: In generate_sizes() consider all margin alternatives
generate_sizes() reads the available margin sizes from the
media-{left,right,top,bottom}-margin-supported printer IPP attributes
to use the minimum value as default for each margin.
In the case that there is more than one margin value, the first value
in the list did not get considered, often making borderless printing
support (zero margin as first in the list) staying undiscovered.
This commit fixes that and makes sure that always the minimum value is
ysed.
Sachin Thakan [Sat, 14 May 2022 07:12:36 +0000 (12:42 +0530)]
libcupsfilters: Read image resolution from EXIF data of JPEG, PNG, TIFF
If images are printed with "print-scaling=none" one wants to have their original size. To get an original size in absolute dimensions (inches, cm) one needs the pixel count and resolution (dpi, ppi). The resolution is supposed to be in the image's own header but in practice it is often not there.
Images from cameras, and also from some scanners, have additional metadata, the so-called EXIF data which usually contains a resolution. So we read out this with the help of libexif.
In Linux distributions there we usually have libexif and so it is no big effort to let libcupsfilters use it. But it is not required, so for low-resource systems libcupsfilters can be built without (and then not having this feature).
Till Kamppeter [Sun, 10 Apr 2022 08:52:58 +0000 (10:52 +0200)]
libcupsfilters: Silenced warnings about deprecated uint16/uint32
The function to read TIFF image files via libtiff in
cupsfilters/image-tiff.c uses the deprecated types uint16 and
uint32. The replacements for these types are uint16_t and uint32_t.
This commit replaces the types and so silences the compiler warnings.
Till Kamppeter [Tue, 5 Apr 2022 16:36:56 +0000 (18:36 +0200)]
pdftops: Identify old LaserJets more precisely for swicth to Poppler
Old HP LaserJet printers have a firmware bug which makes them not
working with Ghostscript's PostScript output, so in pdftops() we
switch to Poppler for them.
Old HP LaserJet printers have a firmware bug which makes them not
working with Ghostscript's PostScript output, so in pdftops() we
switch to Poppler for them.
We consider an old LaserJet every "HP LaserJet XXXXY" printer with
XXXX being a number (not preceded by a letter), typically 1-4 digits
and Y being 0-2 letters, no separated from the numbers by a space.
Unfortunately, we checked only whether after "LaserJet" comes a number
and not the rest. This made also modern printers with names like "HP
LaserJet 500 color M551" considered old and these modern printers have
another PostScript interpreter bug which makes them not print some
files with Poppler, so they need Ghostscript's PostScript output.
Therefore we refine the check for the old-LaserJet quirk to see
whether after the number are extra words and if so, this is again a
modern printer and we do not switch to Poppler.
Till Kamppeter [Mon, 4 Apr 2022 08:36:58 +0000 (10:36 +0200)]
Make pdftopdf also work correctly with auro-rotating off
If one turns off auto-rotating in the pdftopdf() filter function
(option "nopdfAutoRotate") the orientation of the input page on the
output sheet is manually controlled by the options
"orientation-requested" and "landscape".
The cropping of the pages (with "print-scaling=none") did not work
correctly with auto-rotating turned off. This commit fixes this.
Till Kamppeter [Mon, 4 Apr 2022 08:14:28 +0000 (10:14 +0200)]
libcupsfilters: Make pdftopdf() correctly working with "landscape" option
The "landscape" option rotates the input pages by 90 degrees, in the
direction given by the "*LandscapeOrientation" in the PPD file.
The "orientation-requested" option/IPP attribute rotates the page
according to its value: 3: No rotation; 4: 90 degrees anticlockwise;
5: 90 dgrees clockwise; 6: 180 degrees (upside-down).
After that, at least when not suppressed via "nopdfAutoRotate"
("pdfAutoRotate=false") option, auto-rotation kicks in, rotating the
page by 90 degrees (direction according to "*LandscapeOrientation" in
the PPD file) if the orientations of the input page and the output
page mis-match.
Till Kamppeter [Mon, 28 Mar 2022 20:57:21 +0000 (22:57 +0200)]
rastertopdf: Filter fails if no PCLm default resolution given by printer
In PCLm output mode the filter failed to generate PCLm if the printer
has no "pclm-source-resolution-default" IPP attribute (which gets
added to the PPD as "*cupsPclmSourceResolutionDefault"). This often
happens if there is only a single supported resolution. We take now
the first item of "pclm-source-resolution-supported" as default
resolution to make the PCLm output working in this
situation. Offending printers are the HP LaserJet M14-M17 printers
See also https://github.com/apple/cups/issues/6022
Till Kamppeter [Sun, 27 Mar 2022 15:57:06 +0000 (17:57 +0200)]
pdftopdf: Fix N-up printing with long-edge-first
If the printer takes the paper long-edge-first and the number-up
option for printing multiple pages per sheet is used, the grid for the
shrinked pages onm the output sheet is set wrongly (number of lines
and number of columns swapped). This commit fixes the this bug.
Till Kamppeter [Sun, 27 Mar 2022 15:51:12 +0000 (17:51 +0200)]
libcupsfilters: In pdftopdf() fix cropping with long-edge-first
If the printer takes the paper long-edge-first (lasers and inkjets
usually take it short-edge first, but roll-fed large-formats or label
printers also take long-edge-first) the cropping of the page image for
crop-to-fit (print-scaling=none) and fill (print-scaling=fill) by the
pdftopdf() filter function did not work correctly. This is fixed now.
Till Kamppeter [Sun, 27 Mar 2022 15:44:03 +0000 (17:44 +0200)]
pdftops: Use Poppler for all Apple LaserWriter models
We had already switched to Poppler to convert PDF to PostScript on
several Apple LaserWriter models as Ghostscript's PostScript did not
work on these printers, probably due to firmware bugs in the printers.
Now more Apple LaserWriter models were found which need the same
workaround. Therefore we use Poppler for all Apple LaserWriter models
now.
In the imageto... filters with print-scaling=auto the image size was
not compared correctly with the page size to switch between
fit-to-page for large sizes and no scaling for small sizes. The image
size in pixels was compared with the page size in PostScript points
(1/72 inch).
Till Kamppeter [Thu, 17 Feb 2022 16:44:57 +0000 (17:44 +0100)]
imagetoraster, imagetopdf: With print-scaling=none center image correctly
In the imageto... filters with print-scaling=none do the math for
centering the image on the page without the unprintable margins, so
that the image gets correctly centered relative to the page, not to
the printable area of the page.
As in imagetoraster we have to pass on a bitmap of the printable area
for CUPS Raster. we correct for the margins after calculating image
size and position without margins.
In the imageto...()s fixed the print-scaling=none (crop-to-fit) mode,
which prints the image in its original size (based on PPI resolution
stored in the image file or on 200 dpi resolution, which is the
standard resolution for shipping labels). Also use crop-to-fit always
when requested, do not fall back to fit-to-page when the image is
significantly larger or smaller than the page.
libcupsfilters: Changed the default ppi from 128 to 200
This is for image input files which have no PPI resolution in their metadata and are printed without scaling ("print-scaling=none"). In this case the default resolution is used. Formerly it was set to 128 PPI but we change it to 200 PPI now as many shipping labels come as image files with 200 PPI and so it is easier to print them in their original size. For photos this default value is not important though, as photos are usually printed with scaling ("print-scaling=fill" or "print-scaling=fit").
Till Kamppeter [Sat, 5 Feb 2022 19:22:10 +0000 (16:22 -0300)]
pdftopdf: Add 2% tolerance for input size larger than output page
When "print-scaling=auto" or "print-scaling=auto-fit" is used, the
input pages are scaled when they do not fit into the output page
size. Often input ad out page sizes are supposed to be equal, for
example both A4, but rounding errors could make the input considered
larger and unnecessarily scaled.
Therefore we add 2% of tolerance before considering an input page too
large.
RFC7472 requires that 'ipps' must be used over HTTPS, but driverless
does not enforce encryption and will use insecure connection by
default. This makes it unusable with a printer that expects secure
connection only on 'ipps' port.
Till Kamppeter [Thu, 3 Feb 2022 22:03:00 +0000 (19:03 -0300)]
pdftopdf: Set a default for "print-scaling"
If no setting for "print-scaling" is provided via IPP attribute or
command line option there is no default value for it and we get
undefined behavior and also a scary "should never happen" message in
the log.
Now we check after parsing the appropriate IPP attributes and command
line options whether a setting was provided. If not, we use "auto".
Till Kamppeter [Thu, 30 Dec 2021 02:12:00 +0000 (23:12 -0300)]
libcupsfilters: Fix resolver functions for DNS-SD-based URIs
CUPS and cups-browsed use DNS-SD-service-name-based URIs, so that the
printer URIs are robust against changes of network details, for
example of the port, if Printer Applications on a system come up in
different order at every boot.
To be able to access the printer these URIs have to get resolved,
which means to get converted into standard IPP URIs. This is done by
two functions with their source being in cupsfilters/ipp.c.
Unfortunately both functions have a bug and in this commit we fix
these bugs to make the functions correctly working in all cases.
1. resolve_uri()
This function calls cupsBackendDeviceURI() of libcups which resolves
device URIs for the CUPS backends. As it is designed for only using in
CUPS backends it needs some workarounds to make it usuable as
universal library function and make it work in a wide range of system
environments.
One workaround was already applied from the beginning on, re-directing
stderr into the Nirwana, to avoid messages to stderr.
Another is needed and now added: We need to unset the DEVICE_URI
environment variable as the function searches for the device URI to
resolve there at first and not as argc[0]. Otherwise, if we are
running under CUPS, in a backend, we get the print queue's device URI
resolved and not the one which we supply.
We save and restore the value of DEVICE_URI to keep the impact as low
as possible.
2. ippfind_based_uri_converter()
In this function the ippfind utility is called in a fork and the
foreground (parent process) is getting ippfind's stdout through a
pipe. The main process is picking up the data to use it for resolving
the given URI. Here the parent process has unnecessarily: "dup"ed the
read end of the pipe to stdin, and then read the lines from
stdin. This prevents the calling program to use stdin by itself, for
example to receive print job data.
Now this is fixed by directly reading from the read end of the pipe.
Till Kamppeter [Thu, 3 Feb 2022 19:01:56 +0000 (16:01 -0300)]
pdftopdf: Fix orientation-requested = 0
CUPS often adds "orientation-requested=0" to the options in the
filter/backend command line, meaning automatic selection. pdftopdf()
did not support this value and therefore did not do the correct
settings making margins of rotated landscape pages not be done
correctly.
Till Kamppeter [Sat, 15 Jan 2022 18:40:43 +0000 (15:40 -0300)]
libcupsfilters: Let PPD generator take default ColorModel from printer
Instead of selecting the "best" available color mode as default for
the PPD file generated from the response to the get-printer-attributes
IPP request we use the printer default according to the IPP attributes
(print-color-mode-default).
This way on can simply change the default on a network printer's web
interface or on a remote CUPS printer and clients using cups-browsed
or the "driverless" utility respect the change.
This solves https://github.com/OpenPrinting/cups/issues/277, together
with the changes done on CUPS for this issue.
Till Kamppeter [Tue, 4 Jan 2022 20:07:50 +0000 (17:07 -0300)]
libcupsfilters: In imagetoraster() fixed crash with SGray
As the SGray color space was not mentioned in the switch for selecting
the raster line formatting function, a 3-channel color formatting
function was selected instead of the 1-channel grayscale one, leading
to an overrun of the input pixel line, causing a crash.
This is fixed now by also mentioning the 3 standard color spaces for
driverless printing, SGray, SRGB, and AdobeRGB explicily (where for
the latter 2 the selection already worked as they are 3-channel color
options).
TinyTrebuchet [Sat, 15 Jan 2022 14:35:32 +0000 (20:05 +0530)]
Braille: In vectortopdf check inkscape version to call inkscape with the correct command line
From version 1.0.x on, Inkscape does not support the '-A' command line flag any more. Now we check the inkscape version and call inkscape always with the correct command line.
Till Kamppeter [Wed, 22 Dec 2021 22:57:32 +0000 (19:57 -0300)]
cups-browsed: Updated naming of locally created print queues
Naming of local queues created by cups-browsed is now matched to CUPS'
current naming of temporary queues (no leading or trailing
underscores), to avoid duplicates in print dialogs which support CUPS'
temporary queues.
Till Kamppeter [Tue, 12 Oct 2021 11:33:26 +0000 (13:33 +0200)]
libcupsfilters: Make cupsRasterParseIPPOptions() work correctly with PPDs
cupsRasterParseIPPOptions() interprets job options/IPP attributes and
their settings just bei their names. This works well when the
destination printer is not described by a PPD file.
If there is a PPD file, their can be weird option and choice names
which do not tell what they are good for, giving wrong
impressions. Only the PostScript or PJL code assigned to the choices
in the PPD file tells what they actually are supposed to do.
A good example for that is the "Resolution" option of Gutenprint. As
the developers of Gutenprint do not want to solely and directly set
the print resolution with this option (as was Adobe's idea for it),
and instead, do more things with it, as having an "Automatic" choice
or variants of the same resolution (for example different dithering
algorithms), but PPD standards require the choices to be "XXXxYYYdpi"
without exceptions, they come with names like "601x600dpi" for the
variants and the PPD's embedded PostScript code contains the actual
resolution.
To avoid that cupsRasterParseIPPOptions() mis-interprets such weird
PPD options, we check whether we are using a PPD (via the PPD
environment variable) and if so we refrain from parsing options which
are in the PPD. Only if set_defaults = 1 is set, we use them but via a
call of callRasterInterpretPPD() instead of interpreting them by
ourselves option/choice-name-only.
Till Kamppeter [Sun, 19 Sep 2021 17:53:30 +0000 (19:53 +0200)]
libcupsfilters: Let colord_get_profile_for_device_id() not return empty file name
If the function colord_get_profile_for_device_id() returns an empty
file name, the color generates an error message in the CUPS
error_log. Some print dialogs report every log message of level error
to the user even if the job got correctly printed.
zdohnal [Fri, 18 Jun 2021 10:27:53 +0000 (12:27 +0200)]
cups-browsed.c: Make NotifLeaseDuration configurable and renew after half the lease duration not 60 sec before end
1) NotifLeaseDuration directive for cups-browsed.conf - it will make
lease duration for notifications configurable by users. IMO it is not
useful for regular users, but it is helpful during sanity testing
(for verifying that we actually renew the subscription when time
comes). The current hardcoded 1 day is unusuable for that :( .
I implemented the lowest threshold to 300s to prevent a possible DoS.
2) Subscription renewal is set to happen in the middle of NotifLeaseDuration,
not one minute before lease expiration. This was a problem on busy servers,
where cups-browsed was busy and wasn't able to renew the subscription
before cupsd removed it. Then if some jobs had come before the subscription
was created again, the queue got disabled. The proposed approach is based
on behavior of DHCP.
projects / thirdparty / cups-filters.git / log
