From c3d2f07399da93f2b5308f499b1ddc5504d087ce Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Noack?=
Date: Thu, 10 Jul 2025 22:31:02 +0200
Subject: [PATCH] 1.x: Fix NULL-pointer dereference when parsing %%PDFTOPDF comments (#644)

* Fix null pointer dereference in %%PDFTOPDF* parsers

* %%PDFTOPDFCollate comment parsing: Increment p where needed

Without this, if strchr succeeds, p will point to a ':' character. *p will therefore never be a whitespace in the subsequent loop, or compare successfully against the "true" string.
---
 filter/gstoraster.c | 17 +++++++++++------
 filter/mupdftoraster.c | 17 +++++++++++------
 filter/pdftops.c | 36 +++++++++++++++++++++--------------
 filter/pdftoraster.cxx | 17 +++++++++++------
 4 files changed, 54 insertions(+), 33 deletions(-)

diff --git a/filter/gstoraster.c b/filter/gstoraster.c
index 87ff948e6..6f4da5991 100644
--- a/filter/gstoraster.c
+++ b/filter/gstoraster.c
@@ -104,16 +104,21 @@ parse_pdf_header_options(FILE *fp, gs_page_header *h)
       char *p;
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }
diff --git a/filter/mupdftoraster.c b/filter/mupdftoraster.c
index 09c66c00d..a96e9c8c3 100644
--- a/filter/mupdftoraster.c
+++ b/filter/mupdftoraster.c
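Review bot: The guarded `h->NumCopies = atoi(p+1);` still takes the copy count from the comment without any validation: atoi reports no error, so an empty or non-numeric field silently becomes 0, a negative count is passed through unchanged, and a value outside the int range is undefined behaviour. Replacing it with `char *end; long v = strtol(p + 1, &end, 10);` and `if (end != p + 1 && v >= 0 && v <= INT_MAX) h->NumCopies = (int)v;` (INT_MAX from <limits.h>) rejects those cases and keeps the previous value instead; the exact range worth accepting depends on how the caller uses NumCopies, which is not visible because parse_pdf_header_options starts before the hunk. The same atoi pattern is in the mupdftoraster.c hunk (`h->NumCopies`) and the pdftoraster.cxx hunk (`deviceCopies`).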
@@ -102,16 +102,21 @@ parse_pdf_header_options(FILE *fp, mupdf_page_header *h)
       char *p;
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }
diff --git a/filter/pdftops.c b/filter/pdftops.c
index 1bfe1a2c7..81ccc983e 100644
--- a/filter/pdftops.c
+++ b/filter/pdftops.c
@@ -138,25 +138,31 @@ static void parsePDFTOPDFComment(char *filename)
     if (strncmp(buf,"%%PDFTOPDFNumCopies",19) == 0) {
       char *p;
-      p = strchr(buf+19,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      strncpy(deviceCopies, p, sizeof(deviceCopies));
-      deviceCopies[sizeof(deviceCopies) - 1] = '\0';
-      p = deviceCopies + strlen(deviceCopies) - 1;
-      while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p--;
-      *(p + 1) = '\0';
-      pdftopdfapplied = 1;
+      p = strchr(buf+19,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        strncpy(deviceCopies, p, sizeof(deviceCopies));
+        deviceCopies[sizeof(deviceCopies) - 1] = '\0';
+        p = deviceCopies + strlen(deviceCopies) - 1;
+        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p--;
+        *(p + 1) = '\0';
+        pdftopdfapplied = 1;
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
-      p = strchr(buf+17,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        deviceCollate = 1;
-      } else {
-        deviceCollate = 0;
+      p = strchr(buf+17,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = 1;
+        } else {
+          deviceCollate = 0;
+        }
+        pdftopdfapplied = 1;
       }
-      pdftopdfapplied = 1;
     } else if (strcmp(buf,"% This file was generated by pdftopdf") == 0) {
       pdftopdfapplied = 1;
     }
diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx
index 1bdde0b1d..7b3af924f 100755
--- a/filter/pdftoraster.cxx
+++ b/filter/pdftoraster.cxx
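Review bot: The trailing-whitespace trim in the `%%PDFTOPDFNumCopies` branch, `p = deviceCopies + strlen(deviceCopies) - 1;` followed by the `p--` loop, has no lower bound, so when the copied field is empty or whitespace-only (the skip loop above consumes only spaces and tabs, so a line such as `%%PDFTOPDFNumCopies:` followed directly by the newline leaves just `\n`) p moves before the start of deviceCopies and the loop condition reads outside the array. A length-based trim avoids that: `size_t len = strlen(deviceCopies);` / `while (len > 0 && (deviceCopies[len-1] == ' ' || deviceCopies[len-1] == '\t' || deviceCopies[len-1] == '\r' || deviceCopies[len-1] == '\n')) len--;` / `deviceCopies[len] = '\0';`. The `strncpy` plus manual terminator pair above it could likewise become `snprintf(deviceCopies, sizeof(deviceCopies), "%s", p);`, which always terminates. parsePDFTOPDFComment begins before the hunk and continues after it, and the declaration of deviceCopies is outside the hunk as well.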
@@ -489,16 +489,21 @@ static void parsePDFTOPDFComment(FILE *fp)
       char *p;
       p = strchr(buf+19,':');
-      deviceCopies = atoi(p+1);
+      if (p) {
+        deviceCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        deviceCollate = true;
-      } else {
-        deviceCollate = false;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = true;
+        } else {
+          deviceCollate = false;
+        }
       }
     }
   }
-- 
2.47.2