From ddaef0f518fb8da48e40b28c074ca4b662dcf8b5 Mon Sep 17 00:00:00 2001 From: Michael R Sweet Date: Fri, 14 Dec 2018 14:29:57 -0500 Subject: [PATCH] Fix potential crash in cups-driverd (rdar://46625579) --- CHANGES.md | 3 ++- scheduler/cups-driverd.cxx | 43 ++++++++++++++++---------------------- 2 files changed, 20 insertions(+), 26 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 0f89216d4..2ea55eff1 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,4 +1,4 @@ -CHANGES - 2.2.10 - 2018-12-10 +CHANGES - 2.2.11 - 2018-12-14 ============================= Changes in CUPS v2.2.11 @@ -6,6 +6,7 @@ Changes in CUPS v2.2.11 - Running ppdmerge with the same input and output filenames did not work as advertised (Issue #5455) +- Fixed a potential crash bug in cups-driverd (rdar://46625579) Changes in CUPS v2.2.10 diff --git a/scheduler/cups-driverd.cxx b/scheduler/cups-driverd.cxx index e6684a139..c13fab48b 100644 --- a/scheduler/cups-driverd.cxx +++ b/scheduler/cups-driverd.cxx @@ -31,7 +31,7 @@ * Constants... */ -#define PPD_SYNC 0x50504439 /* Sync word for ppds.dat (PPD9) */ +#define PPD_SYNC 0x50504441 /* Sync word for ppds.dat (PPDA) */ #define PPD_MAX_LANG 32 /* Maximum languages */ #define PPD_MAX_PROD 32 /* Maximum products */ #define PPD_MAX_VERS 32 /* Maximum versions */ @@ -40,12 +40,9 @@ #define PPD_TYPE_PDF 1 /* PDF PPD */ #define PPD_TYPE_RASTER 2 /* CUPS raster PPD */ #define PPD_TYPE_FAX 3 /* Facsimile/MFD PPD */ -#define PPD_TYPE_OBJECT_ANY 4 /* 3D (AMF/STL/g-code) PPD */ -#define PPD_TYPE_OBJECT_DIRECT 5 /* 3D (AMF/STL/g-code) PPD over any connection */ -#define PPD_TYPE_OBJECT_STORAGE 6 /* 3D (AMF/STL/g-code) PPD for storage to SD card, etc. */ -#define PPD_TYPE_UNKNOWN 7 /* Other/hybrid PPD */ -#define PPD_TYPE_DRV 8 /* Driver info file */ -#define PPD_TYPE_ARCHIVE 9 /* Archive file */ +#define PPD_TYPE_UNKNOWN 4 /* Other/hybrid PPD */ +#define PPD_TYPE_DRV 5 /* Driver info file */ +#define PPD_TYPE_ARCHIVE 6 /* Archive file */ #define TAR_BLOCK 512 /* Number of bytes in a block */ #define TAR_BLOCKS 10 /* Blocking factor */ @@ -1527,8 +1524,20 @@ list_ppds(int request_id, /* I - Request ID */ } if (send_type) - cupsdSendIPPString(IPP_TAG_KEYWORD, "ppd-type", - PPDTypes[ppd->record.type]); + { + if (ppd->record.type < PPD_TYPE_POSTSCRIPT || ppd->record.type > PPD_TYPE_ARCHIVE) + { + /* + * This cache file is corrupted, remove it! + */ + + unlink(filename); + + cupsdSendIPPString(IPP_TAG_KEYWORD, "ppd-type", PPDTypes[PPD_TYPE_UNKNOWN]); + } + else + cupsdSendIPPString(IPP_TAG_KEYWORD, "ppd-type", PPDTypes[ppd->record.type]); + } if (send_model_number) cupsdSendIPPInteger(IPP_TAG_INTEGER, "ppd-model-number", @@ -2111,22 +2120,6 @@ load_ppd(const char *filename, /* I - Real filename */ type = PPD_TYPE_RASTER; else if (strstr(line + 12, "application/vnd.cups-pdf")) type = PPD_TYPE_PDF; - else if (strstr(line + 12, "application/amf") || - strstr(line + 12, "application/g-code") || - strstr(line + 12, "application/sla")) - type = PPD_TYPE_OBJECT_ANY; - } - else if (!strncmp(line, "*cups3DWorkflows:", 17)) - { - int is_direct = strstr(line + 17, "direct") != NULL; - int is_storage = strstr(line + 17, "storage") != NULL; - - if (is_direct && !is_storage) - type = PPD_TYPE_OBJECT_DIRECT; - else if (!is_direct && is_storage) - type = PPD_TYPE_OBJECT_STORAGE; - else - type = PPD_TYPE_OBJECT_ANY; } else if (!strncmp(line, "*cupsModelNumber:", 17)) sscanf(line, "*cupsModelNumber:%d", &model_number); -- 2.39.2