When using testppd.c as a harness, a fuzzer found a way to call
ppdPageSize() with a NULL return value. This caused a segmentation fault
because the size structure, which is used by values[pos],
was assigned a NULL value. To avoid this, we need to add a
NULL value check for the size structure, free allocated memory,
and return NULL.
Fixes #849
cupsCopyString(bufptr, "%%BeginFeature: *CustomPageSize True\n", (size_t)(bufend - bufptr + 1));
bufptr += 37;
- size = ppdPageSize(ppd, "Custom");
+ if ((size = ppdPageSize(ppd, "Custom")) == NULL)
+ {
+ free(buffer);
+ free(choices);
+ return(NULL);
+ }
memset(values, 0, sizeof(values));
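Review bot: the new early return on `ppdPageSize(ppd, "Custom") == NULL` has no comment stating when that lookup can fail, and the caller receives a bare NULL with nothing to tell this case apart from any other failure. A one-line comment above the `if` describing the condition would help the next reader. It is also worth confirming that `buffer` and `choices` are the only allocations live at this point, so the two `free()` calls release everything the function's other exit paths release. Since the crash was found through the testppd.c harness, adding the input from #849 as a regression case there would keep the NULL path covered.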