From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 1 Aug 2019 17:56:29 +0000 (-0400)
Subject: Fix some PPD parser issues discovered via fuzzing (Issue #5623, Issue #5624)
X-Git-Tag: v2.3.0~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc00a7c3adc459ee468ec9e1c52679b83e4a4c9d;p=thirdparty%2Fcups.git

Fix some PPD parser issues discovered via fuzzing (Issue #5623, Issue #5624)
---

diff --git a/CHANGES.md b/CHANGES.md
index 920493c887..4402b0161b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3.0 - 2019-07-16
+CHANGES - 2.3.0 - 2019-08-01
 ============================
 
 
@@ -23,6 +23,7 @@ Changes in CUPS v2.3.0
 - The scheduler now uses both the group's membership list as well as the
   various OS-specific membership functions to determine whether a user belongs
   to a named group (Issue #5613)
+- Fixed some PPD parser issues (Issue #5623, Issue #5624)
 - Fixed an issue with unsupported "sides" values in the IPP backend
   (rdar://51775322)
 - The scheduler would restart continuously when idle and printers were not
diff --git a/cups/ppd-emit.c b/cups/ppd-emit.c
index b9b0e5ad08..8bffb2bc36 100644
--- a/cups/ppd-emit.c
+++ b/cups/ppd-emit.c
@@ -664,6 +664,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :
@@ -710,6 +713,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :
@@ -805,6 +811,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	      {
 	        switch (cparam->type)
 		{
+		  case PPD_CUSTOM_UNKNOWN :
+		      break;
+
 		  case PPD_CUSTOM_CURVE :
 		  case PPD_CUSTOM_INVCURVE :
 		  case PPD_CUSTOM_POINTS :
@@ -1007,6 +1016,9 @@ ppdEmitString(ppd_file_t    *ppd,	/* I - PPD file record */
 	{
           switch (cparam->type)
 	  {
+	    case PPD_CUSTOM_UNKNOWN :
+	        break;
+
 	    case PPD_CUSTOM_CURVE :
 	    case PPD_CUSTOM_INVCURVE :
 	    case PPD_CUSTOM_POINTS :
diff --git a/cups/ppd-mark.c b/cups/ppd-mark.c
index 9eca0cec7f..7ec0df4739 100644
--- a/cups/ppd-mark.c
+++ b/cups/ppd-mark.c
@@ -851,6 +851,9 @@ ppd_mark_option(ppd_file_t *ppd,	/* I - PPD file */
 
         switch (cparam->type)
 	{
+	  case PPD_CUSTOM_UNKNOWN :
+	      break;
+
 	  case PPD_CUSTOM_CURVE :
 	  case PPD_CUSTOM_INVCURVE :
 	  case PPD_CUSTOM_REAL :
@@ -928,6 +931,9 @@ ppd_mark_option(ppd_file_t *ppd,	/* I - PPD file */
 
 	switch (cparam->type)
 	{
+	  case PPD_CUSTOM_UNKNOWN :
+	      break;
+
 	  case PPD_CUSTOM_CURVE :
 	  case PPD_CUSTOM_INVCURVE :
 	  case PPD_CUSTOM_REAL :
diff --git a/cups/ppd.c b/cups/ppd.c
index ada0c14f7e..fae19c42ee 100644
--- a/cups/ppd.c
+++ b/cups/ppd.c
@@ -992,6 +992,13 @@ _ppdOpen(
 	goto error;
       }
 
+      if (cparam->type != PPD_CUSTOM_UNKNOWN)
+      {
+        pg->ppd_status = PPD_BAD_CUSTOM_PARAM;
+
+        goto error;
+      }
+
      /*
       * Get the parameter data...
       */
@@ -1865,6 +1872,13 @@ _ppdOpen(
     }
     else if (!strcmp(keyword, "PaperDimension"))
     {
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if ((size = ppdPageSize(ppd, name)) == NULL)
 	size = ppd_add_size(ppd, name);
 
@@ -1887,6 +1901,13 @@ _ppdOpen(
     }
     else if (!strcmp(keyword, "ImageableArea"))
     {
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if ((size = ppdPageSize(ppd, name)) == NULL)
 	size = ppd_add_size(ppd, name);
 
@@ -1916,6 +1937,13 @@ _ppdOpen(
     {
       DEBUG_printf(("2_ppdOpen: group=%p, subgroup=%p", group, subgroup));
 
+      if (!_cups_strcasecmp(name, "custom") || !_cups_strncasecmp(name, "custom.", 7))
+      {
+        pg->ppd_status = PPD_ILLEGAL_OPTION_KEYWORD;
+
+        goto error;
+      }
+
       if (!strcmp(keyword, "PageSize"))
       {
        /*
@@ -2640,6 +2668,7 @@ ppd_get_cparam(ppd_coption_t *opt,	/* I - PPD file */
   if ((cparam = calloc(1, sizeof(ppd_cparam_t))) == NULL)
     return (NULL);
 
+  cparam->type = PPD_CUSTOM_UNKNOWN;
   strlcpy(cparam->name, param, sizeof(cparam->name));
   strlcpy(cparam->text, text[0] ? text : param, sizeof(cparam->text));
 
diff --git a/cups/ppd.h b/cups/ppd.h
index 108f20e2a1..f2ba50db83 100644
--- a/cups/ppd.h
+++ b/cups/ppd.h
@@ -226,6 +226,7 @@ typedef struct ppd_profile_s		/**** sRGB Color Profiles @deprecated@ ****/
 /**** New in CUPS 1.2/macOS 10.5 ****/
 typedef enum ppd_cptype_e		/**** Custom Parameter Type @deprecated@ ****/
 {
+  PPD_CUSTOM_UNKNOWN = -1,		/* Unknown type (error) */
   PPD_CUSTOM_CURVE,			/* Curve value for f(x) = x^value */
   PPD_CUSTOM_INT,			/* Integer number value */
   PPD_CUSTOM_INVCURVE,			/* Curve value for f(x) = x^(1/value) */
diff --git a/cups/testppd.c b/cups/testppd.c
index 914abbd427..36707f29a6 100644
--- a/cups/testppd.c
+++ b/cups/testppd.c
@@ -1245,6 +1245,10 @@ main(int  argc,				/* I - Number of command-line arguments */
             {
 	      switch (cparam->type)
 	      {
+	        case PPD_CUSTOM_UNKNOWN :
+		    printf("              %s(%s): PPD_CUSTOM_UNKNOWN (error)\n", cparam->name, cparam->text);
+	            break;
+
 	        case PPD_CUSTOM_CURVE :
 		    printf("              %s(%s): PPD_CUSTOM_CURVE (%g to %g)\n",
 		           cparam->name, cparam->text,