From 1e7802c0b08f3abee4865eec57fc55c59afe4f4c Mon Sep 17 00:00:00 2001
From: Tim Waugh
Date: Thu, 13 Jun 2013 11:58:55 +0100
Subject: [PATCH] Prevent stringpool damage leading to memory leaks (bug #974048).
Resolves: rhbz#974048
---
cups-stringpool-setprinterattr.patch | 64 ++++++++++++++++++++++++++++
cups.spec | 9 +++-
2 files changed, 71 insertions(+), 2 deletions(-)
create mode 100644 cups-stringpool-setprinterattr.patch
diff --git a/cups-stringpool-setprinterattr.patch b/cups-stringpool-setprinterattr.patch
new file mode 100644
index 0000000..ab3028a
--- /dev/null
+++ b/cups-stringpool-setprinterattr.patch
@@ -0,0 +1,64 @@
+diff -up cups-1.5.4/scheduler/printers.c.stringpool-setprinterattr cups-1.5.4/scheduler/printers.c
+--- cups-1.5.4/scheduler/printers.c.stringpool-setprinterattr 2013-06-13 10:40:43.607590350 +0100
++++ cups-1.5.4/scheduler/printers.c 2013-06-13 10:53:31.134919727 +0100
+@@ -2053,6 +2053,7 @@ cupsdSetPrinterAttr(
+ ipp_attribute_t *attr; /* Attribute */
+ int i, /* Looping var */
+ count; /* Number of values */
++ char *value_dup; /* Copy of attribute value string */
+ char *ptr, /* Pointer into value */
+ *start, /* Start of value */
+ quote; /* Quote character */
+@@ -2121,16 +2122,24 @@ cupsdSetPrinterAttr(
+ return;
+ }
+
+- for (i = 0; i < count; i ++)
++ if ((value_dup = strdup(value)) == NULL)
+ {
+- if ((ptr = strchr(value, ',')) != NULL)
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to copy attribute value.");
++ return;
++ }
++
++ for (i = 0, start = value_dup; i < count; i ++)
++ {
++ if ((ptr = strchr(start, ',')) != NULL)
+ *ptr++ = '\0';
+
+- attr->values[i].integer = strtol(value, NULL, 10);
++ attr->values[i].integer = strtol(start, NULL, 10);
+
+ if (ptr)
+- value = ptr;
++ start = ptr;
+ }
++
++ free(value_dup);
+ }
+ else
+ {
+@@ -2171,7 +2180,13 @@ cupsdSetPrinterAttr(
+ return;
+ }
+
+- for (i = 0, quote = '\0', ptr = value; i < count; i ++)
++ if ((value_dup = strdup(value)) == NULL)
++ {
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to copy attribute value.");
++ return;
++ }
++
++ for (i = 0, quote = '\0', ptr = value_dup; i < count; i ++)
+ {
+ for (start = ptr; *ptr; ptr ++)
+ {
+@@ -2199,6 +2214,8 @@ cupsdSetPrinterAttr(
+
+ attr->values[i].string.text = _cupsStrAlloc(start);
+ }
++
++ free(value_dup);
+ }
+ }
+
diff --git a/cups.spec b/cups.spec
index e734893..1cf2be5 100644
--- a/cups.spec
+++ b/cups.spec
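Review bot: Both new `strdup()` failure paths (inner hunks at -2121 and -2171 of printers.c) return after `attr` appears to have been created or resized already: the `return; }` context directly above each check looks like the tail of that allocation test, although the code itself lies outside the hunk. If that is right, an out-of-memory return here leaves an attribute with `count` values that were never filled in attached to the printer, and later readers of it would see unset integers or string pointers. Taking the copy before the attribute is touched avoids this, i.e. moving `if ((value_dup = strdup(value)) == NULL)` and its error return above the attribute lookup in each branch of `cupsdSetPrinterAttr`. The loop body between `for (start = ptr; *ptr; ptr ++)` and `_cupsStrAlloc(start)` is not shown either, so it is worth confirming that nothing in it returns early and skips `free(value_dup)`.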
@@ -12,7 +12,7 @@ Summary: Common Unix Printing System Name: cups Version: 1.5.4 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2 Group: System Environment/Daemons Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2 @@ -79,13 +79,13 @@ Patch43: cups-str4194.patch Patch44: cups-r10638.patch Patch45: cups-r10642.patch Patch46: cups-str4190.patch - Patch47: cups-str4223.patch Patch48: cups-str4125.patch Patch49: cups-str4140.patch Patch50: cups-str4187.patch Patch51: cups-str4205.patch +Patch52: cups-stringpool-setprinterattr.patch Patch100: cups-lspp.patch @@ -346,6 +346,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results. %patch50 -p1 -b .str4187 # Don't set auth-info-required all of the time (STR #4205) %patch51 -p1 -b .str4205 +# Prevent stringpool damage leading to memory leaks (bug #974048). +%patch52 -p1 -b .stringpool-setprinterattr %if %lspp # LSPP support. @@ -763,6 +765,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man5/ipptoolfile.5.gz %changelog +* Thu Jun 13 2013 Tim Waugh 1:1.5.4-28 +- Prevent stringpool damage leading to memory leaks (bug #974048). + * Tue Apr 23 2013 Tim Waugh 1:1.5.4-27 - dnssd backend: don't crash if avahi gives a callback with no TXT record (bug #927040).