OSH fixes after CVE-2026-8631

Resolves: RHEL-178718
This commit is contained in:
Zdenek Dohnal 2026-06-15 13:13:52 +02:00
parent 5fd973cd2c
commit 46c66ce1fe
2 changed files with 67 additions and 4 deletions

View File

@ -1,8 +1,8 @@
diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp
index 1952ef2..0b3208a 100644
index 0e1650c..5f83cba 100644
--- a/prnt/hpcups/genPCLm.cpp
+++ b/prnt/hpcups/genPCLm.cpp
@@ -1921,8 +1921,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
@@ -1917,8 +1917,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
#ifdef SUPPORT_WHITE_STRIPS
int whiteStripLen=0;
if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
@ -15,7 +15,7 @@ index 1952ef2..0b3208a 100644
bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
if(DebugIt2)
{
@@ -1944,11 +1947,17 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
@@ -1940,11 +1943,17 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
ubyte whitePt=0xff;
size_t tmpStripSize=0;
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
@ -33,3 +33,63 @@ index 1952ef2..0b3208a 100644
memset(tmpStrip,whitePt,tmpStripSize);
@@ -2012,7 +2021,10 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
{
int sourceLen=0;
if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
uint32 len=(uint32)sourceLen;
uLongf destSize=len;
@@ -2021,12 +2033,18 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
ubyte whitePt=0xff;
size_t tmpStripSize=0;
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
// We need to inject a blank image-strip with a height==topMarginInPix
ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
if(!tmpStrip)
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
uLongf tmpDestSize=destSize;
memset(tmpStrip,whitePt,tmpStripSize);
@@ -2075,20 +2093,29 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
{
int sourceLen=0;
if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
if(firstStrip && topMarginInPix)
{
ubyte whitePt=0xff;
size_t tmpStripSize=0;
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
// We need to inject a blank image-strip with a height==topMarginInPix
ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
if(!tmpStrip)
+ {
+ free(newStripPtr);
return(errorOutAndCleanUp());
+ }
memset(tmpStrip,whitePt,tmpStripSize);
for(sint32 stripCntr=0; stripCntr<numFullInjectedStrips;stripCntr++)

View File

@ -7,7 +7,7 @@
Summary: HP Linux Imaging and Printing Project
Name: hplip
Version: 3.18.4
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2+ and MIT and BSD and IJG and Public Domain and GPLv2+ with exceptions and ISC
Url: https://developers.hp.com/hp-linux-imaging-and-printing
@ -554,6 +554,9 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop
%config(noreplace) %{_sysconfdir}/sane.d/dll.d/hpaio
%changelog
* Mon Jun 15 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-13
- Fix more leaks in hpcups
* Fri Jun 12 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-12
- OSH fixes after CVE-2026-8631