Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,95 +0,0 @@
|
||||
diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp
|
||||
index 0e1650c..5f83cba 100644
|
||||
--- a/prnt/hpcups/genPCLm.cpp
|
||||
+++ b/prnt/hpcups/genPCLm.cpp
|
||||
@@ -1917,8 +1917,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
#ifdef SUPPORT_WHITE_STRIPS
|
||||
int whiteStripLen=0;
|
||||
if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
|
||||
- !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen))
|
||||
+ !safe_mul_int_positive(thisHeight, srcNumComponents, &whiteStripLen))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
|
||||
if(DebugIt2)
|
||||
{
|
||||
@@ -1940,11 +1943,17 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
ubyte whitePt=0xff;
|
||||
size_t tmpStripSize=0;
|
||||
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
|
||||
ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
if(!tmpStrip)
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
|
||||
@@ -2012,7 +2021,10 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
{
|
||||
int sourceLen=0;
|
||||
if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
uint32 len=(uint32)sourceLen;
|
||||
uLongf destSize=len;
|
||||
|
||||
@@ -2021,12 +2033,18 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
ubyte whitePt=0xff;
|
||||
size_t tmpStripSize=0;
|
||||
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
|
||||
// We need to inject a blank image-strip with a height==topMarginInPix
|
||||
ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
if(!tmpStrip)
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
uLongf tmpDestSize=destSize;
|
||||
memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
@@ -2075,20 +2093,29 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
{
|
||||
int sourceLen=0;
|
||||
if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
|
||||
if(firstStrip && topMarginInPix)
|
||||
{
|
||||
ubyte whitePt=0xff;
|
||||
size_t tmpStripSize=0;
|
||||
if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
|
||||
// We need to inject a blank image-strip with a height==topMarginInPix
|
||||
|
||||
ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
if(!tmpStrip)
|
||||
+ {
|
||||
+ free(newStripPtr);
|
||||
return(errorOutAndCleanUp());
|
||||
+ }
|
||||
memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
for(sint32 stripCntr=0; stripCntr<numFullInjectedStrips;stripCntr++)
|
||||
@ -1,514 +0,0 @@
|
||||
From 19eb9648f9878e07bf85f93bbbb5e1f5a567ca62 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Wed, 10 Jun 2026 16:43:42 +0200
|
||||
Subject: [PATCH] CVE-2026-8631: Fix integer overflow in hpcups
|
||||
|
||||
---
|
||||
common/utils.h | 50 ++++++++++++++++++
|
||||
prnt/hpcups/Hbpl1.cpp | 95 ++++++++++++++++++++++++++---------
|
||||
prnt/hpcups/Hbpl1_Wrapper.cpp | 65 ++++++++++++++++++------
|
||||
prnt/hpcups/genPCLm.cpp | 80 ++++++++++++++++++++++-------
|
||||
4 files changed, 231 insertions(+), 59 deletions(-)
|
||||
|
||||
diff --git a/common/utils.h b/common/utils.h
|
||||
index 566058a..37ec465 100644
|
||||
--- a/common/utils.h
|
||||
+++ b/common/utils.h
|
||||
@@ -4,6 +4,10 @@
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <syslog.h>
|
||||
+#include <stdint.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdbool.h>
|
||||
+#include <stddef.h>
|
||||
//#include "hpmud.h"
|
||||
|
||||
#define _STRINGIZE(x) #x
|
||||
@@ -53,6 +57,52 @@ enum UTILS_PLUGIN_LIBRARY_TYPE
|
||||
};
|
||||
|
||||
|
||||
+/* Safe multiplication helpers - prevent integer overflow */
|
||||
+
|
||||
+/**
|
||||
+ * safe_mul_size_t - Safely multiply two size_t values
|
||||
+ * @a: First operand
|
||||
+ * @b: Second operand
|
||||
+ * @out: Output buffer for result
|
||||
+ * Returns: true if multiplication succeeded, false if overflow detected
|
||||
+ */
|
||||
+static inline bool safe_mul_size_t(size_t a, size_t b, size_t *out)
|
||||
+{
|
||||
+ if (!out)
|
||||
+ return false;
|
||||
+ if (a == 0 || b == 0)
|
||||
+ {
|
||||
+ *out = 0;
|
||||
+ return true;
|
||||
+ }
|
||||
+ if (a > ((size_t)-1) / b)
|
||||
+ return false;
|
||||
+ *out = a * b;
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * safe_mul_int_positive - Safely multiply two positive integers
|
||||
+ * @a: First operand (must be >= 0)
|
||||
+ * @b: Second operand (must be >= 0)
|
||||
+ * @out: Output buffer for result
|
||||
+ * Returns: true if multiplication succeeded, false if negative input or overflow detected
|
||||
+ */
|
||||
+static inline bool safe_mul_int_positive(int a, int b, int *out)
|
||||
+{
|
||||
+ if (!out || a < 0 || b < 0)
|
||||
+ return false;
|
||||
+ if (a == 0 || b == 0)
|
||||
+ {
|
||||
+ *out = 0;
|
||||
+ return true;
|
||||
+ }
|
||||
+ if (a > INT_MAX / b)
|
||||
+ return false;
|
||||
+ *out = a * b;
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
diff --git a/prnt/hpcups/Hbpl1.cpp b/prnt/hpcups/Hbpl1.cpp
|
||||
index 7f965f0..12a11da 100644
|
||||
--- a/prnt/hpcups/Hbpl1.cpp
|
||||
+++ b/prnt/hpcups/Hbpl1.cpp
|
||||
@@ -130,8 +130,19 @@ DRIVER_ERROR Hbpl1::StartJob(SystemServices *pSystemServices, JobAttributes *pJA
|
||||
m_PrintinGrayscale = m_JA.integer_values[3]; // cupsInterger3 value
|
||||
m_pSystemServices = pSystemServices; //Reset and UEL not required
|
||||
err = m_pHbpl1Wrapper->StartJob((void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ {
|
||||
+ return err;
|
||||
+ }
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
+ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ {
|
||||
+ return err;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (m_PrintinGrayscale == ON){ //Grayscale = ON
|
||||
m_ColorMode = COLORTYPE_BOTH;
|
||||
@@ -156,8 +167,15 @@ DRIVER_ERROR Hbpl1::EndJob()
|
||||
}
|
||||
|
||||
err = m_pHbpl1Wrapper->EndJob((void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ {
|
||||
+ return err;
|
||||
+ }
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
+ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ }
|
||||
return err;
|
||||
}
|
||||
|
||||
@@ -167,8 +185,15 @@ DRIVER_ERROR Hbpl1::StartPage (JobAttributes *pJA)
|
||||
DRIVER_ERROR err = NO_ERROR;
|
||||
|
||||
err = m_pHbpl1Wrapper->StartPage((void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
- m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ {
|
||||
+ return err;
|
||||
+ }
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(static_cast<const BYTE *>(m_pOutBuffer), m_OutBuffSize);
|
||||
+ m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ }
|
||||
return err;
|
||||
}
|
||||
|
||||
@@ -183,28 +208,50 @@ DRIVER_ERROR Hbpl1::sendBlankBands()
|
||||
|
||||
DRIVER_ERROR Hbpl1::FormFeed ()
|
||||
{
|
||||
+ DRIVER_ERROR err = NO_ERROR;
|
||||
|
||||
if (0 != m_numScanLines && m_pbyStripData && 0 != m_nStripSize)
|
||||
- {
|
||||
- ++m_nBandCount;
|
||||
- m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
- memset(m_pbyStripData,0xFF,m_nStripSize);
|
||||
- }
|
||||
-
|
||||
- while(m_nBandCount < m_numStrips)
|
||||
- {
|
||||
- ++m_nBandCount;
|
||||
- m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
- }
|
||||
-
|
||||
- m_pHbpl1Wrapper->EndPage((void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
- sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ {
|
||||
+ ++m_nBandCount;
|
||||
+ err = m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ }
|
||||
+ memset(m_pbyStripData,0xFF,m_nStripSize);
|
||||
+ }
|
||||
+
|
||||
+ while(m_nBandCount < m_numStrips)
|
||||
+ {
|
||||
+ ++m_nBandCount;
|
||||
+ err = m_pHbpl1Wrapper->Encapsulate(m_pbyStripData, m_nStripSize, m_nStripHeight, (void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ err = m_pHbpl1Wrapper->EndPage((void**)&m_pOutBuffer, &m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ if (m_pOutBuffer != NULL && m_OutBuffSize > 0)
|
||||
+ {
|
||||
+ err = sendBuffer(m_pOutBuffer, m_OutBuffSize);
|
||||
+ if (err != NO_ERROR)
|
||||
+ return err;
|
||||
+ }
|
||||
m_pHbpl1Wrapper->FreeBuffer(m_pOutBuffer,m_OutBuffSize);
|
||||
- m_nBandCount = 0;
|
||||
+ m_nBandCount = 0;
|
||||
|
||||
- return NO_ERROR;
|
||||
+ return err;
|
||||
|
||||
}
|
||||
|
||||
diff --git a/prnt/hpcups/Hbpl1_Wrapper.cpp b/prnt/hpcups/Hbpl1_Wrapper.cpp
|
||||
index a02655f..fb2155f 100644
|
||||
--- a/prnt/hpcups/Hbpl1_Wrapper.cpp
|
||||
+++ b/prnt/hpcups/Hbpl1_Wrapper.cpp
|
||||
@@ -77,19 +77,31 @@ void Hbpl1Wrapper::FreeStripBuffer(void)
|
||||
|
||||
DRIVER_ERROR Hbpl1Wrapper::StartJob(void **pOutBuffer, int *pOutBufferSize)
|
||||
{
|
||||
- DRIVER_ERROR err = NO_ERROR;
|
||||
-
|
||||
- m_pPCLmGenerator->StartJob(pOutBuffer,pOutBufferSize,false);
|
||||
- return err;
|
||||
+ int ret = m_pPCLmGenerator->StartJob(pOutBuffer,pOutBufferSize,false);
|
||||
+ if (ret != success)
|
||||
+ {
|
||||
+ if (pOutBuffer)
|
||||
+ *pOutBuffer = NULL;
|
||||
+ if (pOutBufferSize)
|
||||
+ *pOutBufferSize = 0;
|
||||
+ return SYSTEM_ERROR;
|
||||
+ }
|
||||
+ return NO_ERROR;
|
||||
}
|
||||
|
||||
|
||||
DRIVER_ERROR Hbpl1Wrapper::EndJob(void **pOutBuffer, int *pOutBufferSize)
|
||||
{
|
||||
- DRIVER_ERROR err = NO_ERROR;
|
||||
-
|
||||
- m_pPCLmGenerator->EndJob(pOutBuffer,pOutBufferSize);
|
||||
- return err;
|
||||
+ int ret = m_pPCLmGenerator->EndJob(pOutBuffer,pOutBufferSize);
|
||||
+ if (ret != success)
|
||||
+ {
|
||||
+ if (pOutBuffer)
|
||||
+ *pOutBuffer = NULL;
|
||||
+ if (pOutBufferSize)
|
||||
+ *pOutBufferSize = 0;
|
||||
+ return SYSTEM_ERROR;
|
||||
+ }
|
||||
+ return NO_ERROR;
|
||||
}
|
||||
|
||||
|
||||
@@ -173,8 +185,15 @@ DRIVER_ERROR Hbpl1Wrapper::StartPage(void **pOutBuffer, int *pOutBufferSize)
|
||||
|
||||
PCLmPageContent.duplexDisposition = simplex;
|
||||
|
||||
- m_pPCLmGenerator->StartPage(&PCLmSContent,true,pOutBuffer,pOutBufferSize);
|
||||
-
|
||||
+ int ret = m_pPCLmGenerator->StartPage(&PCLmSContent,true,pOutBuffer,pOutBufferSize);
|
||||
+ if (ret != success)
|
||||
+ {
|
||||
+ if (pOutBuffer)
|
||||
+ *pOutBuffer = NULL;
|
||||
+ if (pOutBufferSize)
|
||||
+ *pOutBufferSize = 0;
|
||||
+ return SYSTEM_ERROR;
|
||||
+ }
|
||||
|
||||
return err;
|
||||
}
|
||||
@@ -182,9 +201,16 @@ DRIVER_ERROR Hbpl1Wrapper::StartPage(void **pOutBuffer, int *pOutBufferSize)
|
||||
|
||||
DRIVER_ERROR Hbpl1Wrapper::EndPage(void **pOutBuffer, int *pOutBufferSize)
|
||||
{
|
||||
- DRIVER_ERROR err = NO_ERROR;
|
||||
- m_pPCLmGenerator->EndPage(pOutBuffer, pOutBufferSize);
|
||||
- return err;
|
||||
+ int ret = m_pPCLmGenerator->EndPage(pOutBuffer, pOutBufferSize);
|
||||
+ if (ret != success)
|
||||
+ {
|
||||
+ if (pOutBuffer)
|
||||
+ *pOutBuffer = NULL;
|
||||
+ if (pOutBufferSize)
|
||||
+ *pOutBufferSize = 0;
|
||||
+ return SYSTEM_ERROR;
|
||||
+ }
|
||||
+ return NO_ERROR;
|
||||
}
|
||||
|
||||
|
||||
@@ -195,9 +221,16 @@ DRIVER_ERROR Hbpl1Wrapper::FormFeed()
|
||||
|
||||
DRIVER_ERROR Hbpl1Wrapper::Encapsulate (void *pInBuffer, int inBufferSize, int numLines, void **pOutBuffer, int *pOutBufferSize)
|
||||
{
|
||||
- DRIVER_ERROR err = NO_ERROR;
|
||||
- m_pPCLmGenerator->Encapsulate(pInBuffer, inBufferSize, numLines, pOutBuffer, pOutBufferSize);
|
||||
- return err;
|
||||
+ int ret = m_pPCLmGenerator->Encapsulate(pInBuffer, inBufferSize, numLines, pOutBuffer, pOutBufferSize);
|
||||
+ if (ret != success)
|
||||
+ {
|
||||
+ if (pOutBuffer)
|
||||
+ *pOutBuffer = NULL;
|
||||
+ if (pOutBufferSize)
|
||||
+ *pOutBufferSize = 0;
|
||||
+ return SYSTEM_ERROR;
|
||||
+ }
|
||||
+ return NO_ERROR;
|
||||
}
|
||||
|
||||
DRIVER_ERROR Hbpl1Wrapper::SkipLines (int iSkipLines)
|
||||
diff --git a/prnt/hpcups/genPCLm.cpp b/prnt/hpcups/genPCLm.cpp
|
||||
index 4db4bde..c330e40 100644
|
||||
--- a/prnt/hpcups/genPCLm.cpp
|
||||
+++ b/prnt/hpcups/genPCLm.cpp
|
||||
@@ -127,6 +127,7 @@
|
||||
#include <fcntl.h>
|
||||
#include <assert.h>
|
||||
#include <math.h>
|
||||
+#include <limits.h>
|
||||
#include <zlib.h>
|
||||
//#include <unistd.h>
|
||||
|
||||
@@ -1674,7 +1675,12 @@ int PCLmGenerator::StartPage(PCLmPageSetup *PCLmPageContent, void **pOutBuffer,
|
||||
destColorSpace=PCLmPageContent->dstColorSpaceSpefication;
|
||||
|
||||
// Calculate how large the output buffer needs to be based upon the page specifications
|
||||
- int tmp_outBuffSize=mediaWidthInPixels*currStripHeight*dstNumComponents;
|
||||
+ int tmp_outBuffSize=0;
|
||||
+ if(!safe_mul_int_positive(mediaWidthInPixels,currStripHeight,&tmp_outBuffSize) ||
|
||||
+ !safe_mul_int_positive(tmp_outBuffSize,dstNumComponents,&tmp_outBuffSize))
|
||||
+ {
|
||||
+ return(errorOutAndCleanUp());
|
||||
+ }
|
||||
|
||||
if(tmp_outBuffSize>currOutBuffSize)
|
||||
{
|
||||
@@ -1742,7 +1748,14 @@ int PCLmGenerator::StartPage(PCLmPageSetup *PCLmPageContent, void **pOutBuffer,
|
||||
{
|
||||
// We need to pad the scratchBuffer size to allow for compression expansion (RLE can create
|
||||
// compressed segments that are slightly larger than the source.
|
||||
- scratchBuffer=(ubyte*)malloc(currStripHeight*mediaWidthInPixels*srcNumComponents*2);
|
||||
+ size_t scratchSize=0;
|
||||
+ if(currStripHeight<=0 || mediaWidthInPixels<=0 || srcNumComponents<=0 ||
|
||||
+ !safe_mul_size_t((size_t)currStripHeight, (size_t)mediaWidthInPixels, &scratchSize) ||
|
||||
+ !safe_mul_size_t(scratchSize, (size_t)srcNumComponents, &scratchSize) ||
|
||||
+ !safe_mul_size_t(scratchSize, 2u, &scratchSize))
|
||||
+ return(errorOutAndCleanUp());
|
||||
+
|
||||
+ scratchBuffer=(ubyte*)malloc(scratchSize);
|
||||
if(!scratchBuffer)
|
||||
return(errorOutAndCleanUp());
|
||||
/*if(DebugIt2)
|
||||
@@ -1798,7 +1811,9 @@ int PCLmGenerator::SkipLines(int iSkipLines)
|
||||
int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeight, void **pOutBuffer, int *iOutBufferSize)
|
||||
{
|
||||
int result=0, numCompBytes;
|
||||
- int scanlineWidth=mediaWidthInPixels*srcNumComponents;
|
||||
+ int scanlineWidth=0;
|
||||
+ if(!safe_mul_int_positive(mediaWidthInPixels, srcNumComponents, &scanlineWidth))
|
||||
+ return(errorOutAndCleanUp());
|
||||
int compSize;
|
||||
// int numLinesThisCall=inBufferSize/(currSourceWidth*srcNumComponents);
|
||||
int numLinesThisCall=thisHeight;
|
||||
@@ -1888,7 +1903,8 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
{
|
||||
colorConvertSource(sourceColorSpace, grayScale, (ubyte*)localInBuffer, currSourceWidth, numLinesThisCall);
|
||||
// Adjust the scanline width accordingly
|
||||
- scanlineWidth = mediaWidthInPixels * dstNumComponents;
|
||||
+ if(!safe_mul_int_positive(mediaWidthInPixels, dstNumComponents, &scanlineWidth))
|
||||
+ return(errorOutAndCleanUp());
|
||||
}
|
||||
|
||||
if(leftMarginInPix)
|
||||
@@ -1903,7 +1919,11 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
}
|
||||
|
||||
#ifdef SUPPORT_WHITE_STRIPS
|
||||
- bool whiteStrip=isWhiteStrip(pInBuffer, thisHeight*currSourceWidth*srcNumComponents);
|
||||
+ int whiteStripLen=0;
|
||||
+ if(!safe_mul_int_positive(thisHeight, currSourceWidth, &whiteStripLen) ||
|
||||
+ !safe_mul_int_positive(whiteStripLen, srcNumComponents, &whiteStripLen))
|
||||
+ return(errorOutAndCleanUp());
|
||||
+ bool whiteStrip=isWhiteStrip(pInBuffer, whiteStripLen);
|
||||
if(DebugIt2)
|
||||
{
|
||||
if(whiteStrip){
|
||||
@@ -1922,9 +1942,14 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
if(firstStrip && topMarginInPix)
|
||||
{
|
||||
ubyte whitePt=0xff;
|
||||
+ size_t tmpStripSize=0;
|
||||
+ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ return(errorOutAndCleanUp());
|
||||
|
||||
- ubyte *tmpStrip=(ubyte*)malloc(scanlineWidth*topMarginInPix);
|
||||
- memset(tmpStrip,whitePt,scanlineWidth*topMarginInPix);
|
||||
+ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
+ if(!tmpStrip)
|
||||
+ return(errorOutAndCleanUp());
|
||||
+ memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
|
||||
for(sint32 stripCntr=0; stripCntr<numFullInjectedStrips;stripCntr++)
|
||||
@@ -1989,17 +2014,25 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
}
|
||||
else if(currCompressionDisposition==compressFlate)
|
||||
{
|
||||
- uint32 len=numLinesThisCall*scanlineWidth;
|
||||
+ int sourceLen=0;
|
||||
+ if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
|
||||
+ return(errorOutAndCleanUp());
|
||||
+ uint32 len=(uint32)sourceLen;
|
||||
uLongf destSize=len;
|
||||
|
||||
if(firstStrip && topMarginInPix)
|
||||
{
|
||||
ubyte whitePt=0xff;
|
||||
+ size_t tmpStripSize=0;
|
||||
+ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ return(errorOutAndCleanUp());
|
||||
|
||||
// We need to inject a blank image-strip with a height==topMarginInPix
|
||||
- ubyte *tmpStrip=(ubyte*)malloc(scanlineWidth*topMarginInPix);
|
||||
+ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
+ if(!tmpStrip)
|
||||
+ return(errorOutAndCleanUp());
|
||||
uLongf tmpDestSize=destSize;
|
||||
- memset(tmpStrip,whitePt,scanlineWidth*topMarginInPix);
|
||||
+ memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
for(sint32 stripCntr=0; stripCntr<numFullInjectedStrips;stripCntr++)
|
||||
{
|
||||
@@ -2017,12 +2050,12 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
|
||||
if(newStripPtr)
|
||||
{
|
||||
- result=compress((Bytef*)scratchBuffer,&destSize,(const Bytef*)newStripPtr,scanlineWidth*numLinesThisCall);
|
||||
+ result=compress((Bytef*)scratchBuffer,&destSize,(const Bytef*)newStripPtr,(uLong)sourceLen);
|
||||
if(DebugIt2)
|
||||
writeOutputFile(destSize, scratchBuffer, m_pPCLmSSettings->user_name);
|
||||
if(DebugIt2)
|
||||
{
|
||||
- dbglog("Allocated zlib dest buffer of size %d\n",numLinesThisCall*scanlineWidth);
|
||||
+ dbglog("Allocated zlib dest buffer of size %d\n",sourceLen);
|
||||
dbglog("zlib compression return result=%d, compSize=%d\n",result,(int)destSize);
|
||||
}
|
||||
free(newStripPtr);
|
||||
@@ -2030,12 +2063,12 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
}
|
||||
else
|
||||
{
|
||||
- result=compress((Bytef*)scratchBuffer, &destSize, (const Bytef*)localInBuffer, scanlineWidth*numLinesThisCall);
|
||||
+ result=compress((Bytef*)scratchBuffer, &destSize, (const Bytef*)localInBuffer, (uLong)sourceLen);
|
||||
if(DebugIt2)
|
||||
writeOutputFile(destSize, scratchBuffer, m_pPCLmSSettings->user_name);
|
||||
if(DebugIt2)
|
||||
{
|
||||
- dbglog("Allocated zlib dest buffer of size %d\n",numLinesThisCall*scanlineWidth);
|
||||
+ dbglog("Allocated zlib dest buffer of size %d\n",sourceLen);
|
||||
dbglog("zlib compression return result=%d, compSize=%d\n",result,(int)destSize);
|
||||
}
|
||||
}
|
||||
@@ -2044,14 +2077,23 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
|
||||
else if(currCompressionDisposition==compressRLE)
|
||||
{
|
||||
+ int sourceLen=0;
|
||||
+ if(!safe_mul_int_positive(numLinesThisCall, scanlineWidth, &sourceLen))
|
||||
+ return(errorOutAndCleanUp());
|
||||
+
|
||||
if(firstStrip && topMarginInPix)
|
||||
{
|
||||
ubyte whitePt=0xff;
|
||||
+ size_t tmpStripSize=0;
|
||||
+ if(!safe_mul_size_t((size_t)scanlineWidth, (size_t)topMarginInPix, &tmpStripSize))
|
||||
+ return(errorOutAndCleanUp());
|
||||
|
||||
// We need to inject a blank image-strip with a height==topMarginInPix
|
||||
|
||||
- ubyte *tmpStrip=(ubyte*)malloc(scanlineWidth*topMarginInPix);
|
||||
- memset(tmpStrip,whitePt,scanlineWidth*topMarginInPix);
|
||||
+ ubyte *tmpStrip=(ubyte*)malloc(tmpStripSize);
|
||||
+ if(!tmpStrip)
|
||||
+ return(errorOutAndCleanUp());
|
||||
+ memset(tmpStrip,whitePt,tmpStripSize);
|
||||
|
||||
for(sint32 stripCntr=0; stripCntr<numFullInjectedStrips;stripCntr++)
|
||||
{
|
||||
@@ -2071,16 +2113,16 @@ int PCLmGenerator::Encapsulate(void *pInBuffer, int inBufferSize, int thisHeigh
|
||||
|
||||
if(newStripPtr)
|
||||
{
|
||||
- compSize=HPRunLen_Encode((ubyte*)newStripPtr, scratchBuffer, scanlineWidth*numLinesThisCall);
|
||||
+ compSize=HPRunLen_Encode((ubyte*)newStripPtr, scratchBuffer, sourceLen);
|
||||
free(newStripPtr);
|
||||
newStripPtr = NULL;
|
||||
}
|
||||
else
|
||||
- compSize=HPRunLen_Encode((ubyte*)localInBuffer, scratchBuffer, scanlineWidth*numLinesThisCall);
|
||||
+ compSize=HPRunLen_Encode((ubyte*)localInBuffer, scratchBuffer, sourceLen);
|
||||
|
||||
if(DebugIt2)
|
||||
{
|
||||
- dbglog("Allocated rle dest buffer of size %d\n",numLinesThisCall*scanlineWidth);
|
||||
+ dbglog("Allocated rle dest buffer of size %d\n",sourceLen);
|
||||
dbglog("rle compression return size=%d=%d\n",result,(int)compSize);
|
||||
}
|
||||
injectRLEStrip(scratchBuffer, compSize, mediaWidthInPixels, numLinesThisCall, destColorSpace, whiteStrip);
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -1,75 +0,0 @@
|
||||
From cc245a1117ae478e916662a7d9bded65b55765b8 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Mon, 25 May 2026 15:27:09 +0200
|
||||
Subject: [PATCH] 3.26.4
|
||||
|
||||
---
|
||||
base/utils.py | 42 ++++++++++++++++++++----------------------
|
||||
1 file changed, 20 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/base/utils.py b/base/utils.py
|
||||
index d176c0ddd..780e4766e 100644
|
||||
--- a/base/utils.py
|
||||
+++ b/base/utils.py
|
||||
@@ -2359,11 +2359,10 @@ def check_pkg_mgr( package_mgrs = None):
|
||||
log.debug("Not found")
|
||||
return (0, '')
|
||||
|
||||
-# checks if given process is running.
|
||||
-#return value:
|
||||
-# True or False
|
||||
-# None - if process is not running
|
||||
-# grep output - if process is running
|
||||
+# Check whether any running process command line contains the requested name.
|
||||
+# Return value:
|
||||
+# (True, {pid: cmdline, ...}) when one or more matching processes are found
|
||||
+# (False, {}) when no matching process is found or enumeration fails
|
||||
|
||||
def Is_Process_Running(process_name):
|
||||
if not process_name:
|
||||
@@ -2371,28 +2370,27 @@ def Is_Process_Running(process_name):
|
||||
|
||||
try:
|
||||
process = {}
|
||||
- p1 = Popen(["ps", "-w", "-w", "aux"], stdout=PIPE)
|
||||
- p2 = Popen(["grep", process_name], stdin=p1.stdout, stdout=PIPE)
|
||||
- p3 = Popen(["grep", "-v", "grep"], stdin=p2.stdout, stdout=PIPE)
|
||||
- output = p3.communicate()[0]
|
||||
- log.debug("Is_Process_Running output = %s " %output)
|
||||
-
|
||||
- if output:
|
||||
- for p in output.splitlines():
|
||||
- cmd = "echo '%s' | awk {'print $2'}" %p
|
||||
- status,pid = subprocess.getstatusoutput(cmd)
|
||||
- cmd = "echo '%s' | awk {'print $11,$12'}" %p
|
||||
- status,cmdline = subprocess.getstatusoutput(cmd)
|
||||
- if pid :
|
||||
+ for entry in os.listdir('/proc'):
|
||||
+ if not entry.isdigit():
|
||||
+ continue
|
||||
+ pid = entry
|
||||
+ try:
|
||||
+ with open('/proc/%s/cmdline' % pid, 'rb') as f:
|
||||
+ raw = f.read()
|
||||
+ cmdline = raw.replace(b'\x00', b' ').decode('utf-8', 'replace').strip()
|
||||
+ if process_name in cmdline:
|
||||
process[pid] = cmdline
|
||||
+ except (IOError, OSError):
|
||||
+ continue
|
||||
|
||||
+ log.debug("Is_Process_Running matches = %s " % process)
|
||||
+ if process:
|
||||
return True, process
|
||||
else:
|
||||
return False, {}
|
||||
|
||||
except Exception as e:
|
||||
- log.error("Execution failed: process Name[%s]" %process_name)
|
||||
- print >>sys.stderr, "Execution failed:", e
|
||||
+ log.error("Execution failed: process Name[%s] - error - %s" % (process_name, str(e)))
|
||||
return False, {}
|
||||
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
Summary: HP Linux Imaging and Printing Project
|
||||
Name: hplip
|
||||
Version: 3.18.4
|
||||
Release: 13%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+ and MIT and BSD and IJG and Public Domain and GPLv2+ with exceptions and ISC
|
||||
|
||||
Url: https://developers.hp.com/hp-linux-imaging-and-printing
|
||||
@ -45,16 +45,6 @@ Patch28: hplip-colorlaserjet-mfp-m278-m281.patch
|
||||
Patch30: hplip-typo.patch
|
||||
Patch31: hplip-keyserver.patch
|
||||
Patch32: hplip-covscan.patch
|
||||
# CVE-2026-8632 - Privilege escalation and arbitrary code execution
|
||||
# via operating system command injection in Is_Process_Running()
|
||||
# https://redhat.atlassian.net/browse/RHEL-178359
|
||||
Patch33: hplip-CVE-2026-8632.patch
|
||||
# CVE-2026-8631 - Arbitrary code execution and privilege escalation
|
||||
# via integer overflow in hpcups
|
||||
# https://redhat.atlassian.net/browse/RHEL-178718
|
||||
Patch34: hplip-CVE-2026-8631.patch
|
||||
# OSH fixes after CVE-2026-8631
|
||||
Patch35: hplip-CVE-2026-8631-osh.patch
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: python3-pillow
|
||||
@ -263,12 +253,6 @@ rm prnt/hpcups/ErnieFilter.{cpp,h} prnt/hpijs/ernieplatform.h
|
||||
|
||||
# 1602547 - Please review important issues found by covscan in "hplip-3.18.4-2.el8+7" package
|
||||
%patch32 -p1 -b .covscan
|
||||
# CVE-2026-8632 - command injection in Is_Process_Running()
|
||||
%patch -P 33 -p1 -b .CVE-2026-8632
|
||||
# CVE-2026-8631 - integer overflow in hpcups
|
||||
%patch -P 34 -p1 -b .CVE-2026-8631
|
||||
# OSH fixes after CVE-2026-8631
|
||||
%patch -P 35 -p1 -b .CVE-2026-8631-osh
|
||||
|
||||
sed -i.duplex-constraints \
|
||||
-e 's,\(UIConstraints.* \*Duplex\),//\1,' \
|
||||
@ -554,20 +538,6 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop
|
||||
%config(noreplace) %{_sysconfdir}/sane.d/dll.d/hpaio
|
||||
|
||||
%changelog
|
||||
* Mon Jun 15 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-13
|
||||
- Fix more leaks in hpcups
|
||||
|
||||
* Fri Jun 12 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-12
|
||||
- OSH fixes after CVE-2026-8631
|
||||
|
||||
* Tue Jun 09 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-11
|
||||
- CVE-2026-8631 hplip: Arbitrary code execution and privilege escalation
|
||||
via integer overflow in hpcups
|
||||
|
||||
* Wed May 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 3.18.4-10
|
||||
- CVE-2026-8632 hplip: Privilege escalation and arbitrary code execution
|
||||
via OS command injection in Is_Process_Running()
|
||||
|
||||
* Fri Jun 14 2019 Tomas Korbar <tkorbar@redhat.com> - 3.18.4-9
|
||||
- update patch for covscan bug rhbz#1602547
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user