Red Hat Bugzilla – Bug 441732
cups: integer overflow in the sun image handler
Last modified: 2016-03-04 06:23:37 EST
Thomas Pollet reported an integer overflow leading to a heap overflow in the
CUPS' sun image filter
There is more information here:
Created attachment 301869 [details]
Demo image from the public mail
This looks to be just a NULL pointer dereference flaw. It shouldn't have any
adverse effects on the CUPS server.
NULL deref flaw was fixed in SVN commit r7221 (trunk) / r7222 (branch-1.3), which
adds a check for the calloc return value.
svn diff -c 7221 http://svn.easysw.com/public/cups/trunk/filter/image.c
Ludwig Nussel also pointed out that the multiplication in the calloc call can cause an
integer overflow. Issue was reported as:
(SVN commits r7472 (trunk) / r7485(branch-1.3))
According to upstream analysis, the integer overflow is only possible on 32-bit
platforms and, as the tile array is not filled with image data, it only results in a
filter crash, which is logged by the CUPS scheduler.
Upstream confirmed that this issue can only cause a crash of image filter.
The result is that the malicious print job is not printed. All other jobs are unaffected.
Closing this bug, as this is not a security issue.
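The two defects discussed in this bug (an unchecked calloc return value, and a size multiplication that can wrap on 32-bit platforms) are illustrated below in an added example. This is not the CUPS filter code; `alloc_tiles`, `mul_overflows` and `wrap32_product` are hypothetical names, and the dimensions used are constructed inputs chosen to show the wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply two size_t values. Returns 1 if the product would overflow,
 * otherwise stores the product in *out and returns 0. */
static int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *out = a * b;
    return 0;
}

/* Unchecked product in 32-bit arithmetic, as a size computation would be
 * on a 32-bit platform: the result silently wraps modulo 2^32. */
uint32_t wrap32_product(uint32_t width, uint32_t height, uint32_t depth)
{
    return width * height * depth;
}

/* Hardened tile allocation (hypothetical): reject dimensions whose product
 * would wrap before calling calloc, then check calloc's return value. */
unsigned char *alloc_tiles(size_t width, size_t height, size_t depth)
{
    size_t pixels, bytes;

    if (width == 0 || height == 0 || depth == 0)
        return NULL;
    if (mul_overflows(width, height, &pixels) ||
        mul_overflows(pixels, depth, &bytes))
        return NULL;                 /* product would have wrapped */

    unsigned char *tiles = calloc(bytes, 1);
    if (tiles == NULL)               /* the check added in r7221 / r7222 */
        return NULL;
    return tiles;
}

/* Returns 1 if alloc_tiles() succeeds for the given dimensions, 0 otherwise. */
int alloc_tiles_ok(size_t width, size_t height, size_t depth)
{
    unsigned char *p = alloc_tiles(width, height, depth);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* 65536 x 65536 x 1 wraps to 0 in 32-bit arithmetic: a zero-byte
     * allocation would be returned for a huge image. */
    printf("32-bit product of 65536x65536x1: %u\n",
           (unsigned)wrap32_product(65536u, 65536u, 1u));
    printf("640x480x3 allocation: %s\n",
           alloc_tiles_ok(640, 480, 3) ? "ok" : "rejected");
    printf("SIZE_MAX x 2 x 1 allocation: %s\n",
           alloc_tiles_ok(SIZE_MAX, 2, 1) ? "ok" : "rejected");
    return 0;
}
```

The overflow check is done before calloc on purpose: a calloc(nmemb, size) in a modern C library will itself refuse a product that overflows, but code that multiplies the dimensions into a single count first hands calloc an already-wrapped value, which is exactly the case this bug describes.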