Conversation

@N3mes1s (Contributor) commented Nov 5, 2025

Summary

  • stream PDF/PCLm drawing commands directly into pdfio with bounds checks to eliminate the fixed 768-byte buffer overflow
  • guard PCLm strip metadata allocations and zero state before reuse to prevent heap corruption
  • add an AddressSanitizer regression shell test (cupsfilters/test-pclm-overflow.sh) and wire it into make check

Testing

  • ASAN_OPTIONS=detect_leaks=0,abort_on_error=0 make check

Fixes #104

@tillkamppeter (Member)

@N3mes1s Thanks a lot for the detailed report and the fix. I did not see any issue when reviewing the code, but when triggering the CI your test script is failing.

@uddhavphatak Please check also the rest of your contributed code. Please avoid hard-coded array sizes or data storage, and avoid string manipulation functions without output size control, like strcat(). Also make sure that nothing depends on uninitialized memory.

The pwgtopdf_doc_t doc structure was declared on the stack without
initialization, leaving all fields (including colorProfile) containing
random garbage from the stack memory.

This caused a crash when:
1. The code at line 1328 checked 'if (doc->colorProfile != NULL)'
2. The uninitialized colorProfile could contain any random value,
   including non-NULL garbage that looked like a valid pointer
3. When cmsGetColorSpace(doc->colorProfile) was called with this
   garbage pointer, it caused a segmentation fault

The AddressSanitizer test correctly caught this bug:
  AddressSanitizer: SEGV on unknown address 0x000000000051
  #0 in cmsGetColorSpace
  #1 in prepare_pdf_page cupsfilters/pwgtopdf.c:1328

Fix: Add memset(&doc, 0, sizeof(doc)) to zero-initialize all fields
before use, ensuring colorProfile and other pointers start as NULL.

This allows the test-pclm-overflow.sh regression test to pass.
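The bug the commit message above describes, modelled as an added example (not code from the OpenPrinting project or this PR): a hypothetical doc_state_t stands in for pwgtopdf_doc_t, profile_color_space() for cmsGetColorSpace(), and the stale stack contents are simulated with a constructed 0x51 byte pattern, since reading real uninitialised memory is undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the pwgtopdf structures (not the project's
 * real definitions), reduced to what is needed to show the bug. */
typedef struct { int color_space; } color_profile_t;
typedef struct {
  color_profile_t *colorProfile;  /* NULL means no ICC profile loaded */
  int page_count;
} doc_state_t;

/* Stand-in for cmsGetColorSpace(): dereferences the handle, which is
 * where a garbage pointer becomes the reported SEGV. */
static int profile_color_space(const color_profile_t *p) {
  return p->color_space;
}

/* Models the check in prepare_pdf_page(): the NULL test only protects
 * the dereference if colorProfile was actually initialised. */
int prepare_page(const doc_state_t *doc) {
  if (doc->colorProfile != NULL)
    return profile_color_space(doc->colorProfile);
  return 0;
}

/* Stand-in for a stale stack frame: a constructed non-zero byte pattern.
 * Reading real uninitialised memory is undefined behaviour, so the
 * garbage is written explicitly here instead. */
void fill_with_garbage(doc_state_t *doc) { memset(doc, 0x51, sizeof(*doc)); }

/* The fix from the commit: zero every field before the struct is used. */
void doc_init(doc_state_t *doc) { memset(doc, 0, sizeof(*doc)); }

/* Returns 1 if garbage state would reach the dereference (the crash)
 * while zeroed state takes the safe NULL branch; the pointer is only
 * compared, never dereferenced. */
int garbage_vs_zeroed(void) {
  doc_state_t doc;
  fill_with_garbage(&doc);
  int buggy = doc.colorProfile != NULL;
  doc_init(&doc);
  int fixed = doc.colorProfile != NULL;
  return (buggy && !fixed) ? 1 : 0;
}

/* A genuinely loaded profile still works after zero-initialisation. */
int prepare_with_profile(void) {
  color_profile_t prof = { .color_space = 7 };
  doc_state_t doc;
  doc_init(&doc);
  doc.colorProfile = &prof;
  return prepare_page(&doc);
}
```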
@N3mes1s (Contributor, Author) commented Nov 5, 2025

@tillkamppeter Yeah, no issue at all! Was testing a new project I'm working on and found this issue and fixed it as well! Was passing locally because I had that lib compiled from other tests! Now it should be fixed. I found another uninitialized memory access and fixed that as well.

@tillkamppeter tillkamppeter merged commit 5894f70 into OpenPrinting:master Nov 5, 2025
1 check passed
@tillkamppeter (Member)

Thanks a lot! Everything is working now!

@N3mes1s N3mes1s deleted the fix-pclm-overflow-regression-test branch November 5, 2025 20:52
Development

Successfully merging this pull request may close these issues.

pwgtopdf PCLm Heap Overflow (master branch, commit 947d2250b3a5463937cde17dd934d37f327b9fa6, unreleased)