Prevent stringpool damage leading to memory leaks (bug #974048).

Resolves: rhbz#974048
2013-06-13 11:58:55 +01:00 · 2013-06-13 11:58:55 +01:00 · 1e7802c0b0
commit 1e7802c0b0
parent 131a54ac1c
2 changed files with 71 additions and 2 deletions
--- a/cups-stringpool-setprinterattr.patch
+++ b/cups-stringpool-setprinterattr.patch
@ -0,0 +1,64 @@
+diff -up cups-1.5.4/scheduler/printers.c.stringpool-setprinterattr cups-1.5.4/scheduler/printers.c
+--- cups-1.5.4/scheduler/printers.c.stringpool-setprinterattr	2013-06-13 10:40:43.607590350 +0100
+++ cups-1.5.4/scheduler/printers.c	2013-06-13 10:53:31.134919727 +0100
+@@ -2053,6 +2053,7 @@ cupsdSetPrinterAttr(
+   ipp_attribute_t	*attr;		/* Attribute */
+   int			i,		/* Looping var */
+ 			count;		/* Number of values */
+  char			*value_dup;	/* Copy of attribute value string */
+   char			*ptr,		/* Pointer into value */
+ 			*start,		/* Start of value */
+ 			quote;		/* Quote character */
+@@ -2121,16 +2122,24 @@ cupsdSetPrinterAttr(
+       return;
+     }
+ 
+-    for (i = 0; i < count; i ++)
+    if ((value_dup = strdup(value)) == NULL)
+     {
+-      if ((ptr = strchr(value, ',')) != NULL)
+      cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to copy attribute value.");
+      return;
+    }
+
+    for (i = 0, start = value_dup; i < count; i ++)
+    {
+      if ((ptr = strchr(start, ',')) != NULL)
+         *ptr++ = '\0';
+ 
+-      attr->values[i].integer = strtol(value, NULL, 10);
+      attr->values[i].integer = strtol(start, NULL, 10);
+ 
+       if (ptr)
+-        value = ptr;
+        start = ptr;
+     }
+
+    free(value_dup);
+   }
+   else
+   {
+@@ -2171,7 +2180,13 @@ cupsdSetPrinterAttr(
+       return;
+     }
+ 
+-    for (i = 0, quote = '\0', ptr = value; i < count; i ++)
+    if ((value_dup = strdup(value)) == NULL)
+    {
+      cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to copy attribute value.");
+      return;
+    }
+
+    for (i = 0, quote = '\0', ptr = value_dup; i < count; i ++)
+     {
+       for (start = ptr; *ptr; ptr ++)
+       {
+@@ -2199,6 +2214,8 @@ cupsdSetPrinterAttr(
+ 
+       attr->values[i].string.text = _cupsStrAlloc(start);
+     }
+
+    free(value_dup);
+   }
+ }
+ 
--- a/cups.spec
+++ b/cups.spec
@ -12,7 +12,7 @@
 Summary: Common Unix Printing System
 Name: cups
 Version: 1.5.4
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source: http://ftp.easysw.com/pub/cups/%{version}/cups-%{version}-source.tar.bz2
@ -79,13 +79,13 @@ Patch43: cups-str4194.patch
 Patch44: cups-r10638.patch
 Patch45: cups-r10642.patch
 Patch46: cups-str4190.patch
-
 Patch47: cups-str4223.patch

 Patch48: cups-str4125.patch
 Patch49: cups-str4140.patch
 Patch50: cups-str4187.patch
 Patch51: cups-str4205.patch
+Patch52: cups-stringpool-setprinterattr.patch

 Patch100: cups-lspp.patch

@ -346,6 +346,8 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch50 -p1 -b .str4187
 # Don't set auth-info-required all of the time (STR #4205)
 %patch51 -p1 -b .str4205
+# Prevent stringpool damage leading to memory leaks (bug #974048).
+%patch52 -p1 -b .stringpool-setprinterattr

 %if %lspp
 # LSPP support.
@ -763,6 +765,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Thu Jun 13 2013 Tim Waugh <twaugh@redhat.com> 1:1.5.4-28
+- Prevent stringpool damage leading to memory leaks (bug #974048).
+
 * Tue Apr 23 2013 Tim Waugh <twaugh@redhat.com> 1:1.5.4-27
 - dnssd backend: don't crash if avahi gives a callback with no TXT
  record (bug #927040).