1From 2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Mon Sep 17 00:00:00 2001 2From: Zdenek Dohnal <zdohnal@redhat.com> 3Date: Wed, 20 Sep 2023 14:45:17 +0200 4Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 5 6We didn't check for end of buffer if it looks there is an escaped 7character - check for NULL terminator there and if found, return NULL 8as return value and in `ptr`, because a lone backslash is not 9a valid PostScript character. 10 11Reference:https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 12Conflict:Patch context adaptation 13 14--- 15 cups/raster-interpret.c | 14 +++++++++++++- 16 1 files changed, 14 insertions(+) 17 18diff --git a/cups/raster-interpret.c b/cups/raster-interpret.c 19index 6fcf731b5..b8655c8c6 100644 20--- a/cups/raster-interpret.c 21+++ b/cups/raster-interpret.c 22@@ -1116,7 +1116,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - Stack */ 23 24 cur ++; 25 26- if (*cur == 'b') 27+ /* 28+ * Return NULL if we reached NULL terminator, a lone backslash 29+ * is not a valid character in PostScript. 30+ */ 31+ 32+ if (!*cur) 33+ { 34+ *ptr = NULL; 35+ 36+ return (NULL); 37+ } 38+ 39+ if (*cur == 'b') 40 *valptr++ = '\b'; 41 else if (*cur == 'f') 42 *valptr++ = '\f'; 43 44 45