HPLIP

Functions in hppsfilter.c crashes when long string is sent into them

Bug #1725342 reported by zdohnal on 2017-10-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	HPLIP	New	Undecided	Unassigned

Bug Description

Implementation of functions:

open_dbg_outfile()
WriteHeader()
WriteJobAccounting()

contains library function sprintf(), which doesn't check size of input string and simply copies input string into output array, which has definite size. So when input string is longer than output array, program crashes (like in bug report https://bugzilla.redhat.com/show_bug.cgi?id=1500619 ).

Implementation of these functions misses way to deal with long strings, please fix it. I see two ways how to solve it (generally use snprintf instead sprintf):

1) check actual length of string and send it into function with string - there dynamically allocate output array according actual length and then free it.
2) check actual string length and if string is longer than expected, fragment it and send it into function part by part.

Revision history for this message

Shivaprasad (shivahm) wrote on 2017-11-17:

Hi,
Thanks for reporting this issue. We'll reproduce this issue and implement the right solution to handle the length constraints. We'll plan to include this fix in a future release.

Thanks.

Revision history for this message

zdohnal (zdohnal) wrote on 2017-11-20:

Thank you for looking into this issue.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.