The newly re-written hpcups in 3.9.10 just crashed for me with a buffer overflow.
All I did was create a queue from hpcups.drv (PPD attached) and print the test page to it. CUPS 1.4.1.
Marking this as a security vulnerability, since a buffer overflow in a print filter may well have security implications.
prnt/hpcups/HPCupsFilter.cpp 272: DEBUG: actual_vertical_resolution = 600
prnt/hpcups/HPCupsFilter.cpp 321: HPCUPS: x_top = 150, y_top = 75, offset = 70
*** buffer overflow detected ***: 990C terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x347b0faae7]
/lib64/libc.so.6[0x347b0f8a50]
990C[0x40336f]
990C[0x403a9d]
990C[0x403e6b]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x347b01eb4d]
990C[0x401bd9]
======= Memory map: ========
00400000-00428000 r-xp 00000000 fd:06 29241 /usr/lib/cups/filter/hpcups
00628000-0065c000 rw-p 00028000 fd:06 29241 /usr/lib/cups/filter/hpcups
0065c000-0065d000 rw-p 00000000 00:00 0
01337000-01358000 rw-p 00000000 00:00 0 [heap]
345f600000-345f69a000 r-xp 00000000 fd:06 57725 /usr/lib64/libgnutls.so.26.14.12
345f69a000-345f899000 ---p 0009a000 fd:06 57725 /usr/lib64/libgnutls.so.26.14.12
345f899000-345f8a0000 rw-p 00099000 fd:06 57725 /usr/lib64/libgnutls.so.26.14.12
347ac00000-347ac20000 r-xp 00000000 fd:06 5254 /lib64/ld-2.10.90.so
347ae1f000-347ae20000 r--p 0001f000 fd:06 5254 /lib64/ld-2.10.90.so
347ae20000-347ae21000 rw-p 00020000 fd:06 5254 /lib64/ld-2.10.90.so
347ae21000-347ae22000 rw-p 00000000 00:00 0
347b000000-347b177000 r-xp 00000000 fd:06 24536 /lib64/libc-2.10.90.so
347b177000-347b376000 ---p 00177000 fd:06 24536 /lib64/libc-2.10.90.so
347b376000-347b37a000 r--p 00176000 fd:06 24536 /lib64/libc-2.10.90.so
347b37a000-347b37b000 rw-p 0017a000 fd:06 24536 /lib64/libc-2.10.90.so
347b37b000-347b380000 rw-p 00000000 00:00 0
347b400000-347b418000 r-xp 00000000 fd:06 73116 /lib64/libpthread-2.10.90.so
347b418000-347b617000 ---p 00018000 fd:06 73116 /lib64/libpthread-2.10.90.so
347b617000-347b618000 r--p 00017000 fd:06 73116 /lib64/libpthread-2.10.90.so
347b618000-347b619000 rw-p 00018000 fd:06 73116 /lib64/libpthread-2.10.90.so
347b619000-347b61d000 rw-p 00000000 00:00 0
347b800000-347b802000 r-xp 00000000 fd:06 82754 /lib64/libdl-2.10.90.so
347b802000-347ba02000 ---p 00002000 fd:06 82754 /lib64/libdl-2.10.90.so
347ba02000-347ba03000 r--p 00002000 fd:06 82754 /lib64/libdl-2.10.90.so
347ba03000-347ba04000 rw-p 00003000 fd:06 82754 /lib64/libdl-2.10.90.so
347bc00000-347bc83000 r-xp 00000000 fd:06 33286 /lib64/libm-2.10.90.so
347bc83000-347be82000 ---p 00083000 fd:06 33286 /lib64/libm-2.10.90.so
347be82000-347be83000 r--p 00082000 fd:06 33286 /lib64/libm-2.10.90.so
347be83000-347be84000 rw-p 00083000 fd:06 33286 /lib64/libm-2.10.90.so
347c000000-347c007000 r-xp 00000000 fd:06 73117 /lib64/librt-2.10.90.so
347c007000-347c206000 ---p 00007000 fd:06 73117 /lib64/librt-2.10.90.so
347c206000-347c207000 r--p 00006000 fd:06 73117 /lib64/librt-2.10.90.so
347c207000-347c208000 rw-p 00007000 fd:06 73117 /lib64/librt-2.10.90.so
347c400000-347c415000 r-xp 00000000 fd:06 81058 /lib64/libz.so.1.2.3
347c415000-347c614000 ---p 00015000 fd:06 81058 /lib64/libz.so.1.2.3
347c614000-347c615000 rw-p 00014000 fd:06 81058 /lib64/libz.so.1.2.3
347cc00000-347cc1c000 r-xp 00000000 fd:06 83294 /lib64/libselinux.so.1
347cc1c000-347ce1b000 ---p 0001c000 fd:06 83294 /lib64/libselinux.so.1
347ce1b000-347ce1c000 r--p 0001b000 fd:06 83294 /lib64/libselinux.so.1
347ce1c000-347ce1d000 rw-p 0001c000 fd:06 83294 /lib64/libselinux.so.1
347ce1d000-347ce1e000 rw-p 00000000 00:00 0
347d400000-347d416000 r-xp 00000000 fd:06 83284 /lib64/libresolv-2.10.90.so
347d416000-347d616000 ---p 00016000 fd:06 83284 /lib64/libresolv-2.10.90.so
347d616000-347d617000 r--p 00016000 fd:06 83284 /lib64/libresolv-2.10.90.so
347d617000-347d618000 rw-p 00017000 fd:06 83284 /lib64/libresolv-2.10.90.so
347d618000-347d61a000 rw-p 00000000 00:00 0
347f400000-347f404000 r-xp 00000000 fd:06 73118 /lib64/libcap-ng.so.0.0.0
347f404000-347f603000 ---p 00004000 fd:06 73118 /lib64/libcap-ng.so.0.0.0
347f603000-347f604000 r--p 00003000 fd:06 73118 /lib64/libcap-ng.so.0.0.0
347f604000-347f605000 rw-p 00004000 fd:06 73118 /lib64/libcap-ng.so.0.0.0
347fc00000-347fc3f000 r-xp 00000000 fd:06 73119 /lib64/libdbus-1.so.3.4.0
347fc3f000-347fe3f000 ---p 0003f000 fd:06 73119 /lib64/libdbus-1.so.3.4.0
347fe3f000-347fe40000 r--p 0003f000 fd:06 73119 /lib64/libdbus-1.so.3.4.0
347fe40000-347fe41000 rw-p 00040000 fd:06 73119 /lib64/libdbus-1.so.3.4.0
3480400000-3480426000 r-xp 00000000 fd:06 81363 /usr/lib64/libpng12.so.0.39.0
3480426000-3480625000 ---p 00026000 fd:06 81363 /usr/lib64/libpng12.so.0.39.0
3480625000-3480626000 rw-p 00025000 fd:06 81363 /usr/lib64/libpng12.so.0.39.0
3486c00000-3486d6e000 r-xp 00000000 fd:06 85070 /usr/lib64/libcrypto.so.1.0.0
3486d6e000-3486f6e000 ---p 0016e000 fd:06 85070 /usr/lib64/libcrypto.so.1.0.0
3486f6e000-3486f90000 rw-p 0016e000 fd:06 85070 /usr/lib64/libcrypto.so.1.0.0
3486f90000-3486f94000 rw-p 00000000 00:00 0
3487c00000-3487c2a000 r-xp 00000000 fd:06 84486 /lib64/libk5crypto.so.3.1
3487c2a000-3487e2a000 ---p 0002a000 fd:06 84486 /lib64/libk5crypto.so.3.1
3487e2a000-3487e2c000 rw-p 0002a000 fd:06 84486 /lib64/libk5crypto.so.3.1
3488800000-3488808000 r-xp 00000000 fd:06 84484 /lib64/libkrb5support.so.0.1
3488808000-3488a08000 ---p 00008000 fd:06 84484 /lib64/libkrb5support.so.0.1
3488a08000-3488a09000 rw-p 00008000 fd:06 84484 /lib64/libkrb5support.so.0.1
3489000000-3489002000 r-xp 00000000 fd:06 84480 /lib64/libkeyutils-1.2.so
3489002000-3489201000 ---p 00002000 fd:06 84480 /lib64/libkeyutils-1.2.so
3489201000-3489202000 rw-p 00001000 fd:06 84480 /lib64/libkeyutils-1.2.so
3489c00000-3489c03000 r-xp 00000000 fd:06 84202 /lib64/libgpg-error.so.0.4.0
3489c03000-3489e02000 ---p 00003000 fd:06 84202 /lib64/libgpg-error.so.0.4.0
3489e02000-3489e03000 rw-p 00002000 fd:06 84202 /lib64/libgpg-error.so.0.4.0
348a000000-348a071000 r-xp 00000000 fd:06 84466 /lib64/libgcrypt.so.11.5.2
348a071000-348a271000 ---p 00071000 fd:06 84466 /lib64/libgcrypt.so.11.5.2
348a271000-348a274000 rw-p 00071000 fd:06 84466 /lib64/libgcrypt.so.11.5.2
348a274000-348a275000 rw-p 00000000 00:00 0
348ac00000-348ac24000 r-xp 00000000 fd:06 107847 /usr/lib64/libjpeg.so.62.0.0
348ac24000-348ae23000 ---p 00024000 fd:06 107847 /usr/lib64/libjpeg.so.62.0.0
348ae23000-348ae24000 rw-p 00023000 fd:06 107847 /usr/lib64/libjpeg.so.62.0.0
348b000000-348b010000 r-xp 00000000 fd:06 84028 /usr/lib64/libtasn1.so.3.1.6
348b010000-348b210000 ---p 00010000 fd:06 84028 /usr/lib64/libtasn1.so.3.1.6
348b210000-348b211000 rw-p 00010000 fd:06 84028 /usr/lib64/libtasn1.so.3.1.6
348bc00000-348bc10000 r-xp 00000000 fd:06 85176 /usr/lib64/libavahi-client.so.3.2.5
348bc10000-348be0f000 ---p 00010000 fd:06 85176 /usr/lib64/libavahi-client.so.3.2.5
348be0f000-348be10000 rw-p 0000f000 fd:06 85176 /usr/lib64/libavahi-client.so.3.2.5
348c000000-348c00b000 r-xp 00000000 fd:06 85174 /usr/lib64/libavahi-common.so.3.5.1
348c00b000-348c20b000 ---p 0000b000 fd:06 85174 /usr/lib64/libavahi-common.so.3.5.1
348c20b000-348c20c000 rw-p 0000b000 fd:06 85174 /usr/lib64/libavahi-common.so.3.5.1
348c800000-348c85a000 r-xp 00000000 fd:06 107849 /usr/lib64/libtiff.so.3.8.2
348c85a000-348ca59000 ---p 0005a000 fd:06 107849 /usr/lib64/libtiff.so.3.8.2
348ca59000-348ca5c000 rw-p 00059000 fd:06 107849 /usr/lib64/libtiff.so.3.8.2
3769000000-3769003000 r-xp 00000000 fd:06 78573 /lib64/libcom_err.so.2.1
3769003000-3769202000 ---p 00003000 fd:06 78573 /lib64/libcom_err.so.2.1
3769202000-3769203000 rw-p 00002000 fd:06 78573 /lib64/libcom_err.so.2.1
3769800000-37698b3000 r-xp 00000000 fd:06 78574 /lib64/libkrb5.so.3.3
37698b3000-3769ab3000 ---p 000b3000 fd:06 78574 /lib64/libkrb5.so.3.3
3769ab3000-3769abd000 rw-p 000b3000 fd:06 78574 /lib64/libkrb5.so.3.3
3769c00000-3769c2d000 r-xp 00000000 fd:06 78575 /lib64/libgssapi_krb5.so.2.2
3769c2d000-3769e2d000 ---p 0002d000 fd:06 78575 /lib64/libgssapi_krb5.so.2.2
3769e2d000-3769e2f000 rw-p 0002d000 fd:06 78575 /lib64/libgssapi_krb5.so.2.2
3879400000-3879416000 r-xp 00000000 fd:06 5246 /lib64/libgcc_s-4.4.2-20091027.so.1
3879416000-3879615000 ---p 00016000 fd:06 5246 /lib64/libgcc_s-4.4.2-20091027.so.1
3879615000-3879616000 rw-p 00015000 fd:06 5246 /lib64/libgcc_s-4.4.2-20091027.so.1
3879800000-38798f3000 r-xp 00000000 fd:06 17930 /usr/lib64/libstdc++.so.6.0.13
38798f3000-3879af3000 ---p 000f3000 fd:06 17930 /usr/lib64/libstdc++.so.6.0.13
3879af3000-3879afa000 r--p 000f3000 fd:06 17930 /usr/lib64/libstdc++.so.6.0.13
3879afa000-3879afc000 rw-p 000fa000 fd:06 17930 /usr/lib64/libstdc++.so.6.0.13
3879afc000-3879b11000 rw-p 00000000 00:00 0
7f5535718000-7f553571e000 rw-p 00000000 00:00 0
7f553571e000-7f5535777000 r-xp 00000000 fd:06 76729 /usr/lib64/libfreebl3.so
7f5535777000-7f5535977000 ---p 00059000 fd:06 76729 /usr/lib64/libfreebl3.so
7f5535977000-7f5535978000 rw-p 00059000 fd:06 76729 /usr/lib64/libfreebl3.so
7f5535978000-7f5535981000 rw-p 00000000 00:00 0
7f5535981000-7f5535989000 r-xp 00000000 fd:06 86884 /lib64/libcrypt-2.10.90.so
7f5535989000-7f5535b88000 ---p 00008000 fd:06 86884 /lib64/libcrypt-2.10.90.so
7f5535b88000-7f5535b89000 r--p 00007000 fd:06 86884 /lib64/libcrypt-2.10.90.so
7f5535b89000-7f5535b8a000 rw-p 00008000 fd:06 86884 /lib64/libcrypt-2.10.90.so
7f5535b8a000-7f5535bbd000 rw-p 00000000 00:00 0
7f5535bbd000-7f5535bd5000 r-xp 00000000 fd:06 15645 /usr/lib64/libcupsimage.so.2
7f5535bd5000-7f5535dd5000 ---p 00018000 fd:06 15645 /usr/lib64/libcupsimage.so.2
7f5535dd5000-7f5535dd6000 rw-p 00018000 fd:06 15645 /usr/lib64/libcupsimage.so.2
7f5535dd6000-7f5535e21000 r-xp 00000000 fd:06 3776 /usr/lib64/libcups.so.2
7f5535e21000-7f5536020000 ---p 0004b000 fd:06 3776 /usr/lib64/libcups.so.2
7f5536020000-7f5536025000 rw-p 0004a000 fd:06 3776 /usr/lib64/libcups.so.2
7f5536025000-7f5536026000 rw-p 00000000 00:00 0
7f5536042000-7f5536043000 rw-p 00000000 00:00 0
7fffcbd34000-7fffcbd49000 rw-p 00000000 00:00 0 [stack]
7fffcbd91000-7fffcbd92000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Making public now, as it is already public here: https://bugzilla.redhat.com/show_bug.cgi?id=544297