HPLIP

double free in HPCupsFilter::cleanup()

Bug #1308014 reported by Jiri Popelka on 2014-04-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	HPLIP	Fix Released	Undecided	Unassigned
	Fedora	Won't Fix	Undecided	redhat-bugs #1087094

Bug Description

See
https://bugzilla.redhat.com/show_bug.cgi?id=1087094
for original bug report.

Backtrace is here:
https://bugzilla.redhat.com/attachment.cgi?id=885974

Possible patch is attached.

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Description of problem:
Trying to print a pdf displayed by chrome browser. Downloading the pdf, and printing it with Fedora Document Viewer (?Evince?) was successful.

Version-Release number of selected component:
hpijs-3.13.11-4.fc20

Additional info:
reporter: libreport-2.2.1
backtrace_rating: 4
cmdline: HpC5580 15 hcmeyer www.amtrak.com/ccurl/316...ans-Schedule-011314.pdf 1 'InputSlot=Auto number-up=1 MediaType=Automatic PageSize=Letter OutputMode=Draft ColorModel=CMYGray Duplex=None job-uuid=urn:uuid:63a6ed14-0657-3d22-4572-421d40ce1b82 job-originating-host-name=localhost time-at-creation=1397414453 time-at-processing=1397414453'
crash_function: HPCupsFilter::cleanup
executable: /usr/lib/cups/filter/hpcups
kernel: 3.13.9-200.fc20.x86_64
runlevel: N 5
type: CCpp
uid: 4

Truncated backtrace:
Thread no. 1 (4 frames)
#5 HPCupsFilter::cleanup at prnt/hpcups/HPCupsFilter.cpp:223
#6 closeFilter at prnt/hpcups/HPCupsFilter.cpp:217
#7 HPCupsFilter::StartPrintJob at prnt/hpcups/HPCupsFilter.cpp:566
#9 _start

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885974
File: backtrace

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885975
File: cgroup

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885976
File: core_backtrace

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885977
File: dso_list

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885978
File: environ

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

Created attachment 885979
File: limits

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

#10

Created attachment 885980
File: maps

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

#11

Created attachment 885981
File: open_fds

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

#12

Created attachment 885982
File: proc_pid_status

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

#13

Created attachment 885983
File: var_log_messages

Revision history for this message

In Red Hat Bugzilla #1087094, Tim (tim-redhat-bugs) wrote on 2014-04-14:

#14

#5 HPCupsFilter::cleanup at prnt/hpcups/HPCupsFilter.cpp:223

is here:

void HPCupsFilter::cleanup()
{
    if (m_pPrinterBuffer) {
        delete [] m_pPrinterBuffer; <====
    }

Are you able to reproduce the problem?

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-14:

#15

No, it has not occurred again (so far).

Revision history for this message

In Red Hat Bugzilla #1087094, Tim (tim-redhat-bugs) wrote on 2014-04-15:

#16

Could you please attach the PPD file for this queue, from the /etc/cups/ppd/ directory?

Revision history for this message

In Red Hat Bugzilla #1087094, Jiri (jiri-redhat-bugs) wrote on 2014-04-15:

#17

Looks like double free to me.
I've no idea what actually happened but,
given that cleanup() is called from CancelJob() as well as from closeFilter()
I'd suggest:

    if (m_pPrinterBuffer) {
        delete [] m_pPrinterBuffer;
        m_pPrinterBuffer = NULL;
    }

Revision history for this message

In Red Hat Bugzilla #1087094, Tim (tim-redhat-bugs) wrote on 2014-04-15:

#18

Ah, yes, that will be it. Nice catch.

Revision history for this message

Jiri Popelka (jpopelka) wrote on 2014-04-15:

0001-Avoid-double-free-in-HPCupsFilter-cleanup.patch Edit (749 bytes, text/plain)

Revision history for this message

In Red Hat Bugzilla #1087094, Herbert (herbert-redhat-bugs) wrote on 2014-04-15:

#19

Created attachment 886481
PPD file

Bug was caught, here is PPD anyway.

Revision history for this message

goutam kodu (goutam-hplip) wrote on 2014-04-16:

Hi Jiri,

Thank for reporting this issue. Yes, this issue was present in 3.13.11 version of hplip. This has been already fixed in latest hplip-3.14.4.

Please upgrade the hplip version to 3.14.4 or you can download the latest auto installer package @ http://hplipopensource.com/hplip-web/gethplip.html.

Regards,
Goutam