hpcups filter crashes with "free(): invalid pointer" for some printers

Bug #1901209 reported by Didier Raboud
Affects         Status        Importance  Assigned to  Milestone
HPLIP           New           Undecided   Unassigned
hplip (Debian)  Fix Released  Unknown

Bug Description

When printing to certain printers, the hpcups filter crashes with a "free(): invalid pointer" error when run on Debian's armhf architecture.

Here's a simple way to reproduce this:

    # hpcups takes the printer's PPD from the PPD environment variable
    export PPD=./hplip/ppd/hpcups/hp-officejet_pro_1150c.ppd.gz

    # CUPS filter argument convention: job-id user title copies options, data on stdin
    /usr/lib/cups/filter/pdftopdf 1 debian '' 1 '' </usr/share/cups/data/default-testpage.pdf >print_step_1.pdf
    /usr/lib/cups/filter/gstoraster 1 debian '' 1 '' <print_step_1.pdf >print_step_2.raster
    /usr/lib/cups/filter/hpcups 1 debian '' 1 '' <print_step_2.raster >print_step_3.hpcups

The gdb backtrace looks like this:

#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb6be8dd0 in __libc_signal_restore_set (set=0xbefff1d4) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb6bd97a2 in __GI_abort () at abort.c:79
#4 0xb6c11c56 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#5 0xb6c16c32 in malloc_printerr (str=<optimized out>) at malloc.c:5347
#6 0xb6c17b14 in _int_free (av=<optimized out>, p=0x49e3e0, have_lock=0) at malloc.c:4173
#7 0x00406074 in Compressor::~Compressor (this=0x48ae70, __in_chrg=<optimized out>) at prnt/hpcups/Compressor.cpp:52
#8 0x004065f0 in Mode9::~Mode9 (this=0x48ae70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:51
#9 Mode9::~Mode9 (this=0x48ae70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:52
#10 0x0040d7e6 in Job::~Job (this=0x4627c8 <filter+4>, __in_chrg=<optimized out>) at prnt/hpcups/Job.cpp:137
#11 0x0040588e in HPCupsFilter::~HPCupsFilter (this=0x4627c4 <filter>, __in_chrg=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:213
#12 0xb6beaa70 in __run_exit_handlers (status=0, listp=0xb6cba4fc <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#13 0xb6beab32 in __GI_exit (status=<optimized out>) at exit.c:139
#14 0xb6bd9a24 in __libc_start_main (main=0x403719 <main(int, char**)>, argc=6, argv=0xbefff674, init=<optimized out>, fini=0x419b75 <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff674) at libc-start.c:342
#15 0x004037e4 in _start () at prnt/hpcups/HPCupsFilter.cpp:919

Didier Raboud (odyx)
Changed in hplip (Debian):
importance: Unknown → High
Bernhard Übelacker (bernhardu) wrote:

Did some more research: there is a buffer
overflow just before, in Mode9.cpp:405.
There, the malloc management information residing
a few bytes before the actual pointer gets overwritten.
Please find the backtrace in the connected Debian bug.

Changed in hplip (Debian):
importance: High → Unknown
status: Unknown → Confirmed
Changed in hplip (Debian):
status: Confirmed → Fix Released
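The failure mode described in the comment above (an out-of-bounds heap write that corrupts malloc's chunk metadata, which glibc only reports later as "free(): invalid pointer" when the destructor frees the buffer) is easier to reason about with a small stand-alone model. The C program below is an added example, not hplip code: it does not reproduce HP's Mode 9 encoding or the real overflow at Mode9.cpp:405. It uses a hypothetical PackBits-style run-length encoder whose output can be larger than its input, sizes the output buffer naively to the input length, and measures with in-allocation guard bytes how far the unchecked encoder overruns that length, next to a bounded encoder that refuses to exceed the caller's capacity and a worst-case size helper. All names (rle_encode, rle_worst_case, guard_bytes_clobbered, bounded_encode_refuses_naive_size) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RLE_FAIL ((size_t)-1)
#define GUARD 16

/* Upper bound on encoded size for n input bytes: incompressible input is
 * emitted as literal runs of at most 127 bytes, one header byte each. */
size_t rle_worst_case(size_t n)
{
    return n + (n + 126) / 127;
}

/* Hypothetical PackBits-style encoder (not HP's Mode 9). A run of 2..128
 * identical bytes becomes {0x80|(len-1), byte}; 1..127 literal bytes become
 * {len-1, bytes...}. Returns bytes written, or RLE_FAIL if the next token
 * would exceed cap. Never writes past out + cap. */
size_t rle_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < n) {
        size_t run = 1;
        while (i + run < n && run < 128 && in[i + run] == in[i])
            run++;
        if (run >= 2) {
            if (o + 2 > cap)
                return RLE_FAIL;
            out[o++] = (uint8_t)(0x80 | (run - 1));
            out[o++] = in[i];
            i += run;
        } else {
            /* Extend the literal until a run of >= 2 starts or 127 bytes. */
            size_t lit = 1;
            while (i + lit < n && lit < 127 &&
                   !(i + lit + 1 < n && in[i + lit] == in[i + lit + 1]))
                lit++;
            if (o + 1 + lit > cap)
                return RLE_FAIL;
            out[o++] = (uint8_t)(lit - 1);
            memcpy(out + o, in + i, lit);
            o += lit;
            i += lit;
        }
    }
    return o;
}

/* Inverse of rle_encode; RLE_FAIL on truncated input or insufficient cap. */
size_t rle_decode(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < n) {
        uint8_t h = in[i++];
        size_t len = (size_t)(h & 0x7f) + 1;
        if (h & 0x80) {
            if (i >= n || o + len > cap)
                return RLE_FAIL;
            memset(out + o, in[i++], len);
        } else {
            if (i + len > n || o + len > cap)
                return RLE_FAIL;
            memcpy(out + o, in + i, len);
            i += len;
        }
        o += len;
    }
    return o;
}

/* The buggy pattern: an output buffer sized to the input length, as if
 * compression could never expand, written by an unbounded encoder. To keep
 * the demonstration well defined, the buffer really is n + GUARD bytes and
 * the tail holds a marker; the number of marker bytes clobbered is how far
 * the "n-byte" buffer was overrun. In a real program those bytes would be
 * the next malloc chunk's header, and glibc would abort later in free(). */
size_t guard_bytes_clobbered(size_t n)
{
    uint8_t *in = malloc(n + 1), *out = malloc(n + GUARD);
    size_t i, clobbered = 0;
    if (!in || !out || rle_worst_case(n) > n + GUARD) {
        free(in); free(out);
        return RLE_FAIL;
    }
    for (i = 0; i < n; i++)
        in[i] = (uint8_t)i;               /* no repeats: incompressible */
    memset(out + n, 0xA5, GUARD);
    rle_encode(in, n, out, SIZE_MAX);     /* "unchecked": cap never bites */
    for (i = 0; i < GUARD; i++)
        clobbered += out[n + i] != 0xA5;
    free(in); free(out);
    return clobbered;
}

/* 1 if the bounded encoder refuses the naive n-byte buffer for n
 * incompressible bytes instead of overrunning it. */
int bounded_encode_refuses_naive_size(size_t n)
{
    uint8_t *in = malloc(n + 1), *out = malloc(n + 1);
    size_t i, r = 0;
    if (in && out) {
        for (i = 0; i < n; i++)
            in[i] = (uint8_t)i;
        r = rle_encode(in, n, out, n);
    }
    free(in); free(out);
    return r == RLE_FAIL;
}

/* The fixed pattern: allocate rle_worst_case(n), pass the real capacity,
 * and check that decoding reproduces the input. */
int rle_roundtrip_ok(const uint8_t *in, size_t n)
{
    size_t cap = rle_worst_case(n), enc, dec;
    uint8_t *buf = malloc(cap + 1), *back = malloc(n + 1);
    int ok = 0;
    if (buf && back) {
        enc = rle_encode(in, n, buf, cap);
        dec = enc == RLE_FAIL ? RLE_FAIL : rle_decode(buf, enc, back, n);
        ok = dec == n && memcmp(in, back, n) == 0;
    }
    free(buf); free(back);
    return ok;
}

int main(void)
{
    const uint8_t sample[] = "aaaaabbcabcaab";
    printf("unchecked encode overran an 8-byte buffer by %zu byte(s)\n",
           guard_bytes_clobbered(8));
    printf("bounded encode into 8 bytes: %s\n",
           bounded_encode_refuses_naive_size(8) ? "refused" : "ok");
    printf("roundtrip with worst-case buffer: %s\n",
           rle_roundtrip_ok(sample, sizeof sample - 1) ? "ok" : "FAILED");
    return 0;
}
```

The point of the guard-byte trick is that the crash site in the backtrace (the free() in the Compressor destructor) says nothing about where the write happened; a capacity check at every emit, sized from the encoder's true worst case, fails loudly at the write instead. Running the real filter under a memory checker gives the same localisation for the actual bug.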