hpcups filter crashes with "free(): invalid pointer" for some printers
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
HPLIP | New | Undecided | Unassigned | |
hplip (Debian) | Fix Released | Unknown | | |
Bug Description
When printing to certain printers, the hpcups filter will crash with a "free(): invalid pointer" error, when run on Debian's armhf architecture.
Here's a simple way to reproduce this:
export PPD=./hplip/
/usr/
/usr/
/usr/
The gdb backtrace looks like this:
#0 __libc_do_syscall () at ../sysdeps/
#1 0xb6be8dd0 in __libc_
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/
#3 0xb6bd97a2 in __GI_abort () at abort.c:79
#4 0xb6c11c56 in __libc_message (action=
#5 0xb6c16c32 in malloc_printerr (str=<optimized out>) at malloc.c:5347
#6 0xb6c17b14 in _int_free (av=<optimized out>, p=0x49e3e0, have_lock=0) at malloc.c:4173
#7 0x00406074 in Compressor:
#8 0x004065f0 in Mode9::~Mode9 (this=0x48ae70, __in_chrg=
#9 Mode9::~Mode9 (this=0x48ae70, __in_chrg=
#10 0x0040d7e6 in Job::~Job (this=0x4627c8 <filter+4>, __in_chrg=
#11 0x0040588e in HPCupsFilter:
#12 0xb6beaa70 in __run_exit_handlers (status=0, listp=0xb6cba4fc <__exit_funcs>, run_list_
#13 0xb6beab32 in __GI_exit (status=<optimized out>) at exit.c:139
#14 0xb6bd9a24 in __libc_start_main (main=0x403719 <main(int, char**)>, argc=6, argv=0xbefff674, init=<optimized out>, fini=0x419b75 <__libc_csu_fini>, rtld_fini=
#15 0x004037e4 in _start () at prnt/hpcups/
Changed in hplip (Debian):
importance: Unknown → High
Changed in hplip (Debian):
importance: High → Unknown
status: Unknown → Confirmed
Changed in hplip (Debian):
status: Confirmed → Fix Released
Did some more research and there happens a buffer overflow just before in Mode9.cpp:405.
There the malloc management information residing a few bytes before the actual pointer got overwritten.
Please find the backtrace in the connected Debian bug.
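Added example, not part of the bug report and not HPLIP code: a small C sketch of why a write past the end of one heap buffer only surfaces later as "free(): invalid pointer", and how a trailing guard check or a bounds-checked write localises it. All function names are hypothetical, and the guard bytes stand in for the allocator metadata the comment above describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard bytes stand in for the next chunk's malloc header, which glibc
 * keeps directly in front of the pointer later handed to free(). */
#define GUARD_LEN 8
static const unsigned char GUARD[GUARD_LEN] =
    { 0xDE, 0xAD, 0xC0, 0xDE, 0xFE, 0xED, 0xFA, 0xCE };

/* Allocate cap usable bytes followed by the guard (hypothetical helper). */
static unsigned char *guarded_alloc(size_t cap) {
    if (cap > SIZE_MAX - GUARD_LEN) return NULL;
    unsigned char *p = malloc(cap + GUARD_LEN);
    if (p) memcpy(p + cap, GUARD, GUARD_LEN);
    return p;
}

static int guard_intact(const unsigned char *p, size_t cap) {
    return memcmp(p + cap, GUARD, GUARD_LEN) == 0;
}

/* Bounds-checked append: refuses any write that would pass cap. */
static int emit_checked(unsigned char *out, size_t cap, size_t *pos,
                        const unsigned char *src, size_t len) {
    if (*pos > cap || len > cap - *pos) return -1;
    memcpy(out + *pos, src, len);
    *pos += len;
    return 0;
}

/* Write len bytes into a cap-byte buffer, checked or unchecked.
 * Returns 1 if the guard was damaged, 0 if intact, -1 on bad args. */
int guard_damaged_after_write(size_t cap, size_t len, int checked, int *rejected) {
    unsigned char src[64];                 /* constructed sample input */
    size_t pos = 0;
    if (cap > sizeof src || len > sizeof src || len > cap + GUARD_LEN)
        return -1;                         /* keep the demo inside its allocation */
    memset(src, 0x41, sizeof src);
    unsigned char *buf = guarded_alloc(cap);
    if (!buf) return -1;
    *rejected = 0;
    if (checked) *rejected = (emit_checked(buf, cap, &pos, src, len) != 0);
    else memcpy(buf, src, len);            /* the defect: no length check */
    int damaged = !guard_intact(buf, cap);
    free(buf);
    return damaged;
}
```

In the unchecked case the damage is only noticed when something inspects the bytes after the buffer, which for the real allocator happens inside free(), far from the faulty write.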