Comment 25 for bug 714259

Leonardo Hamada (leonardohamada) wrote :

pstoqpdl requires 2 matching cms files; if they are missing, the error messages in /var/log/cups/error_log show these:

...
E [26/Jun/2011:19:39:24 -0300] [Job 468] SpliX Cannot open CMS file /usr/share/cups/model/samsung/cms/CLP-510cms (2)
E [26/Jun/2011:19:39:24 -0300] [Job 468] SpliX Cannot open CMS file /usr/share/cups/model/samsung/cms/CLP-510cms2 (2)
W [26/Jun/2011:19:39:24 -0300] [Job 468] SpliX CMS data are missing. Color correction aborted
...

Now, cms files are optional if they are missing.

The problem occurs in pstoqpdl exclusively if someone installs only one file instead of a matching pair, like
CLP-510cms and CLP-510cms2, CLP-510-600x600cms and CLP-510-600x600cms2, CLP-510-1200x600cms and CLP-510-1200x600cms2, CLP-510-1200x1200cms and CLP-510-1200x1200cms2

If the first file exists but the second does not: pstoqpdl is terminated with signal 11 in Ubuntu 10.10.
If the second file exists but the first does not: pstoqpdl is terminated with signal 6 in Ubuntu 10.10.

Signal 6 could be a double free, so in pstoqpdl.cpp there is a code section freeing cms data if one file is missing, but it does not set crd and csa to NULL:
...
    if (!crd || !csa) {
        WARNMSG(_("CMS data are missing. Color correction aborted"));
        if (crd)
            delete[] crd;
        if (csa)
            delete[] csa;
...

And at the end of the pstoqpdl filter file (pstoqpdl.cpp) there is another code section freeing the pointers:
...
    if (crd)
        delete[] crd;
    if (csa)
        delete[] csa;
    if (manufacturer)
...

I don't know if these could be related to the bug, which I think they should be, but a patch would be like:

--- pstoqpdl.cpp.old 2011-06-26 19:22:42.000000000 -0300
+++ pstoqpdl.cpp 2011-06-26 19:24:47.000000000 -0300
@@ -223,10 +223,14 @@
     csa = _readCMSFile(ppd, manufacturer, true);
     if (!crd || !csa) {
         WARNMSG(_("CMS data are missing. Color correction aborted"));
- if (crd)
+ if (crd) {
             delete[] crd;
- if (csa)
+ crd = NULL;
+ }
+ if (csa) {
             delete[] csa;
+ csa = NULL;
+ }
         while (!(feof(stdin))) {
             fgets((char *)&buffer, sizeof(buffer), stdin);
             fprintf(stdout, "%s", (char *)&buffer);
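Review bot: the `if (crd)` and `if (csa)` guards kept around the two new blocks are not needed, since `delete[]` on a null pointer is a no-op; each block can shrink to `delete[] crd; crd = NULL;` with the same effect. The NULL assignments only help if a later cleanup tests these pointers before freeing them, so the patch description should name which later `delete[]` this protects. Separately, in the trailing context the loop tests `feof(stdin)` before calling `fgets` and ignores the return value of `fgets`, so the buffer is written out even when the read failed; looping on the result of `fgets` itself would avoid that.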

I'm interested to know if these make any difference. Regards.
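The cleanup pattern discussed in this comment, as an added example that is not part of the original comment or of the SpliX source. It assumes the "CMS data are missing" branch falls through to the cleanup at the end of the filter; only `crd` and `csa` are names from the page, every other name is hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>

// Constructed model of the cleanup flow in the comment; only crd and csa are
// names from the page, everything else is hypothetical.
static int g_frees = 0;                       // how many buffers were really freed

struct CountingDelete {                       // deleter that frees and counts
    void operator()(char *p) const { delete[] p; ++g_frees; }
};
typedef std::unique_ptr<char[], CountingDelete> CmsData;

// Raw-pointer flow: counts the delete[] calls the code would make without
// executing them, so the unpatched case can run without undefined behaviour.
int raw_free_calls(bool have_crd, bool have_csa, bool null_after_free) {
    static char a[1], b[1];                   // stand-ins for the loaded CMS data
    char *crd = have_crd ? a : NULL, *csa = have_csa ? b : NULL;
    int calls = 0;
    if (!crd || !csa) {                       // "CMS data are missing" branch
        if (crd) { ++calls; if (null_after_free) crd = NULL; }
        if (csa) { ++calls; if (null_after_free) csa = NULL; }
    }
    if (crd) ++calls;                         // cleanup at the end of the filter
    if (csa) ++calls;
    return calls;
}

// Owning-pointer flow: reset() frees and nulls in one step, and the destructor
// does the end-of-filter cleanup, so each buffer is freed exactly once.
int raii_free_calls(bool have_crd, bool have_csa) {
    g_frees = 0;
    {
        CmsData crd(have_crd ? new char[16] : NULL);
        CmsData csa(have_csa ? new char[16] : NULL);
        if (!crd || !csa) { crd.reset(); csa.reset(); }
    }                                         // destructors run here
    return g_frees;
}

int main() {
    std::printf("unpatched, only crd present: %d delete[] calls for 1 buffer\n",
                raw_free_calls(true, false, false));
    std::printf("patched,   only crd present: %d\n", raw_free_calls(true, false, true));
    std::printf("unique_ptr, only csa present: %d\n", raii_free_calls(false, true));
    return 0;
}
```
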