stop response skip loop at nul in commandtops #1637

Open
aizu-m wants to merge 1 commit into OpenPrinting:master from aizu-m:commandtops-skip-terminator
aizu-m commented Jul 1, 2026

Contributor

Chasing an ASan abort while feeding a fake back-channel to the commandtops filter:

READ of size 1 at 0x6020000000d4 thread T0
    #0 process commandtops.c:321
0x6020000000d4 is located 0 bytes after ... region

The filter reads an option query response from the printer with cupsBackChannelRead(), trims trailing whitespace/control, then skips leading whitespace/control:

for (bufptr = buffer; isspace(*bufptr & 255) || iscntrl(*bufptr & 255); bufptr ++);

iscntrl() is true for the nul byte, so the skip loop walks straight past the string terminator. A device that answers with an all-whitespace line ending in CR/LF (a bare "\n" is enough) reaches here after the trailing trim has zeroed the whole buffer, and the loop then runs off the end of the data. The runaway pointer is handed to _cups_strcpy(buffer, bufptr), so the out-of-bounds read turns into a copy from past the buffer.

The trailing-trim loop above already guards with bufptr >= buffer; the forward loop just needs the matching terminator check.
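
The guarded skip loop described in the comment above, as an added example that is not part of the pull request or the CUPS source. `normalize_response` and `unguarded_skip_span` are hypothetical helpers, `memmove()` stands in for the `_cups_strcpy(buffer, bufptr)` call, and the sample responses are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trailing trim, index-based so it never steps before the buffer. */
static void trim_trailing(char *buffer)
{
  size_t len = strlen(buffer);
  while (len > 0 && (isspace(buffer[len - 1] & 255) || iscntrl(buffer[len - 1] & 255)))
    buffer[--len] = '\0';
}

/* Leading skip with the terminator check: iscntrl(0) is true, so test *bufptr first. */
static char *skip_leading(char *buffer)
{
  char *bufptr;
  for (bufptr = buffer; *bufptr && (isspace(*bufptr & 255) || iscntrl(*bufptr & 255)); bufptr ++);
  return (bufptr);
}

/* Bounded model of the unguarded loop: counts the bytes it would step over
 * inside `size`. A result equal to `size` means the real loop leaves the buffer. */
static size_t unguarded_skip_span(const char *buffer, size_t size)
{
  size_t i = 0;
  while (i < size && (isspace(buffer[i] & 255) || iscntrl(buffer[i] & 255)))
    i ++;
  return (i);
}

/* Hypothetical helper: trim both ends in place and return the new length.
 * memmove() stands in for the _cups_strcpy(buffer, bufptr) call. */
static size_t normalize_response(char *buffer)
{
  char *start;
  trim_trailing(buffer);
  start = skip_leading(buffer);
  memmove(buffer, start, strlen(start) + 1);
  return (strlen(buffer));
}

int main(void)
{
  char blank[16] = "\n";          /* constructed: the bare "\n" response */
  char value[16] = "  True\r\n";  /* constructed sample response */
  trim_trailing(blank);
  printf("unguarded span on blank: %zu of %zu bytes\n", unguarded_skip_span(blank, sizeof(blank)), sizeof(blank));
  printf("blank -> %zu, value -> %zu\n", normalize_response(blank), normalize_response(value));
  return (0);
}
```

A span equal to the buffer size means the unguarded predicate never found a stopping byte inside the buffer, which is the condition ASan reports in the trace above.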
