
fix out-of-bounds write stripping section comments in help_load_file #1641

Open
aizu-m wants to merge 1 commit into OpenPrinting:master from aizu-m:help-index-section-strip-bounds

Conversation

@aizu-m (Contributor) commented Jul 3, 2026

Isolated the <!-- SECTION: --> parsing from help_load_file() under ASan and fed it a comment with no text:

help-index.c: AddressSanitizer: stack-buffer-overflow
READ of size 1 ... offset 1183 ... underflows this variable 'section'

Tracked it down from there. ptr indexes into section after the cupsCopyString(section, ...), but the trailing-strip loop guards the walk with ptr > line. line and section are separate stack buffers, so that test never bounds ptr inside section.

A section that is empty or all-whitespace up to --> (e.g. <!-- SECTION:-->) puts ptr at section[0]. The guard against line then lets the loop decrement past the start of section, writing \0 over the adjacent stack, and the following isspace(*ptr & 255) reads out of bounds too.

Bound the walk to section and drop the stray trailing test. Valid section comments strip the same as before.
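The walk the description above lays out, as an added example that is not the PR's diff and not CUPS's own code: a reconstruction of the trailing-strip logic, parameterised so the same function can be run with the old guard (`ptr > line`), with the corrected guard (`ptr > section`) while still keeping the trailing `isspace()` test, and with both fixes applied. Everything about the layout is an assumption made for illustration: `line` and `section` are placed in one contiguous arena with a whitespace-filled gap between them standing in for the adjacent stack, so the buggy walk can be observed without leaving a single C object; the buffer sizes, `snprintf()` in place of `cupsCopyString()`, and the helper names `strip_section`, `run` and `last_section` are all hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stack model (assumption for illustration, not the real frame):
 * line sits below section with a space-filled gap between them, all inside
 * one array so the buggy walk stays within a single C object. */
#define BUF_SIZE 64
#define GAP_SIZE 16
static char arena[BUF_SIZE + GAP_SIZE + BUF_SIZE];

/* Reconstruction of the strip logic described in the PR (hypothetical, not
 * CUPS's code). guard is the lower bound the walk is checked against: passing
 * line reproduces the bug, passing section is the fix. trailing_test keeps or
 * drops the isspace() test after the loop. Returns how many bytes below
 * section[0] were written, 0 when the walk stayed inside section. */
static ptrdiff_t strip_section(char *line, char *section, size_t secsz,
                               const char *guard, int trailing_test)
{
    char *ptr, *low = section;

    if (strncmp(line, "<!-- SECTION:", 13) != 0)
        return 0;
    for (ptr = line + 13; isspace(*ptr & 255); ptr++)   /* skip leading blanks */
        ;
    snprintf(section, secsz, "%s", ptr);                 /* stands in for cupsCopyString() */
    if ((ptr = strstr(section, "-->")) == NULL)
        return 0;

    /* Empty/all-blank text puts ptr at section[0]; the post-decrement then
     * leaves ptr one byte below section before the guard is ever tested. */
    for (*ptr-- = '\0'; ptr > guard && isspace(*ptr & 255); ptr--) {
        *ptr = '\0';
        if (ptr < low) low = ptr;
    }
    if (trailing_test && isspace(*ptr & 255)) {          /* the stray trailing test */
        *ptr = '\0';
        if (ptr < low) low = ptr;
    }
    return section - low;
}

/* Reset the arena, run one variant on one input line, and return the number of
 * bytes clobbered below section[0]. '#' filler makes any walk past the gap stop
 * (it is not whitespace), so the count equals the gap bytes actually wiped. */
static ptrdiff_t run(const char *input, int fixed_guard, int trailing_test)
{
    char *line = arena;
    char *section = arena + BUF_SIZE + GAP_SIZE;

    memset(arena, '#', sizeof arena);
    memset(arena + BUF_SIZE, ' ', GAP_SIZE);             /* "adjacent stack" */
    snprintf(line, BUF_SIZE, "%s", input);
    return strip_section(line, section, BUF_SIZE,
                         fixed_guard ? section : line, trailing_test);
}

/* The stripped section text left behind by the last run(). */
static const char *last_section(void)
{
    return arena + BUF_SIZE + GAP_SIZE;
}

int main(void)
{
    /* Constructed inputs: the two failing shapes from the PR and a valid one. */
    static const char *inputs[] = {
        "<!-- SECTION:-->",
        "<!-- SECTION:   -->",
        "<!-- SECTION: Getting Started -->",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        ptrdiff_t buggy = run(inputs[i], 0, 1);
        ptrdiff_t half  = run(inputs[i], 1, 1);
        ptrdiff_t fixed = run(inputs[i], 1, 0);
        printf("%-36s old=%td guard-only=%td fixed=%td -> \"%s\"\n",
               inputs[i], buggy, half, fixed, last_section());
    }
    return 0;
}
```

With the old guard, the empty comment wipes the entire 16-byte gap below `section` before the walk meets a non-blank byte; bounding the walk to `section` alone still leaves the trailing `isspace()` test reading and zeroing `section[-1]`, which is why the PR drops that test as well. The valid comment strips to the same text under all three variants.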
