Control: tags -1 +pending

On Friday, 26 February 2021, 15:41:07 CET Bernhard Übelacker wrote:
> Dear Maintainer,
> with the original PPD and input files from Ian I could
> reproduce the issue, and with the help of rr-debugger
> this is what I assume happens:
>
> - The buffer m_pPrinterBuffer is allocated here with
> the current sizes inside cups_header. [1]
>
> - The first page gets processed, and for the second page
> a new cups_header record gets copied. [2]
> Unfortunately the header now contains higher sizes,
> but the buffer is not grown accordingly.
>
> - Now this buffer is written to by a read function, and beyond it,
> where the management information of malloc got overwritten,
> or some other random memory. [3]
>
> - The defect in the management information of malloc is detected
> and the process is aborted. [4]
>
>
> The attached patch is an attempt to grow the buffer size
> if the header changes on a new page.
> This is just tested for the given crash, nothing more, therefore
> there might be side effects of replacing this buffer?
I have forwarded this upstream, but don't hold your breath; I don't expect any feedback from them, sadly. :-(

I'll apply this and upload to unstable once the current version has migrated.

Thanks a lot for your work!

OdyX
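The failure mode described in the quoted analysis, as an added illustration that is not the attached patch or the filter's own code: the buffer is sized from the first page's header and reused for later pages, and the fix is to re-check the required size whenever a new header arrives. The struct names and the `grow` switch are assumptions made for this example; the real `cups_header` carries many more fields.

```c
/* Constructed stand-in for the bug described above; not the CUPS filter's code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Only the header fields that determine the raster size (assumed names). */
typedef struct { unsigned cupsBytesPerLine, cupsHeight; } page_header_t;
typedef struct { unsigned char *data; size_t capacity; } printer_buffer_t;

/* Bytes one page needs, or 0 when a field is zero or the product overflows. */
static size_t page_bytes(const page_header_t *h) {
    if (h->cupsBytesPerLine == 0 || h->cupsHeight == 0) return 0;
    if (h->cupsBytesPerLine > SIZE_MAX / h->cupsHeight) return 0;
    return (size_t)h->cupsBytesPerLine * h->cupsHeight;
}

/* The fix: grow the buffer whenever a new page header needs more room. */
static int ensure_capacity(printer_buffer_t *buf, size_t need) {
    if (need == 0) return -1;
    if (need <= buf->capacity) return 0;          /* already large enough */
    unsigned char *p = realloc(buf->data, need);
    if (p == NULL) return -1;
    buf->data = p;
    buf->capacity = need;
    return 0;
}

/* Simulate reading one page's raster into the buffer. With grow == 0 the
   buffer keeps the size chosen for page 1 (the original behaviour); instead
   of writing past it, as the real read did, we refuse and return -1. */
static long read_page(printer_buffer_t *buf, const page_header_t *h, int grow) {
    size_t need = page_bytes(h);
    int unsafe = grow ? (ensure_capacity(buf, need) != 0)
                      : (need == 0 || need > buf->capacity);
    if (unsafe) return -1;                         /* [3] would happen here */
    memset(buf->data, 0xAB, need);                 /* stands in for the raster read */
    return (long)need;
}

/* Process a job page by page; returns how many pages were read safely and
   reports the buffer's final capacity. Page 1 sizes the buffer in both modes. */
int process_job(const page_header_t *pages, int npages, int grow, size_t *final_capacity) {
    printer_buffer_t buf = { NULL, 0 };
    int done = 0;
    if (npages > 0 && ensure_capacity(&buf, page_bytes(&pages[0])) == 0) {
        for (int i = 0; i < npages && read_page(&buf, &pages[i], grow) >= 0; i++)
            done++;
    }
    if (final_capacity) *final_capacity = buf.capacity;
    free(buf.data);
    return done;
}
```

With `grow == 0` the job stops at the first page whose header asks for more than page 1 needed, which is exactly the point at which the unpatched filter wrote past `m_pPrinterBuffer`.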