cups-filters -- texttopdf integer overflow
Stefan Cornelius from Red Hat reports:
An integer overflow flaw leading to a heap-based buffer overflow was
discovered in the way the texttopdf utility of cups-filter processed
print jobs with a specially crafted line size. An attacker being able
to submit print jobs could exploit this flaw to crash texttopdf or,
possibly, execute arbitrary code with the privileges of the 'lp' user.
Tim Waugh reports:
The Page allocation is moved into textcommon.c, where it does all the
necessary checking: lower-bounds for CVE-2015-3258 and upper-bounds
for CVE-2015-3259 due to integer overflows for the calloc() call
initializing Page and the memset() call in texttopdf.c's
WritePage() function zeroing the entire array.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright