cups-filters: patch CVE-2025-64524

Details https://nvd.nist.gov/vuln/detail/CVE-2025-64524 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-01 13:58:06 +00:00 · 2025-12-24 11:31:49 +05:30 · 2025-12-24 11:31:49 +05:30 · c8f7748616
commit c8f7748616
parent 44bdb70034
2 changed files with 82 additions and 0 deletions
--- a/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
+++ b/meta-oe/recipes-printing/cups/cups-filters/CVE-2025-64524.patch
@ -0,0 +1,81 @@
+From a6cc1c750006a8ac4e5d692f3a7d9ade479519ec Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Wed, 12 Nov 2025 15:47:24 +0100
+Subject: [PATCH] rastertopclx.c: Fix infinite loop caused by crafted file
+
+Infinite loop happened because of crafted input raster file, which led
+into heap buffer overflow of `CompressBuf` array.
+
+Based on comments there should be always some `count` when compressing
+the data, and processing of crafted file ended with offset and count
+being 0.
+
+Fixes CVE-2025-64524
+
+CVE: CVE-2025-64524
+Upstream-Status: Backport [https://github.com/OpenPrinting/cups-filters/commit/0fe46c511e81062575b05936f804eb18c9f0a011]
+(cherry picked from commit 0fe46c511e81062575b05936f804eb18c9f0a011)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ filter/rastertopclx.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/filter/rastertopclx.c b/filter/rastertopclx.c
+index ded86f114..39cb378bf 100644
+--- a/filter/rastertopclx.c
+++ b/filter/rastertopclx.c
+@@ -825,10 +825,10 @@ StartPage(cf_filter_data_t      *data,	// I - filter data
+   }
+ 
+   if (header->cupsCompression)
+-    CompBuffer = malloc(DotBufferSize * 4);
+    CompBuffer = calloc(DotBufferSize * 4, sizeof(unsigned char));
+ 
+   if (header->cupsCompression >= 3)
+-    SeedBuffer = malloc(DotBufferSize);
+    SeedBuffer = calloc(DotBufferSize, sizeof(unsigned char));
+ 
+   SeedInvalid = 1;
+ 
+@@ -1159,6 +1159,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+               seed ++;
+               count ++;
+             }
+
+	    //
+	    // Bail out if we don't have count to compress
+	    //
+
+	    if (count == 0)
+	      break;
+ 	  }
+ 
+ 	  //
+@@ -1252,6 +1259,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = line_ptr - start;
+ 
+	    //
+	    // Bail out if we don't have count to compress
+	    //
+
+	    if (count == 0)
+	      break;
+
+ #if 0
+             fprintf(stderr,
+ 		    "DEBUG: offset=%d, count=%d, comp_ptr=%p(%d of %d)...\n",
+@@ -1424,6 +1438,13 @@ CompressData(unsigned char *line,	// I - Data to compress
+ 
+             count = (line_ptr - start) / 3;
+ 
+	    //
+	    // Bail out if we don't have count to compress
+	    //
+
+	    if (count == 0)
+	      break;
+
+ 	    //
+ 	    // Place mode 10 compression data in the buffer; each sequence
+ 	    // starts with a command byte that looks like:
--- a/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb
+++ b/meta-oe/recipes-printing/cups/cups-filters_2.0.0.bb
@ -8,6 +8,7 @@ DEPENDS = "libcupsfilters libppd glib-2.0 poppler"
 SRC_URI = " \
 	https://github.com/OpenPrinting/${BPN}/releases/download/${PV}/${BP}.tar.xz \
 	file://fix-make-race.patch \
+	file://CVE-2025-64524.patch \
 "
 SRC_URI[sha256sum] = "b5152e3dd148ed73835827ac2f219df7cf5808dbf9dbaec2aa0127b44de800d8"