driverless: Fix uninitialized buffer and parsing ippfind output

(cherry picked from commit 72d8c47)

Author: zdohnal

cupsfilters/ipp.c

@@ -191,7 +191,7 @@ get_printer_attributes5(http_t *http_printer,
 {
   const char *uri;
   int have_http, uri_status, host_port, i = 0, total_attrs = 0, fallback,
-    cap = 0;
+    cap = 0, uri_alloc = 0;
   char scheme[10], userpass[1024], host_name[1024], resource[1024];
   ipp_t *request, *response = NULL;
   ipp_attribute_t *attr;
@@ -247,7 +247,18 @@ get_printer_attributes5(http_t *http_printer,
   if(resolve_uri_type == CUPS_BACKEND_URI_CONVERTER)
     uri = resolve_uri(raw_uri);
   else
+  {
     uri = ippfind_based_uri_converter(raw_uri, resolve_uri_type);
+    if (uri != NULL)
+      uri_alloc = 1;
+  }
+
+  if (uri == NULL)
+  {
+    log_printf(get_printer_attributes_log,
+        "get-printer-attibutes: Cannot resolve URI: %s\n", raw_uri);
+    return NULL;
+  }
 
   /* Extract URI componants needed for the IPP request */
   uri_status = httpSeparateURI(HTTP_URI_CODING_ALL, uri,
@@ -261,6 +272,7 @@ get_printer_attributes5(http_t *http_printer,
     log_printf(get_printer_attributes_log,
 	       "get-printer-attributes: Cannot parse the printer URI: %s\n",
 	       uri);
+    if (uri_alloc == 1) free(uri);
     return NULL;
   }
 
@@ -273,6 +285,7 @@ get_printer_attributes5(http_t *http_printer,
       log_printf(get_printer_attributes_log,
 		 "get-printer-attributes: Cannot connect to printer with URI %s.\n",
 		 uri);
+      if (uri_alloc == 1) free(uri);
       return NULL;
     }
   } else
@@ -370,6 +383,7 @@ get_printer_attributes5(http_t *http_printer,
       } else {
 	/* Suitable response, we are done */
 	if (have_http == 0) httpClose(http_printer);
+  if (uri_alloc == 1) free(uri);
 	return response;
       }
     } else {
@@ -398,6 +412,7 @@ get_printer_attributes5(http_t *http_printer,
   }
 
   if (have_http == 0) httpClose(http_printer);
+  if (uri_alloc == 1) free(uri);
   return NULL;
 }
 
@@ -418,21 +433,19 @@ ippfind_based_uri_converter (const char *uri, int is_fax)
   char *ippfind_argv[100],	/* Arguments for ippfind */
        *ptr_to_port = NULL,
        *reg_type,
-       *resolved_uri,		/*  Buffer for resolved URI */
+       *resolved_uri = NULL,		/*  Buffer for resolved URI */
        *resource_field = NULL,
        *service_hostname = NULL,
        /* URI components... */
        scheme[32],
        userpass[256],
        hostname[1024],
        resource[1024],
-       buffer[8192],		/* Copy buffer */
+       *buffer = NULL,		/* Copy buffer */
        *ptr;			/* Pointer into string */;
   cups_file_t *fp;		/* Post-processing input file */
   int  status;			/* Status of GET request */
 
-  resolved_uri = (char *)malloc(2048 * (sizeof(char)));
-
   status = httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme),
 			   userpass, sizeof(userpass),
 			   hostname, sizeof(hostname), &port, resource,
@@ -445,10 +458,16 @@ ippfind_based_uri_converter (const char *uri, int is_fax)
 
   /* URI is not DNS-SD-based, so do not resolve */
   if ((reg_type = strstr(hostname, "._tcp")) == NULL) {
-    free(resolved_uri);
     return strdup(uri);
   }
 
+  resolved_uri = (char *)malloc(MAX_URI_LEN * (sizeof(char)));
+  if (resolved_uri == NULL) {
+    fprintf(stderr, "resolved_uri malloc: Out of memory\n");
+    goto error;
+  }
+  memset(resolved_uri, 0, MAX_URI_LEN);
+
   reg_type --;
   while (reg_type >= hostname && *reg_type != '.')
     reg_type --;
@@ -523,26 +542,38 @@ ippfind_based_uri_converter (const char *uri, int is_fax)
 
   fp = cupsFileStdin();
 
-  while ((bytes = cupsFileGetLine(fp, buffer, sizeof(buffer))) > 0) {
+  buffer = (char*)malloc(MAX_OUTPUT_LEN * sizeof(char));
+  if (buffer == NULL) {
+    fprintf(stderr, "buffer malloc: Out of memory.\n");
+    goto error;
+  }
+  memset(buffer, 0, MAX_OUTPUT_LEN);
+
+  while ((bytes = cupsFileGetLine(fp, buffer, MAX_OUTPUT_LEN)) > 0) {
     /* Mark all the fields of the output of ippfind */
     ptr = buffer;
+
+    /* ignore new lines */
+    if (bytes < 3)
+      goto read_error;
+
     /* First, build the DNS-SD-service-name-based URI ... */
     while (ptr && !isalnum(*ptr & 255)) ptr ++;
 
     service_hostname = ptr; 
-    ptr = memchr(ptr, '\t', sizeof(buffer) - (ptr - buffer));
+    ptr = memchr(ptr, '\t', MAX_OUTPUT_LEN - (ptr - buffer));
     if (!ptr) goto read_error;
     *ptr = '\0';
     ptr ++;
 
     resource_field = ptr;
-    ptr = memchr(ptr, '\t', sizeof(buffer) - (ptr - buffer));
+    ptr = memchr(ptr, '\t', MAX_OUTPUT_LEN - (ptr - buffer));
     if (!ptr) goto read_error;
     *ptr = '\0';
     ptr ++;
 
     ptr_to_port = ptr;
-    ptr = memchr(ptr, '\t', sizeof(buffer) - (ptr - buffer));
+    ptr = memchr(ptr, '\t', MAX_OUTPUT_LEN - (ptr - buffer));
     if (!ptr) goto read_error;
     *ptr = '\0';
     ptr ++;
@@ -566,9 +597,12 @@ ippfind_based_uri_converter (const char *uri, int is_fax)
       output_of_fax_uri = 1; /* fax-uri requested from fax-capable device */
 
   read_error:
-    continue;
+    memset(buffer, 0, MAX_OUTPUT_LEN);
   }
 
+  if (buffer != NULL)
+    free(buffer);
+
  /*
   * Wait for the child processes to exit...
   */
@@ -615,6 +649,8 @@ ippfind_based_uri_converter (const char *uri, int is_fax)
   */
 
  error:
+  if (resolved_uri != NULL)
+    free(resolved_uri);
   return (NULL);
 }
 

cupsfilters/ipp.h

@@ -38,6 +38,9 @@ extern "C" {
 #endif
 
 #define LOGSIZE 4 * 65536
+#define MAX_OUTPUT_LEN 8192
+#define MAX_URI_LEN 2048
+
 char get_printer_attributes_log[LOGSIZE];
 
 const char     *resolve_uri(const char *raw_uri);