Improve page header validation in cupsRasterReadHeader.

michaelrsweet · michaelrsweet · commit 73dcbcd9d173 · 2026-03-03T15:05:17.000-05:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -9,6 +9,7 @@ v3.0.1 - YYYY-MM-DD
 - Updated `httpAddrLookup` to return a numeric address when the resolver
   returns "localhost" for a non-loopback address.
 - Updated `cupsFileGetConf` and `cupsFilePutConf` to escape more characters.
+- Updated `cupsRasterReadHeader` to validate more of the page header values.
 - Fixed a bug when the `ippFindXxx` and `ippSetXxx` functions were mixed
   (Issue #138)
 
diff --git a/cups/raster-error.c b/cups/raster-error.c
@@ -1,7 +1,7 @@
 //
 // Raster error handling for CUPS.
 //
-// Copyright © 2022 by OpenPrinting.
+// Copyright © 2022-2026 by OpenPrinting.
 // Copyright © 2007-2018 by Apple Inc.
 // Copyright © 2007 by Easy Software Products.
 //
@@ -55,7 +55,6 @@ _cupsRasterAddError(const char *f,	// I - Printf-style error message
     char	*temp;			// New buffer
     size_t	size;			// Size of buffer
 
-
     size = (size_t)(buf->end - buf->start + 2 * bytes + 1024);
 
     if (buf->start)
@@ -79,6 +78,9 @@ _cupsRasterAddError(const char *f,	// I - Printf-style error message
   * Append the message to the end of the current string...
   */
 
+  if (buf->current > buf->start)
+    *(buf->current ++) = ' ';
+
   memcpy(buf->current, s, (size_t)bytes);
   buf->current += bytes - 1;
 }
diff --git a/cups/raster-stream.c b/cups/raster-stream.c
@@ -1,7 +1,7 @@
 //
 // Raster file routines for CUPS.
 //
-// Copyright © 2022-2025 by OpenPrinting.
+// Copyright © 2022-2026 by OpenPrinting.
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2006 by Easy Software Products.
 //
@@ -20,6 +20,8 @@
 #define _CUPS_MAX_BYTES_PER_LINE	(16 * 1024 * 1024)
 #define _CUPS_MAX_BITS_PER_COLOR	16
 #define _CUPS_MAX_BITS_PER_PIXEL	240
+#define _CUPS_MAX_HEIGHT		0x00ffffff
+#define _CUPS_MAX_WIDTH			0x00ffffff
 
 
 //
@@ -353,7 +355,7 @@ cupsRasterInitHeader(
   h->cupsWidth  = (unsigned)(media->width * xdpi / 2540);
   h->cupsHeight = (unsigned)(media->length * ydpi / 2540);
 
-  if (h->cupsWidth > 0x00ffffff || h->cupsHeight > 0x00ffffff)
+  if (h->cupsWidth > _CUPS_MAX_WIDTH || h->cupsHeight > _CUPS_MAX_HEIGHT)
   {
     _cupsRasterAddError("Raster dimensions too large.");
     DEBUG_puts("1cupsRasterInitHeader: Returning false.");
@@ -1669,6 +1671,18 @@ cups_raster_update(cups_raster_t *r)	// I - Raster stream
   DEBUG_printf("6cups_raster_update: remaining=%u", r->remaining);
 
   // Validate the page header...
+  if (r->header.cupsBitsPerColor != 1 &&  r->header.cupsBitsPerColor != 2 &&  r->header.cupsBitsPerColor != 4 &&  r->header.cupsBitsPerColor != 8 &&  r->header.cupsBitsPerColor != 16)
+  {
+    _cupsRasterAddError("Invalid bits per color %u.", r->header.cupsBitsPerColor);
+    ret = false;
+  }
+
+  if ((r->header.cupsColorOrder != CUPS_ORDER_CHUNKED && r->header.cupsBitsPerPixel != r->header.cupsBitsPerColor) || (r->header.cupsColorOrder == CUPS_ORDER_CHUNKED && r->header.cupsBitsPerPixel != (r->header.cupsBitsPerColor * r->header.cupsNumColors)))
+  {
+    _cupsRasterAddError("Invalid bits per pixel %u.", r->header.cupsBitsPerPixel);
+    ret = false;
+  }
+
   if (r->header.cupsBytesPerLine == 0)
   {
     _cupsRasterAddError("Invalid raster line length 0.");
@@ -1684,28 +1698,21 @@ cups_raster_update(cups_raster_t *r)	// I - Raster stream
     _cupsRasterAddError("Raster line length %u is not a multiple of the pixel size (%d).", r->header.cupsBytesPerLine, r->bpp);
     ret = false;
   }
-
-  if (r->header.cupsBitsPerColor == 0 || r->header.cupsBitsPerColor > _CUPS_MAX_BITS_PER_COLOR)
-  {
-    _cupsRasterAddError("Invalid bits per color %u.", r->header.cupsBitsPerColor);
-    ret = false;
-  }
-
-  if (r->header.cupsBitsPerPixel == 0 || r->header.cupsBitsPerPixel > _CUPS_MAX_BITS_PER_PIXEL)
+  else if (r->header.cupsBytesPerLine != ((r->header.cupsWidth * r->header.cupsBitsPerPixel + 7) / 8))
   {
-    _cupsRasterAddError("Invalid bits per pixel %u.", r->header.cupsBitsPerPixel);
+    _cupsRasterAddError("Raster line length %u does not match width (%u) and bits per pixel (%u).", r->header.cupsBytesPerLine, r->header.cupsWidth, r->header.cupsBitsPerPixel);
     ret = false;
   }
 
-  if (r->header.cupsWidth == 0)
+  if (r->header.cupsWidth == 0 || r->header.cupsWidth > _CUPS_MAX_WIDTH)
   {
-    _cupsRasterAddError("Invalid raster width 0.");
+    _cupsRasterAddError("Invalid raster width %u.", r->header.cupsWidth);
     ret = false;
   }
 
-  if (r->header.cupsHeight == 0)
+  if (r->header.cupsHeight == 0 || r->header.cupsHeight > _CUPS_MAX_HEIGHT)
   {
-    _cupsRasterAddError("Invalid raster height 0.");
+    _cupsRasterAddError("Invalid raster height %u.", r->header.cupsHeight);
     ret = false;
   }
 
