Off-by-one heap over-read in rastertolabel memcmp for ZEBRA_EPL_PAGE and ZEBRA_CPCL #1545

@Tomer-PL

Summary

In filter/rastertolabel.c, the blank-line detection at lines 791 and 875 uses memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine) which reads 1 byte past the malloc(cupsBytesPerLine) allocation. The correct length is cupsBytesPerLine - 1, as used at lines 762 and 886 for other printer models.

Details

Buggy (lines 791, 875 — ZEBRA_EPL_PAGE and ZEBRA_CPCL):

if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine))
//                                          ^^^^^^^^^^^^^^^^^^^^^^^^^ should be -1

Correct (lines 762, 886 — DYMO_3x0 and INTELLITECH_PCL):

if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine - 1))
//                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ correct

Buffer is allocated at line 428: malloc(header->cupsBytesPerLine), valid indices [0..N-1]. memcmp(..., Buffer + 1, N) reads Buffer[1] through Buffer[N], where Buffer[N] is 1 byte past the allocation.

Reproducer

Submit a raster print job to a ZEBRA EPL or CPCL label printer containing a blank (all-zero) raster line.

ASan output:

ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 32 at OutputLine (rastertolabel.c:791)
0 bytes after 32-byte region allocated at StartPage (rastertolabel.c:428)

Suggested Fix

  // Line 791 (ZEBRA_EPL_PAGE):
- if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine))
+ if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine - 1))
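Review bot: The added length header->cupsBytesPerLine - 1 on the line 791 change assumes cupsBytesPerLine is at least 1. With a value of 0 the Buffer[0] test already reads outside the malloc(header->cupsBytesPerLine) allocation, and if the field is unsigned the length wraps to a very large value. Confirm that a header with cupsBytesPerLine of 0 is rejected before this point, or add that guard ahead of the comparison.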

  // Line 875 (ZEBRA_CPCL):
- if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine))
+ if (Buffer[0] || memcmp(Buffer, Buffer + 1, header->cupsBytesPerLine - 1))
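Review bot: With the line 875 change this becomes the fourth copy of the same blank-line test (lines 762, 791, 875 and 886), and two of the copies had already drifted to the wrong length. Consider moving the test into one small helper that takes Buffer and header->cupsBytesPerLine, so the length is written once and all four printer models call it.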

This matches the correct pattern already used at lines 762 and 886.
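
The overlapping compare described above, as an added example that is not code from the CUPS source: it shows that the over-long length makes the blank-line result depend on the byte that follows the line. The helper names and the guard byte are hypothetical, and the test buffer is allocated one byte larger so the over-long read stays in bounds here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: returns 1 when all n bytes of line are zero. */
static int line_is_blank(const unsigned char *line, size_t n)
{
  if (n == 0)
    return 1;                 /* nothing to read, so no line[0] access */
  /* line[0] == 0 and line[i] == line[i + 1] for i in 0..n-2 means every
     byte is zero; the compare touches line[0..n-1] and nothing beyond. */
  return line[0] == 0 && memcmp(line, line + 1, n - 1) == 0;
}

/* Same test with the length from the issue's "Buggy" lines: the final
   comparison is line[n - 1] against line[n], one byte past the line. */
static int line_is_blank_overlong(const unsigned char *line, size_t n)
{
  return line[0] == 0 && memcmp(line, line + 1, n) == 0;
}

/* Builds a blank n-byte line followed by one constructed guard byte that
   stands in for whatever sits after the real allocation, then runs one of
   the two checks. Returns 1 (blank), 0 (not blank) or -1 (no memory). */
static int check_with_guard(size_t n, unsigned char guard, int overlong)
{
  unsigned char *mem = calloc(n + 1, 1);
  int blank;

  if (!mem)
    return -1;
  mem[n] = guard;
  blank = overlong ? line_is_blank_overlong(mem, n) : line_is_blank(mem, n);
  free(mem);
  return blank;
}

int main(void)
{
  printf("n-1 length, guard 0xFF: blank=%d\n", check_with_guard(32, 0xFF, 0));
  printf("n   length, guard 0x00: blank=%d\n", check_with_guard(32, 0x00, 1));
  printf("n   length, guard 0xFF: blank=%d\n", check_with_guard(32, 0xFF, 1));
  return 0;
}
```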
