1.x: Fix NULL-pointer dereference when parsing %%PDFTOPDF comments (#644)

gnoack · web-flow · commit c3d2f07399da · 2025-07-10T22:31:02.000+02:00
* Fix null pointer dereference in %%PDFTOPDF* parsers

* %%PDFTOPDFCollate comment parsing: Increment p where needed

Without this, if strchr succeeds, p will point to a ':' character.
*p will therefore never be a whitespace in the subsequent loop,
or compare successfully against the "true" string.
diff --git a/filter/gstoraster.c b/filter/gstoraster.c
@@ -104,16 +104,21 @@ parse_pdf_header_options(FILE *fp, gs_page_header *h)
       char *p;
 
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }
diff --git a/filter/mupdftoraster.c b/filter/mupdftoraster.c
@@ -102,16 +102,21 @@ parse_pdf_header_options(FILE *fp, mupdf_page_header *h)
       char *p;
 
       p = strchr(buf+19,':');
-      h->NumCopies = atoi(p+1);
+      if (p) {
+        h->NumCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-        h->Collate = CUPS_TRUE;
-      } else {
-        h->Collate = CUPS_FALSE;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          h->Collate = CUPS_TRUE;
+        } else {
+          h->Collate = CUPS_FALSE;
+        }
       }
     }
   }
diff --git a/filter/pdftops.c b/filter/pdftops.c
@@ -138,25 +138,31 @@ static void parsePDFTOPDFComment(char *filename)
     if (strncmp(buf,"%%PDFTOPDFNumCopies",19) == 0) {
       char *p;
 
-      p = strchr(buf+19,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      strncpy(deviceCopies, p, sizeof(deviceCopies));
-      deviceCopies[sizeof(deviceCopies) - 1] = '\0';
-      p = deviceCopies + strlen(deviceCopies) - 1;
-      while (*p == ' ' || *p == '\t'  || *p == '\r'  || *p == '\n') p--;
-      *(p + 1) = '\0';
-      pdftopdfapplied = 1;
+      p = strchr(buf+19,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        strncpy(deviceCopies, p, sizeof(deviceCopies));
+        deviceCopies[sizeof(deviceCopies) - 1] = '\0';
+        p = deviceCopies + strlen(deviceCopies) - 1;
+        while (*p == ' ' || *p == '\t'  || *p == '\r'  || *p == '\n') p--;
+        *(p + 1) = '\0';
+        pdftopdfapplied = 1;
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
-      p = strchr(buf+17,':') + 1;
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-	deviceCollate = 1;
-      } else {
-	deviceCollate = 0;
+      p = strchr(buf+17,':');
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = 1;
+        } else {
+          deviceCollate = 0;
+        }
+        pdftopdfapplied = 1;
       }
-      pdftopdfapplied = 1;
     } else if (strcmp(buf,"% This file was generated by pdftopdf") == 0) {
       pdftopdfapplied = 1;
     }
diff --git a/filter/pdftoraster.cxx b/filter/pdftoraster.cxx
@@ -489,16 +489,21 @@ static void parsePDFTOPDFComment(FILE *fp)
       char *p;
 
       p = strchr(buf+19,':');
-      deviceCopies = atoi(p+1);
+      if (p) {
+        deviceCopies = atoi(p+1);
+      }
     } else if (strncmp(buf,"%%PDFTOPDFCollate",17) == 0) {
       char *p;
 
       p = strchr(buf+17,':');
-      while (*p == ' ' || *p == '\t') p++;
-      if (strncasecmp(p,"true",4) == 0) {
-	deviceCollate = true;
-      } else {
-	deviceCollate = false;
+      if (p) {
+        p++;
+        while (*p == ' ' || *p == '\t') p++;
+        if (strncasecmp(p,"true",4) == 0) {
+          deviceCollate = true;
+        } else {
+          deviceCollate = false;
+        }
       }
     }
   }
