Possible out-of-bounds write in printer panel
Area: Application
Message
Hello,
In gnome-control-center there is a possible out-of-bounds write of a null-byte in the code of the printer panel. In normalize the allocated size is twice the string size (excluding the terminating null-byte). The worst-case space requirement of the normalized string is twice the size of the original string plus a byte for the terminating null-byte. This fails for every string with single digits and single letters in alternation (especially the empty string).
--- gnome-control-center-43.6.orig/panels/printers/pp-utils.c
+++ gnome-control-center-43.6/panels/printers/pp-utils.c
@@ -119,7 +119,7 @@ normalize (const gchar *input_string)
g_autofree gchar *tmp = g_strstrip (g_ascii_strdown (input_string, -1));
if (tmp)
{
- g_autofree gchar *res = g_new (gchar, 2 * strlen (tmp));
+ g_autofree gchar *res = g_new (gchar, 2 * strlen (tmp) + 1);
for (i = 0; i < strlen (tmp); i++)
{
Edited by Jordan Petridis