[Printing-architecture] [patch] cups-1.7.0: stringpool corruption fix

Tim Waugh twaugh at redhat.com
Fri Nov 1 17:02:42 UTC 2013


There is a long-standing stringpool corruption issue in printers.c.

Attribute values are stored in the global stringpool (implemented in
cups/string.c), which is reference-counted storage for strings. Strings
are stored in a sorted, unique array (cups_array_t, implemented in
cups/array.c).

If the array is found to be unsorted, or a duplicate is found, the
underlying cups_array_t object switches into "non-unique" mode and
stores new strings by adding to the pool rather than incrementing the
reference count for an existing string (see the cups_array_add()
function).

The accessor functions for the stringpool return "char*" types, but
these are strings which must not be modified -- doing so will trigger
the behaviour described above.

In scheduler/printers.c, there are a couple of places which modify
attribute values in-place. Attached is a patch to fix them.

Tim.
*/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cups-stringpool-corruption.patch
Type: text/x-patch
Size: 1856 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/printing-architecture/attachments/20131101/c5083e88/attachment.bin>
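
The failure mode described in the message, as an added example: this is not CUPS code and not the attached patch. It is a simplified model in which `pool_search`, `pool_alloc`, `pool_free`, `demo` and the sample strings are all hypothetical. It models the lost ordering as a missed binary search, not the cups_array_t switch to "non-unique" mode, and contrasts an in-place edit of a pooled string with editing a private copy and swapping the pool entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model (not CUPS code): sorted, unique, refcounted strings. */
static struct { char *str; int refs; } pool[16];
static int pool_len;
/* Binary search: index if found, else -(insert position) - 1. */
static int pool_search(const char *s) {
    int lo = 0, hi = pool_len - 1;
    while (lo <= hi) {
        int mid = (lo + hi) / 2, c = strcmp(s, pool[mid].str);
        if (c == 0) return mid;
        if (c < 0) hi = mid - 1; else lo = mid + 1;
    }
    return -lo - 1;
}
/* Return the shared copy of s: bump the refcount or insert in order. */
static char *pool_alloc(const char *s) {
    int i = pool_search(s);
    if (i >= 0) { pool[i].refs++; return pool[i].str; }
    if (pool_len == 16) return NULL;                      /* pool full */
    i = -i - 1;
    memmove(&pool[i + 1], &pool[i], (pool_len++ - i) * sizeof(pool[0]));
    pool[i].refs = 1;
    return pool[i].str = strcpy(malloc(strlen(s) + 1), s);
}
/* Drop one reference; remove the entry when none remain. */
static void pool_free(const char *s) {
    int i = pool_search(s);
    if (i < 0 || --pool[i].refs > 0) return;
    free(pool[i].str);
    memmove(&pool[i], &pool[i + 1], (--pool_len - i) * sizeof(pool[0]));
}
/* Returns 1 if "draft" is still shared after "normal" becomes "Normal". */
static int demo(int in_place) {
    char buf[32], *d, *n;
    while (pool_len) free(pool[--pool_len].str);         /* start empty */
    d = pool_alloc("draft"); n = pool_alloc("normal"); pool_alloc("photo");
    if (in_place) n[0] = 'N';      /* bug: entry leaves its sorted slot */
    else {                         /* fix: edit a private copy, then swap */
        strcpy(buf, n); buf[0] = 'N';
        pool_free(n); pool_alloc(buf);
    }
    return pool_alloc("draft") == d;
}
int main(void) {
    int bad = demo(1), bad_len = pool_len, ok = demo(0);
    printf("in-place edit: shared=%d entries=%d\n", bad, bad_len);
    printf("copy and swap: shared=%d entries=%d\n", ok, pool_len);
}
```

After the in-place edit the lookup for "draft" misses and a second, unshared copy is added; with the copy-and-swap form the existing entry is found and only its reference count grows.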