Memory leak in PPD parser when processing duplicate JCLBegin/JCLEnd keywords #46

@OwenSanzas

Summary

A memory leak exists in the CUPS PPD parser (cups/ppd.c) when processing PPD files containing duplicate *JCLBegin or *JCLEnd keywords. Each duplicate keyword overwrites the pointer to the previously allocated value without freeing it, so that allocation is orphaned for the lifetime of the process; ppdClose() releases only the value stored last.

Discovery Method

  • Fuzzer: fuzz_ppd_gen_cache
  • Detection: AddressSanitizer + LeakSanitizer
  • Date: 2025-11-10

Vulnerability Details

Location

  • File: cups/ppd.c
  • Lines: 851 (JCLBegin), 856 (JCLEnd)
  • Function: _ppdOpen()

Root Cause

The parser calls strdup() to allocate a copy of the JCL keyword value and stores it in the ppd_file_t without freeing any value already held there:

// Line 850-853
else if (!strcmp(keyword, "JCLBegin"))
{
    ppd->jcl_begin = strdup(string);  // ❌ No free() before assignment
    ppd_decode(ppd->jcl_begin);
}

If a PPD file contains multiple *JCLBegin lines:

  1. First occurrence: strdup() allocates memory A, and the pointer is stored in ppd->jcl_begin
  2. Second occurrence: strdup() allocates memory B, and the pointer overwrites ppd->jcl_begin
  3. Memory A is orphaned and leaked: no pointer to it remains, so neither the parser nor ppdClose() can free it

Each additional duplicate leaks one more allocation. The same issue exists for *JCLEnd at line 856, where ppd->jcl_end is overwritten the same way.

LeakSanitizer Report

==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x5558f3468afa in strdup /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:596:3
    #1 0x5558f35267d2 in _ppdOpen /src/cups/cups/ppd.c:851:24
    #2 0x5558f3530e76 in _ppdOpenFile /src/cups/cups/ppd.c:2283:11
    #3 0x5558f34c65f7 in LLVMFuzzerTestOneInput /src/cups/ossfuzz/fuzz_ppd_gen_cache.c:289:23

SUMMARY: AddressSanitizer: 9 byte(s) leaked in 1 allocation(s).

Reproduction

Test Case

Fuzzer-generated input: leak-e4ef53d9b1772ff55e830f4060f2afb3c6a79270 (313 bytes)

Analysis shows the file contains two *JCLBegin keywords:

$ strings fuzzer_testcase.bin | grep JCLBegin
*JCLBegin:
*JCLBegin:

Minimal Reproducer

Create a PPD file with duplicate *JCLBegin:

*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*FileVersion: "1.0"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName: "LEAK.PPD"
*Manufacturer: "Test"
*Product: "(Test Printer)"
*ModelName: "Test Leak"
*ShortNickName: "Test"
*NickName: "Test Memory Leak"
*PSVersion: "(3010.000) 0"

*JCLBegin: "first_value"
*JCLBegin: "second_value"

*OpenUI *PageSize: PickOne
*DefaultPageSize: Letter
*PageSize Letter: ""
*CloseUI: *PageSize
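To make the leak observable without LeakSanitizer, the following added example (not CUPS code and not a proposed CUPS patch) parses a constructed, trimmed-down copy of the reproducer above through a minimal keyword parser that handles only *JCLBegin and *JCLEnd. It implements both the assignment pattern quoted in the root-cause section and a hardened variant that frees the previous value before storing the new one, and counts live strdup() results so the difference is visible after the equivalent of ppdClose(). The struct, the tracking counter, and the parser are assumptions for illustration; the actual ppd_file_t has many more fields.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subset of the ppd_file_t fields discussed in the report. */
typedef struct {
    char *jcl_begin;
    char *jcl_end;
} jcl_t;

/* Count live strdup() results so the leak is observable without LSan. */
static int live_allocs = 0;

static char *dup_tracked(const char *s) {
    char *p = strdup(s);
    if (p) live_allocs++;
    return p;
}

static void free_tracked(char *p) {
    if (p) { free(p); live_allocs--; }
}

/* Leaky pattern quoted in the report: assign without freeing the old value. */
static void set_jcl_leaky(char **slot, const char *value) {
    *slot = dup_tracked(value);
}

/* Hardened pattern: release the previous value before replacing it. */
static void set_jcl_fixed(char **slot, const char *value) {
    free_tracked(*slot);
    *slot = dup_tracked(value);
}

/* Extract the quoted value from a line like  *JCLBegin: "x"  (no decoding).
   Writes at most out_len-1 bytes. Returns 1 on success, 0 if no quoted value. */
static int quoted_value(const char *line, char *out, size_t out_len) {
    const char *open = strchr(line, '"');
    if (!open) return 0;
    const char *close = strchr(open + 1, '"');
    if (!close) return 0;
    size_t n = (size_t)(close - open - 1);
    if (n >= out_len) n = out_len - 1;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return 1;
}

/* Minimal line-oriented parser over a PPD held in memory. Only the two
   keywords under discussion are handled; every other line is skipped. */
static void parse_jcl(const char *ppd_text, jcl_t *jcl, int fixed) {
    const char *p = ppd_text;
    char line[512], value[256];
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(line)) len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char **slot = NULL;
        if (!strncmp(line, "*JCLBegin:", 10)) slot = &jcl->jcl_begin;
        else if (!strncmp(line, "*JCLEnd:", 8)) slot = &jcl->jcl_end;

        if (slot && quoted_value(line, value, sizeof(value))) {
            if (fixed) set_jcl_fixed(slot, value);
            else       set_jcl_leaky(slot, value);
        }
        if (!nl) break;
        p = nl + 1;
    }
}

/* Stand-in for the cleanup ppdClose() performs on these two fields. */
static void jcl_close(jcl_t *jcl) {
    free_tracked(jcl->jcl_begin);
    free_tracked(jcl->jcl_end);
    jcl->jcl_begin = jcl->jcl_end = NULL;
}

/* Constructed input: the duplicate-keyword lines from the reproducer. */
static const char *DUP_PPD =
    "*PPD-Adobe: \"4.3\"\n"
    "*JCLBegin: \"first_value\"\n"
    "*JCLBegin: \"second_value\"\n"
    "*JCLEnd: \"end\"\n";

/* Parse the sample, close, and return how many strdup'd blocks are still
   alive: the leaky variant orphans "first_value", the fixed variant nothing. */
int leaked_after_close(int fixed) {
    jcl_t jcl = {0};
    live_allocs = 0;
    parse_jcl(DUP_PPD, &jcl, fixed);
    jcl_close(&jcl);
    return live_allocs;
}

int main(void) {
    printf("leaky pattern: %d block(s) still allocated after close\n",
           leaked_after_close(0));
    printf("fixed pattern: %d block(s) still allocated after close\n",
           leaked_after_close(1));
    return 0;
}
```

Compiling this with `-fsanitize=address` and running the leaky variant alone reproduces the same "Direct leak ... allocated from strdup" shape as the report above; the hardened setter is what a fix in _ppdOpen() would amount to, although the exact change is for the CUPS maintainers to decide. Note that a duplicate keyword also changes parser output, not just memory use: the value that survives is the last one in the file.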
