[cups.bugs] [HIGH] STR #2388: cups should not create large chunks of memory on the stack

Joachim Wieland joe at mcknight.de
Sat May 19 03:34:16 PDT 2007



[STR New]

The problem showed up specifically in cups/ipp.c in both ippWriteIO() and
ippReadIO(). There, cups creates a buffer of 32 K on the stack. This
sounds like little in a world with a few gigs of RAM, but there are stack
limits and some operating systems set them to quite conservative values.
Even worse with pthreads, where every thread has another (normally
significantly smaller) stack limit.

We noticed this on a gnome application on OpenBSD that was linked against
the cups library. Clicking the print button made the application crash.

The pthreads stack limit was set to 64k per thread, and with quite a deep
stack backtrace of previous function calls and all their local variables,
cups hit the limit when requesting another 32k and the process was killed
by the operating system.

A library especially does not know in which circumstances it will be
executed later and should be conservative about its expectations regarding
system resources.

I append the patch that fixed that very problem, but this bug report is
rather meant as general advice not to put large data structures on the
stack.

Link: http://www.cups.org/str.php?L2388
Version: 1.1.23
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-cups_ipp_c
Type: application/octet-stream
Size: 18353 bytes
Desc: not available
URL: <https://lists.cups.org/pipermail/cups/attachments/20070519/9538f8a7/attachment.obj>
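The following is an added illustration of the pattern the report describes and of the fix it recommends; it is not CUPS code and not the attached patch. Only the two figures come from the report (a 32 KiB I/O buffer and a 64 KiB per-thread stack); the function names, the chunked "process a message through a buffer" routine and the sample message are constructed for this example. The "before" routine keeps its 32 KiB buffer on the stack and is only ever called from the main thread; the "after" routine takes the buffer from the heap and is run on a pthread whose stack is deliberately capped at 64 KiB after roughly 32 KiB of it has already been consumed by earlier frames.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Figures taken from the report: a 32 KiB I/O buffer and a 64 KiB per-thread
   stack. Everything else (names, the message format) is invented for this
   illustration and is not CUPS code. */
#define IPP_BUF_SIZE 32768
#define THREAD_STACK 65536
#define MSG_LEN      70000   /* constructed sample: larger than one buffer */

typedef struct {
    int           status;  /* 0 on success, -1 if no buffer could be obtained */
    unsigned long sum;     /* sum of all message bytes, used as a checksum */
    size_t        chunks;  /* number of buffer-sized chunks processed */
} ipp_result_t;

/* Constructed sample message: byte i holds (i & 0xff). */
const unsigned char *sample_message(void)
{
    static unsigned char msg[MSG_LEN];
    for (size_t i = 0; i < MSG_LEN; i++)
        msg[i] = (unsigned char)(i & 0xff);
    return msg;
}

/* Shared worker: push the message through the buffer one chunk at a time. */
static ipp_result_t process(unsigned char *buffer, const unsigned char *msg, size_t len)
{
    ipp_result_t r = {0, 0, 0};
    for (size_t off = 0; off < len; ) {
        size_t n = len - off;
        if (n > IPP_BUF_SIZE)
            n = IPP_BUF_SIZE;
        memcpy(buffer, msg + off, n);
        for (size_t i = 0; i < n; i++)
            r.sum += buffer[i];
        r.chunks++;
        off += n;
    }
    return r;
}

/* BEFORE: the pattern the report objects to. A 32 KiB frame is harmless on a
   main thread with a multi-megabyte stack, but it can exhaust a 64 KiB thread
   stack, so this version is only ever called from the main thread here. */
ipp_result_t ipp_write_stack(const unsigned char *msg, size_t len)
{
    unsigned char buffer[IPP_BUF_SIZE];
    return process(buffer, msg, len);
}

/* AFTER: the buffer comes from the heap, and allocation failure is reported
   through the status field instead of silently overrunning the stack. */
ipp_result_t ipp_write_heap(const unsigned char *msg, size_t len)
{
    ipp_result_t r = {-1, 0, 0};
    unsigned char *buffer = malloc(IPP_BUF_SIZE);
    if (buffer == NULL)
        return r;
    r = process(buffer, msg, len);
    free(buffer);
    return r;
}

/* Consume roughly `depth` KiB of stack to stand in for the "previous function
   calls and all their local variables" the report describes. */
static int burn_stack(int depth)
{
    volatile unsigned char pad[1024];
    pad[0] = (unsigned char)depth;
    if (depth <= 0)
        return pad[0];
    return burn_stack(depth - 1) + pad[0];
}

static void *worker(void *arg)
{
    ipp_result_t *out = arg;
    burn_stack(32);                        /* ~32 KiB of the 64 KiB already in use */
    *out = ipp_write_heap(sample_message(), MSG_LEN);
    return NULL;
}

/* Run the heap version on a thread whose stack is capped at 64 KiB. */
ipp_result_t run_in_small_stack_thread(void)
{
    ipp_result_t r = {-1, 0, 0};
    pthread_attr_t attr;
    pthread_t tid;

    if (pthread_attr_init(&attr) != 0)
        return r;
    if (pthread_attr_setstacksize(&attr, THREAD_STACK) == 0 &&
        pthread_create(&tid, &attr, worker, &r) == 0)
        pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    return r;
}

int main(void)
{
    ipp_result_t a = ipp_write_stack(sample_message(), MSG_LEN);
    ipp_result_t b = run_in_small_stack_thread();
    printf("main thread, stack buffer:  status=%d sum=%lu chunks=%zu\n", a.status, a.sum, a.chunks);
    printf("64 KiB thread, heap buffer: status=%d sum=%lu chunks=%zu\n", b.status, b.sum, b.chunks);
    return (a.status == 0 && b.status == 0 && a.sum == b.sum) ? 0 : 1;
}
```

Both paths produce the same checksum over the same three chunks. To reproduce the failure mode the report describes, swap `ipp_write_heap` for `ipp_write_stack` inside `worker`: the 32 KiB frame lands on top of the ~32 KiB already consumed, overruns the 64 KiB thread stack, and the process dies with a segmentation fault instead of returning a result. On glibc the library is built into libc in recent releases; with older toolchains compile with `-pthread`.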