[cups-devel] [UNKN] STR #4742: NULL dereference after failing to save job when unloading completed jobs

Fri Nov 20 03:48:35 PST 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

This bug appears to have been present for quite a long time.

When cupsdUnloadCompletedJobs() calls cupsdSaveJob(), it does not handle
failures correctly.

If saving the job fails (eg no space), job->dirty will remain set. However:

       if (job->dirty)
         cupsdSaveJob(job);

       unload_job(job);

unload_job() will be called regardless of whether the job is now dirty.
This later causes a NULL dereference when cupsdCleanDirty() calls
cupsdSaveJob() again.

I think the fix would be to only call unload_job(job) if the job is now not
dirty:

       if (job->dirty)
         cupsdSaveJob(job);

       if (!job->dirty)
         unload_job(job);

Link: https://www.cups.org/str.php?L4742
Version: 2.1-current
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJWTwiTAAoJENujp6sI12IjTGYQAIxXam9EIRRRMxw2OAL7kW2+
iwKjqPSNvkRZ6MLc2NQ7EqPJBwF+Ivj1MBHgiXnDMN0MKGOJxDc9MGlF8+PDU012
sRsGrFCKsiEO059aMmvNTNcurtkqX6rsyRt+qAjjkL0J9P50fLGU6Doit69fHMHO
QhwZ942n/fefq8IhYhOK1vY2BJSksC0AuN3kqx1QskSkierXRfDbMbwkI2+Llpas
7N/xY2Xrx+68a4Ut21ueTOkisIKFcgL/a+323ioQftnFN1IBoIW7H/irC+lkiOHQ
y9PbVk1aFeskzcNlsrTZC/4LV7UJMImeisU3lVvsTlemOtzg4iXvnxnnOlU5hcGf
PGYC3SBosl6t5l/4aSCg7lJr0D0b0VMp7Oceth3j5GyOmDghL0ZyreQOu/M80RR4
M2XIz3qn9G2XOMXLgr5hQObAOsTufZjnAP7RfGp2CFg/CXS1Abu5Xt5k4xody68e
sIgDNmXj9Vob0Zlob/f937TxwI64KkxkZwmy+oHHhXeAVxF/D5onihCSUqL3QPru
QWEM0w64+mPHqgvkO/kEqhj2jyUyTm3olGkyuOvsP5tKypL46hQRJs7nFqk9496a
I5TySPqrw34cazknqPSvMqTfSAsTaeyA/lfzG83wo5CrYdR6dpPModDDSuypcIE6
pj7IFoqdZ67Jh9YQFND3
=IHwM
-----END PGP SIGNATURE-----