Summary
The fuzzer fuzz_ppd_gen_conflicts.c incorrectly uses the cupsGetConflicts API by ignoring its return value, causing mismatched option count and pointer state when calling cupsResolveConflicts.
Problem
Line 38 ignores the return value:
cupsGetConflicts(ppd, "SampleOption", "SampleChoice", &options); // ❌ Return value ignored
cupsGetConflicts modifies *options and returns the new count, but the fuzzer continues using the old num_options value from line 31.
Consequence
- Passes mismatched num_options and *options to cupsResolveConflicts
- Before upstream fix (5b5f5c0d6): NULL pointer dereference crash
- After fix: Logic errors, cannot properly test conflict resolution
Correct Usage
From cups/testppd.c:
num_options = cupsGetConflicts(ppd, "InputSlot", "Envelope", &options);
Should capture and use the return value.
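To make the count/pointer coupling concrete, here is an added, self-contained illustration; it is not code from CUPS or from the fuzzer. The demo_* functions are stand-ins written for this example that copy the CUPS calling convention (cupsAddOption returns the new count; cupsGetConflicts replaces *options with a freshly built list of conflicting options and returns how many there are). The conflict table ("SampleChoice" conflicting with InputSlot=Envelope and Duplex=DuplexNoTumble) is constructed for the demo, and the hidden length prefix is demo plumbing that lets the example detect a stale count the way a sanitizer would, instead of reading past the array.

```c
/* Added example: why discarding cupsGetConflicts()'s return value leaves
 * num_options describing an array that no longer exists. All demo_* names
 * are invented here; they mirror the CUPS contract but are not CUPS code. */
#include <stdlib.h>
#include <string.h>

/* Same shape as cups_option_t: a name/value pair. */
typedef struct { char *name; char *value; } demo_option_t;

static char *demo_strdup(const char *s)
{
  size_t n = strlen(s) + 1;
  char *copy = malloc(n);
  if (copy) memcpy(copy, s, n);
  return copy;
}

/* Demo plumbing: every array carries a hidden size_t length in front of it,
 * so a (count, array) pair can be checked for consistency. CUPS does not do
 * this; a stale count there simply walks off the end of the array. */
static demo_option_t *demo_alloc(int n)
{
  size_t *hdr = malloc(sizeof(size_t) + sizeof(demo_option_t) * (size_t)n);
  hdr[0] = (size_t)n;
  return (demo_option_t *)(hdr + 1);
}

static size_t demo_true_length(const demo_option_t *options)
{
  return options ? ((const size_t *)options)[-1] : 0;
}

static void demo_free(demo_option_t *options, size_t n)
{
  if (!options) return;
  for (size_t i = 0; i < n; i++) { free(options[i].name); free(options[i].value); }
  free((size_t *)options - 1);
}

/* Mirrors cupsAddOption(): appends and returns the NEW count. */
static int demo_add_option(const char *name, const char *value,
                           int num_options, demo_option_t **options)
{
  demo_option_t *grown = demo_alloc(num_options + 1);
  if (num_options > 0)
    memcpy(grown, *options, sizeof(demo_option_t) * (size_t)num_options);
  grown[num_options].name  = demo_strdup(name);
  grown[num_options].value = demo_strdup(value);
  if (*options) free((size_t *)*options - 1);   /* strings were moved, not copied */
  *options = grown;
  return num_options + 1;
}

/* Mirrors cupsGetConflicts(): *options is reset and rebuilt as the list of
 * conflicting options; the return value is the number of conflicts.
 * The conflict rule below is constructed for the demo. */
static int demo_get_conflicts(const char *option, const char *choice,
                              demo_option_t **options)
{
  int n = 0;
  *options = NULL;
  if (strcmp(option, "SampleOption") == 0 && strcmp(choice, "SampleChoice") == 0) {
    n = demo_add_option("InputSlot", "Envelope", n, options);
    n = demo_add_option("Duplex", "DuplexNoTumble", n, options);
  }
  return n;
}

/* What a consumer such as cupsResolveConflicts() relies on: the count must
 * describe the array it is passed with. Returns 1 if coherent, 0 if stale. */
static int demo_pair_is_coherent(int num_options, const demo_option_t *options)
{
  return (size_t)num_options == demo_true_length(options);
}

/* The fuzzer's pattern as reported: count from the earlier cupsAddOption()
 * call is reused after cupsGetConflicts() has replaced the array. */
static int demo_ignoring_return_value(void)
{
  demo_option_t *options = NULL;
  int num_options = demo_add_option("PageSize", "A4", 0, &options);
  demo_option_t *old = options;                        /* about to be orphaned */
  demo_get_conflicts("SampleOption", "SampleChoice", &options); /* return ignored */
  int ok = demo_pair_is_coherent(num_options, options); /* 1 vs. 2 entries -> 0 */
  demo_free(old, 1);
  demo_free(options, demo_true_length(options));
  return ok;
}

/* The testppd.c pattern: capture the returned count. */
static int demo_capturing_return_value(void)
{
  demo_option_t *options = NULL;
  int num_options = demo_add_option("PageSize", "A4", 0, &options);
  demo_option_t *old = options;
  num_options = demo_get_conflicts("SampleOption", "SampleChoice", &options);
  int ok = demo_pair_is_coherent(num_options, options); /* 2 vs. 2 entries -> 1 */
  demo_free(old, 1);
  demo_free(options, (size_t)num_options);
  return ok;
}
```

The two trailing functions differ by one assignment, which is the whole fix: once the returned count is captured, num_options and *options again describe the same list and can be handed on together. The old list is kept in a local only so it can be freed; in the real API, cupsGetConflicts likewise overwrites *options, so a caller that wants to keep the earlier list must save it first.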
Reference
As noted by @michaelrsweet in GHSA-r4j5-9gvw-5h7q:
"your PoC code uses the cupsGetConflicts API incorrectly - it returns the number of conflicting options, but you are ignoring the return value."
This prevents proper fuzzing of CUPS conflict resolution logic.