
Memory leak in PPD parser when processing duplicate JCLBegin/JCLEnd keywords #46

@OwenSanzas

Description


Summary

A memory leak vulnerability exists in the CUPS PPD parser (cups/ppd.c) when processing PPD files containing duplicate *JCLBegin or *JCLEnd keywords. Each duplicate keyword causes the previously allocated memory to be orphaned and permanently leaked.

Discovery Method

  • Fuzzer: fuzz_ppd_gen_cache
  • Detection: AddressSanitizer + LeakSanitizer
  • Date: 2025-11-10

Vulnerability Details

Location

  • File: cups/ppd.c
  • Lines: 851 (JCLBegin), 856 (JCLEnd)
  • Function: _ppdOpen()

Root Cause

The parser calls strdup() to allocate memory for JCL keywords without freeing any previously allocated value:

// Line 850-853
else if (!strcmp(keyword, "JCLBegin"))
{
    ppd->jcl_begin = strdup(string);  // ❌ No free() before assignment
    ppd_decode(ppd->jcl_begin);
}

If a PPD file contains multiple *JCLBegin lines:

  1. First occurrence: Allocates memory A, assigns to ppd->jcl_begin
  2. Second occurrence: Allocates memory B, overwrites ppd->jcl_begin
  3. Memory A is orphaned and leaked (cannot be freed)

The same issue exists for *JCLEnd at line 856.

LeakSanitizer Report

==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 9 byte(s) in 1 object(s) allocated from:
    #0 0x5558f3468afa in strdup /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:596:3
    #1 0x5558f35267d2 in _ppdOpen /src/cups/cups/ppd.c:851:24
    #2 0x5558f3530e76 in _ppdOpenFile /src/cups/cups/ppd.c:2283:11
    #3 0x5558f34c65f7 in LLVMFuzzerTestOneInput /src/cups/ossfuzz/fuzz_ppd_gen_cache.c:289:23

SUMMARY: AddressSanitizer: 9 byte(s) leaked in 1 allocation(s).

Reproduction

Test Case

Fuzzer-generated input: leak-e4ef53d9b1772ff55e830f4060f2afb3c6a79270 (313 bytes)

Analysis shows the file contains two *JCLBegin keywords:

$ strings fuzzer_testcase.bin | grep JCLBegin
*JCLBegin:
*JCLBegin:

Minimal Reproducer

Create a PPD file with duplicate *JCLBegin:

*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*FileVersion: "1.0"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName: "LEAK.PPD"
*Manufacturer: "Test"
*Product: "(Test Printer)"
*ModelName: "Test Leak"
*ShortNickName: "Test"
*NickName: "Test Memory Leak"
*PSVersion: "(3010.000) 0"

*JCLBegin: "first_value"
*JCLBegin: "second_value"

*OpenUI *PageSize: PickOne
*DefaultPageSize: Letter
*PageSize Letter: ""
*CloseUI: *PageSize
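As an added illustration, not code from CUPS or from this report: a small PPD keyword scanner in which the only difference between the leaking and the fixed assignment is the free() before the overwrite, run over a constructed sample with the same duplicate *JCLBegin lines as the reproducer above. All type and function names (jcl_state, jcl_set, jcl_parse, leaked_after_parse, SAMPLE_PPD) are invented for this example.

```c
/* Added example, not CUPS code: a PPD keyword scanner that reproduces the
 * leaking assignment from the report beside the fixed form, counting live
 * strings so the difference is checkable without LSan. All names invented. */
#include <stdlib.h>
#include <string.h>
typedef struct { char *jcl_begin; char *jcl_end; } jcl_state;
static int live_allocs = 0;                /* allocations minus frees */
static char *counted_strdup(const char *s) /* counted strdup() equivalent */
{ size_t n = strlen(s) + 1; char *p = malloc(n);
  if (p) { memcpy(p, s, n); live_allocs++; } return p; }
static void counted_free(char *p) { if (p) { live_allocs--; free(p); } }
/* The reported bug is the missing free before the overwrite (cups/ppd.c
 * lines 851/856); leaky=1 reproduces it, leaky=0 is the fixed pattern. */
static void jcl_set(char **slot, const char *v, int leaky)
{ if (!leaky) counted_free(*slot); *slot = counted_strdup(v); }

/* Scan lines of the form *Keyword: "value". Returns the number of duplicate
 * JCLBegin/JCLEnd keywords seen, which a hardened parser could log or reject. */
static int jcl_parse(const char *ppd, jcl_state *st, int leaky)
{
  int dups = 0; char line[256];
  for (const char *p = ppd; *p; ) {
    size_t n = strcspn(p, "\n");
    if (n >= sizeof(line)) n = sizeof(line) - 1;   /* truncate overlong lines */
    memcpy(line, p, n); line[n] = '\0';
    p += n; if (*p == '\n') p++;
    char *q = strchr(line, '"'), *e = q ? strrchr(line, '"') : NULL;
    if (!q || e == q) continue;            /* no quoted value on this line */
    *e = '\0';
    char **slot = NULL;
    if (!strncmp(line, "*JCLBegin:", 10)) slot = &st->jcl_begin;
    else if (!strncmp(line, "*JCLEnd:", 8)) slot = &st->jcl_end;
    if (!slot) continue;
    if (*slot) dups++;                     /* duplicate keyword: old value replaced */
    jcl_set(slot, q + 1, leaky);
  }
  return dups;
}

/* Constructed sample mirroring the minimal reproducer: two *JCLBegin lines. */
static const char SAMPLE_PPD[] = "*PPD-Adobe: \"4.3\"\n*JCLBegin: \"first_value\"\n"
                                 "*JCLBegin: \"second_value\"\n*JCLEnd: \"@PJL EOJ\"\n";
/* Parse SAMPLE_PPD, free the state, report how many strings stayed live. */
static int leaked_after_parse(int leaky)
{
  int before = live_allocs; jcl_state st = { NULL, NULL };
  jcl_parse(SAMPLE_PPD, &st, leaky);
  counted_free(st.jcl_begin); counted_free(st.jcl_end);
  return live_allocs - before;             /* 0 when fixed, 1 when leaky */
}
```

With the leaky path the orphaned "first_value" string is the one live allocation left after the state is released, which is the same object LeakSanitizer reports above.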
