UPDATE: root cause identified — this is NOT a LibreOffice bug, it is a heap
buffer overflow inside libcups (CUPS) triggered while parsing a large
printer PPD. LibreOffice only happens to be the trigger because it builds
the default-printer object (and reads its PPD via libcups) every time a
document is opened.

Environment:
- Ubuntu 24.04 (noble), amd64
- libcups2t64 2.4.7-1.2ubuntu7.13  (regression appeared with the .9 -> .13
  security update on 2026-05-29; symptom: any ZIP-based document open crashes
  with "corrupted size vs. prev_size")
- glibc 2.39-0ubuntu8.7  (glibc only DETECTS the corruption; it is not the cause)
- Default printer PPD: Konica Minolta bizhub C224e, classic driver, ~741 KB PPD.
  The SAME printer added as driverless/IPP (≈31 KB PPD) does NOT trigger the bug.

Proof (valgrind memcheck; the conversion succeeds under valgrind because the
different heap layout hides the crash, but memcheck catches the overflow):

  Invalid write of size 2 / size 8
    at  _cupsRasterAddError      (libcups.so.2)
    by  _cupsRasterExecPS        (libcups.so.2)
    by  _ppdCacheAssignPresets   (libcups.so.2)
    by  _ppdCacheCreateWithPPD   (libcups.so.2)
    by  ... (libreoffice) psp::JobData::operator=, Printer::Printer(),
        SfxPrinter::SfxPrinter(), ScDocShell::Load ...
  Address 0x... is 3,179 bytes inside a block of size 3,180 alloc'd
    (block alloc'd by realloc in _cupsRasterAddError)

So libcups writes 1+ byte past the end of a 3,180-byte buffer while running
_cupsRasterExecPS on this PPD, corrupting the heap.

Reproduce:
  libreoffice --headless --convert-to pdf <any.ods>      # crashes
  SAL_DISABLE_CUPS=true libreoffice --headless --convert-to pdf <any.ods>  # OK
  (or set a small/driverless PPD as default printer -> OK)

Please reassign / fix in the cups source package (_cupsRasterExecPS /
_cupsRasterAddError in cups/raster-error.c / ppd-cache.c).
Full valgrind log attached.

** Attachment added: "valgrind_cups_stack_anon.log"
   
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/2156339/+attachment/5976729/+files/valgrind_cups_stack_anon.log

https://bugs.launchpad.net/bugs/2156339

Title:
  LibreOffice 24.2.7-0ubuntu0.24.04.5 crashes (heap corruption) when
  opening any ZIP-based document (ODF/OOXML)
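Editor's note, added here and not part of the bug report or of the CUPS source: the
memcheck line "Address ... is 3,179 bytes inside a block of size 3,180" together
with "Invalid write of size 2" is what pins the overrun to exactly one byte past the
end of the realloc'd block (3179 + 2 - 3180 = 1). The C below shows that arithmetic
as a function, plus the classic growable-string-buffer mistake that produces exactly
this signature (sizing the block for the text but not the NUL terminator) next to a
correctly sized append. All names (overrun_bytes, errbuf_t, errbuf_append,
buggy_capacity, demo_roundtrip) and the buggy pattern are hypothetical illustrations
of the bug class; nothing here claims this is how _cupsRasterAddError is written.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Editor's illustration; hypothetical names, not CUPS source. */

/* How many bytes a store spills past the end of a heap block, from the numbers
 * memcheck prints: "Invalid write of size S" and "Address ... is O bytes inside
 * a block of size N". The report above has O=3179, S=2, N=3180, so the store
 * covers bytes 3179..3180 and byte 3180 is 1 past the end. 0 = fully in bounds. */
long overrun_bytes(long offset_in_block, long write_size, long block_size)
{
    long end = offset_in_block + write_size;
    return end > block_size ? end - block_size : 0;
}

/* Capacity a growable C-string buffer needs to append n more bytes:
 * existing text + n + the NUL terminator. */
size_t needed_capacity(size_t len, size_t n)
{
    return len + n + 1;
}

/* The classic mistake: size the block for the text only, so the NUL store
 * after the copy lands exactly one byte past the end. Hypothetical pattern
 * used to explain the memcheck arithmetic, not a claim about the CUPS code. */
size_t buggy_capacity(size_t len, size_t n)
{
    return len + n;
}

/* Where the 1-byte terminator store at index len+n lands for a block of
 * size cap: 0 = in bounds, 1 = one byte past the end. */
long terminator_overrun(size_t len, size_t n, size_t cap)
{
    return overrun_bytes((long)(len + n), 1, (long)cap);
}

typedef struct {
    char  *data;
    size_t len;   /* bytes of text, excluding the NUL */
    size_t cap;   /* bytes allocated */
} errbuf_t;

/* Append s to b, growing with realloc. Returns 0 on success, -1 on size
 * overflow or allocation failure; on failure b is left unchanged. */
int errbuf_append(errbuf_t *b, const char *s)
{
    size_t n = strlen(s);
    if (n > SIZE_MAX - b->len - 1)
        return -1;                          /* len + n + 1 would wrap */
    size_t need = needed_capacity(b->len, n);
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 64;
        while (cap < need) {
            if (cap > SIZE_MAX / 2) { cap = need; break; }
            cap *= 2;
        }
        char *p = realloc(b->data, cap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = cap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    b->data[b->len] = '\0';                 /* index len <= cap - 1: in bounds */
    return 0;
}

void errbuf_free(errbuf_t *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Round trip used by the checks: appends enough text to force several
 * reallocs and returns the final length, or -1 on failure or if len, cap
 * and the terminator position disagree. Message text is constructed. */
long demo_roundtrip(void)
{
    errbuf_t b = { NULL, 0, 0 };
    for (int i = 0; i < 200; i++) {
        if (errbuf_append(&b, "PPD parse error line ") != 0) {   /* 21 bytes */
            errbuf_free(&b);
            return -1;
        }
    }
    int ok = b.len == 200 * 21 && b.cap > b.len && b.data[b.len] == '\0'
             && terminator_overrun(b.len, 0, b.cap) == 0;
    long len = ok ? (long)b.len : -1;
    errbuf_free(&b);
    return len;
}
```

To read a memcheck report the same way by hand: offset + write size - block size
gives the number of bytes past the end, and a positive result with an offset equal
to block size minus one is the fingerprint of a missing "+ 1" in the size
computation feeding realloc.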

