From 1ff68ff3fd09bd242c5297aaab6eed2ef55d7b9a Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@qt.io>
Date: Thu, 14 Nov 2024 14:53:08 +0100
Subject: [PATCH] QCupsPrintEngine::setProperty(): defend against malformed
 PPK_CupsOptions values

The QCupsPrintEnginePrivate::closePrintDevice() function expects the
cupsOptions string-list to have an even number of elements, because it
iterates in steps of two and doesn't check the size of the container
while in-between steps.

Print a qWarning() in setProperty() when the option value string-list
has an odd number of elements in it, and append an empty entry to
maintain the expected format for closePrintDevice(). This is the
least-intrusive way to fix the problem, hopefully defining previously
undefined behavior without other user-visible effects.

Amends f70924e9ccc016b979bc74bba156600639184be7, which, however, may
have merely moved the code around.

[ChangeLog][QtPrintSupport][QCupsPrintEngine] Fixed a bug where setting
a value string-list with an odd number of elements as the
PPK_CupsOptions value would read uninitialized data.

Pick-to: 6.5 6.2 5.15
Change-Id: I38ed8de6da00f17fa8fe9138d54db3699943f3b1
Reviewed-by: Ahmad Samir <a.samirh78@gmail.com>
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>
(cherry picked from commit 7ae959e00ae4385215ab8bde0781255f36b8bd59)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/plugins/printsupport/cups/qcupsprintengine.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/plugins/printsupport/cups/qcupsprintengine.cpp b/src/plugins/printsupport/cups/qcupsprintengine.cpp
index 6c50c11c0f7..c38f163694b 100644
--- a/src/plugins/printsupport/cups/qcupsprintengine.cpp
+++ b/src/plugins/printsupport/cups/qcupsprintengine.cpp
@@ -64,6 +64,12 @@ void QCupsPrintEngine::setProperty(PrintEnginePropertyKey key, const QVariant &v
         break;
     case PPK_CupsOptions:
         d->cupsOptions = value.toStringList();
+        if (d->cupsOptions.size() % 2 == 1) {
+            qWarning("%s: malformed value for key = PPK_CupsOptions "
+                     "(odd number of elements in the string-list; "
+                     "appending an empty entry)", Q_FUNC_INFO);
+            d->cupsOptions.emplace_back();
+        }
         break;
     case PPK_QPageSize:
         d->setPageSize(qvariant_cast<QPageSize>(value));
@@ -212,6 +218,7 @@ void QCupsPrintEnginePrivate::closePrintDevice()
             options.append(QPair<QByteArray, QByteArray>("landscape", ""));
 
         QStringList::const_iterator it = cupsOptions.constBegin();
+        Q_ASSERT(cupsOptions.size() % 2 == 0);
         while (it != cupsOptions.constEnd()) {
             options.append(QPair<QByteArray, QByteArray>((*it).toLocal8Bit(), (*(it+1)).toLocal8Bit()));
             it += 2;