{"id":"CVE-2025-64503","summary":"[BIGSLEEP-434615384] cups-filters 1.x: out of bounds write in pdftoraster","details":"cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. In cups-filters prior to 1.28.18, by crafting a PDF file with a large `MediaBox` value, an attacker can cause cups-filters 1.x’s `pdftoraster` tool to write beyond the bounds of an array. First, a PDF with a large `MediaBox` width value causes `header.cupsWidth` to become large. Next, the calculation of `bytesPerLine = (header.cupsBitsPerPixel * header.cupsWidth + 7) / 8` overflows, resulting in a small value. Then, `lineBuf` is allocated with the small `bytesPerLine` size. Finally, `convertLineChunked` calls `writePixel8`, which attempts to write to `lineBuf` outside of its buffer size (out of bounds write). In libcupsfilters, the maintainers found the same `bytesPerLine` multiplication without an overflow check, but the provided test case does not cause an overflow there, because the values are different.
Commit 50d94ca0f2fa6177613c97c59791bde568631865 contains a patch, which is incorporated into cups-filters version 1.28.18.","aliases":["GHSA-893j-2wr2-wrh9"],"modified":"2026-04-02T12:59:23.105801Z","published":"2025-11-12T22:04:03.750Z","related":["MGASA-2025-0304","SUSE-SU-2025:4158-1","SUSE-SU-2025:4198-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64503.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-787"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/11/12/2"},{"type":"WEB","url":"https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1620"},{"type":"WEB","url":"https://github.com/OpenPrinting/cups-filters/blob/aea8d0db017e495b0204433ebdb0e86b4871094c/filter/pdftoraster.cxx#L1880"},{"type":"WEB","url":"https://github.com/OpenPrinting/libcupsfilters/blob/1dd86d835b27ed149b66aee1a4853d1db8a1f44c/cupsfilters/pdftoraster.cxx#L1790"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64503.json"},{"type":"ADVISORY","url":"https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-893j-2wr2-wrh9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64503"},{"type":"FIX","url":"https://github.com/OpenPrinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openprinting/cups-filters","events":[{"introduced":"0"},{"fixed":"50d94ca0f2fa6177613c97c59791bde568631865"}]}],"versions":["1.28.0","1.28.1","1.28.10","1.28.11","1.28.12","1.28.13","1.28.14","1.28.15","1.28.16","1.28.17","1.28.2","1.28.3","1.28.4","1.28.5","1.28.6","1.28.7","1.28.8","1.28.9","2.0.0","2.0.1","2.0b1","2.0b2","2.0b3","2.0rc1","2.0rc2","release-1-0","release-1-0-1","release-1-0-10","release-1-0-11","release-1-0-12","release-1-0-13","release-1-0-14","release-1-0-15","release-1-0
-16","release-1-0-17","release-1-0-18","release-1-0-19","release-1-0-2","release-1-0-20","release-1-0-21","release-1-0-22","release-1-0-23","release-1-0-24","release-1-0-25","release-1-0-26","release-1-0-27","release-1-0-28","release-1-0-29","release-1-0-3","release-1-0-30","release-1-0-31","release-1-0-32","release-1-0-33","release-1-0-34","release-1-0-35","release-1-0-36","release-1-0-37","release-1-0-38","release-1-0-39","release-1-0-4","release-1-0-40","release-1-0-41","release-1-0-42","release-1-0-43","release-1-0-44","release-1-0-45","release-1-0-46","release-1-0-47","release-1-0-48","release-1-0-49","release-1-0-5","release-1-0-50","release-1-0-51","release-1-0-52","release-1-0-53","release-1-0-54","release-1-0-55","release-1-0-56","release-1-0-57","release-1-0-58","release-1-0-59","release-1-0-6","release-1-0-60","release-1-0-61","release-1-0-62","release-1-0-63","release-1-0-65","release-1-0-66","release-1-0-67","release-1-0-68","release-1-0-69","release-1-0-7","release-1-0-70","release-1-0-71","release-1-0-72","release-1-0-73","release-1-0-74","release-1-0-75","release-1-0-76","release-1-0-8","release-1-0-9","release-1-0-b1","release-1-1-0","release-1-10-0","release-1-11-0","release-1-11-1","release-1-11-2","release-1-11-3","release-1-11-4","release-1-11-5","release-1-11-6","release-1-12-0","release-1-13-0","release-1-13-1","release-1-13-2","release-1-13-3","release-1-13-4","release-1-13-5","release-1-14-0","release-1-14-1","release-1-15-0","release-1-16-0","release-1-16-1","release-1-16-2","release-1-16-3","release-1-16-4","release-1-17-1","release-1-17-2","release-1-17-3","release-1-17-4","release-1-17-5","release-1-17-6","release-1-17-7","release-1-17-8","release-1-17-9","release-1-17.0","release-1-18-0","release-1-19-0","release-1-2-0","release-1-20-0","release-1-20-1","release-1-20-2","release-1-20-3","release-1-20-4","release-1-21-0","release-1-21-1","release-1-21-2","release-1-21-3","release-1-21-4","release-1-21-5","release-1-21-6","release-1-22-0"
,"release-1-22-1","release-1-22-2","release-1-22-3","release-1-22-4","release-1-22-5","release-1-22-6","release-1-23-0","release-1-24-0","release-1-25-0","release-1-25-1","release-1-25-10","release-1-25-11","release-1-25-12","release-1-25-13","release-1-25-2","release-1-25-3","release-1-25-4","release-1-25-5","release-1-25-6","release-1-25-7","release-1-25-8","release-1-25-9","release-1-26-0","release-1-26-1","release-1-26-2","release-1-27-0","release-1-27-1","release-1-27-2","release-1-27-3","release-1-27-4","release-1-27-5","release-1-3-0","release-1-4-0","release-1-5-0","release-1-6-0","release-1-7-0","release-1-8-0","release-1-8-1","release-1-8-2","release-1-8-3","release-1-9-0","v1.17.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.28.18"}]},{"events":[{"introduced":"2.0.0"},{"fixed":"2.1.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64503.json","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["2674399562555427555088079556352570617","316120524088338667775162293151910693371","31798786040038801316455358998125528881","40088510344291631868444126089824812196"]},"id":"CVE-2025-64503-0555d5dd","deprecated":false,"target":{"file":"filter/pdftoraster.cxx"},"source":"https://github.com/openprinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865","signature_version":"v1","signature_type":"Line"},{"digest":{"length":6278,"function_hash":"233127756968417408943711359110293010394"},"id":"CVE-2025-64503-b29c8757","deprecated":false,"target":{"function":"outPage","file":"filter/pdftoraster.cxx"},"source":"https://github.com/openprinting/cups-filters/commit/50d94ca0f2fa6177613c97c59791bde568631865","signature_version":"v1","signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}