Bug 694133

Summary: Seg faults found by fuzzing in cmd_write_pseudo_band (gxclutil.c:235)
Product: Ghostscript Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: Fuzzing Assignee: Ray Johnston <ray.johnston>
Status: RESOLVED WORKSFORME    
Severity: normal Keywords: bountiable
Priority: P4    
Version: 9.07   
Hardware: PC   
OS: Linux   
Customer: Word Size: 64
Attachments: log.txt

Description Marcos H. Woehrmann 2013-05-27 18:13:56 UTC
Created attachment 9767: log.txt

Seg faults in the 64 bit build of ghostscript were found by fuzzing in cmd_write_pseudo_band (gxclutil.c:235) while reading these files. See the attached log.txt for details.

1070.pdf.SIGSEGV.7cc.81.cups.300.1
1070.pdf.SIGSEGV.7cc.81.pbmraw.300.1
1070.pdf.SIGSEGV.7cc.81.pgmraw.300.1
1070.pdf.SIGSEGV.7cc.81.pkmraw.300.1
1070.pdf.SIGSEGV.7cc.81.ppmraw.300.1
1070.pdf.SIGSEGV.7cc.81.psdcmyk.300.1
1070.pdf.SIGSEGV.90d.81.cups.300.1
1070.pdf.SIGSEGV.90d.81.pbmraw.300.1
1070.pdf.SIGSEGV.90d.81.pgmraw.300.1
1070.pdf.SIGSEGV.90d.81.pkmraw.300.1
1070.pdf.SIGSEGV.90d.81.ppmraw.300.1
1070.pdf.SIGSEGV.90d.81.psdcmyk.300.1
2539.pdf.asan.37.1712.pgmraw.300.1
2539.pdf.asan.37.1712.ppmraw.300.1
2639.pdf.SIGSEGV.91a.1823.pkmraw.300.1
2664.pdf.asan.50.1852.cups.300.1
3071.pdf.asan.4e.2304.cups.300.1
3071.pdf.asan.4e.2304.pgmraw.300.1
3071.pdf.asan.4e.2304.ppmraw.300.1
3071.pdf.asan.4e.2304.psdcmyk.300.1
3271.pdf.SIGSEGV.171.2526.pbmraw.300.1
3271.pdf.SIGSEGV.171.2526.pgmraw.300.1
3271.pdf.SIGSEGV.171.2526.pkmraw.300.1
3271.pdf.SIGSEGV.171.2526.ppmraw.300.1
3271.pdf.SIGSEGV.171.2526.psdcmyk.300.1
3271.pdf.SIGSEGV.1fb.2526.cups.300.1
3271.pdf.SIGSEGV.1fb.2526.pbmraw.300.1
3271.pdf.SIGSEGV.1fb.2526.pgmraw.300.1
3271.pdf.SIGSEGV.1fb.2526.pkmraw.300.1
3271.pdf.SIGSEGV.1fb.2526.ppmraw.300.1
3271.pdf.SIGSEGV.1fb.2526.psdcmyk.300.1
3271.pdf.SIGSEGV.204.2526.pbmraw.300.1
3271.pdf.SIGSEGV.204.2526.pgmraw.300.1
3271.pdf.SIGSEGV.204.2526.pkmraw.300.1
3271.pdf.SIGSEGV.204.2526.ppmraw.300.1
3271.pdf.SIGSEGV.204.2526.psdcmyk.300.1
3271.pdf.SIGSEGV.ee.2526.cups.300.1
3271.pdf.SIGSEGV.ee.2526.pbmraw.300.1
3271.pdf.SIGSEGV.ee.2526.pgmraw.300.1
3271.pdf.SIGSEGV.ee.2526.pkmraw.300.1
3271.pdf.SIGSEGV.ee.2526.ppmraw.300.1
3271.pdf.SIGSEGV.ee.2526.psdcmyk.300.1
3271.pdf.asan.18.2526.cups.300.1
3271.pdf.asan.18.2526.pbmraw.300.1
3271.pdf.asan.18.2526.pgmraw.300.1
3271.pdf.asan.18.2526.pkmraw.300.1
3271.pdf.asan.18.2526.ppmraw.300.1
3271.pdf.asan.4f.2526.cups.300.1
3271.pdf.asan.4f.2526.pbmraw.300.1
3271.pdf.asan.4f.2526.pgmraw.300.1
3271.pdf.asan.4f.2526.pkmraw.300.1
3271.pdf.asan.4f.2526.psdcmyk.300.1
3476.pdf.SIGSEGV.77.2753.cups.300.1
3476.pdf.SIGSEGV.77.2753.pbmraw.300.1
3476.pdf.SIGSEGV.77.2753.pgmraw.300.1
3476.pdf.SIGSEGV.77.2753.pkmraw.300.1
3476.pdf.SIGSEGV.77.2753.ppmraw.300.1
3476.pdf.SIGSEGV.77.2753.psdcmyk.300.1
3523.pdf.asan.75.2806.cups.300.1
3523.pdf.asan.75.2806.pbmraw.300.1
3523.pdf.asan.75.2806.pgmraw.300.1
3523.pdf.asan.75.2806.pkmraw.300.1
3523.pdf.asan.75.2806.ppmraw.300.1
3523.pdf.asan.75.2806.psdcmyk.300.1
3622.pdf.asan.2f.2916.cups.300.1
3622.pdf.asan.2f.2916.pbmraw.300.1
3622.pdf.asan.2f.2916.pgmraw.300.1
3622.pdf.asan.2f.2916.pkmraw.300.1
3622.pdf.asan.2f.2916.ppmraw.300.1
3622.pdf.asan.2f.2916.psdcmyk.300.1
3792.pdf.SIGSEGV.c5.3104.cups.300.1
3792.pdf.SIGSEGV.c5.3104.pbmraw.300.1
3792.pdf.SIGSEGV.c5.3104.pgmraw.300.1
3792.pdf.SIGSEGV.c5.3104.pkmraw.300.1
3792.pdf.SIGSEGV.c5.3104.ppmraw.300.1
3794.pdf.asan.77.3106.cups.300.1
3794.pdf.asan.77.3106.pbmraw.300.1
3794.pdf.asan.77.3106.pgmraw.300.1
3794.pdf.asan.77.3106.pkmraw.300.1
3794.pdf.asan.77.3106.ppmraw.300.1
3794.pdf.asan.77.3106.psdcmyk.300.1
3830.pdf.asan.4e.3147.cups.300.1
3830.pdf.asan.4e.3147.pbmraw.300.1
3830.pdf.asan.4e.3147.pgmraw.300.1
3830.pdf.asan.4e.3147.pkmraw.300.1
3830.pdf.asan.4e.3147.ppmraw.300.1
3830.pdf.asan.4e.3147.psdcmyk.300.1
3869.pdf.asan.5f.3189.cups.300.1
3869.pdf.asan.5f.3189.pbmraw.300.1
3869.pdf.asan.5f.3189.pgmraw.300.1
3869.pdf.asan.5f.3189.pkmraw.300.1
3869.pdf.asan.5f.3189.ppmraw.300.0
3869.pdf.asan.5f.3189.ppmraw.300.1
3869.pdf.asan.5f.3189.psdcmyk.300.1
4035.pdf.asan.3f.3375.cups.300.1
4035.pdf.asan.3f.3375.pbmraw.300.1
4035.pdf.asan.3f.3375.pgmraw.300.1
4035.pdf.asan.3f.3375.pkmraw.300.1
4035.pdf.asan.3f.3375.ppmraw.300.0
4035.pdf.asan.3f.3375.ppmraw.300.1
4035.pdf.asan.3f.3375.psdcmyk.300.1
4149.pdf.asan.48.3501.cups.300.1
451.pdf.asan.48.3723.cups.300.1
451.pdf.asan.48.3723.ppmraw.300.1
610.pdf.SIGSEGV.1a8.3900.cups.300.1
610.pdf.SIGSEGV.1a8.3900.pbmraw.300.1
610.pdf.SIGSEGV.1a8.3900.pgmraw.300.1
610.pdf.SIGSEGV.1a8.3900.pkmraw.300.1
610.pdf.SIGSEGV.1a8.3900.ppmraw.300.1
610.pdf.SIGSEGV.1a8.3900.psdcmyk.300.1
776.pdf.SIGSEGV.8ba.4083.cups.300.1
776.pdf.SIGSEGV.8ba.4083.pbmraw.300.1
776.pdf.SIGSEGV.8ba.4083.pgmraw.300.1
776.pdf.SIGSEGV.8ba.4083.pkmraw.300.1
776.pdf.SIGSEGV.8ba.4083.ppmraw.300.1
776.pdf.SIGSEGV.8ba.4083.psdcmyk.300.1
Comment 1 Henry Stiles 2013-06-09 18:35:55 UTC
These problems are Bountiable to Shelly and Simon (only) under the arrangement we set up previously for jbig2 and jpeg 2000 problems. If you two can divide them fairly, that's great; if not, I'll review them and assign them. Let me know.
Comment 2 Ray Johnston 2013-09-19 10:44:42 UTC
I think these have been fixed (possibly by openjpeg fixes, since there were many openjpeg warnings from the debug build).

1070.pdf.SIGSEGV.7cc.81
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
2639.pdf.SIGSEGV.91a.1823
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
2664.pdf.asan.50.1852
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3071.pdf.asan.4e.2304
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3271.pdf.SIGSEGV.171.2526
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3476.pdf.SIGSEGV.77.2753
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3622.pdf.asan.2f.2916
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3794.pdf.asan.77.3106
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3830.pdf.asan.4e.3147
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
3869.pdf.asan.5f.3189
   No errors seen on page 1, page 2 took > 10 minutes, so I killed it.
4035.pdf.asan.3f.3375
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)
451.pdf.asan.48.3723
   ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 8 from 6)

These get UMR (but no SEGFAULT):
2539.pdf.asan.37.1712
   ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 8 from 6)
3523.pdf.asan.75.2806
   ERROR SUMMARY: 25 errors from 3 contexts (suppressed: 8 from 6)
4149.pdf.asan.48.3501
   ERROR SUMMARY: 5 errors from 3 contexts (suppressed: 8 from 6)
776.pdf.SIGSEGV.8ba.4083
   ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 8 from 6) openjpeg

These still get a segfault:
3792.pdf.SIGSEGV.c5.3104 SEGFAULT in pdf14_pop_transparency_group
610.pdf.SIGSEGV.1a8.3900 SEGFAULT in do_validate_chunk
Comment 3 Marcos H. Woehrmann 2015-11-11 09:05:37 UTC
As of e174b0553e6e2d3bb641cbede1187dfe7979ae86 these files no longer segfault.