I have a file that causes a buffer overflow on some friend's 8.62 running on a distro package built with fortify bounds checking. The file displays without problems on my local system (8.63 without fortify), runs through distiller, etc. Can I attach or post the file in question? The fortify dump reads:
*** buffer overflow detected ***: gs terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xb73024c8]
/lib/libc.so.6[0xb7300500]
/lib/libc.so.6[0xb72ffb88]
/lib/libc.so.6(_IO_default_xsputn+0xa0)[0xb72895e0]
/lib/libc.so.6(_IO_vfprintf+0xf72)[0xb725de52]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0xb72ffc37]
/lib/libc.so.6(__sprintf_chk+0x2d)[0xb72ffb7d]
/usr/lib/libgs.so.8(pdf_base_font_alloc+0x324)[0xb77e2734]
/usr/lib/libgs.so.8(pdf_font_descriptor_alloc+0x7d)[0xb77e4cad]
/usr/lib/libgs.so.8[0xb77eff22]
/usr/lib/libgs.so.8[0xb77f0ba5]
/usr/lib/libgs.so.8(pdf_obtain_font_resource+0xa8)[0xb77f1318]
/usr/lib/libgs.so.8[0xb77e73ca]
/usr/lib/libgs.so.8(process_plain_text+0xf5)[0xb77e8575]
/usr/lib/libgs.so.8[0xb77f2738]
/usr/lib/libgs.so.8(gs_text_process+0x12)[0xb786b6c2]
/usr/lib/libgs.so.8(op_show_continue_pop+0x2b)[0xb75e4e6b]
/usr/lib/libgs.so.8[0xb75e51c1]
/usr/lib/libgs.so.8[0xb75c2f4a]
/usr/lib/libgs.so.8(gs_interpret+0x191)[0xb75c4181]
/usr/lib/libgs.so.8(gs_main_run_string_end+0x58)[0xb75b78c8]
/usr/lib/libgs.so.8(gs_main_run_string_with_length+0x92)[0xb75b7d02]
/usr/lib/libgs.so.8(gs_main_run_string+0x4a)[0xb75b7d5a]
/usr/lib/libgs.so.8[0xb75b8b53]
/usr/lib/libgs.so.8[0xb75b93d9]
/usr/lib/libgs.so.8[0xb75b968a]
/usr/lib/libgs.so.8(gs_main_init_with_args+0x4e2)[0xb75bb382]
/usr/lib/libgs.so.8(gsapi_init_with_args+0x3e)[0xb75bc42e]
gs(main+0xcf)[0x80489cf]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb72355f5]
gs[0x8048861]
Please attach the file using the "Create a New Attachment" link in the bug form (http://bugs.ghostscript.com/attachment.cgi?bugid=690211&action=enter) If you don't wish to share the file, you are welcome to "Edit" the attachment after uploading it to mark it "Private" in which case only Artifex Software staff will be able to access the file, and we will treat it as confidential.
Created attachment 4668: problem_case
Created attachment 4669: patch
There's indeed a buffer overflow caused by an incorrect calculation of the buffer size. The patch allocates sufficient buffer for the worst case.
The patch is committed as rev. 3904. Regression testing shows no differences. Running our regression testing with -D_FORTIFY_SOURCE=2 reports no other errors.
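The pattern behind this fix, as an added illustration that is not Ghostscript's code: a name is formatted with sprintf into a heap buffer whose size was miscalculated, and the repair is to size the buffer for the worst case and to verify the calculation. The "<base>~<id>" name format, the function names and the sample inputs are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case size of the formatted name "<base>~<id>" (hypothetical format):
 * the base name, one separator, up to 10 decimal digits for a 32-bit
 * unsigned id, and the terminating NUL. Sizing for the worst case, rather
 * than for a typical short name, is what the patch in this thread does. */
size_t font_name_bufsize(const char *base)
{
    return strlen(base) + 1 + 10 + 1;
}

/* Check a candidate buffer size against the length the format actually
 * needs. snprintf with a NULL buffer and size 0 only measures the output.
 * Under -D_FORTIFY_SOURCE=2 an undersized buffer would instead abort inside
 * __sprintf_chk, which is the backtrace shown at the top of the thread. */
int size_is_sufficient(size_t size, const char *base, unsigned id)
{
    int n = snprintf(NULL, 0, "%s~%u", base, id);
    return n >= 0 && (size_t)n + 1 <= size;
}

/* Allocate a worst-case buffer and format into it with a bounded write.
 * Returns NULL on allocation failure or if the output would have been
 * truncated, so a wrong size calculation fails loudly instead of silently. */
char *font_name_alloc(const char *base, unsigned id)
{
    size_t size = font_name_bufsize(base);
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, size, "%s~%u", base, id);
    if (n < 0 || (size_t)n >= size) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Helper for checking results: 1 if the formatted name equals expected. */
int name_matches(const char *base, unsigned id, const char *expected)
{
    char *name = font_name_alloc(base, id);
    int ok = name != NULL && strcmp(name, expected) == 0;
    free(name);
    return ok;
}
```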