Bug 694160 - Seg faults found by fuzzing in gx_default_fillpage (gdevddrw.c:1125)
Summary: Seg faults found by fuzzing in gx_default_fillpage (gdevddrw.c:1125)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Ray Johnston
URL:
Keywords: bountiable
Depends on:
Blocks:
 
Reported: 2013-05-27 19:07 UTC by Marcos H. Woehrmann
Modified: 2014-08-15 09:34 UTC
CC: 4 users

See Also:
Customer:
Word Size: 64


Attachments
log.txt (8.05 KB, text/plain), 2013-05-27 19:07 UTC, Marcos H. Woehrmann
Patch for seg fault in fuzzing file (1.18 KB, patch), 2014-06-22 09:33 UTC, Shailesh Mistry
Simple EPS file to test 'ps2pdf' script (526 bytes, image/x-eps), 2014-08-13 18:49 UTC, Vladimir Lomov

Description Marcos H. Woehrmann 2013-05-27 19:07:43 UTC
Created attachment 9794
log.txt

Seg faults in the 64 bit build of ghostscript were found by fuzzing in gx_default_fillpage (gdevddrw.c:1125) while reading these files. See the attached log.txt for details.

084db199_8cc1aef4_d13f0af2_e9158eed_fc5ee2df.SIGSEGV.d1c.169.psdcmyk.300.1
084db199_8cc1aef4_d13f0af2_e9158eed_fc5ee2df.SIGSEGV.d1c.169.psdcmyk.72.0
Comment 1 Henry Stiles 2013-06-09 18:35:00 UTC
These problems are bountiable to Shelly and Simon (only) under the arrangement we set up previously for jbig2 and jpeg 2000 problems. If you two can divide them fairly, that's great; if not, I'll review them and assign them. Let me know.
Comment 2 Shailesh Mistry 2014-06-22 09:33:20 UTC
Created attachment 11015
Patch for seg fault in fuzzing file

The test file can be cut down to one line:

/eq { showpage grestore grestore } def

This was causing a showpage after the device had been closed and hence a segfault.

The attached patch ensures that systemdict will be used at the correct time and avoids malicious code being injected into the system.
Comment 3 Ray Johnston 2014-07-21 16:48:00 UTC
Comment on attachment 11015
Patch for seg fault in fuzzing file

The patch is fine with me. Thanks. Commit, or let me know if you want me to.
Comment 4 Shailesh Mistry 2014-08-11 13:27:37 UTC
Patch committed as http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4fc4b8410d3
Comment 5 Vladimir Lomov 2014-08-13 18:48:54 UTC
Hello,
this commit breaks the 'ps2pdf' script. Reverting it solves the problem.

Details:

Running 'ps2pdf' on the attached 'ex.eps' file I get:
$ ps2pdf ex.eps
Unrecoverable error: undefined in quit
Operand stack:
    --nostringval--  begin

Interestingly, the 'ps2pdf' script does create a PDF file, but with the wrong dimensions.

Ghostscript version: compiled from Git, latest commit:
commit 062f4b4536b7b3fa1742e31c05dc57fe241d6690
Author: Chris Liddell <chris.liddell@artifex.com>
Date:   Wed Aug 13 20:33:36 2014 +0100

    Bug 695423: follow up.
    
    Fix the description comments.
    
    No cluster differences
Comment 6 Vladimir Lomov 2014-08-13 18:49:37 UTC
Created attachment 11112
Simple EPS file to test 'ps2pdf' script
Comment 7 Ray Johnston 2014-08-14 09:33:57 UTC
This patch breaks "quit" apparently. With the patch (commit 4fc4b84) it also
causes bug 695240.

Clearly this needs further work.
Comment 8 Chris Liddell (chrisl) 2014-08-14 11:56:47 UTC
Is "quit" not stored in systemdict, then? That would seem... er, odd....
Comment 9 Ken Sharp 2014-08-14 12:47:12 UTC
(In reply to Chris Liddell from comment #8)
> Is "quit" not stored in systemdict, then? That would seem... er, odd....

It is, but apparently systemdict is not open, or something. If I do 'systemdict /quit get exec' then it works. If I simply do 'quit', then it gives me an 'undefined' error.

It is also the cause of the strange 'undefined' error in #695240. Perhaps the name table is broken in some way?
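The mechanism behind both comment 2 (a user-level `/eq` definition standing in for the `eq` operator) and comment 9 (`quit` found via `systemdict /quit get exec` but not via plain `quit`) is PostScript name lookup through the dictionary stack. The diagnostic below is an added example, not part of the bug report or of the Ghostscript patch: it reports which dictionary a name resolves to, shows a userdict definition shadowing a systemdict operator, and shows that a direct `systemdict` lookup bypasses the shadowing. The `report` procedure and the harmless stand-in `eq` definition are constructed for illustration.

```postscript
% Added diagnostic (not from the bug report): report where a name resolves.
% `bind` is used so that the operators inside `report` (eq, dup, pop, ...) are
% resolved to the real systemdict operators when the procedure is defined,
% before any user-level redefinition can shadow them.
/report {                          % /name  report  -
  dup where {                      % /name dict
    dup systemdict eq
      { pop ( resolves to systemdict) }
      { userdict eq
          { ( resolves to userdict) }
          { ( resolves to another dictionary) } ifelse }
    ifelse
    exch =only =                   % print: "<name> resolves to ..."
  } {
    =only ( is not defined on the dictionary stack) =
  } ifelse
} bind def

/eq report                         % eq resolves to systemdict

% A userdict definition (constructed, deliberately harmless) that shadows
% the `eq` operator for any code that looks it up through the dict stack.
/eq { pop pop false } def
/eq report                         % eq resolves to userdict

1 1 eq =                           % the shadowing definition runs: false
1 1 systemdict /eq get exec =      % direct systemdict lookup: true

/quit report                       % quit resolves to systemdict
```

Run it with `gs -q -dNODISPLAY -dBATCH -dNOPAUSE diag.ps` (assuming the snippet is saved as `diag.ps`). The point for a reader of this bug: internal PostScript code that names an operator through the dictionary stack can be redirected by a document that defines the same name in userdict, which is why the patch under discussion routes such lookups through systemdict and why `bind` is the usual defensive idiom for procedures that must keep their original operator bindings.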
Comment 10 Ken Sharp 2014-08-15 02:17:10 UTC
Because this breaks '-o' and makes it difficult to close the interpreter interactively as well as causing spurious errors in ps2pdf and with at least some pdfwrite configurations, I've chosen to revert the patch.

This is done in commit 1db534ed2b1277b265652d4b660b11e957a3e0bf
Comment 11 Chris Liddell (chrisl) 2014-08-15 09:34:15 UTC
Fixed (fully) in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a7e8f759