Bug 695318 - Heap-use-after-free in igc_reloc_struct_ptr
Summary: Heap-use-after-free in igc_reloc_struct_ptr
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-18 01:35 UTC by Antti Husa
Modified: 2014-07-29 08:57 UTC

See Also:
Customer:
Word Size: ---


Attachments
Malformed PDF that causes heap-use-after-free (38.41 KB, application/x-pdf)
2014-06-18 01:35 UTC, Antti Husa

Description Antti Husa 2014-06-18 01:35:36 UTC
Created attachment 11001 [details]
Malformed PDF that causes heap-use-after-free

ASAN reports a heap-use-after-free when a malformed PDF is opened with Ghostscript, i.e. 'gs -dNOPAUSE <filename>.pdf <text/filename>'.

If Ghostscript tries to open two files, or even one file with a random string as a second argument, a heap-use-after-free ensues.
A valid random string would be e.g. 'a' or 'asd' etc.


ASAN report:
==22445== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f779cf55238 at pc 0x77c88b bp 0x7fffffe2b430 sp 0x7fffffe2b428
READ of size 4 at 0x7f779cf55238 thread T0
    #0 0x77c88a in igc_reloc_struct_ptr /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/igc.c:1280
    #1 0x1148b9e in basic_reloc_ptrs /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsmemory.c:347
    #2 0x111cda1 in font_reloc_ptrs /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsfont.c:203
    #3 0x1148de0 in basic_reloc_ptrs /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsmemory.c:358
    #4 0x1148de0 in basic_reloc_ptrs /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsmemory.c:358
    #5 0x77c7ac in gc_do_reloc /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/igc.c:1247
    #6 0x7780d4 in gs_gc_reclaim /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/igc.c:449
    #7 0x9e1b08 in context_reclaim /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zcontext.c:291
    #8 0x6b7aec in gs_vmreclaim /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/ireclaim.c:155
    #9 0x6b73ec in ireclaim /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/ireclaim.c:77
    #10 0x6a4a98 in interp_reclaim /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:441
    #11 0x688f78 in gs_main_finit /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:883
    #12 0x689c2a in gs_to_exit_with_code /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:970
    #13 0x46c0ee in main /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/gs.c:139
    #14 0x7f779e56ebf4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/csu/libc-start.c:258
    #15 0x46bef8 in _start (/home/anon/prog/src/git_ghostscript/ghostpdl/gs/bin/gs+0x46bef8)
0x7f779cf55238 is located 1165880 bytes inside of 1187736-byte region [0x7f779ce38800,0x7f779cf5a798)
freed by thread T0 here:
    #0 0x7f77a0f4f46a in __interceptor_free /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_malloc_linux.cc:61
    #1 0x113f014 in gs_heap_free_object /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsmalloc.c:347
    #2 0x10e0e0a in alloc_free_chunk /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:1998
    #3 0x10dc297 in i_free_object /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:926
    #4 0x10dbdb2 in i_resize_object /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:816
    #5 0xadbfef in x_set_buffer /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:612
    #6 0xadd435 in gdev_x_clear_window /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:710
    #7 0xadfc62 in gdev_x_put_params /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:917
    #8 0x11117c4 in gs_putdeviceparams /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsdparam.c:877
    #9 0x75fb82 in zputdeviceparams /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zdevice.c:421
    #10 0x6ace74 in interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:1561
    #11 0x6a512b in gs_call_interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:510
    #12 0x6a4c52 in gs_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:468
    #13 0x685695 in gs_main_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:247
    #14 0x687c34 in gs_main_run_string_end /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:660
    #15 0x687826 in gs_main_run_string_with_length /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:618
    #16 0x687798 in gs_main_run_string /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:600
    #17 0x68f46c in run_string /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:988
    #18 0x68f2b7 in runarg /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:978
    #19 0x68ec3d in argproc /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:902
    #20 0x68ae20 in gs_main_init_with_args /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:239
    #21 0x46c05e in main /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/gs.c:96
    #22 0x7f779e56ebf4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/csu/libc-start.c:258
previously allocated by thread T0 here:
    #0 0x7f77a0f4f54a in malloc /home/aki/opt/fu/work/tmp/gcc-4.8.1/x86_64-unknown-linux-gnu/libsanitizer/asan/../../.././libsanitizer/asan/asan_malloc_linux.cc:71
    #1 0x113e49e in gs_heap_alloc_bytes /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsmalloc.c:183
    #2 0x10dfedd in alloc_acquire_chunk /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:1845
    #3 0x10dd996 in alloc_obj /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:1304
    #4 0x10db417 in i_alloc_bytes /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsalloc.c:593
    #5 0xadc03d in x_set_buffer /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:612
    #6 0xadd435 in gdev_x_clear_window /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:710
    #7 0xadada6 in gdev_x_open /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevxini.c:472
    #8 0xac45ff in x_open /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./devices/gdevx.c:251
    #9 0x11021bd in gs_opendevice /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsdevice.c:406
    #10 0x1102850 in gs_setdevice_no_erase /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsdevice.c:518
    #11 0x760436 in zsetdevice /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zdevice.c:483
    #12 0x6ace74 in interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:1561
    #13 0x6a512b in gs_call_interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:510
    #14 0x6a4c52 in gs_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:468
    #15 0x685695 in gs_main_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:247
    #16 0x68770e in gs_run_init_file /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:591
    #17 0x685a80 in gs_main_init2aux /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:295
    #18 0x685c7b in gs_main_init2 /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:329
    #19 0x68f0b1 in runarg /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:955
    #20 0x68ec3d in argproc /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:902
    #21 0x68ae20 in gs_main_init_with_args /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:239
    #22 0x46c05e in main /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/gs.c:96
    #23 0x7f779e56ebf4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.17/work/glibc-2.17/csu/libc-start.c:258
SUMMARY: AddressSanitizer: heap-use-after-free /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/igc.c:1280 igc_reloc_struct_ptr
Shadow bytes around the buggy address:


--
Antti Husa
Research Assistant, OUSPG
Comment 1 Chris Liddell (chrisl) 2014-07-29 08:57:34 UTC
Fixed in:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e889a188