Bug 695348 - SEGV in calculate_contrib (siscale.c:258)
Summary: SEGV in calculate_contrib (siscale.c:258)
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Fuzzing
Version: master
Hardware: PC Linux
Importance: P4 normal
Assignee: Robin Watts
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-02 03:34 UTC by Antti Husa
Modified: 2015-06-16 07:29 UTC
CC List: 0 users

See Also:
Customer:
Word Size: ---


Attachments
Malformed PDF that causes SEGV (3.77 KB, application/x-pdf)
2014-07-02 03:34 UTC, Antti Husa
Proposed patch (550 bytes, patch)
2014-07-02 03:35 UTC, Antti Husa
Proposed patch v2 (500 bytes, patch)
2014-07-02 04:58 UTC, Antti Husa

Description Antti Husa 2014-07-02 03:34:57 UTC
Created attachment 11039 [details]
Malformed PDF that causes SEGV

ASAN reports a global-buffer-overflow when the malformed PDF is opened with Ghostscript, i.e. 'gs <filename>.pdf'.

The bug is caused by a variable (fWidthIn at line 201) being divided by 0, because the scale variable happens to be negative and max(scale, min_scale) results in 0. This then leads to the variable WidthIn, now containing inf, being the result of the calculation and assigned to the npixels variable at line 210. At this point the variable npixels will contain a negative value and inevitably leads to a segmentation fault.


The proposed patch simply changes the conditional check at base/gsxiscale.c:234 from "if equal to 0" to "if less than or equal to 0" in order to ensure a valid value.


ASAN report:
==11738== ERROR: AddressSanitizer: SEGV on unknown address 0x7ffbc06d2868 (pc 0x00000149670e sp 0x7fffffffa7c0 bp 0x7fffffffa890 T0)
AddressSanitizer can not provide additional info.
    #0 0x149670d in calculate_contrib /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/siscale.c:258
    #1 0x14990c6 in do_init /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/siscale.c:542
    #2 0x149925a in s_IScale_init /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/siscale.c:587
    #3 0x13f325e in gs_image_class_0_interpolate /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gxiscale.c:346
    #4 0x13e229a in gx_image_enum_begin /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gxipixel.c:883
    #5 0x13c9c89 in gx_begin_image1 /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gximage1.c:94
    #6 0x1451593 in gx_default_begin_typed_image /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gdevddrw.c:1077
    #7 0x14512f2 in gx_default_begin_image /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gdevddrw.c:1042
    #8 0x14514fe in gx_default_begin_typed_image /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gdevddrw.c:1069
    #9 0x8f2f82 in bbox_begin_typed_image /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gdevbbox.c:1073
    #10 0x11306ad in gs_image_begin_typed /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/gsimage.c:244
    #11 0x76d04b in zimage_setup /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zimage.c:183
    #12 0x76d6db in image1_setup /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zimage.c:246
    #13 0x76d71a in zimage1 /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/zimage.c:257
    #14 0x6aa15a in interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:1185
    #15 0x6a512b in gs_call_interp /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:510
    #16 0x6a4c52 in gs_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/interp.c:468
    #17 0x685695 in gs_main_interpret /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:247
    #18 0x687c34 in gs_main_run_string_end /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:660
    #19 0x687826 in gs_main_run_string_with_length /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:618
    #20 0x687798 in gs_main_run_string /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imain.c:600
    #21 0x68f46c in run_string /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:988
    #22 0x68f2b7 in runarg /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:978
    #23 0x68ec3d in argproc /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:902
    #24 0x68ae20 in gs_main_init_with_args /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/imainarg.c:239
    #25 0x46c05e in main /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./psi/gs.c:96
    #26 0x7ffff2482c04 (/lib64/libc.so.6+0x24c04)
    #27 0x46bef8 in _start (/home/anon/prog/src/git_ghostscript/ghostpdl/gs/bin/gs+0x46bef8)
SUMMARY: AddressSanitizer: SEGV /home/anon/prog/src/git_ghostscript/ghostpdl/gs/./base/siscale.c:258 calculate_contrib


--
Antti Husa
Research Assistant, OUSPG
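The arithmetic chain the report describes (negative scale clamped to 0, division producing inf, inf stored as an int pixel count), as an added C example that is not Ghostscript's code. The names fWidthIn and npixels are borrowed from the report; the clamp floor, the function names, the range limit and the hardened check are assumptions for illustration, and the hardened variant goes beyond the report by also rejecting NaN and oversize results.

```c
/* Added example, not Ghostscript code. Mirrors the failure mode in the
 * report: a negative scale is clamped by max(scale, min_scale) to 0, the
 * output width is divided by that 0, and the resulting inf is stored in an
 * int pixel count. MIN_SCALE, the function names and the range limit are
 * assumptions for illustration. */
#include <limits.h>
#include <math.h>
#include <stdio.h>

#define MIN_SCALE 0.0f   /* assumed floor; the report says the clamp yields 0 */

/* Unchecked computation, as described in the report. Returns the float so
 * the caller can inspect it: dividing by the clamped 0 gives +inf. Casting
 * that inf to int is undefined behaviour in C (on x86 the conversion
 * instruction yields INT_MIN, which matches the negative npixels the
 * report observed). */
float unchecked_width_in(float width_out, float scale)
{
    float clamped = scale > MIN_SCALE ? scale : MIN_SCALE;  /* max(scale, min_scale) */
    float fWidthIn = width_out / clamped;
    return fWidthIn;
}

/* Hardened computation: reject a non-positive or non-finite divisor, then
 * range-check the float result before it ever becomes an int. Returns the
 * pixel count, or -1 when the inputs would not produce a usable size. */
int checked_npixels(float width_out, float scale, int max_pixels)
{
    if (!isfinite(scale) || !(scale > 0.0f))
        return -1;                         /* negative, zero or NaN scale */
    if (!isfinite(width_out) || !(width_out > 0.0f))
        return -1;                         /* nothing sensible to scale */
    float fWidthIn = width_out / scale;
    if (!isfinite(fWidthIn) || fWidthIn < 1.0f || fWidthIn > (float)max_pixels)
        return -1;                         /* inf, underflow or oversize */
    return (int)fWidthIn;                  /* conversion is now always in range */
}

int main(void)
{
    /* constructed inputs: a 100-pixel-wide output with a negative scale */
    float bad = unchecked_width_in(100.0f, -0.5f);
    printf("unchecked: %s\n", isinf(bad) ? "inf (would be cast to int)" : "finite");
    printf("checked, scale -0.5: %d\n", checked_npixels(100.0f, -0.5f, 1 << 16));
    printf("checked, scale  0.5: %d\n", checked_npixels(100.0f, 0.5f, 1 << 16));
    return 0;
}
```

The point of the hardened variant is that the validity test happens on the float, before the int conversion: once an inf or an out-of-range value has been converted, the sign of the result is no longer something the code can reason about, which is exactly why a negative npixels reaches the scaler in the report.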
Comment 1 Antti Husa 2014-07-02 03:35:39 UTC
Created attachment 11040 [details]
Proposed patch
Comment 2 Antti Husa 2014-07-02 04:56:55 UTC
On closer look it might be better to just set the variable x in the row_extent struct to zero if it is negative, at line 480 in base/gxipixel.c.

A new proposed patch added as an attachment.
Comment 3 Antti Husa 2014-07-02 04:58:44 UTC
Created attachment 11041 [details]
Proposed patch v2
Comment 4 Robin Watts 2015-06-15 06:13:26 UTC
Fixed in:

commit 78b27bf3e1a70699296f41442e767b1d04492b1c
Author: Robin Watts <robin.watts@artifex.com>
Date:   Mon Jun 15 13:51:14 2015 +0100

    Bug 695348: Avoid SEGV in interpolated scaler.

    Don't use interpolated scaler if calculations have overflowed.

Thanks for the report and example file.
Comment 5 Robin Watts 2015-06-16 07:29:50 UTC
Oops. Typo in that commit. Properly fixed in:

commit b83b92758672b1ea690d4b979afaf07cf251b11f
Author: Robin Watts <robin.watts@artifex.com>
Date:   Mon Jun 15 17:30:39 2015 +0100

    Bug 695348: Proper fix for avoiding SEGV in interpolated scaler.

    Avoid using the interpolated scaler for images where the
    calculations have overflowed.