Created attachment 13792 [details]
PoC

Hi. I found a crashing test case. The crash does not occur in the no-ASan environment. Memory corruption occurs in the ASan environment or in Valgrind. Please confirm. Thanks.

Version 9.22 and Git Head: f887813ad00d680e2ea5d81606fd21d1b68067af
OS: Ubuntu 16.04.2 32bit

Command:
./gxps -sDEVICE=pdfwrite -sOutputFile=/dev/null -dNOPAUSE $FILE

=================================================================
ASan:OUT
=================================================================
==24934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4c60818 at pc 0xb7273a75 bp 0xbfda6298 sp 0xbfda5e6c
READ of size 2 at 0xb4c60818 thread T0
    #0 0xb7273a74 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8aa74)
    #1 0xb7273c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x81a2a36 in gx_ttfReader__Read base/gxttfb.c:85
    #3 0x8171423 in ttfReader__Short base/ttfinp.c:42
    #4 0x8179f1e in ttfOutliner__BuildGlyphOutlineAux base/ttfmain.c:787
    #5 0x817afef in ttfOutliner__BuildGlyphOutline base/ttfmain.c:874
    #6 0x817d568 in ttfOutliner__Outline base/ttfmain.c:1033
    #7 0x81a8c29 in gx_ttf_outline base/gxttfb.c:787
    #8 0x816e1fa in append_outline_fitted base/gstype42.c:1595
    #9 0x816bb66 in gs_type42_glyph_outline base/gstype42.c:991
    #10 0x8ba4a25 in gs_default_glyph_info base/gsfont.c:1036
    #11 0x816c004 in gs_type42_glyph_info_by_gid base/gstype42.c:1017
    #12 0x816c82e in gs_type42_glyph_info base/gstype42.c:1088
    #13 0x8870b4a in pdf_compute_font_descriptor devices/vector/gdevpdtd.c:457
    #14 0x8871ed8 in pdf_finish_FontDescriptor devices/vector/gdevpdtd.c:636
    #15 0x88bcedd in pdf_finish_resources devices/vector/gdevpdtw.c:677
    #16 0x877d771 in do_pdf_close devices/vector/gdevpdf.c:2569
    #17 0x87844ce in pdf_close devices/vector/gdevpdf.c:3281
    #18 0x8b83b4b in gs_closedevice base/gsdevice.c:720
    #19 0x911ecd8 in pl_main_universe_dnit pcl/pl/plmain.c:557
    #20 0x911e426 in pl_main_delete_instance pcl/pl/plmain.c:436
    #21 0x8f8bd14 in plapi_delete_instance pcl/pl/plapi.c:89
    #22 0x911d2cf in main pcl/pl/realmain.c:50
    #23 0xb6fd4636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #24 0x8099f90 (/home/karas/gwanyeong/ghostpdl/bin/gxps+0x8099f90)

0xb4c60818 is located 0 bytes to the right of 65560-byte region [0xb4c50800,0xb4c60818)
allocated by thread T0 here:
    #0 0xb727fdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8bc7a55 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x8654534 in chunk_obj_alloc base/gsmchunk.c:909
    #3 0x8654b6d in chunk_alloc_struct_array base/gsmchunk.c:1019
    #4 0x8e05fe8 in gx_char_cache_alloc base/gxccman.c:87
    #5 0x8b9fd98 in gs_font_dir_alloc2_limits base/gsfont.c:255
    #6 0x8b9fc36 in gs_font_dir_alloc2 base/gsfont.c:228
    #7 0x876924b in pdf_open devices/vector/gdevpdf.c:834
    #8 0x8b81d81 in gs_opendevice base/gsdevice.c:456
    #9 0x911ef47 in pl_main_universe_select pcl/pl/plmain.c:581
    #10 0x911df13 in pl_main_run_file pcl/pl/plmain.c:341
    #11 0x91236f1 in pl_main_process_options pcl/pl/plmain.c:1313
    #12 0x911d92a in pl_main_init_with_args pcl/pl/plmain.c:262
    #13 0x8f8bbce in plapi_init_with_args pcl/pl/plapi.c:58
    #14 0x911d206 in main pcl/pl/realmain.c:34
    #15 0xb6fd4636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x3698c0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3698c0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3698c100: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3698c150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==24934==ABORTING
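The trace above shows a 2-byte read (ttfReader__Short calling gx_ttfReader__Read, which ends in memcpy) that lands 0 bytes past the end of a 65560-byte heap region. The example below is added here to illustrate that class of bug and the check that stops it; it is not Ghostscript's code and does not reproduce the attached PoC. The reader struct, the function names, the glyph-header layout (a contour count followed by that many 16-bit entries, loosely modelled on TrueType) and the two sample tables are all constructed for the illustration. The truncated sample claims one more entry than the table holds, so the last read starts exactly at the end of the buffer, the same position the ASan report describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical minimal reader over a heap-resident font table. */
typedef struct {
    const uint8_t *data;   /* table bytes */
    size_t len;            /* number of valid bytes in data */
    size_t pos;            /* current read offset */
    int error;             /* set once any read runs out of bounds */
} font_reader;

/* Checked read. An unchecked reader would simply do
 *     memcpy(dst, r->data + r->pos, n); r->pos += n;
 * and at pos == len that copies n bytes past the end of the region,
 * which is what ASan reports as "0 bytes to the right of" the buffer.
 * The test is written as (n > len - pos) rather than (pos + n > len)
 * so that an attacker-controlled n cannot wrap the addition. */
static int read_checked(font_reader *r, void *dst, size_t n) {
    if (r->error || r->pos > r->len || n > r->len - r->pos) {
        r->error = 1;
        memset(dst, 0, n);   /* keep the destination defined on failure */
        return -1;
    }
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return 0;
}

/* Big-endian 16-bit read; returns 0 and sets r->error when fewer than
 * two bytes remain, so callers can check the flag instead of the value. */
static uint16_t read_short(font_reader *r) {
    uint8_t b[2];
    if (read_checked(r, b, 2) != 0)
        return 0;
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Parse a constructed glyph header: a count followed by that many
 * 16-bit entries. Returns the number of entries read, or -1 when the
 * table ends early or the count exceeds the caller's array. A table whose
 * count is larger than its contents is exactly the input that drives an
 * unchecked reader off the end of its buffer. */
static int parse_contours(font_reader *r, uint16_t *endpts, size_t max) {
    uint16_t n = read_short(r);
    if (r->error || n > max)
        return -1;
    for (uint16_t i = 0; i < n; i++) {
        endpts[i] = read_short(r);
        if (r->error)
            return -1;
    }
    return (int)n;
}

/* Constructed sample tables (not taken from the PoC attachment). */
static const uint8_t good_table[]  = { 0x00, 0x02, 0x00, 0x05, 0x00, 0x09 };
/* Claims 3 entries but supplies only 2: the third read starts at len. */
static const uint8_t short_table[] = { 0x00, 0x03, 0x00, 0x05, 0x00, 0x09 };

/* Returns 2 when the well-formed table parses to the expected entries. */
static int demo_good(void) {
    uint16_t e[8];
    font_reader r = { good_table, sizeof good_table, 0, 0 };
    int n = parse_contours(&r, e, 8);
    if (n == 2 && e[0] == 5 && e[1] == 9 && r.pos == sizeof good_table)
        return n;
    return -2;
}

/* Returns -1 when the truncated table is rejected without the read
 * position ever moving past the end of the buffer. */
static int demo_truncated(void) {
    uint16_t e[8];
    font_reader r = { short_table, sizeof short_table, 0, 0 };
    int n = parse_contours(&r, e, 8);
    if (n == -1 && r.error && r.pos <= r.len)
        return -1;
    return -2;
}

int main(void) {
    printf("well-formed table: %d entries\n", demo_good());
    printf("truncated table:   %d (rejected)\n", demo_truncated());
    return 0;
}
```

Under ASan the unchecked form of the copy in the comment would fault on short_table at the same offset pattern as the report (a 2-byte READ at the first byte past the region); the checked form returns an error and leaves the read position inside the buffer.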
Fixed: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=937ccd17ac