Bug 690211

Summary: buffer overflow
Product: Ghostscript
Reporter: Wolfgang Hamann <hamann.w>
Component: General
Assignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: jackie.rosen
Priority: P4
Version: 8.62
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: problem_case, patch

Description Wolfgang Hamann 2008-12-22 07:13:22 UTC
I have a file that causes a buffer overflow on some friend's 8.62 running on a
distro package built with fortify bounds checking.
The file displays without problems on my local system (8.63 without fortify),
runs through distiller, etc.
Can I attach or post the file in question?
The fortify dump reads:
*** buffer overflow detected ***: gs terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xb73024c8]
/lib/libc.so.6[0xb7300500]
/lib/libc.so.6[0xb72ffb88]
/lib/libc.so.6(_IO_default_xsputn+0xa0)[0xb72895e0]
/lib/libc.so.6(_IO_vfprintf+0xf72)[0xb725de52]
/lib/libc.so.6(__vsprintf_chk+0xa7)[0xb72ffc37]
/lib/libc.so.6(__sprintf_chk+0x2d)[0xb72ffb7d]
/usr/lib/libgs.so.8(pdf_base_font_alloc+0x324)[0xb77e2734]
/usr/lib/libgs.so.8(pdf_font_descriptor_alloc+0x7d)[0xb77e4cad]
/usr/lib/libgs.so.8[0xb77eff22]
/usr/lib/libgs.so.8[0xb77f0ba5]
/usr/lib/libgs.so.8(pdf_obtain_font_resource+0xa8)[0xb77f1318]
/usr/lib/libgs.so.8[0xb77e73ca]
/usr/lib/libgs.so.8(process_plain_text+0xf5)[0xb77e8575]
/usr/lib/libgs.so.8[0xb77f2738]
/usr/lib/libgs.so.8(gs_text_process+0x12)[0xb786b6c2]
/usr/lib/libgs.so.8(op_show_continue_pop+0x2b)[0xb75e4e6b]
/usr/lib/libgs.so.8[0xb75e51c1]
/usr/lib/libgs.so.8[0xb75c2f4a]
/usr/lib/libgs.so.8(gs_interpret+0x191)[0xb75c4181]
/usr/lib/libgs.so.8(gs_main_run_string_end+0x58)[0xb75b78c8]
/usr/lib/libgs.so.8(gs_main_run_string_with_length+0x92)[0xb75b7d02]
/usr/lib/libgs.so.8(gs_main_run_string+0x4a)[0xb75b7d5a]
/usr/lib/libgs.so.8[0xb75b8b53]
/usr/lib/libgs.so.8[0xb75b93d9]
/usr/lib/libgs.so.8[0xb75b968a]
/usr/lib/libgs.so.8(gs_main_init_with_args+0x4e2)[0xb75bb382]
/usr/lib/libgs.so.8(gsapi_init_with_args+0x3e)[0xb75bc42e]
gs(main+0xcf)[0x80489cf]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb72355f5]
gs[0x8048861]
Comment 1 Ray Johnston 2008-12-22 08:12:51 UTC
Please attach the file using the "Create a New Attachment" link in the
bug form (http://bugs.ghostscript.com/attachment.cgi?bugid=690211&action=enter)

If you don't wish to share the file, you are welcome to "Edit" the attachment
after uploading it to mark it "Private" in which case only Artifex Software
staff will be able to access the file, and we will treat it as confidential.
Comment 2 Wolfgang Hamann 2008-12-22 08:42:09 UTC
Created attachment 4668 [details]
problem_case
Comment 3 Alex Cherepanov 2008-12-22 13:12:57 UTC
Created attachment 4669 [details]
patch

There's indeed a buffer overflow caused by an incorrect calculation of the
buffer size. The patch allocates sufficient buffer for the worst case.
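The sizing mistake described in this comment, shown as an added example (not the Ghostscript code or the attached patch): a hypothetical font resource name is formatted as "<base>+<id>", the buggy sizing counts only the base name, and the fixed sizing covers the worst case of the format. The format string, helper names and the fortified-style fit check are assumptions; only the bug class (sprintf into a buffer sized too small) comes from the report.

```c
/* Added example of worst-case buffer sizing; not Ghostscript's pdf_base_font_alloc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Assumed name format, e.g. "Helvetica+12" (hypothetical). */
#define NAME_FMT "%s+%d"

typedef size_t (*size_fn)(const char *);

/* Buggy sizing: counts the base name and NUL only; the '+' and the
 * digits of the id are not accounted for, so sprintf writes past the end. */
static size_t buggy_size(const char *base) {
    return strlen(base) + 1;
}

/* Worst-case sizing: base + '+' + widest int ("-2147483648", 11 chars) + NUL.
 * Sized this way, no id value can overflow the buffer. */
static size_t worst_case_size(const char *base) {
    return strlen(base) + 1 + 11 + 1;
}

/* Format the name into buf[n]. snprintf reports the length the full
 * result needs, so a result >= n means a plain sprintf would have
 * overflowed (this is the condition _FORTIFY_SOURCE aborts on). */
static int format_name(char *buf, size_t n, const char *base, int id) {
    int needed = snprintf(buf, n, NAME_FMT, base, id);
    return needed >= 0 && (size_t)needed < n;
}

/* Returns 1 if allocating with the given sizing rule is safe for this input. */
static int sizing_is_safe(size_fn sz, const char *base, int id) {
    size_t n = sz(base);
    char *buf = malloc(n);
    if (buf == NULL) return 0;
    int ok = format_name(buf, n, base, id);
    free(buf);
    return ok;
}

int main(void) {
    printf("buggy sizing safe for id 12:   %d\n", sizing_is_safe(buggy_size, "Helvetica", 12));
    printf("worst-case sizing, id INT_MIN: %d\n", sizing_is_safe(worst_case_size, "Helvetica", INT_MIN));
    return 0;
}
```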
Comment 4 Alex Cherepanov 2008-12-24 12:41:59 UTC
The patch is committed as rev. 3904.
Regression testing shows no differences.

Running our regression testing with -D_FORTIFY_SOURCE=2
reports no other errors.