| Summary: | Vulnerability report : Ghostscript Heap Overflow | | |
|---|---|---|---|
| Product: | Ghostscript | Reporter: | Marcos H. Woehrmann <marcos.woehrmann> |
| Component: | General | Assignee: | Ken Sharp <ken.sharp> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | jackie.rosen, mehmetgelisin, wade.colson |
| Priority: | P4 | | |
| Version: | master | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Customer: | | Word Size: | --- |
Description

Marcos H. Woehrmann
2010-01-04 22:18:25 UTC

Created attachment 5847: description.txt

Created attachment 5848: testg.1883216560.pdf

May be a font issue.

Looks like it is a font issue. Also, like the last one, it gives an error on Windows instead of a crash. The previous issue was partially due to probably random data because of a broken compressed stream, and influenced by optimisations in gcc (the debug build didn't crash). I'll need to run it on Linux tomorrow to see what's happening, and probably build an optimised executable with debug info.

Created attachment 5856: update.txt

The original user has sent some further analysis. He is also wondering if this issue or the previous one (Bug #691043) were significant enough to qualify as bountiable. Ray?

Using ddd, the file doesn't provoke a SEGV; in fact on Fedora I'm unable to reproduce a crash at all. Given the fact that this 'probably' depends on the content of uninitialised memory, that's not entirely surprising. I have read update.txt but I'm not completely happy about the proposed fix; I'll do some debugging, then some desk checking, and think about it.

OK, this is hopefully fixed by revision 10602: http://ghostscript.com/pipermail/gs-cvs/2010-January/010345.html

As noted in the log, I've chosen to simply return when the argument to MINDEX is 0. This is because it seems to be legal, if daft, and we know from experience that just because it's silly doesn't mean that producers won't create fonts like this. Unfortunately I have never actually managed to reproduce this problem, so I can't be certain this patch fixes it. It would be best if someone who could previously reproduce the problem could check this.
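As an added illustration of the kind of check the thread is discussing, here is a hypothetical charstring operand stack whose index operator validates its operand before any memory is read. This is example code written for this page; it is not Ghostscript's interpreter and not the patch in revision 10602. The operator name (`cs_index` standing in for an operator like the MINDEX mentioned above), the stack capacity, and the decision to treat an operand of 0 as a no-op are all assumptions made here to mirror the thread's description, not facts about Ghostscript.

```c
/* Hypothetical charstring operand stack with a bounds-checked index operator.
 * Illustrative code only: not Ghostscript's own interpreter or its fix. */
#include <stddef.h>
#include <stdio.h>

#define CS_STACK_MAX 48            /* assumed operand-stack capacity */

typedef enum {
    CS_OK = 0,
    CS_ERR_STACK_UNDERFLOW,        /* operator needs an operand that is not there */
    CS_ERR_STACK_OVERFLOW,         /* push would run past the end of the array */
    CS_ERR_RANGE                   /* operand selects an entry outside the live stack */
} cs_status;

typedef struct {
    int items[CS_STACK_MAX];
    size_t sp;                     /* number of live entries; items[sp-1] is the top */
} cs_stack;

cs_status cs_push(cs_stack *s, int v) {
    if (s->sp >= CS_STACK_MAX) return CS_ERR_STACK_OVERFLOW;
    s->items[s->sp++] = v;
    return CS_OK;
}

/* index: pop n, then push a copy of the n-th live entry counted from the new
 * top (n == 1 duplicates the top, n == sp copies the bottom). An operand of 0
 * is accepted and simply returns, the lenient choice described in the thread
 * for a legal-but-pointless value. Any n that would read before items[0] or
 * past the live entries is rejected and the stack is left exactly as it was. */
cs_status cs_index(cs_stack *s) {
    if (s->sp < 1) return CS_ERR_STACK_UNDERFLOW;
    int n = s->items[--s->sp];     /* consume the operand */
    if (n == 0) return CS_OK;      /* nothing to copy: just return */
    if (n < 0 || (size_t)n > s->sp) {
        s->sp++;                   /* restore the operand; no memory was touched */
        return CS_ERR_RANGE;
    }
    return cs_push(s, s->items[s->sp - (size_t)n]);
}

/* Stand-alone driver over constructed operands (not from any real font). */
int main(void) {
    cs_stack s = {{0}, 0};
    cs_push(&s, 10);
    cs_push(&s, 20);
    cs_push(&s, 2);                /* select the entry two below the top */
    printf("index 2 -> status %d, top %d\n", cs_index(&s), s.items[s.sp - 1]);
    cs_push(&s, 0);
    printf("index 0 -> status %d, depth %zu\n", cs_index(&s), s.sp);
    cs_push(&s, 5);                /* more entries than are live */
    printf("index 5 -> status %d (expect range error)\n", cs_index(&s));
    return 0;
}
```

The point of the shape is that every operand-derived offset is compared against the number of live entries before it is used as an array subscript, so a malformed font can only produce an error status, never an out-of-bounds read.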