Bug 692856

Summary: Ghostscript Buffer Overflow Vulnerability
Product: Ghostscript Reporter: Marcos H. Woehrmann <marcos.woehrmann>
Component: PS InterpreterAssignee: Alex Cherepanov <alex>
Status: RESOLVED INVALID    
Severity: normal CC: henry.stiles, jackie.rosen
Priority: P2    
Version: master   
Hardware: PC   
OS: All   
Customer: Word Size: ---
Attachments: Patch
WinDBG output showing the overflow

Description Marcos H. Woehrmann 2012-02-14 00:23:24 UTC 
Because of the sensitive nature of the information in the report the details will be found in Comment #1, which will be viewable only by Artifex staff.
Comment 2 Alex Cherepanov 2012-02-18 05:18:39 UTC 
Created attachment 8365 [details]
Patch

I don't really know what this bug report is about.
There's a suspicious place in mswinpr2 but long file name is detected
and discarded earlier. Still the proposed patch should help to pacify
static analysis tools.
Comment 3 Henry Stiles 2012-02-18 15:48:18 UTC 
Hello Marcos can you ask Sacunia for a command line to reproduce the problem so we can actually reproduce the overflow.
Comment 4 Henry Stiles 2012-02-18 15:52:29 UTC 
(In reply to comment #3)
> Hello Marcos can you ask Sacunia for a command line to reproduce the problem so
> we can actually reproduce the overflow.

Sorry I didn't notice at first everything was set up in the postscript file.  Alex if there is not an overflow just close it as invalid and Marcos will report back to Secunia.
Comment 5 Alex Cherepanov 2012-02-26 22:20:12 UTC 
The use of mswinpr2 device in the sample file indicates that the problem should happen on Windows. However, the maximum path size on Windows is about 256 bytes.
There's no need to stuff in 2000 characters to create an overflow.
Testing the file with different /OutputFile attributes either works or fails with
/rangecheck. No buffer overflow has been detected.

On Linux mswinpr2 cannot be found and the sample program fails when the big path is just a regular string on the stack.

Secunia web site doesn't have SA47855 advisory.
Comment 6 Secunia Research 2012-03-14 16:48:51 UTC 
Created attachment 8414 [details]
WinDBG output showing the overflow
Comment 7 Secunia Research 2012-03-14 16:50:12 UTC 
Comment on attachment 8414 [details]
WinDBG output showing the overflow

Please reference the attached file for evidence of the overflow.
Comment 8 Alex Cherepanov 2012-03-14 20:28:26 UTC 
Please provide more information how to reproduce the bug.
What version of Ghostscript are you using?
How did you compile it?
What is your operation system?
Is it 32 or 64 hit one?
What's your command line?