Bug 693213

Summary: [patch] Robustification of some error condition, please review
Product: Ghostscript    Reporter: roucaries.bastien+gs
Component: PS Interpreter    Assignee: Alex Cherepanov <alex>
Status: RESOLVED WORKSFORME
Severity: normal    CC: chris.liddell
Priority: P4
Version: 8.15
Hardware: PC
OS: Linux
Customer:    Word Size: ---
Attachments: Local copy of the sample file.
Patch

Description roucaries.bastien+gs 2012-07-23 16:30:50 UTC
Dear gs upstream,

Could you review the patch at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422712

It seems that under some conditions you could segfault and that patch solves the problem.

Please comment and assert security impact.

Bastien
Comment 1 Alex Cherepanov 2012-07-25 14:15:02 UTC
ESP Ghostscript was an unofficial fork of GNU Ghostscript. It's now abandoned
by the authors and has never been supported by Artifex Software.

None of the official versions have any problems running this command line

cat testpage_filtered_by_pstops.ps | /usr/bin/gs-esp -dQUIET -dDEBUG
-dPARANOIDSAFER -dNOPAUSE -dBATCH -dNOMEDIAATTRS -sDEVICE=cups
-sstdout=%stderr -sOUTPUTFILE=%stdout -c - >/dev/null 2>gs_output
Comment 2 Alex Cherepanov 2012-07-25 14:15:59 UTC
Created attachment 8801 [details]
Local copy of the sample file.
Comment 3 Chris Liddell (chrisl) 2012-07-25 14:44:17 UTC
Bastien,

*Please* attach test files here when you open bugs; if you continue to fail to do so, they are liable to be closed without further review.

Thanks,

Chris
Comment 4 roucaries.bastien+gs 2012-07-25 15:29:26 UTC
Created attachment 8803 [details]
Patch

patch
Comment 5 roucaries.bastien+gs 2012-07-25 15:36:24 UTC
Please do not consider the test case in this bug report.

Notice that the joined patch applies and the bug lies in the modulus operation!

Indeed, the modulus operation on negative numbers is implementation defined under C90 but fixed by the implementation under C99 (a%b = sign(a) * ( abs(a) % abs(b) ));

The bug is still there in base/gxcht.c where:
static void
init_tile_cursor(int i, tile_cursor_t *ptc, const gx_const_strip_bitmap *btile,
                 int endx, int lasty)
{
    int tw = btile->size.x;
    /* lasty feeds both '%' expressions below; a negative lasty gives a
     * negative remainder (sign of the dividend under C99, implementation
     * defined under C90). */
    int bx = ((ptc->tile_shift = btile->shift) == 0 ? endx :
              endx + lasty / btile->size.y * ptc->tile_shift) % tw;
    int by = lasty % btile->size.y;

    ptc->xoffset = bx >> 3;
    ptc->xshift = 8 - (bx & 7);
    ptc->xbytes = (tw - 1) >> 3;
    ptc->xbits = ((tw - 1) & 7) + 1;
    ptc->tdata = btile->data;
    ptc->raster = btile->raster;
    /* A negative by moves ptc->row before the start of the tile data. */
    ptc->row = ptc->tdata + by * (int)ptc->raster;
    ptc->data = ptc->row + ptc->xoffset;
    ptc->bit_shift = ptc->xshift;
    if_debug6('h', "[h]plane %d: size=%d,%d shift=%d bx=%d by=%d\n",
              i, tw, btile->size.y, btile->shift, bx, by);
}

So with a C90 compiler, if lasty is negative you could go negative in accessing ptc->row and provoke a SEGFAULT!

Here the function could be robustified by some assert that the numbers are not negative, or, if they are negative, by using the patch.

Remember one thing: modulus of a negative is EVIL.

Bastien
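To make the point in the comment above concrete, here is an added example (not Ghostscript's code, and not the reporter's patch) that compares C99's truncating `%` with a floored modulo on a simplified, hypothetical tile structure (`tile_t`, `row_offset`, `row_in_bounds` are names invented for this example). It assumes a C99-or-later compiler, where `a % b` takes the sign of `a`; on such a compiler a negative `lasty` yields a negative row offset that a bounds check rejects, while the floored form always lands inside the buffer.

```c
#include <stdio.h>
#include <stddef.h>

/* C99 and later define a % b to truncate toward zero: the remainder takes the
 * sign of the dividend, so a negative lasty produces a negative remainder. */
static int trunc_mod(int a, int b)
{
    return a % b;
}

/* Floored modulo: result is always in [0, b) for b > 0, whatever the sign
 * of a. This is the wrap-around a tile row/column index actually wants. */
static int floor_mod(int a, int b)
{
    int r = a % b;
    return (r < 0) ? r + b : r;
}

/* Constructed stand-in for the tile fields the comment above refers to
 * (hypothetical names; not Ghostscript's gx_const_strip_bitmap). */
typedef struct {
    int size_x, size_y;  /* tile width in pixels, height in rows */
    int raster;          /* bytes per row of tile data */
    size_t data_len;     /* total bytes in the tile data buffer */
} tile_t;

/* Byte offset of the row selected by lasty, using the supplied modulo.
 * With trunc_mod this can be negative, i.e. before the start of the data. */
static long row_offset(const tile_t *t, int lasty, int (*mod)(int, int))
{
    int by = mod(lasty, t->size_y);
    return (long)by * t->raster;
}

/* The check a defender wants before dereferencing the row pointer: the
 * offset must be non-negative and leave room for one full raster row. */
static int row_in_bounds(const tile_t *t, long off)
{
    return off >= 0 && (size_t)off + (size_t)t->raster <= t->data_len;
}

/* Sample tile used by the demo helpers: 16x8 pixels, 2 bytes per row,
 * 16-byte buffer (constructed values). */
static const tile_t sample_tile = { 16, 8, 2, 16 };

/* Offset for lasty against the sample tile; use_floor selects floor_mod. */
static long demo_offset(int lasty, int use_floor)
{
    return row_offset(&sample_tile, lasty, use_floor ? floor_mod : trunc_mod);
}

/* 1 if the offset computed for lasty stays inside the sample buffer. */
static int demo_in_bounds(int lasty, int use_floor)
{
    return row_in_bounds(&sample_tile, demo_offset(lasty, use_floor));
}

int main(void)
{
    int lasty = -3;
    printf("lasty=%d trunc: off=%ld in_bounds=%d | floor: off=%ld in_bounds=%d\n",
           lasty, demo_offset(lasty, 0), demo_in_bounds(lasty, 0),
           demo_offset(lasty, 1), demo_in_bounds(lasty, 1));
    return 0;
}
```

Running it prints a negative offset (-6) for the truncating form and an in-bounds offset (10) for the floored form with the same `lasty = -3`; the `row_in_bounds` test is the cheap guard that would catch the bad case before the pointer is formed, independent of which compiler semantics apply.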
Comment 6 roucaries.bastien+gs 2012-07-25 15:37:20 UTC
REMINDER: because it depends on the compiler, it is still here.
Comment 7 Chris Liddell (chrisl) 2012-07-25 15:57:06 UTC
Please post an example PostScript or PDF file with a suitable command line, which exhibits lasty going negative, and reopen the bug.