Bug 696041

Summary: Crash file for the ps2pdf command (gs)
Product: Ghostscript
Reporter: william.robinet
Component: Fuzzing
Assignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED DUPLICATE
QA Contact: Bug traffic <tech>
Severity: normal
Priority: P4
CC: chris.liddell, william.robinet
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: gdb_rh6.6.log
gdb_rh7.1.1503.log
valgrind_rh6.6.log
valgrind_rh7.1.1503.log

Description william.robinet 2015-06-17 03:15:43 UTC
Hello,

Here is a crash file for the gs command.
The crash can be triggered with the following command on older versions of Ghostscript:

$ ps2pdf test.ps
Segmentation fault

The affected versions are still shipped by various distributions.

ps2pdf is a shell script that calls the gs binary in the following way:

$ /usr/bin/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile=test.pdf -P- -dSAFER -dCompatibilityLevel=1.4 -c .setpdfwrite -f test.ps
Segmentation fault

I attached gdb and valgrind sessions showing the crash on RHEL 6.6 and RHEL 7.1.1503.

The versions of the affected packages on RHEL are:
RHEL6.6
ghostscript-8.70-19.el6.x86_64
ghostscript-debuginfo-8.70-19.el6.x86_64
ghostscript-fonts-5.50-23.2.el6.noarch

RHEL7.1.1503
ghostscript-9.07-18.el7.x86_64
ghostscript-debuginfo-9.07-18.el7.x86_64
ghostscript-fonts-5.50-32.el7.noarch

The problem does not occur with the current source revision.

The following commit fixes the segfault, but the problem is not mentioned in
the commit log:
ecc7a199e9307475c37fea0c44d24b85df814ead

The offending file seems to be gs/Resource/Init/gs_ttf.ps

If one replaces this file with the one from the specified commit (or from
the current master) on RHEL 7.1.1503 or RHEL 6.6, the segfault does not
occur anymore.

Since the influence of this commit on the problem is not yet fully understood,
the problem might still be present in the current version of gs.

Could you please make this bug private so I can attach the crash file?
Thanks,
William
Comment 1 william.robinet 2015-06-17 03:22:13 UTC
Created attachment 11743 [details]
test.ps
Comment 2 william.robinet 2015-06-17 03:23:17 UTC
Created attachment 11744 [details]
gdb_rh6.6.log
Comment 3 william.robinet 2015-06-17 03:23:52 UTC
Created attachment 11745 [details]
gdb_rh7.1.1503.log
Comment 4 william.robinet 2015-06-17 03:24:15 UTC
Created attachment 11746 [details]
valgrind_rh6.6.log
Comment 5 william.robinet 2015-06-17 03:24:41 UTC
Created attachment 11747 [details]
valgrind_rh7.1.1503.log
Comment 6 william.robinet 2015-06-17 03:29:07 UTC
The following CVE id was assigned to this issue by RedHat:
CVE-2015-3228
Comment 7 Ken Sharp 2015-06-17 04:52:47 UTC
Fixed in current version.
Comment 8 Chris Liddell (chrisl) 2015-07-08 01:14:19 UTC

*** This bug has been marked as a duplicate of bug 696070 ***