Bug 697444

Summary: Null pointer dereference in pdf14_pop_transparency_group()
Product: Ghostscript Reporter: Kamil Frankowicz <kamil.frankowicz>
Component: Transparency    Assignee: Michael Vrhel <michael.vrhel>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P1    
Version: master   
Hardware: PC   
OS: Linux   
Customer:    Word Size: ---
Attachments: POC to trigger null pointer dereference (gs)

Description Kamil Frankowicz 2016-12-19 06:58:00 UTC
Created attachment 13249 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_nullptr_pdf14_pop_transparency_group -c quit

ASAN + Output:

GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
ASAN:DEADLYSIGNAL
=================================================================
==22611==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x0000008fb085 bp 0x7ffe33950ab0 sp 0x7ffe33950820 T0)
==22611==The signal is caused by a READ memory access.
==22611==Hint: address points to the zero page.
    #0 0x8fb084 in pdf14_pop_transparency_group XYZ/ghostpdl/./base/gdevp14.c:1070:31
    #1 0x8de8ab in pdf14_end_transparency_group XYZ/ghostpdl/./base/gdevp14.c:4027:12
    #2 0x890f49 in gx_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:401:16
    #3 0x8fd8f7 in gx_update_pdf14_compositor XYZ/ghostpdl/./base/gdevp14.c:3607:20
    #4 0x8dd061 in pdf14_create_compositor XYZ/ghostpdl/./base/gdevp14.c:3686:16
    #5 0x8d4d53 in send_pdf14trans XYZ/ghostpdl/./base/gdevp14.c:6589:12
    #6 0x890c55 in gs_gstate_update_pdf14trans XYZ/ghostpdl/./base/gstrans.c:168:12
    #7 0x890c55 in gs_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:393
    #8 0x19fe37e in interp XYZ/ghostpdl/./psi/interp.c:1314:40
    #9 0x19fe37e in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #10 0x19fe37e in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #11 0x19d1352 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #12 0x19d1352 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #13 0x19d1352 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #14 0x19dd2eb in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #15 0x19dd2eb in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #16 0x19dc748 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #17 0x19d5283 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #18 0x5475d8 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #19 0x7f690806082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #20 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gdevp14.c:1070:31 in pdf14_pop_transparency_group
==22611==ABORTING
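The report above is the kind of artifact a fuzzing campaign produces by the hundred, so the first job is mechanical triage: pull out the fault address, the access type and the in-tree crash site, then bucket the crash. The following is an added example, not code from this bug report or from Ghostscript. It parses an AddressSanitizer report of the shape quoted in the description and classifies it; SAMPLE_REPORT is constructed from the lines of that report with most frames trimmed, the `ghostpdl` path marker and the 4 KiB zero-page threshold are assumptions, and `triage`, `classify` and `first_project_frame` are hypothetical helper names.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the report from the bug description, frames trimmed.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==22611==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x0000008fb085 bp 0x7ffe33950ab0 sp 0x7ffe33950820 T0)
==22611==The signal is caused by a READ memory access.
==22611==Hint: address points to the zero page.
    #0 0x8fb084 in pdf14_pop_transparency_group XYZ/ghostpdl/./base/gdevp14.c:1070:31
    #1 0x8de8ab in pdf14_end_transparency_group XYZ/ghostpdl/./base/gdevp14.c:4027:12
    #2 0x890f49 in gx_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:401:16
    #7 0x890c55 in gs_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:393
    #18 0x5475d8 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #19 0x7f690806082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #20 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gdevp14.c:1070:31 in pdf14_pop_transparency_group
==22611==ABORTING
"""

ZERO_PAGE_SIZE = 0x1000  # assumption: 4 KiB page (ASAN's hint uses the runtime page size)

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
LOC_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")  # file:line[:column]


@dataclass
class Frame:
    index: int
    function: str
    file: Optional[str]    # None for frames without debug info (libc, _start)
    line: Optional[int]
    column: Optional[int]


@dataclass
class AsanReport:
    pid: int
    kind: str              # "SEGV", "heap-buffer-overflow", ...
    address: int
    access: Optional[str]  # "READ" / "WRITE" when ASAN states it
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("no 'ERROR: AddressSanitizer' line in report")
    am = ACCESS_RE.search(text)
    frames = []
    for raw in text.splitlines():
        fm = FRAME_RE.match(raw)
        if fm is None:
            continue
        lm = LOC_RE.match(fm.group(3))
        if lm is None:  # "(libc.so.6+0x2082f)" style frame: no file:line to parse
            frames.append(Frame(int(fm.group(1)), fm.group(2), None, None, None))
        else:
            col = int(lm.group(3)) if lm.group(3) else None
            frames.append(Frame(int(fm.group(1)), fm.group(2), lm.group(1), int(lm.group(2)), col))
    return AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16),
                      am.group(1) if am else None, frames)


def classify(report: AsanReport) -> str:
    """A SEGV inside the zero page is a NULL (or NULL + field offset) dereference;
    any other SEGV is a wild pointer and needs a closer look."""
    if report.kind != "SEGV":
        return report.kind
    return "null-pointer-dereference" if report.address < ZERO_PAGE_SIZE else "wild-pointer-access"


def first_project_frame(report: AsanReport, marker: str) -> Optional[Frame]:
    """Topmost frame whose path contains `marker`: the in-tree crash site used
    as the dedup key, skipping any libc or sanitizer frames above it."""
    for f in report.frames:
        if f.file and marker in f.file:
            return f
    return None


def triage(text: str, marker: str = "ghostpdl") -> dict:
    r = parse_asan_report(text)
    top = first_project_frame(r, marker)
    crash_class = classify(r)
    return {
        "pid": r.pid,
        "class": crash_class,
        "access": r.access,
        "address": r.address,
        # For a NULL dereference the fault address is the offset of the field read.
        "field_offset": r.address if crash_class == "null-pointer-dereference" else None,
        "bucket": f"{top.function}@{os.path.basename(top.file)}:{top.line}" if top else None,
        "frames": len(r.frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:13} {value}")
```

A READ fault at 0x98 with ASAN's zero-page hint is the signature of reading a field through a NULL struct pointer, which is why the classifier separates it from a wild-pointer SEGV: the former is a reliable crash (denial of service) at a fixed offset, the latter may be an attacker-influenced address and merits a higher initial severity. The bucket string (function, basename, line of the first in-tree frame) is what lets a fuzzer deduplicate dozens of inputs that all land on gdevp14.c:1070.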
Comment 1 Ken Sharp 2016-12-19 07:07:16 UTC
You really aren't supposed to play with the internal functions, but it shouldn't crash either.