|Summary:|Heap buffer overflow in fill_threshold_buffer()|
|Product:|Ghostscript|
|Reporter:|Kamil Frankowicz <kamil.frankowicz>|
|Component:|Security (public)|
|Assignee:|Ray Johnston <ray.johnston>|
|Severity:|blocker|
|CC:|chris.liddell, deekej, hertzog, meissner, peterkoczan|
Description Kamil Frankowicz 2016-12-31 07:26:00 UTC
Comment 2 Kamil Frankowicz 2017-03-01 00:12:24 UTC
Is anyone here?
Comment 3 Kamil Frankowicz 2017-04-03 23:11:26 UTC
This is CVE-2016-10317.
Comment 4 Ray Johnston 2017-04-04 07:12:17 UTC
This occurs on Linux 64-bit builds, not on Windows 64-bit or 32-bit builds, since the fast ht_thresh logic doesn't happen if an earlier allocation fails because of 32-bit limits (int on 64-bit Windows is still 32-bit, but is 64 bits on a 64-bit Linux build). Thanks to Ken for replicating the problem and identifying the system conditions. Note that I've bumped this up to P2 because it is a buffer overflow.
Comment 5 Raphaël Hertzog 2017-04-07 01:06:20 UTC
Is it on purpose that the attachment is private here while it was public for all other reports of Kamil? Is there any ETA for the fix? Also the command line in the first comment mentions a reproducer file named "gs_uaf_pdf14_cleanup_parent_color_profiles" but this is unlikely to be the correct name since that function does not appear in the back trace posted in the same comment. Thank you in advance.
Comment 6 Raphaël Hertzog 2017-05-12 01:24:26 UTC
Is there any news? It would be nice to have a patch for this security issue. Thank you!
Comment 7 Marcus Meissner 2017-07-10 07:48:51 UTC
Comment 8 Ray Johnston 2017-11-21 13:33:36 UTC
This was due to an overflow calculating the size of the thresh_buffer. Fix awaiting review: http://git.ghostscript.com/?p=user/ray/ghostpdl.git;a=commitdiff;h=d7e176da004a49305fe3da8127e5fb4f29ccce4b
Comment 9 Ray Johnston 2017-11-21 21:28:28 UTC
Fixed by commit 362ec9daadb9992b0def3520cd1dc6fa52edd1c4
Author: Ray Johnston <email@example.com>
Date: Tue Nov 21 12:48:54 2017 -0800

Fix bug 697459 Buffer overflow in fill_threshold_buffer

There was an overflow check for ht_buffer size, but none for the larger threshold_buffer. Note that this file didn't fail on Windows because the combination of the ht_buffer and the size of the (miscalculated due to overflow) threshold_buffer would have exceeded the 2Gb limit.
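The failure mode described in comments 8 and 9, as an added example in C that is not Ghostscript's code: a buffer size computed in 32-bit arithmetic wraps to a small value, the allocation succeeds, and the later fill writes the full intended amount past it. The dimensions, function names and the checked size routine are assumed for illustration and are not taken from fill_threshold_buffer.

```c
/* Added example (not Ghostscript code): size miscalculation by 32-bit
 * wrap-around, and the overflow check that prevents it. Names and the
 * size formula (width * height * bytes_per_pixel) are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_LIMIT INT32_MAX  /* largest size a 32-bit int allocator arg holds */

/* Naive computation as it behaves in 32-bit arithmetic: the product
 * silently wraps to a small, plausible-looking value. Done on an
 * unsigned type so the wrap is well defined for the demonstration. */
static uint32_t size_wrapping(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: multiplies in 64 bits and rejects any result that
 * would not fit the 32-bit size the allocator receives.
 * Returns the size, or -1 on overflow. */
static int64_t size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t n = (uint64_t)width * height;
    if (n > SIZE_LIMIT) return -1;
    n *= bpp;
    if (n > SIZE_LIMIT) return -1;
    return (int64_t)n;
}

/* Allocate-then-fill: with the wrapped size the allocation would be tiny
 * while the fill still wants width*height*bpp bytes (the heap overflow);
 * with the checked size the request is refused instead.
 * Returns 1 if the buffer was allocated and filled, 0 if rejected. */
static int fill_buffer_safely(uint32_t width, uint32_t height, uint32_t bpp)
{
    int64_t n = size_checked(width, height, bpp);
    if (n < 0) return 0;
    unsigned char *buf = malloc((size_t)n);
    if (!buf) return 0;
    memset(buf, 0xff, (size_t)n);  /* writes exactly n bytes, never more */
    free(buf);
    return 1;
}

int main(void)
{
    uint32_t w = 70000, h = 70000, bpp = 1;  /* constructed: 4.9e9 bytes */
    printf("wrapped size: %u\n", size_wrapping(w, h, bpp));      /* 605032704 */
    printf("checked: %s\n", fill_buffer_safely(w, h, bpp) ? "allocated" : "rejected");
    return 0;
}
```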