Bug 698066

Summary: Potential null pointer dereference in mem_planar_get_bits_rectangle (gdevmpla.c)
Product: Ghostscript Reporter: ruc.iser
Component: Graphics Library    Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED    
Severity: normal CC: chris.liddell, ruc.iser
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---

Description ruc.iser 2017-06-16 06:45:47 UTC
We found that the function mem_planar_get_bits_rectangle() in file gdevmpla.c duplicates most of mem_get_bits_rectangle(), which has already been reported in Bug #697676 as possibly resulting in a NULL pointer dereference. So we have reason to say mem_planar_get_bits_rectangle() may have the same danger.

/base/gdevmpla.c
static int mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread)
{
    /* This duplicates most of mem_get_bits_rectangle.  Tant pgs. */
    ......  
    if (options == 0) {
        params->options =
            (GB_ALIGN_STANDARD | GB_ALIGN_ANY) |
            (GB_RETURN_COPY | GB_RETURN_POINTER) |
            (GB_OFFSET_0 | GB_OFFSET_SPECIFIED | GB_OFFSET_ANY) |
            (GB_RASTER_STANDARD | GB_RASTER_SPECIFIED | GB_RASTER_ANY) |
            GB_PACKING_CHUNKY |
            GB_COLORS_NATIVE | GB_ALPHA_NONE;
        return_error(gs_error_rangecheck);
    }
    if ((w <= 0) | (h <= 0)) {
        if ((w | h) < 0)
            return_error(gs_error_rangecheck);
        return 0;
    }
    if (x < 0 || w > dev->width - x || y < 0 || h > dev->height - y)
        return_error(gs_error_rangecheck);
    {
        gs_get_bits_params_t copy_params;
        byte **base = &scan_line_base(mdev, y);  /* here may result in a null
                                                    pointer dereference */
        ......
}


Advised Patch:
static int mem_planar_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect, gs_get_bits_params_t * params, gs_int_rect ** unread)
{
            ......
            GB_COLORS_NATIVE | GB_ALPHA_NONE;
        return_error(gs_error_rangecheck);
    }

+	if (mdev→line_ptrs == 0x00)
+		return_error(gs_error_rangecheck);

    if ((w <= 0) | (h <= 0)) {
        if ((w | h) < 0)
            return_error(gs_error_rangecheck);
        return 0;
    }
    ......
}
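Review bot: the added condition `mdev→line_ptrs == 0x00` is not valid C as written; it should read `mdev->line_ptrs == NULL` (the `->` member operator, and `NULL` rather than `0x00` to make the null-pointer comparison explicit). Note also the placement: because the guard sits before the `(w <= 0) | (h <= 0)` test, an empty rectangle on a device with no scanline table now returns `gs_error_rangecheck` where the original code returned 0; if that is intended, a one-line comment above the check saying the device has no line buffer would make the rangecheck error easier to interpret.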
Comment 1 Chris Liddell (chrisl) 2017-06-16 08:05:04 UTC
Applied in:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e

Thanks for spotting that!
Comment 2 ruc.iser 2017-06-16 21:10:56 UTC
(In reply to Chris Liddell (chrisl) from comment #1)
> Applied in:
> http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=824aa630e
> 
> Thanks for spotting that!

Actually, we used a technique based on similarity computing to detect other functions in Ghostscript that may have this problem as well. We'll report them soon. So please keep an eye on our following reports.
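As an added example that is not part of this bug report or of Ghostscript, the pattern described in the description above, reduced to a stand-alone model: the unguarded lookup beside a version with the NULL-table check placed where the advised patch puts it. mem_device_t, ERR_RANGECHECK and the get_scanline_* functions are hypothetical stand-ins for the real device structure, gs_error_rangecheck and mem_planar_get_bits_rectangle().

```c
/* Added example, not Ghostscript code: a reduced model of the guard proposed
 * for mem_planar_get_bits_rectangle(). mem_device_t, ERR_RANGECHECK and the
 * get_scanline_* functions are hypothetical stand-ins for the real ones. */
#include <stddef.h>
typedef unsigned char byte;

#define ERR_RANGECHECK (-15)   /* stands in for gs_error_rangecheck */
/* Minimal memory device: line_ptrs stays NULL if the device was never given
 * a scanline table. */
typedef struct {
    int width;
    int height;
    byte **line_ptrs;
} mem_device_t;

/* Same shape as scan_line_base(mdev, y): indexes line_ptrs with no check. */
#define scan_line_base(dev, y) ((dev)->line_ptrs[(y)])

/* Before: rectangle bounds are validated, but line_ptrs itself is never
 * tested, so a NULL table is dereferenced on the last line. */
byte *get_scanline_unchecked(const mem_device_t *dev, int x, int y, int w, int h)
{
    if (w <= 0 || h <= 0)
        return NULL;
    if (x < 0 || w > dev->width - x || y < 0 || h > dev->height - y)
        return NULL;
    return scan_line_base(dev, y);   /* crashes when line_ptrs == NULL */
}

/* After: the guard from the advised patch, before any use of the table.
 * Returns 0 on success or on an empty rectangle (storing the scanline base
 * in *out, NULL for the empty case); returns ERR_RANGECHECK for bad input. */
int get_scanline_checked(const mem_device_t *dev, int x, int y, int w, int h,
                         byte **out)
{
    *out = NULL;
    if (dev->line_ptrs == NULL)          /* the added NULL-table guard */
        return ERR_RANGECHECK;
    if ((w <= 0) | (h <= 0)) {           /* same test as the original code */
        if ((w | h) < 0)
            return ERR_RANGECHECK;
        return 0;
    }
    if (x < 0 || w > dev->width - x || y < 0 || h > dev->height - y)
        return ERR_RANGECHECK;
    *out = scan_line_base(dev, y);
    return 0;
}
```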