Bug 698158

Summary: Ghostscript - Out of bounds read in igc_reloc_struct_ptr()
Product: Ghostscript Reporter: Kamil Frankowicz <kamil.frankowicz>
Component: FuzzingAssignee: Chris Liddell (chrisl) <chris.liddell>
Severity: normal CC: omarandemad
Priority: P4    
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: POC to trigger out of bounds read (gs)

Description Kamil Frankowicz 2017-07-01 05:50:05 UTC
Created attachment 13878 [details]
POC to trigger out of bounds read (gs)

After some fuzz testing I found a crashing test case.

Git Head: 0b7fa9293f43dce8aea028e4d2b32da1d8fc18c8

Command: gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_oobr_igc_reloc_struct_ptr -c quit


==6596==ERROR: AddressSanitizer: SEGV on unknown address 0x629fffffffe0 (pc 0x000001bf15aa bp 0x7ffdaf7cd170 sp 0x7ffdaf7cd070 T0)
==6596==The signal is caused by a READ memory access.
    #0 0x1bf15a9 in igc_reloc_struct_ptr XYZ/ghostpdl/./psi/igc.c:1307:68
    #1 0x1bfb71a in igc_reloc_refs XYZ/ghostpdl/./psi/igcref.c:434:21
    #2 0x1bf60e9 in gc_do_reloc XYZ/ghostpdl/./psi/igc.c:1246:17
    #3 0x1bf60e9 in gs_gc_reclaim XYZ/ghostpdl/./psi/igc.c:450
    #4 0x1cdce57 in context_reclaim XYZ/ghostpdl/./psi/zcontext.c:290:5
    #5 0x1aecbdf in gs_vmreclaim XYZ/ghostpdl/./psi/ireclaim.c:163:9
    #6 0x1aecbdf in ireclaim XYZ/ghostpdl/./psi/ireclaim.c:80
    #7 0x1ad35ac in interp_reclaim XYZ/ghostpdl/./psi/interp.c:447:12
    #8 0x1aaae7e in gs_main_finit XYZ/ghostpdl/./psi/imain.c:914:20
    #9 0x56c040 in main XYZ/ghostpdl/./psi/gs.c:139:9
    #10 0x7f7ec6757439 in __libc_start_main (/usr/lib/libc.so.6+0x20439)
    #11 0x47d4e9 in _start (/usr/local/bin/gs+0x47d4e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./psi/igc.c:1307:68 in igc_reloc_struct_ptr

BTW, please unlock recently fixed issues and request for a some CVEs for them :)
Comment 1 Chris Liddell (chrisl) 2017-07-25 01:08:01 UTC
Fixed in: