Bug 699255

Summary: Buffer overflow on pprintg1 due to mishandle postscript file data to pdf
Product: Ghostscript
Component: General
Status: RESOLVED FIXED
Severity: major
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Reporter: Vítor Hugo Silva <vitorhg20080>
Assignee: Ken Sharp <ken.sharp>
QA Contact: Bug traffic <tech>
CC: chris.liddell, dkaspar, vitorhg20080
Attachments: Use case that causes buffer overflow; Unmodified file before mutate

Description Vítor Hugo Silva 2018-04-18 04:21:43 UTC
Created attachment 15044
Use case that causes buffer overflow

A buffer overflow is found in Ghostscript 9.18 with a specially crafted PostScript file.
$ gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dHaveTrueTypes=true -dEmbedAllFonts=true -dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" -f fuzzed-case1.ps 
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Reg... 4743540 3133830 2015200 710957 1 done.
Loading NimbusRomNo9L-Med font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-Med... 4820876 3332725 2035392 735152 1 done.
Loading NimbusMono-Regular font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Regular... 4900004 3527153 2055584 752136 1 done.
Loading NimbusMono-Bold font from /usr/share/ghostscript/9.18/Resource/Font/NimbusMono-Bold... 5118700 3762771 2095968 786137 1 done.
Loading NimbusRomNo9L-RegIta font from /usr/share/ghostscript/9.18/Resource/Font/NimbusRomNo9L-RegIta... 5357220 4001795 2156544 851571 1 done.
Loading NimbusSanL-Reg font from /usr/share/ghostscript/9.18/Resource/Font/NimbusSanL-Reg... 5556092 4193319 2358464 1039445 1 done.
*** stack smashing detected ***: gs terminated
Aborted (core dumped)

Backtrace:
#0  0x00007ffff6913428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff691502a in __GI_abort () at abort.c:89
#2  0x00007ffff69557ea in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6a6d49f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff69f715c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7ffff6a6d481 "stack smashing detected") at fortify_fail.c:37
#4  0x00007ffff69f7100 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x00007ffff6ee4283 in pprintg1 (s=s@entry=0xbcc840, format=format@entry=0x7ffff711122e "%g %g Td\n", v=inf) at ./base/spprint.c:133
#6  0x00007ffff6ee42a3 in pprintg2 (s=s@entry=0xbcc840, format=format@entry=0x7ffff711122e "%g %g Td\n", v1=<optimized out>, v2=0) at ./base/spprint.c:137
#7  0x00007ffff6ef784a in pdf_set_text_matrix (pdev=0x6a4b38) at ./devices/vector/gdevpdts.c:289
#8  sync_text_state (pdev=0x6a4b38) at ./devices/vector/gdevpdts.c:484
#9  0x00007ffff6ef79e5 in pdf_from_string_to_text (pdev=<optimized out>) at ./devices/vector/gdevpdts.c:507
#10 0x00007ffff6ed0c29 in string_to_text (pdev=<optimized out>) at ./devices/vector/gdevpdfu.c:1046
#11 0x00007ffff6ed2d3b in pdf_open_contents (pdev=pdev@entry=0x6a4b38, context=context@entry=PDF_IN_STREAM) at ./devices/vector/gdevpdfu.c:1118
#12 0x00007ffff6ed3fe4 in pdf_open_page (pdev=pdev@entry=0x6a4b38, context=context@entry=PDF_IN_STREAM) at ./devices/vector/gdevpdfu.c:1832
#13 0x00007ffff6eba95c in pdf_set_drawing_color (pdev=pdev@entry=0x6a4b38, pis=pis@entry=0x644e38, pdc=0xa8db58, psc=psc@entry=0x6a68c0, used_process_color=used_process_color@entry=0x6a68b4, ppscc=0x7ffff7420260 <psdf_set_fill_color_commands>) at ./devices/vector/gdevpdfg.c:1884
#14 0x00007ffff6efe6f0 in pdf_prepare_text_drawing (pte=0xa90e48, pdev=0x6a4b38) at ./devices/vector/gdevpdtt.c:464
#15 pdf_text_process (pte=0xa90e48) at ./devices/vector/gdevpdtt.c:3070
#16 0x00007ffff709cf1b in op_show_continue (i_ctx_p=i_ctx_p@entry=0x661090) at ./psi/zchar.c:578
#17 0x00007ffff7059bec in moveshow (i_ctx_p=0x661090, have_x=<optimized out>, have_y=<optimized out>) at ./psi/zcharx.c:160
#18 0x00007ffff707f199 in interp (pi_ctx_p=pi_ctx_p@entry=0x622090, pref=<optimized out>, perror_object=perror_object@entry=0x7fffffffd8f0) at ./psi/interp.c:1298
#19 0x00007ffff7080059 in gs_call_interp (perror_object=0x7fffffffd8f0, pexit_code=0x7fffffffd8ec, user_errors=1, pref=0x7fffffffd770, pi_ctx_p=<optimized out>) at ./psi/interp.c:510
#20 gs_interpret (pi_ctx_p=<optimized out>, pref=pref@entry=0x7fffffffd8b0, user_errors=1, pexit_code=0x7fffffffd8ec, perror_object=0x7fffffffd8f0) at ./psi/interp.c:468
#21 0x00007ffff70746e5 in gs_main_interpret (perror_object=<optimized out>, pexit_code=<optimized out>, user_errors=<optimized out>, pref=0x7fffffffd8b0, minst=<optimized out>) at ./psi/imain.c:248
#22 gs_main_run_string_end (minst=<optimized out>, user_errors=<optimized out>, pexit_code=<optimized out>, perror_object=<optimized out>) at ./psi/imain.c:666
#23 0x00007ffff7075f49 in run_string (minst=minst@entry=0x621ff0, str=str@entry=0x7033d0 "<66757a7a65642d63617365312e7073>.runfile", options=options@entry=3) at ./psi/imainarg.c:979
#24 0x00007ffff70760ca in runarg (minst=0x621ff0, pre=0x7ffff7155465 "", arg=<optimized out>, post=0x7ffff717266c ".runfile", options=3) at ./psi/imainarg.c:969
#25 0x00007ffff70777fb in gs_main_init_with_args (minst=0x621ff0, argc=argc@entry=12, argv=argv@entry=0x7fffffffe4e8) at ./psi/imainarg.c:239
#26 0x00007ffff7078acb in gsapi_init_with_args (lib=<optimized out>, argc=argc@entry=12, argv=argv@entry=0x7fffffffe4e8) at ./psi/iapi.c:353
#27 0x0000000000400a2f in main (argc=12, argv=0x7fffffffe4e8) at ./psi/dxmainc.c:86

9.18 compiled with -fno-stack-protector and exec-stack
$ ./gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dHaveTrueTypes=true -dEmbedAllFonts=true -dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" -f ~/fuzzed-case1.ps 
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from %rom%Resource/Font/NimbusRomNo9L-Reg... 4642716 3118322 2015200 713958 1 done.
Loading NimbusRomNo9L-Med font from %rom%Resource/Font/NimbusRomNo9L-Med... 4720052 3308698 2035392 742602 1 done.
Loading NimbusMono-Regular font from %rom%Resource/Font/NimbusMono-Regular... 4819372 3506719 2055584 763419 1 done.
Loading NimbusMono-Bold font from %rom%Resource/Font/NimbusMono-Bold... 5058260 3746034 2095968 802381 1 done.
Loading NimbusRomNo9L-RegIta font from %rom%Resource/Font/NimbusRomNo9L-RegIta... 5296780 3985331 2176736 882568 1 done.
Loading NimbusSanL-Reg font from %rom%Resource/Font/NimbusSanL-Reg... 5495652 4177232 2419040 1114203 1 done.
*** Error in `./gs': double free or corruption (!prev): 0x00000000024b0320 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f1c7638f7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f1c7639837a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f1c7639c53c]
./gs[0x722639]
./gs(alloc_restore_all+0x145)[0x86ec25]
./gs(gs_main_finit+0x207)[0x831b17]
./gs(main+0x9a)[0x4648da]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1c76338830]
./gs(_start+0x29)[0x464939]
Aborted (core dumped)

Sometimes it doesn't trigger the vulnerability. Another result with the same call:
$ ./gs -o tested.pdf -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -dHaveTrueTypes=true -dEmbedAllFonts=true -dSubsetFonts=false -c ".setpdfwrite <</NeverEmbed [ ]>> setdistillerparams" -f ~/fuzzed-case1.ps
GPL Ghostscript 9.18 (2015-10-05)
Copyright (C) 2015 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Loading NimbusRomNo9L-Reg font from %rom%Resource/Font/NimbusRomNo9L-Reg... 4642716 3118322 2015200 713958 1 done.
Loading NimbusRomNo9L-Med font from %rom%Resource/Font/NimbusRomNo9L-Med... 4720052 3308698 2035392 742602 1 done.
Loading NimbusMono-Regular font from %rom%Resource/Font/NimbusMono-Regular... 4819372 3506719 2055584 763419 1 done.
Loading NimbusMono-Bold font from %rom%Resource/Font/NimbusMono-Bold... 5058260 3746034 2095968 802381 1 done.
Loading NimbusRomNo9L-RegIta font from %rom%Resource/Font/NimbusRomNo9L-RegIta... 5296780 3985331 2176736 882568 1 done.
Loading NimbusSanL-Reg font from %rom%Resource/Font/NimbusSanL-Reg... 5495652 4177232 2419040 1114203 1 done.
Segmentation fault (core dumped)

The use case that triggers this vulnerability is attached as fuzzed-case1.ps
Comment 1 Vítor Hugo Silva 2018-04-18 07:30:57 UTC
Indirectly you have fixed the issue with 9.20 and newer.
I've contacted distros to make sure their repo is up to date.
Is it worth the effort to create a specific patch for this case if 9.18 migration to 9.20 or newer breaks anything?
Comment 2 Ken Sharp 2018-04-18 07:42:34 UTC
(In reply to Vítor Hugo Silva from comment #1)
> Indirectly you have fixed the issue with 9.20 and newer.

No, we certainly have not! The problem is easily reproducible in current code.

I have a fix which I'm testing.


> I've contacted distros to make sure their repo is up to date.
> Is it worth the effort to create a specific patch for this case if 9.18
> migration to 9.20 or newer breaks anything?

We don't do patches for older versions of Ghostscript, for free users (we only do limited backwards patching for commercial customers).

This leads me to a couple of comments I was going to make:

Could you please test against the current version of Ghostscript ? The line numbers in the trace don't match up with the current code.

Could you please either supply simpler files, or indicate where in the file the change has been made, or at the very least supply the file before and after fuzzing.

This file has 10 pages, and the error only occurs on page 4. It was quite awkward to find what had been modified in such a large file.
Comment 3 Ken Sharp 2018-04-18 07:49:02 UTC
Commit 39b1e54b2968620723bf32e96764c88797714879 guards against excessively large numbers under these conditions.
Comment 4 Vítor Hugo Silva 2018-04-18 07:52:23 UTC
I can provide you the basefile.ps that I use to mutate and you can diff.
I see you marked it as resolved. Can I ask you for some time to test on the latest code again?
I'm attaching the basecase.ps (unmodified file).
Comment 5 Vítor Hugo Silva 2018-04-18 07:53:03 UTC
Created attachment 15046
Unmodified file before mutate
Comment 6 Vítor Hugo Silva 2018-04-18 07:56:31 UTC
This has been assigned as CVE-2018-10194
Comment 7 Ken Sharp 2018-04-18 08:01:29 UTC
(In reply to Vítor Hugo Silva from comment #4)
> I can provide you the basefile.ps that I use to mutate and you can diff.

I meant for future reference, I already worked out what changes had been made to the file, it just took time because I didn't have the original as reference.

> I see you marked it as resolved. Can I ask you for some time to test on the
> latest code again?

For what reason ? I debugged the problem through the code at HEAD~2 (SHA1 fb4c58a0e097e39547dde3d46893ce1b05d19539) and then again with the commit I referenced above. Tested on Windows and Linux and the problem no longer exhibits for me, because we clamp the rogue value to 0.

So what would I be looking for if I ran it again ?
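
The failure mode discussed in this thread, as an added C example that is not Ghostscript's code and not part of the original comments: the trace ends in a number formatter called with "%g %g Td\n", and comments 3 and 7 describe the fix as guarding against excessively large numbers by clamping the rogue value to 0. The buffer size, the 1e38 limit, the sample value and the names `fixed_len`, `clamp_coord` and `format_coord` are assumptions made for illustration.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

#define NUM_BUF   150    /* constructed buffer size for this example */
#define MAX_COORD 1e38   /* assumed limit for a "sane" coordinate */

/* Characters "%1.1f" needs for v; NULL/0 means nothing is written. */
static int fixed_len(double v)
{
    return snprintf(NULL, 0, "%1.1f", v);
}

/* Caller-side guard: NaN, infinities and oversized values become 0.
 * Both comparisons are false for NaN, so NaN is clamped too. */
static double clamp_coord(double v)
{
    return (v >= -MAX_COORD && v <= MAX_COORD) ? v : 0.0;
}

/* Bounded formatter. PDF reals have no exponent form, so when "%g"
 * produces one the value is re-formatted in fixed notation.
 * Returns 0 on success, -1 (and an empty string) if it does not fit. */
static int format_coord(char *out, size_t outsz, double v)
{
    int n = snprintf(out, outsz, "%g", v);

    if (n >= 0 && (size_t)n < outsz && strchr(out, 'e') != NULL) {
        if (v > 1.0 || v < -1.0)
            n = snprintf(out, outsz, "%1.1f", v);
        else
            n = snprintf(out, outsz, "%1.8f", v);
    }
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[NUM_BUF];
    double rogue = 1e300;   /* constructed sample value */

    printf("fixed notation needs %d chars, buffer holds %d\n",
           fixed_len(rogue), NUM_BUF - 1);
    printf("unguarded: rc=%d\n", format_coord(buf, sizeof buf, rogue));
    printf("clamped:   rc=%d text=%s\n",
           format_coord(buf, sizeof buf, clamp_coord(rogue)), buf);
    printf("infinity -> %g\n", clamp_coord(INFINITY));
    return 0;
}
```

An unbounded `sprintf` into the same buffer would write past its end for the sample value, which is the condition the stack protector reported; the bounded call and the clamp are independent defenses and the example applies both.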
Comment 8 Vítor Hugo Silva 2018-04-18 08:03:46 UTC
(In reply to Ken Sharp from comment #7)
> (In reply to Vítor Hugo Silva from comment #4)
> > I can provide you the basefile.ps that I use to mutate and you can diff.
> 
> I meant for future reference, I already worked out what changes had been
> made to the file, it just took time because I didn't have the original as
> reference.
> 
> > I see you marked it as resolved. Can I ask you for some time to test on the
> > latest code again?
> 
> For what reason ? I debugged the problem through the code at HEAD~2 (SHA1
> fb4c58a0e097e39547dde3d46893ce1b05d19539) and then again with the commit I
> referenced above. Tested on Windows and Linux and the problem no longer
> exhibits for me, because we clamp the rogue value to 0.
> 
> So what would I be looking for if I ran it again ?

Ok sure, you are right.
You have the base file and the mutated one that triggers the bug for future reference.
Thank you for the fix!
Comment 9 Ken Sharp 2018-04-18 08:12:25 UTC
(In reply to Vítor Hugo Silva from comment #8)

> Thank you for the fix!

Thanks for the report :-)
Comment 10 Vítor Hugo Silva 2018-11-29 16:40:46 UTC
Hey, can you make this public? Sorry to ask so late.
Thanks
Comment 11 Chris Liddell (chrisl) 2018-11-29 17:36:10 UTC
(In reply to Vítor Hugo Silva from comment #10)
> Hey, can you make this public? Sorry to ask so late.
> Thanks

Done