Bug 699665

Summary: memory corruption in aesdecode
Product: Ghostscript Reporter: Tavis Ormandy <taviso>
Component: Security (public)    Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: NOTIFIED FIXED QA Contact: gs-security
Severity: normal    
Priority: P2 CC: cbuissar, deekej, dr, jsmeix, scorneli, till.kamppeter
Version: unspecified   
Hardware: PC   
OS: Linux   
Customer: 501,641 Word Size: ---

Description Tavis Ormandy 2018-08-21 22:12:12 UTC
This was found by fuzzing: memory corruption in the aesdecode operator.

$ ./gs -q -sDEVICE=ppmraw -dSAFER 
GS>{ runpdfbegin } stopped {} if
GS>.writepdfmarkdict
GS<1>{ PDFsetpattern } stopped {} if
GS<7>resolveopdict
GS<8>{ .copydict } stopped {} if
GS<10>{ pdf_gen_user_password_R2 } stopped {} if
GS<12>aesdecode
Segmentation fault
Comment 1 Ken Sharp 2018-08-24 08:18:43 UTC
Fixed in this commit:

8e9ce5016db968b40e4ec255a3005f2786cce45f

Basically, make sure we have set an AES key before we try to use it; otherwise we can try to access an uninitialised pointer.
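The pattern behind the fix, as an added illustration that is not Ghostscript's code and not the commit's diff: a decode filter whose cipher-context pointer stays NULL until a key is supplied, the unchecked "before" that dereferences it when a PostScript program invokes the decoder with no key, and the checked "after" that returns an error instead. Everything here is constructed for illustration: the names (aes_state, aes_process_checked, AES_ERR_NOKEY), the XOR block transform standing in for AES, and the key, IV and plaintext.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN   16
#define BLOCK_LEN 16
#define PLAIN_LEN 32

/* Return codes of this hypothetical filter (assumed names, not Ghostscript's). */
enum { AES_OK = 0, AES_ERR_NOKEY = -1, AES_ERR_LEN = -2 };

/* Stand-in for an expanded AES key schedule. The toy block transform below
 * only XORs with these bytes; what matters for the bug is whether the
 * pointer to it has been set at all. */
typedef struct { uint8_t key[KEY_LEN]; } cipher_ctx;

/* Filter state as the decode loop sees it. ctx stays NULL until a key is
 * supplied, and a PostScript program can call the decoder without one. */
typedef struct {
    cipher_ctx *ctx;
    uint8_t     iv[BLOCK_LEN];
    int         initialized;
} aes_state;

static void aes_state_init(aes_state *ss) { memset(ss, 0, sizeof *ss); }

/* Equivalent of supplying the key and IV through the filter dictionary. */
static int aes_state_setkey(aes_state *ss, cipher_ctx *ctx, const uint8_t *key,
                            size_t keylen, const uint8_t iv[BLOCK_LEN]) {
    if (keylen != KEY_LEN) return AES_ERR_LEN;
    memcpy(ctx->key, key, KEY_LEN);
    memcpy(ss->iv, iv, BLOCK_LEN);
    ss->ctx = ctx;
    ss->initialized = 1;
    return AES_OK;
}

/* Toy block transform standing in for AES; XOR is its own inverse. */
static void block_xform(const cipher_ctx *ctx, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLOCK_LEN; i++) out[i] = in[i] ^ ctx->key[i];
}

/* CBC over whole blocks, direction chosen by `decrypt`. Every block
 * dereferences ss->ctx, so a NULL ctx crashes on the first iteration. */
static int cbc_run(aes_state *ss, const uint8_t *in, size_t len, uint8_t *out, int decrypt) {
    uint8_t prev[BLOCK_LEN], tmp[BLOCK_LEN];
    if (len % BLOCK_LEN) return AES_ERR_LEN;
    memcpy(prev, ss->iv, BLOCK_LEN);
    for (size_t off = 0; off < len; off += BLOCK_LEN) {
        if (decrypt) {
            block_xform(ss->ctx, in + off, tmp);
            for (int i = 0; i < BLOCK_LEN; i++) out[off + i] = tmp[i] ^ prev[i];
            memcpy(prev, in + off, BLOCK_LEN);
        } else {
            for (int i = 0; i < BLOCK_LEN; i++) tmp[i] = in[off + i] ^ prev[i];
            block_xform(ss->ctx, tmp, out + off);
            memcpy(prev, out + off, BLOCK_LEN);
        }
    }
    return AES_OK;
}

/* BEFORE: trusts that setkey already ran. Called on a fresh state this
 * dereferences NULL inside block_xform, the crash class the report shows.
 * It is deliberately never invoked without a key in this file. */
static int aes_process_unchecked(aes_state *ss, const uint8_t *in, size_t len, uint8_t *out) {
    return cbc_run(ss, in, len, out, 1);
}

/* AFTER: refuse to decode until a key has been installed, so the caller
 * gets an error rather than a segfault. */
static int aes_process_checked(aes_state *ss, const uint8_t *in, size_t len, uint8_t *out) {
    if (!ss->initialized || ss->ctx == NULL) return AES_ERR_NOKEY;
    return cbc_run(ss, in, len, out, 1);
}

/* Scenario from the report: decoder invoked with no key set. */
static int demo_decode_without_key(void) {
    aes_state ss;
    uint8_t in[BLOCK_LEN] = {0}, out[BLOCK_LEN];
    aes_state_init(&ss);
    return aes_process_checked(&ss, in, sizeof in, out);
}

/* Normal path with constructed key/IV/plaintext: returns 1 if both the
 * checked and the unchecked decoder recover the plaintext. */
static int demo_roundtrip(void) {
    const uint8_t *key   = (const uint8_t *)"0123456789abcdef";                 /* constructed */
    const uint8_t *iv    = (const uint8_t *)"fedcba9876543210";                 /* constructed */
    const uint8_t *plain = (const uint8_t *)"attack at dawn, then at noon...."; /* constructed */
    uint8_t ct[PLAIN_LEN], pt1[PLAIN_LEN], pt2[PLAIN_LEN];
    cipher_ctx ctx;
    aes_state ss;
    aes_state_init(&ss);
    if (aes_state_setkey(&ss, &ctx, key, KEY_LEN, iv) != AES_OK) return 0;
    if (cbc_run(&ss, plain, PLAIN_LEN, ct, 0) != AES_OK) return 0;
    if (aes_process_checked(&ss, ct, PLAIN_LEN, pt1) != AES_OK) return 0;
    if (aes_process_unchecked(&ss, ct, PLAIN_LEN, pt2) != AES_OK) return 0;
    return memcmp(pt1, plain, PLAIN_LEN) == 0 && memcmp(pt2, plain, PLAIN_LEN) == 0;
}
```

The check belongs in the process routine rather than only in the key-setting path because the decoder is reachable from PostScript directly, as the reproducer shows: the interpreter may hand the filter a state whose setup step never ran, and the decode loop has to cope with that rather than assume it.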