Bug 700169

Summary: Type confusion in setcolorspace
Product: Ghostscript    Reporter: Man Yue Mo <mmo>
Component: General    Assignee: Default assignee <ghostpdl-bugs>
Status: RESOLVED FIXED
Severity: normal    CC: dr, jsmeix, till.kamppeter
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:    Word Size: ---

Description Man Yue Mo 2018-11-13 12:08:57 UTC
Hi,

In `seticc`, the value of `Name` from `ICCdict` (`pnameval`) is used as a string without checking its type:

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zicc.c;h=53bdf340df0f2110c17d1c17e1d309d37b1c23df;hb=2dceb0400c5a571f23070891b8a8028d04926de1#l79

http://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=psi/zicc.c;h=53bdf340df0f2110c17d1c17e1d309d37b1c23df;hb=2dceb0400c5a571f23070891b8a8028d04926de1#l82

`ICCdict` is derived from an argument of `setcolorspace`, which can lead to type confusion. For example:

gs -q -sDEVICE=ppmraw -dSAFER
GS>[/ICCBased <</N 3 /DataSource (abc) /Name 16#41 >>] setcolorspace
Segmentation fault (core dumped)

Tested on a build with commit 2dceb04. Thank you very much for your help and please let me know if there is anything I can help with.

Best Regards,

Man Yue Mo
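The pattern the report describes (a dictionary value read as a string without checking its type) next to its type-checked form, as an added illustration that is not Ghostscript's code: the `ref` struct, the function names and the error values below are hypothetical stand-ins for the interpreter's real ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged operand, standing in for an interpreter's real one.
 * A dictionary value such as /Name may hold any of these types. */
typedef enum { T_INTEGER, T_STRING } ref_type;

typedef struct {
    ref_type type;
    union {
        int64_t intval;                                   /* T_INTEGER */
        struct { const unsigned char *bytes; size_t size; } str; /* T_STRING */
    } value;
} ref;

enum { ERR_OK = 0, ERR_RANGECHECK = -15, ERR_TYPECHECK = -20 };

/* Vulnerable pattern: assumes /Name is a string and reads the string
 * fields of the union. For /Name 16#41 the pointer field overlaps the
 * integer 0x41 on a typical 64-bit build, so memcpy reads from an
 * attacker-chosen address and the process crashes. */
int copy_name_unchecked(const ref *pnameval, char *out, size_t outlen)
{
    size_t n = pnameval->value.str.size;
    if (n >= outlen)
        return ERR_RANGECHECK;
    memcpy(out, pnameval->value.str.bytes, n);
    out[n] = '\0';
    return ERR_OK;
}

/* Hardened pattern: reject any operand that is not a string before the
 * union's string fields are touched; non-strings get a typecheck error. */
int copy_name_checked(const ref *pnameval, char *out, size_t outlen)
{
    if (pnameval->type != T_STRING)
        return ERR_TYPECHECK;
    return copy_name_unchecked(pnameval, out, outlen);
}

/* Constructed operands: a string name and the PoC's integer 16#41. */
ref make_int(int64_t v) { ref r; r.type = T_INTEGER; r.value.intval = v; return r; }
ref make_str(const char *s) {
    ref r; r.type = T_STRING;
    r.value.str.bytes = (const unsigned char *)s; r.value.str.size = strlen(s);
    return r;
}

int main(void)
{
    char name[64];
    ref good = make_str("sRGB"), bad = make_int(0x41);
    printf("string operand: %d (%s)\n", copy_name_checked(&good, name, sizeof name), name);
    printf("integer operand: %d\n", copy_name_checked(&bad, name, sizeof name));
    /* copy_name_unchecked(&bad, ...) is what the unfixed code does; not called here. */
    return 0;
}
```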
Comment 1 Ken Sharp 2018-11-14 10:06:52 UTC
Fixed in commit 434753adbe8be5534bfb9b7d91746023e8073d16

Note that commit 9a1b3ac61761094713f44dedfce56013308a3b1d adds a few more type checking cases as well.
Comment 2 Man Yue Mo 2018-11-14 14:42:21 UTC
Thanks! I was investigating the ones in `zbfont.c` and `set_outputintent` and you beat me to it :)

Would you be happy for me to request a CVE combining this and Bug 700168? And are these also going to be fixed in 9.26? Thanks.
Comment 3 Ken Sharp 2018-11-14 14:49:23 UTC
(In reply to Man Yue Mo from comment #2)
> Thanks! I was investigating the ones in `zbfont.c` and `set_outputintent`
> and you beat me to it :)
> 
> Would you be happy for me to request a CVE combining this and Bug 700168?

Certainly, or two separate ones; as you see fit.


> And are these also going to be fixed in 9.26? Thanks.

These two will be, yes. The ones in commit 9a1b3 won't be (unless the build/release maintainer overrules me). We're in the middle of doing a release and I'm wary of pulling in large changes at this stage.
Comment 4 Man Yue Mo 2018-11-14 14:57:18 UTC
Thanks. I will make the request then. It may be worth putting just the one in `zbfont.c` from 9a1b3 into the release also as that one looks very much like it is reachable. I can do some further investigation. Thanks.
Comment 5 Man Yue Mo 2018-11-15 11:32:39 UTC
I can confirm that the ones in `zbfont.c` that are fixed in 9a1b3 can be reached.

gs -q -dSAFER -sDEVICE=ppmraw
GS>/fontDict 10 dict def
GS>fontDict /FMapType 4 put
GS>fontDict /FDepVector [] put
GS>fontDict /Encoding [] put
GS>fontDict /FontType 0 put
GS>fontDict /FontMatrix matrix put
GS>fontDict /OrigFont 16#41 put
GS>/myFont (myFont) fontDict definefont
Segmentation fault (core dumped)

gs -q -dSAFER -sDEVICE=ppmraw
GS>/fontDict 10 dict def
GS>/fontInfo 2 dict def
GS>/origFont 2 dict def
GS>/origFontName 16#41 def
GS>/origFontStyle 16#41 def
GS>fontDict /FMapType 4 put
GS>fontDict /FDepVector [] put
GS>fontDict /Encoding [] put
GS>fontDict /FontType 0 put
GS>fontDict /FontMatrix matrix put
GS>fontDict /FontInfo fontInfo put
GS>fontInfo /OrigFontName origFontName put
GS>fontInfo /OrigFontStyle origFontStyle put
/myFont (myFont) fontDict definefont def
Segmentation fault (core dumped)

So I'd suggest adding these fixes to 9.26 as well. Thanks.