Summary: global-buffer-overflow at devices/gdevpjet.c:177 in pj_common_print_page
Component: General    Assignee: Default assignee <ghostpdl-bugs>
Description Suhwan 2019-10-26 06:14:54 UTC
Comment 1 Ken Sharp 2019-10-26 13:58:28 UTC
The line causing the error is:

    (spr40[dp] >> 1) +

when i is 1528 (i.e. it's the last 'chunk', because DATA_SIZE is 1536 and we stop when i >= DATA_SIZE).

The problem is that we copy 'line_size' bytes from the device into the line buffer:

    gdev_prn_copy_scan_lines(pdev, lnum, (byte *)data, line_size);

where line_size in this case is 1530 bytes. But we transpose the data using a limit of 'DATA_SIZE' for i:

    /* Transpose the data to get pixel planes. */
    for ( i = 0, odp = plane_data; i < DATA_SIZE; i += 8, odp++ )

and DATA_SIZE is 1536 bytes. Which means we read off the end of the buffer by 6 bytes, which means we are using uninitialised data. It's the use of uninitialised data which causes the buffer overflow, trying to read 95 bytes along an array of 8 bytes.

We simply need to set those bytes to 0. It's possible there is code which is trying to do that already:

    /* Pad with 0s to fill out the last */
    /* block of 8 bytes. */
    memset(end_data, 0, 7);

But if that's what it's doing, it's in the wrong place: end_data is decremented before we reach here if the line has any white space at the right edge. Which means that code is simply overwriting 0x00 bytes with more 0x00 bytes.

So I've chosen to simply set the entire buffer to 0x00 before we start copying and processing; it's a one-time setup cost, so it's probably cheaper than trying to clean the buffer on every line.

While this is probably benign (the data we are writing is unused), it's poor practice at best.
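To make the size mismatch described in comment 1 concrete, here is an added C example (not Ghostscript code and not the actual fix commit): a DATA_SIZE buffer receives only line_size bytes, is transposed in 8-byte blocks over the full DATA_SIZE, and a poison byte stands in for whatever the uninitialised tail happens to hold so the effect is deterministic. copy_scan_line and transpose_planes are constructed stand-ins for the real driver functions; the only value assumed beyond the report is the plane bit layout.

```c
#include <stdint.h>
#include <string.h>

/* Sizes from comment 1: the buffer is DATA_SIZE bytes, only line_size are copied. */
#define DATA_SIZE 1536
#define LINE_SIZE 1530

/* Constructed stand-in for gdev_prn_copy_scan_lines(): fills exactly line_size bytes. */
static void copy_scan_line(uint8_t *dst, size_t line_size, uint8_t seed)
{
    for (size_t k = 0; k < line_size; k++)
        dst[k] = (uint8_t)(seed + k);
}

/* Transpose each 8-byte block into 8 bit planes (bit b of byte j becomes
 * bit 7-j of plane b). As in the report, i runs to DATA_SIZE, so the last
 * block reads the 6 bytes that were never copied. */
static void transpose_planes(const uint8_t *data, uint8_t *planes)
{
    for (size_t i = 0; i < DATA_SIZE; i += 8, planes += 8)
        for (int b = 0; b < 8; b++) {
            uint8_t p = 0;
            for (int j = 0; j < 8; j++)
                p |= (uint8_t)(((data[i + j] >> b) & 1) << (7 - j));
            planes[b] = p;
        }
}

/* One line through the pipeline; 'poison' simulates the uninitialised tail. */
static void run_line(uint8_t poison, int zero_first, uint8_t *planes)
{
    uint8_t data[DATA_SIZE];
    memset(data, poison, sizeof data);
    if (zero_first)
        memset(data, 0, sizeof data);   /* the fix: clear the whole buffer once */
    copy_scan_line(data, LINE_SIZE, 0x10);
    transpose_planes(data, planes);
}

/* Plane bytes whose value changes when only the uncopied tail changes:
 * 8 (the whole last block) without the fix, 0 with it. */
int tail_dependent_plane_bytes(int zero_first)
{
    uint8_t a[DATA_SIZE], b[DATA_SIZE];
    run_line(0xAA, zero_first, a);
    run_line(0x55, zero_first, b);
    int n = 0;
    for (size_t k = 0; k < DATA_SIZE; k++)
        n += (a[k] != b[k]);
    return n;
}
```

In the real driver those garbage-driven plane bytes were then used as an index, which is how uninitialised data turned into the out-of-bounds read that ASan flagged.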
Comment 2 Ken Sharp 2019-10-26 14:08:26 UTC
Fixed in commit aba3375ac24f8e02659d9b1eb9093909618cdb9f