Bug 701845

Summary: Division by Zero at base/gxclrast.c:1145 in clist_playback_band
Product: Ghostscript Reporter: Suhwan <prada960808>
Component: GeneralAssignee: Ray Johnston <ray.johnston>
Status: RESOLVED FIXED    
Severity: normal CC: chris.liddell
Priority: P4    
Version: master   
Hardware: PC   
OS: Linux   
Customer: Word Size: ---
Attachments: poc

Description Suhwan 2019-11-05 17:15:46 UTC 
Created attachment 18450 [details]
poc

Hello

I found a Division by Zero bug in GhostScript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit 1159afbcad927e1a32008b0ab87e257fc21da8e2

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run following cmd.

gs -dBATCH -dNOPAUSE -dSAFER -dFIXEDMEDIA -dTextAlphaBits=4 -sPAPERSIZE=a4 -sOutputFile=tmp -sDEVICE=devicen $PoC

Here's ASAN report.

==20860==ERROR: AddressSanitizer: FPE on unknown address 0x55b2e4568077 (pc 0x55b2e4568077 bp 0x7ffde73de2c0 sp 0x7ffde73d93e0 T0)
    #0 0x55b2e4568076 in clist_playback_band base/gxclrast.c:1145
    #1 0x55b2e458cfed in clist_playback_file_bands base/gxclread.c:920
    #2 0x55b2e458c7ca in clist_render_rectangle base/gxclread.c:854
    #3 0x55b2e458b7a0 in clist_rasterize_lines base/gxclread.c:743
    #4 0x55b2e458a5af in clist_get_bits_rectangle base/gxclread.c:632
    #5 0x55b2e45f330a in clist_get_bits_rect_mt base/gxclthrd.c:845
    #6 0x55b2e5039253 in gx_default_get_bits base/gdevdgbr.c:54
    #7 0x55b2e4513bb9 in gdev_prn_get_bits base/gdevprn.c:1687
    #8 0x55b2e421e09e in spotcmyk_print_page base/gdevdevn.c:1398
    #9 0x55b2e4510a02 in gx_default_print_page_copies base/gdevprn.c:1231
    #10 0x55b2e45103d1 in gdev_prn_output_page_aux base/gdevprn.c:1133
    #11 0x55b2e4510669 in gdev_prn_output_page base/gdevprn.c:1169
    #12 0x55b2e5040b81 in gx_forward_output_page base/gdevnfwd.c:183
    #13 0x55b2e4bee83e in gs_output_page base/gsdevice.c:212
    #14 0x55b2e524de6b in zoutputpage psi/zdevice.c:416
    #15 0x55b2e516abc6 in do_call_operator psi/interp.c:86
    #16 0x55b2e5174345 in interp psi/interp.c:1300
    #17 0x55b2e516c713 in gs_call_interp psi/interp.c:520
    #18 0x55b2e516bdb8 in gs_interpret psi/interp.c:477
    #19 0x55b2e514030f in gs_main_interpret psi/imain.c:253
    #20 0x55b2e51437c4 in gs_main_run_string_end psi/imain.c:791
    #21 0x55b2e5143189 in gs_main_run_string_with_length psi/imain.c:735
    #22 0x55b2e51430fb in gs_main_run_string psi/imain.c:716
    #23 0x55b2e514fdbf in run_string psi/imainarg.c:1117
    #24 0x55b2e514fb62 in runarg psi/imainarg.c:1086
    #25 0x55b2e514f3e1 in argproc psi/imainarg.c:1008
    #26 0x55b2e5149bad in gs_main_init_with_args01 psi/imainarg.c:241
    #27 0x55b2e514a011 in gs_main_init_with_args psi/imainarg.c:288
    #28 0x55b2e5155541 in psapi_init_with_args psi/psapi.c:272
    #29 0x55b2e5324b71 in gsapi_init_with_args psi/iapi.c:148
    #30 0x55b2e3ef4ef8 in main psi/gs.c:95
    #31 0x7f5f70b3ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #32 0x55b2e3ef4c99 in _start (gs+0x36cc99)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE base/gxclrast.c:1145 in clist_playback_band
Comment 1 Ray Johnston 2019-11-05 18:01:41 UTC 
With HEAD (commit 1159afbcad927e1a32008b0ab87e257fc21da8e2) on Windows 32-bit
with:

debugbin/gswin32c -sDEVICE=devicen -dTextAlphaBits=4 -Z: -o x.devn poc.pdf

I get:
GPL Ghostscript GIT PRERELEASE 9.51: c:\artifex\cgit\ghostpdl\base\gxclrast.c(2132): Bad op fe band y0 = 264 file pos 4096 buf pos 702/4096

On 64-bit Ubuntu I get similar:

GPL Ghostscript GIT PRERELEASE 9.51: ./base/gxclrast.c(2132): Bad op fe band y0 = 542 file pos 4096 buf pos 667/4096

but then this is followed by:
Floating point exception (core dumped)

Running under gdb, the divide by zero is seen to be:

#0 in clist_playback_band (playback_action=playback_action_render, cdev=0x22ec088, s=0x7fffffff69a0, target=0x298fb18, x0=0, y0=813,
    mem=0x2258978) at ./base/gxclrast.c:1145

with state_slot pointing to a bogus tile:
 {head = {size = 567232, depth = 0}, width = 0, height = 0, shift = 0, raster = 0, id = 0, x_reps = 0 '\000', y_reps = 0 '\000', rep_shift = 0,
  index = 0, num_bands = 0, num_planes = 0 '\000'}

Taking this, and will test on linux 64-bit when fixed.
Comment 2 Ray Johnston 2020-01-08 20:38:33 UTC 
Fixed in commit 372c862f2050d82248316f54156e5bb33dd7520a                                                                                             Author: Ray Johnston <ray.johnston@artifex.com>                                                                                             Date:   Fri Jan 3 09:56:29 2020 -0800   
                                                                                                                                                                                                                                                  
The devicen device used to define 32-bit depth, but 0 components and no
standard process colors or names. This confused the pdf14 device into
writing a clist with 1-component (gray), but then because the icc_profile
had 4 components, would try and use 4 component when reading.

Fix by making it 32-bit CMYK, and also fix to write a valid PCX by
converting the 32-bit CMYK to 24-bit RGB on output. PCX cannot handle
32-bit CMYK. Prior to this, 32-bit CMYK would fail showpage with a
rangecheck error.