Bug 701877

Summary: heap-buffer-overflow at devices/vector/gdevtxtw.c:2114 in txt_add_fragment
Product: Ghostscript
Reporter: Suhwan <prada960808>
Component: General
Assignee: Ken Sharp <ken.sharp>
Status: RESOLVED FIXED
Severity: normal
Priority: P4
Version: master
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: poc

Description Suhwan 2019-11-07 17:05:45 UTC
Created attachment 18494 [details]
poc

Hello

I found a heap-buffer-overflow bug in GhostScript.
Please confirm. 
Thanks.

OS:        Ubuntu 18.04 64bit
Version:   commit 66878fb30f37b06a532fdce39991f31642cdb09b

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with "make sanitize" using gcc.
3. Run the following cmd.

gs -dBATCH -dNOPAUSE -sOutputFile=tmp -sDEVICE=txtwrite $PoC

Here's the ASAN report.

==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000034e5c at pc 0x7f78fbfc9733 bp 0x7ffca555a9a0 sp 0x7ffca555a148
READ of size 20 at 0x606000034e5c thread T0
    #0 0x7f78fbfc9732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x5565f660f6a2 in txt_add_fragment devices/vector/gdevtxtw.c:2114
    #2 0x5565f66118b9 in textw_text_process devices/vector/gdevtxtw.c:2228
    #3 0x5565f691909b in gs_text_process base/gstext.c:596
    #4 0x5565f6e8e2cf in op_show_continue_pop psi/zchar.c:696
    #5 0x5565f6e88cf4 in zshow psi/zchar.c:78
    #6 0x5565f6df7e26 in do_call_operator psi/interp.c:86
    #7 0x5565f6e04a57 in interp psi/interp.c:1674
    #8 0x5565f6df9973 in gs_call_interp psi/interp.c:520
    #9 0x5565f6df9018 in gs_interpret psi/interp.c:477
    #10 0x5565f6dcd56f in gs_main_interpret psi/imain.c:253
    #11 0x5565f6dd0a24 in gs_main_run_string_end psi/imain.c:791
    #12 0x5565f6dd03e9 in gs_main_run_string_with_length psi/imain.c:735
    #13 0x5565f6dd035b in gs_main_run_string psi/imain.c:716
    #14 0x5565f6ddd01f in run_string psi/imainarg.c:1117
    #15 0x5565f6ddcdc2 in runarg psi/imainarg.c:1086
    #16 0x5565f6ddc641 in argproc psi/imainarg.c:1008
    #17 0x5565f6dd6e0d in gs_main_init_with_args01 psi/imainarg.c:241
    #18 0x5565f6dd7271 in gs_main_init_with_args psi/imainarg.c:288
    #19 0x5565f6de27a1 in psapi_init_with_args psi/psapi.c:272
    #20 0x5565f6fb1dd1 in gsapi_init_with_args psi/iapi.c:148
    #21 0x5565f5b81c08 in main psi/gs.c:95
    #22 0x7f78fa744b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #23 0x5565f5b819a9 in _start (gs+0x36d9a9)

0x606000034e5c is located 0 bytes to the right of 60-byte region [0x606000034e20,0x606000034e5c)
allocated by thread T0 here:
    #0 0x7f78fc02eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5565f68e14c5 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x5565f68e19d2 in gs_heap_alloc_byte_array base/gsmalloc.c:252
    #3 0x5565f6610643 in textw_text_process devices/vector/gdevtxtw.c:2181
    #4 0x5565f691909b in gs_text_process base/gstext.c:596
    #5 0x5565f6e8e2cf in op_show_continue_pop psi/zchar.c:696
    #6 0x5565f6e88cf4 in zshow psi/zchar.c:78
    #7 0x5565f6df7e26 in do_call_operator psi/interp.c:86
    #8 0x5565f6e04a57 in interp psi/interp.c:1674
    #9 0x5565f6df9973 in gs_call_interp psi/interp.c:520
    #10 0x5565f6df9018 in gs_interpret psi/interp.c:477
    #11 0x5565f6dcd56f in gs_main_interpret psi/imain.c:253
    #12 0x5565f6dd0a24 in gs_main_run_string_end psi/imain.c:791
    #13 0x5565f6dd03e9 in gs_main_run_string_with_length psi/imain.c:735
    #14 0x5565f6dd035b in gs_main_run_string psi/imain.c:716
    #15 0x5565f6ddd01f in run_string psi/imainarg.c:1117
    #16 0x5565f6ddcdc2 in runarg psi/imainarg.c:1086
    #17 0x5565f6ddc641 in argproc psi/imainarg.c:1008
    #18 0x5565f6dd6e0d in gs_main_init_with_args01 psi/imainarg.c:241
    #19 0x5565f6dd7271 in gs_main_init_with_args psi/imainarg.c:288
    #20 0x5565f6de27a1 in psapi_init_with_args psi/psapi.c:272
    #21 0x5565f6fb1dd1 in gsapi_init_with_args psi/iapi.c:148
    #22 0x5565f5b81c08 in main psi/gs.c:95
    #23 0x7f78fa744b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
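Reading the report above, as an added triage helper that is not part of this bug or of Ghostscript: it pulls the access kind and size, the first in-tree faulting frame, the allocation site and the region size out of a constructed excerpt of this ASAN log, and works out that a 20-byte read starting 0 bytes past a 60-byte region overruns it by 20 bytes. The allocator-wrapper skip list (`gs_heap_alloc`) is an assumption taken from the frames shown here.

```python
import re

# Constructed excerpt of the ASAN report quoted in this bug (the helper needs
# only the header, the first few frames and the allocation note).
SAMPLE_REPORT = """\
==11134==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000034e5c at pc 0x7f78fbfc9733 bp 0x7ffca555a9a0 sp 0x7ffca555a148
READ of size 20 at 0x606000034e5c thread T0
    #0 0x7f78fbfc9732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x5565f660f6a2 in txt_add_fragment devices/vector/gdevtxtw.c:2114
    #2 0x5565f66118b9 in textw_text_process devices/vector/gdevtxtw.c:2228
0x606000034e5c is located 0 bytes to the right of 60-byte region [0x606000034e20,0x606000034e5c)
allocated by thread T0 here:
    #0 0x7f78fc02eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5565f68e14c5 in gs_heap_alloc_bytes base/gsmalloc.c:193
    #2 0x5565f68e19d2 in gs_heap_alloc_byte_array base/gsmalloc.c:252
    #3 0x5565f6610643 in textw_text_process devices/vector/gdevtxtw.c:2181
"""

KIND_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Only symbolised in-tree frames carry "in <func> <path>:<line>"; sanitizer and
# libc frames show a shared-object offset instead, so they never match.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)$", re.M)
# Allocator wrappers to skip when locating the allocation site (assumed from this report).
ALLOC_WRAPPERS = ("gs_heap_alloc",)

def first_frame(text, skip=()):
    """Return (function, file, line) of the first in-tree frame not in `skip`."""
    for func, path, line in FRAME_RE.findall(text):
        if not func.startswith(skip):
            return (func, path, int(line))
    return None

def triage(report):
    """Reduce an ASAN heap report to the facts a bug triager records."""
    access_part, _, alloc_part = report.partition("allocated by")
    kind, addr = KIND_RE.search(report).groups()
    op, size, _ = ACCESS_RE.search(access_part).groups()
    dist, side, rsize, start, end = REGION_RE.search(access_part).groups()
    size, dist, rsize = int(size), int(dist), int(rsize)
    # An access starting `dist` bytes past the end touches dist+size bytes of redzone.
    overflow = dist + size if side == "right" else dist
    expected = int(end, 16) + dist if side == "right" else int(start, 16) - dist
    return {"kind": kind, "access": op, "size": size, "region_size": rsize,
            "overflow_bytes": overflow, "address_consistent": int(addr, 16) == expected,
            "fault_frame": first_frame(access_part),
            "alloc_frame": first_frame(alloc_part, ALLOC_WRAPPERS)}
```

`address_consistent` cross-checks the faulting address against the region bounds and offset, which catches reports that were hand-edited or truncated before being attached to a ticket.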
Comment 1 Ken Sharp 2019-11-17 19:49:48 UTC
This is fixed in commit da03855bf9ca18eab05d4ac870d73f457758a77f