ghostscript 8.63 pdf parsing overflow

sample malformed file:

Program terminated with signal 11, Segmentation fault.
[New process 22489]
#0  0xb7860dde in gs_gc_reclaim () from /usr/lib/libgs.so.8
(gdb) i r
eax            0x41414141    1094795585
ecx            0x8195374     135877492
edx            0x81779a8     135756200
ebx            0xb7c7cff4    -1211641868
esp            0xbfd4fb30    0xbfd4fb30
ebp            0xbfd50278    0xbfd50278
esi            0x8193b28     135871272
edi            0x43434343    1128481603
eip            0xb7860dde    0xb7860dde <gs_gc_reclaim+494>
eflags         0x210287      [ CF PF SF IF RF ID ]
cs             0x73          115
ss             0x7b          123
ds             0x7b          123
es             0x7b          123
fs             0x0           0
gs             0x33          51
(gdb) x/11i $pc
0xb7860dde <gs_gc_reclaim+494>:    mov    0xc(%eax),%edx
0xb7860de1 <gs_gc_reclaim+497>:    orl    $0xfffffffe,(%esi)
0xb7860de4 <gs_gc_reclaim+500>:    test   %edx,%edx
0xb7860de6 <gs_gc_reclaim+502>:    je     0xb7860e02 <gs_gc_reclaim+530>
0xb7860de8 <gs_gc_reclaim+504>:    mov    %eax,0xc(%esp)
0xb7860dec <gs_gc_reclaim+508>:    lea    0xc(%esi),%eax
0xb7860def <gs_gc_reclaim+511>:    mov    %eax,0x4(%esp)
0xb7860df3 <gs_gc_reclaim+515>:    mov    -0x6c8(%ebp),%eax
0xb7860df9 <gs_gc_reclaim+521>:    mov    %edi,0x8(%esp)
0xb7860dfd <gs_gc_reclaim+525>:    mov    %eax,(%esp)
0xb7860e00 <gs_gc_reclaim+528>:    call   *%edx
(gdb) x/x 0x8193b28
0x8193b28:    0x42424242
(gdb)

Analysis shows exploitation is straightforward, since we control eax, which gets moved to edx, which in turn gets called at gs_gc_reclaim+528.

bash$ perl pdf2pspoc.pl ; pdf2ps evil.pdf
   **** Warning:  Specified xref location is beyond end of file.
   **** Warning:  An error occurred while reading an XREF table.
   **** The file has been damaged.  This may have been caused
   **** by a problem while converting or transfering the file.
   **** Ghostscript will attempt to recover the data.
   **** Error reading a content stream.  The page may be incomplete.
   **** Unknown operator: '%%EOF'
Error: /typecheck in --run--
Operand stack:
   --nostringval--   --dict:5/14(L)--   F1   20   83   7   0   --nostringval--   Type   Font   Encoding   WinAnsiEncoding   Subtype   14   Type1
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1905   1   3   %oparray_pop   1904   1   3   %oparray_pop   1888   1   3   %oparray_pop   --nostringval--   --nostringval--   2   1   1   --nostringval--   %for_pos_int_continue   --nostringval--   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--   false   1   %stopped_push   --nostringval--   %loop_continue   --nostringval--   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   --nostringval--   %loop_continue   --nostringval--
Dictionary stack:
   --dict:1150/1684(ro)(G)--   --dict:1/20(G)--   --dict:75/200(L)--   --dict:75/200(L)--   --dict:106/127(ro)(G)--   --dict:275/300(ro)(G)--   --dict:24/25(L)--   --dict:4/6(L)--   --dict:25/40(L)--
Current allocation mode is local
Last OS error: 2
GPL Ghostscript 8.63: Unrecoverable error, exit code 1
$

PoC to reproduce available via email on request.
Please attach the PDF file (evil.pdf). The latest release is 8.64. Please retest with that version (that's the first thing we will do anyway once the file is provided).
You can mark attachments as 'private' through the edit link after upload if you're worried about disclosure to third parties.
*** This bug has been marked as a duplicate of 690523 ***