Bug 690522 - gs pdf parsing buffer overflow
Summary: gs pdf parsing buffer overflow
Status: RESOLVED DUPLICATE of bug 690523
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PDF Interpreter (show other bugs)
Version: 0.00
Hardware: PC All
: P4 normal
Assignee: Alex Cherepanov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-08 09:40 UTC by knud
Modified: 2009-06-16 20:29 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description knud 2009-06-08 09:40:05 UTC
ghostscript 8.63 pdf parsing overflow 

sample malformed file:
Program terminated with signal 11, Segmentation fault.
[New process 22489]
#0  0xb7860dde in gs_gc_reclaim () from /usr/lib/libgs.so.8
(gdb) i r
eax            0x41414141       1094795585
ecx            0x8195374        135877492
edx            0x81779a8        135756200
ebx            0xb7c7cff4       -1211641868
esp            0xbfd4fb30       0xbfd4fb30
ebp            0xbfd50278       0xbfd50278
esi            0x8193b28        135871272
edi            0x43434343       1128481603
eip            0xb7860dde       0xb7860dde <gs_gc_reclaim+494>
eflags         0x210287 [ CF PF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/11i $pc
0xb7860dde <gs_gc_reclaim+494>: mov    0xc(%eax),%edx
0xb7860de1 <gs_gc_reclaim+497>: orl    $0xfffffffe,(%esi)
0xb7860de4 <gs_gc_reclaim+500>: test   %edx,%edx
0xb7860de6 <gs_gc_reclaim+502>: je     0xb7860e02 <gs_gc_reclaim+530>
0xb7860de8 <gs_gc_reclaim+504>: mov    %eax,0xc(%esp)
0xb7860dec <gs_gc_reclaim+508>: lea    0xc(%esi),%eax
0xb7860def <gs_gc_reclaim+511>: mov    %eax,0x4(%esp)
0xb7860df3 <gs_gc_reclaim+515>: mov    -0x6c8(%ebp),%eax
0xb7860df9 <gs_gc_reclaim+521>: mov    %edi,0x8(%esp)
0xb7860dfd <gs_gc_reclaim+525>: mov    %eax,(%esp)
0xb7860e00 <gs_gc_reclaim+528>: call   *%edx
(gdb) x/x 0x8193b28
0x8193b28:      0x42424242
(gdb) 

analysis shows exploitation is straight forward, since we control eax 
which gets moved to edx which in turn gets called at gs_gc_reclaim+528

bash$ perl pdf2pspoc.pl ; pdf2ps evil.pdf
   **** Warning:  Specified xref location is beyond end of file.
   **** Warning:  An error occurred while reading an XREF table.
   **** The file has been damaged.  This may have been caused
   **** by a problem while converting or transfering the file.
   **** Ghostscript will attempt to recover the data.
   **** Error reading a content stream. The page may be incomplete.
   **** Unknown operator: '%%EOF'
Error: /typecheck in --run--
Operand stack:
   --nostringval--   --dict:5/14(L)--   F1   20   83   7   0   --
nostringval--   Type   Font   Encoding   WinAnsiEncoding   Subtype   14   Type1
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --
nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --
nostringval--   false   1   %stopped_push   1905   1   3   %oparray_pop   
1904   1   3   %oparray_pop   1888   1   3   %oparray_pop   --nostringval--   --
nostringval--   2   1   1   --nostringval--   %for_pos_int_continue   --
nostringval--   --nostringval--   --nostringval--   --nostringval--   
%array_continue   --nostringval--   false   1   %stopped_push   --
nostringval--   %loop_continue   --nostringval--   --nostringval--   --
nostringval--   --nostringval--   false   1   %stopped_push   --nostringval--   
%loop_continue   --nostringval--
Dictionary stack:
   --dict:1150/1684(ro)(G)--   --dict:1/20(G)--   --dict:75/200(L)--   --
dict:75/200(L)--   --dict:106/127(ro)(G)--   --dict:275/300(ro)(G)--   --
dict:24/25(L)--   --dict:4/6(L)--   --dict:25/40(L)--
Current allocation mode is local
Last OS error: 2
GPL Ghostscript 8.63: Unrecoverable error, exit code 1
$ 

poc to reproduce available via email on request.
Comment 1 Ray Johnston 2009-06-08 09:47:19 UTC
Please attach the PDF file (evil.pdf). The latest release is 8.64. Please
retest with that version (that's the first thing we will do anyway once the
file is provided).
Comment 2 Ralph Giles 2009-06-08 09:48:17 UTC
You can mark attachments as 'private' through the edit link after upload if
you're worried about disclosure to third parties.
Comment 3 Alex Cherepanov 2009-06-16 20:29:54 UTC

*** This bug has been marked as a duplicate of 690523 ***