Bug 692856 - Ghostscript Buffer Overflow Vulnerability
Summary: Ghostscript Buffer Overflow Vulnerability
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: PS Interpreter
Version: master
Hardware: PC All
Importance: P2 normal
Assignee: Alex Cherepanov
Reported: 2012-02-14 00:23 UTC by Marcos H. Woehrmann
Modified: 2014-02-17 04:40 UTC

Patch (1.07 KB, patch)
2012-02-18 05:18 UTC, Alex Cherepanov
WinDBG output showing the overflow (2.40 KB, text/plain)
2012-03-14 16:48 UTC, Secunia Research

Description Marcos H. Woehrmann 2012-02-14 00:23:24 UTC
Because of the sensitive nature of the information in the report, the details will be found in Comment #1, which will be viewable only by Artifex staff.
Comment 2 Alex Cherepanov 2012-02-18 05:18:39 UTC
Created attachment 8365

I don't really know what this bug report is about.
There's a suspicious place in mswinpr2, but a long file name is detected
and discarded earlier. Still, the proposed patch should help to pacify
static analysis tools.
Comment 3 Henry Stiles 2012-02-18 15:48:18 UTC
Hello Marcos, can you ask Secunia for a command line to reproduce the problem so we can actually reproduce the overflow?
Comment 4 Henry Stiles 2012-02-18 15:52:29 UTC
(In reply to comment #3)
> Hello Marcos, can you ask Secunia for a command line to reproduce the problem so
> we can actually reproduce the overflow?

Sorry, I didn't notice at first that everything was set up in the PostScript file. Alex, if there is not an overflow, just close it as invalid and Marcos will report back to Secunia.
Comment 5 Alex Cherepanov 2012-02-26 22:20:12 UTC
The use of the mswinpr2 device in the sample file indicates that the problem should happen on Windows. However, the maximum path size on Windows is about 256 bytes.
There's no need to stuff in 2000 characters to create an overflow.
Testing the file with different /OutputFile attributes either works or fails with
/rangecheck. No buffer overflow has been detected.

On Linux, mswinpr2 cannot be found and the sample program fails when the big path is just a regular string on the stack.

The Secunia web site doesn't have an SA47855 advisory.
Comment 6 Secunia Research 2012-03-14 16:48:51 UTC
Created attachment 8414
WinDBG output showing the overflow
Comment 7 Secunia Research 2012-03-14 16:50:12 UTC
Comment on attachment 8414
WinDBG output showing the overflow

Please reference the attached file for evidence of the overflow.
Comment 8 Alex Cherepanov 2012-03-14 20:28:26 UTC
Please provide more information on how to reproduce the bug.
What version of Ghostscript are you using?
How did you compile it?
What is your operating system?
Is it a 32- or 64-bit one?
What's your command line?