Created attachment 13249 [details]
POC to trigger null pointer dereference (gs)

After some fuzz testing I found a crashing test case.

Git Head: 73060a27e554f8e64ae2aba4a1b03822207346c7

Command:
gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_nullptr_pdf14_pop_transparency_group -c quit

ASAN output:
GPL Ghostscript GIT PRERELEASE 9.21 (2016-09-14)
Copyright (C) 2016 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
ASAN:DEADLYSIGNAL
=================================================================
==22611==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000098 (pc 0x0000008fb085 bp 0x7ffe33950ab0 sp 0x7ffe33950820 T0)
==22611==The signal is caused by a READ memory access.
==22611==Hint: address points to the zero page.
    #0 0x8fb084 in pdf14_pop_transparency_group XYZ/ghostpdl/./base/gdevp14.c:1070:31
    #1 0x8de8ab in pdf14_end_transparency_group XYZ/ghostpdl/./base/gdevp14.c:4027:12
    #2 0x890f49 in gx_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:401:16
    #3 0x8fd8f7 in gx_update_pdf14_compositor XYZ/ghostpdl/./base/gdevp14.c:3607:20
    #4 0x8dd061 in pdf14_create_compositor XYZ/ghostpdl/./base/gdevp14.c:3686:16
    #5 0x8d4d53 in send_pdf14trans XYZ/ghostpdl/./base/gdevp14.c:6589:12
    #6 0x890c55 in gs_gstate_update_pdf14trans XYZ/ghostpdl/./base/gstrans.c:168:12
    #7 0x890c55 in gs_end_transparency_group XYZ/ghostpdl/./base/gstrans.c:393
    #8 0x19fe37e in interp XYZ/ghostpdl/./psi/interp.c:1314:40
    #9 0x19fe37e in gs_call_interp XYZ/ghostpdl/./psi/interp.c:511
    #10 0x19fe37e in gs_interpret XYZ/ghostpdl/./psi/interp.c:468
    #11 0x19d1352 in gs_main_interpret XYZ/ghostpdl/./psi/imain.c:245:12
    #12 0x19d1352 in gs_main_run_string_end XYZ/ghostpdl/./psi/imain.c:663
    #13 0x19d1352 in gs_main_run_string_with_length XYZ/ghostpdl/./psi/imain.c:621
    #14 0x19dd2eb in run_string XYZ/ghostpdl/./psi/imainarg.c:977:16
    #15 0x19dd2eb in runarg XYZ/ghostpdl/./psi/imainarg.c:967
    #16 0x19dc748 in argproc XYZ/ghostpdl/./psi/imainarg.c:900:16
    #17 0x19d5283 in gs_main_init_with_args XYZ/ghostpdl/./psi/imainarg.c:238:24
    #18 0x5475d8 in main XYZ/ghostpdl/./psi/gs.c:96:16
    #19 0x7f690806082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #20 0x47b9d8 in _start (/usr/local/bin/gs+0x47b9d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/ghostpdl/./base/gdevp14.c:1070:31 in pdf14_pop_transparency_group
==22611==ABORTING
You really aren't supposed to play with the internal functions, but it shouldn't crash either.
Fixed with http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d621292fb2c8157d9899dcd83fd04dd250e30fe4
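The trace above is a read fault at address 0x98 with ASAN's "address points to the zero page" hint, which is the signature of dereferencing a struct field at a small offset through a NULL base pointer: the group stack that pdf14_pop_transparency_group expects to pop from is empty, because the interpreter let a script call the transparency-group end operator without a matching begin. The block below is an added illustration of that bug class and of the defensive check a pop routine needs; it is not Ghostscript's pdf14 code and does not reproduce the linked commit. All names (group_t, ctx_t, ctx_begin_group, ctx_end_group, run_sequence) and the 'B'/'E' op string are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical transparency-group stack (not Ghostscript's pdf14 code).
 * Every "begin group" pushes one group; every "end group" pops one. */
typedef struct group_s {
    struct group_s *parent;   /* enclosing group, NULL at the bottom */
    unsigned char  *buf;      /* pixel/backdrop buffer owned by this group */
    size_t          size;
} group_t;

typedef struct ctx_s {
    group_t *stack;           /* innermost open group, NULL if none are open */
    int      depth;
} ctx_t;

int ctx_begin_group(ctx_t *ctx, size_t size) {
    group_t *g = calloc(1, sizeof *g);
    if (!g) return -1;
    g->buf = calloc(size ? size : 1, 1);
    if (!g->buf) { free(g); return -1; }
    g->size = size;
    g->parent = ctx->stack;
    ctx->stack = g;
    ctx->depth++;
    return 0;
}

/* Hardened pop. Without the NULL check, an "end" with no matching
 * "begin" reads g->parent through g == NULL, i.e. a read from a small
 * offset into the zero page, which is exactly what ASAN reported above.
 * Returns 0 on success, -2 when the stack is already empty. */
int ctx_end_group(ctx_t *ctx) {
    group_t *g = ctx->stack;
    if (g == NULL)
        return -2;               /* unbalanced end: report, do not crash */
    ctx->stack = g->parent;      /* the NULL dereference when left unchecked */
    ctx->depth--;
    free(g->buf);
    free(g);
    return 0;
}

/* Replays a constructed op string: 'B' = begin group, 'E' = end group.
 * A fuzzed or hand-written input is free to make ends outnumber begins,
 * so the first non-zero status stops processing and is returned. */
int run_sequence(const char *ops) {
    ctx_t ctx = { NULL, 0 };
    int rc = 0;
    for (; *ops; ops++) {
        if (*ops == 'B')      rc = ctx_begin_group(&ctx, 64);
        else if (*ops == 'E') rc = ctx_end_group(&ctx);
        if (rc != 0) break;
    }
    while (ctx.stack)            /* release groups left open by the input */
        ctx_end_group(&ctx);
    return rc;
}
```

The check is placed in the pop routine rather than only at the operator level, so the invariant (never pop an empty stack) holds regardless of which caller reaches it; a script poking at internal operators then gets an error status instead of a segfault.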